Non-blocking connect for dirmngr

Werner Koch wk at
Thu Jun 8 18:28:18 CEST 2017


When using --auto-key-retrieve or --auto-key-locate to automagically
retrieve keys from the Web Key Directory (WKD) or keyservers it often
happens that a server does not respond timely.

Keyservers may be down and dirmngr would then select another keyserver.
However, it may take several minutes until the connect call returns an
error.  Annoying.

Even more annoying are WKD queries to servers which don't support this
service and - worse - don't run a web server at all at the expected
address.  For example one of our core hackers has an address at
Now when dirmngr want to lookup an address it tries and hangs (plain http redirects to and
works).  After it times out the code tries the next server listed for
that address, until that one times out as well.  Finally after 3 times
the default timeout you get an error message back.  That can be 15
minutes or more.  Clearly not acceptable.

The obvious solution to this is to use a lower timeout.  However, Unix
has no easy way to do this because connect(2) has no timeout parameter
and the way it can be done used to be non-portable: You switch the
socket into blocking mode, call connect and then the select on the
socket.  Now this works, but according to Stevens, systems use slightly
different semantics to tell you the outcome of the operation.
This is unfortunate but let's assume it works with todays systems
without too much trouble.

I implemented that in master and there are now default timeouts of 15
seconds for regular operations and 2 seconds for "unimportant"
operations (looking up a key for verification).  Works nice on my Linux
box but I have not yet tested on any other system.  There is code for
Windows which builds but it has not yet been tested.

I like to ask those of you who are using master on non Debian/Linux
boxes to try it out.  For example put 

  debug ipc,dns,network
  log-file socket://

into dirmngr.conf, fireup watchgnupg

  watchgnupg --time-only --force $(gpgconf --list-dirs socketdir)/S.log

and in another term/screen run

  gpg-connect-agent --dirmngr

as test shell.   Entering for example

  WKD_GET --quick --submission-address -- foo at

should give you a Connection Refused after just a few seconds.  Or does
it not on your system?



The new options we have are:

   --connect-timeout n
   --connect-quick-timeout n

          Set the timeout for HTTP and generic TCP connection
          attempts to N seconds.  The value set with the quick
          variant is used when the --quick option has been given to
          certain Assuan commands.  The quick value is capped at the
          value of the regular connect timeout.  The default values
          are 15 and 2 seconds.  Note that the timeout values are
          for each connection attempt; the connection code will
          attempt to connect all addresses listed for a server.

Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: </pipermail/attachments/20170608/bfed4d45/attachment.sig>

More information about the Gnupg-devel mailing list