Non-blocking connect for dirmngr
wk@gnupg.org
Thu Jun 8 18:28:18 CEST 2017
When using --auto-key-retrieve or --auto-key-locate to automagically
retrieve keys from the Web Key Directory (WKD) or keyservers, it often
happens that a server does not respond in a timely manner.
Keyservers may be down and dirmngr would then select another keyserver.
However, it may take several minutes until the connect call returns an
Even more annoying are WKD queries to servers which don't support this
service and - worse - don't run a web server at all at the expected
address. For example one of our core hackers has an address at iki.fi.
Now when dirmngr wants to look up an address it tries
https://iki.fi/foo/bar and hangs (plain http redirects to www.iki.fi and
works). After it times out the code tries the next server listed for
that address, until that one times out as well. Finally after 3 times
the default timeout you get an error message back. That can be 15
minutes or more. Clearly not acceptable.
The obvious solution to this is to use a lower timeout. However, Unix
has no easy way to do this because connect(2) has no timeout parameter
and the way it can be done used to be non-portable: You switch the
socket into non-blocking mode, call connect(2) and then select(2) on the
socket. Now this works, but according to Stevens, systems use slightly
different semantics to tell you the outcome of the operation.
This is unfortunate but let's assume it works with today's systems
without too much trouble.
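The non-blocking connect described above, as an added C example that is not dirmngr's code: it uses poll(2) in place of select(2) and reads the real outcome from SO_ERROR, which is the point where systems historically differed. The function names and the loopback listener scenario are constructed for this illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect with a deadline: O_NONBLOCK, connect(), poll for writability, then
 * read the real outcome from SO_ERROR (writable alone does not mean connected).
 * Returns 0, or -1 with errno set (ETIMEDOUT when TIMEOUT_MS elapses). */
int connect_with_timeout(int fd, const struct sockaddr *sa, socklen_t len, int timeout_ms)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) return -1;
    if (connect(fd, sa, len) < 0) {
        if (errno != EINPROGRESS) return -1;            /* failed synchronously */
        struct pollfd pfd = { .fd = fd, .events = POLLOUT };
        int n, soerr = 0;
        socklen_t sl = sizeof soerr;
        do n = poll(&pfd, 1, timeout_ms); while (n < 0 && errno == EINTR);
        if (n < 0) return -1;
        if (n == 0) { errno = ETIMEDOUT; return -1; }   /* the 15 s / 2 s case */
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &soerr, &sl) < 0) return -1;
        if (soerr) { errno = soerr; return -1; }        /* e.g. ECONNREFUSED */
    }
    fcntl(fd, F_SETFL, flags);                          /* back to blocking mode */
    return 0;
}

/* Constructed scenario: a listener on an ephemeral loopback port accepts the
 * connect; once closed, the same port is refused promptly instead of hanging.
 * Returns 0 if both hold, 1 or 2 for the failing step, -errno on setup error. */
int demo_listening_then_closed(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t sl = sizeof sa;
    int ls = socket(AF_INET, SOCK_STREAM, 0), rc[2];
    if (ls < 0 || bind(ls, (struct sockaddr *)&sa, sl) < 0 || listen(ls, 1) < 0
        || getsockname(ls, (struct sockaddr *)&sa, &sl) < 0) return -errno;
    for (int i = 0; i < 2; i++) {               /* i == 0: listener up; i == 1: closed */
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        rc[i] = connect_with_timeout(fd, (struct sockaddr *)&sa, sl, 2000) ? errno : 0;
        close(fd);
        if (i == 0) close(ls);
    }
    return rc[0] ? 1 : rc[1] == ECONNREFUSED ? 0 : 2;
}
```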
I implemented that in master and there are now default timeouts of 15
seconds for regular operations and 2 seconds for "unimportant"
operations (looking up a key for verification). Works nicely on my Linux
box but I have not yet tested on any other system. There is code for
Windows which builds but it has not yet been tested.
I would like to ask those of you who are using master on non-Debian/Linux
boxes to try it out. For example, put
into dirmngr.conf, fire up watchgnupg
watchgnupg --time-only --force $(gpgconf --list-dirs socketdir)/S.log
and in another term/screen run
as a test shell. Entering for example
WKD_GET --quick --submission-address -- foo@iki.fi
should give you a Connection Refused after just a few seconds. Or does
it not on your system?
The new options we have are:
Set the timeout for HTTP and generic TCP connection
attempts to N seconds. The value set with the quick
variant is used when the --quick option has been given to
certain Assuan commands. The quick value is capped at the
value of the regular connect timeout. The default values
are 15 and 2 seconds. Note that the timeout values are
for each connection attempt; the connection code will
attempt to connect all addresses listed for a server.
Thoughts are free. Exceptions are regulated by a federal law.