dirmngr vs. tor gateways

Werner Koch wk at gnupg.org
Wed Feb 28 08:03:37 CET 2018


On Tue, 27 Feb 2018 20:42, o at immerda.ch said:
> On 02/26/2018 09:23 AM, Werner Koch wrote:
>> Dirmngr (actually Libassuan) always uses 127.0.0.1 and
>> checks whether Tor is running on one of the two standard ports
>
> That might be a bit of a problematic assumption, given there is at least
> one distribution, where this is never true. Especially, if there is no
> workaround whatsoever.

That complain comes a bit late ;-)  We have the integrated Tor support for
more than 2 years.  Just wondering.

> The point is, that this does not work. dirmngr name resolution for
> keyservers fails, if dirmngr connects through a whonix tor gateway. The
> error message is:

In this case you need to diable the integrated Tor support: --no-use-tor
And you need top make sure that you have a full DNS resolver over Tor.
Just looking up AAAA records is not sufficient to use the key server pools.

> That does not help. Due to the above problem, we can only specify
> keyservers by ip. The ip is most likely not mentioned in the cert.

Without proper DNS support PKIX does not work anyway.


Shalom-Salam,

   Werner


-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180228/d67e0fef/attachment.sig>


More information about the Gnupg-devel mailing list