dirmngr vs. tor gateways
Werner Koch wk at gnupg.org
Wed Feb 28 08:03:37 CET 2018

On Tue, 27 Feb 2018 20:42, o at immerda.ch said:
> On 02/26/2018 09:23 AM, Werner Koch wrote:
>> Dirmngr (actually Libassuan) always uses 127.0.0.1 and
>> checks whether Tor is running on one of the two standard ports
>
> That might be a bit of a problematic assumption, given there is at least
> one distribution, where this is never true. Especially, if there is no
> workaround whatsoever.

That complaint comes a bit late ;-)  We have had the integrated Tor support for
more than 2 years.  Just wondering.

> The point is, that this does not work. dirmngr name resolution for
> keyservers fails, if dirmngr connects through a whonix tor gateway. The
> error message is:

In this case you need to disable the integrated Tor support: --no-use-tor
And you need to make sure that you have a full DNS resolver over Tor.
Just looking up AAAA records is not sufficient to use the key server pools.

> That does not help. Due to the above problem, we can only specify
> keyservers by ip. The ip is most likely not mentioned in the cert.

Without proper DNS support PKIX does not work anyway.

Shalom-Salam,
   Werner
-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.