Bug 1479: GnuPG curl-shim TCP half-close harms HTTP interop

David Shaw dshaw at jabberwocky.com
Sun Mar 3 02:38:49 CET 2013


On Mar 2, 2013, at 4:12 PM, Kristian Fiskerstrand <kristian.fiskerstrand at sumptuouscapital.com> wrote:

>> A quick check of a few sks servers shows that keys2.kfwebs.net does
>> properly return a 404 for an unknown key.  pgp.mit.edu returns a
>> 500, but this is also running an older version of sks, possibly
>> before the 404 was added.
> 
> Indeed, as far as I can recall this behavior was implemented in 1.1.4,
> and is listed in the changelog as
> - Improved the HTTP status and HTTP error codes returned for various
>   situations and added checks for more error conditions.
> 
> The only pool that guarantees 1.1.4 is subset.pool.sks-keyservers.net,
> the minimum requirement for main is 1.1.3.

Ok, this is reasonable.  I'll add some code to gpgkeys to look for the HTTP status.  It'll only really work properly on sks 1.1.4 or later, but it'll work well enough on earlier versions (it'll say "key can't be retrieved" rather than "key not found" if the key isn't found).  That addresses all 4 cases here, since gpgkeys can use those status codes, along with the state it already has, to tell the difference between key found (either complete or incomplete), not found, and server failed.

David
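
A sketch of the classification described in the message above, added here as an example; it is not gpgkeys code and not part of the original post. The enum and function names are hypothetical, and using the OpenPGP armor header lines as the "state it already has" is an assumption, as is letting received key data take precedence over the status code.

```c
#include <stdio.h>
#include <string.h>

/* Outcome names are hypothetical, chosen for this example. */
enum fetch_result {
    KEY_FOUND_COMPLETE,
    KEY_FOUND_INCOMPLETE,  /* armor started but the transfer ended early */
    KEY_NOT_FOUND,         /* server explicitly answered 404 */
    KEY_UNAVAILABLE        /* server failed, or could not say "not found" */
};

#define ARMOR_BEGIN "-----BEGIN PGP PUBLIC KEY BLOCK-----"
#define ARMOR_END   "-----END PGP PUBLIC KEY BLOCK-----"

/* Combine the HTTP status with what was seen in the body.
   Key data in the body wins over the status code; without any key data,
   only a 404 is trusted to mean "not found". */
enum fetch_result classify_fetch(long http_status, const char *body)
{
    const char *begin = body ? strstr(body, ARMOR_BEGIN) : NULL;

    if (begin)
        return strstr(begin, ARMOR_END) ? KEY_FOUND_COMPLETE
                                        : KEY_FOUND_INCOMPLETE;
    return http_status == 404 ? KEY_NOT_FOUND : KEY_UNAVAILABLE;
}

/* User-facing text; the two failure strings are the ones quoted in the thread. */
const char *fetch_message(enum fetch_result r)
{
    switch (r) {
    case KEY_FOUND_COMPLETE:   return "key found";
    case KEY_FOUND_INCOMPLETE: return "key found but incomplete";
    case KEY_NOT_FOUND:        return "key not found";
    default:                   return "key can't be retrieved";
    }
}

int main(void)
{
    /* Constructed sample responses, not captured from any real server. */
    const char *whole = ARMOR_BEGIN "\n\nmQENBFEx\n=abcd\n" ARMOR_END "\n";
    const char *cut   = ARMOR_BEGIN "\n\nmQENBF";

    printf("200 whole: %s\n", fetch_message(classify_fetch(200, whole)));
    printf("200 cut:   %s\n", fetch_message(classify_fetch(200, cut)));
    printf("404 empty: %s\n", fetch_message(classify_fetch(404, "")));
    printf("500 empty: %s\n", fetch_message(classify_fetch(500, "")));
    return 0;
}
```

A server older than sks 1.1.4 that answers 500 for an unknown key lands in `KEY_UNAVAILABLE`, which matches the degraded "key can't be retrieved" wording the message expects on earlier versions.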



