HKP and firewalls

Heiko Teichmeier
Fri Apr 4 07:14:01 2003

David Shaw wrote:
> On Sat, Mar 29, 2003 at 10:54:05PM +0000, Neil Williams wrote:
>>I've had recent problems with a new ISDN router that doesn't use a
>>particularly easy firewall setup. All other outgoing internet connections are
>>fine (HTTP,POP,SMTP,SSH,FTP,DNS etc) and the firewall appears to be
>>other packets as expected - it's a basic deny-all firewall with no
>>services available.
I had the same problems getting a connection to a keyserver over an http-proxy.
One problem is that the http-proxy connects to remote port 80. How can I
now make it use another port???
The next problem in my mind is DNS. Normally the user only gets
contact to the http-proxy in the local network (security reasons) and *no
routing* through the firewall. So the http-server makes the DNS request
to the internet and gets the IP for the asked name. These reasons make
--auto-key-retrieve over an http-server difficult (or completely not

I have tested with our firewall:
If I allow routing (NAT) for the services DNS, port 11371 and incoming
high ports, --auto-key-retrieve works fine.
If I use secure restrictions (no routing, only proxy connections [at
this time not with user/password] to the internet) the key retrieve
does not work.

Now my questions:
How does an http (port 80) proxy work with the HKP port?
How does it (the http-proxy) get the DNS information, if it thinks it can't
contact port 11371?
Who has a working combination of an only-proxy-allowed firewall with
http-proxy (Squid) and enigmail (on Windows) for the communication? -
What options make the squid-enigmail-gpg key-retrieve combination a
working suite?

>>However, I cannot get a reply from any keyservers using --recv-keys. I
>>send to keyservers fine (and I can test that the keyserver received the
>>update using an SSH connection to a remote server with GPG installed) and I
>>can receive all keys IF I use a dial-up modem connection instead of the
>>router, so I can't see that it is a problem with ~/.gnup/options.
>>I've tried opening port 11371 but I get very confusing results. Once in a
>>while (and only once each time) I can get a single key through - as if it has
>>been cached somewhere - but the other 99 times gpg just waits and waits and
>>waits. e.g. output
>>$ gpg --verbose --verbose --keyserver --recv-keys 0x28BCB3E3
>>gpg: requesting key 28BCB3E3 from HKP keyserver
>>gpg: armor header: Version: PGP Key Server 0.9.5
>>I also use
>>My basic problem is that the router doesn't use the familiar iptables
>>and doesn't provide a full listing of the traffic. I can't tell where the
>>packets are being dropped. I've tried using IP addresses for the
>>and using hkp:// etc.
>>Does HKP only use port 11371? (Could it be trying to send data back to a
>>different port?)
>>The router is a D-Link DI-304
> I'm not familiar with that particular router, but I can give you some
> general information that will hopefully help you.
> HKP is HTTP underneath it all.  The only thing unusual about it is
> that it runs on port 11371.  If there is a general "HTTP"
> configuration for your firewall, try that, and allow it on port 11371.
> If that isn't possible for whatever reason, you might look around for
> a HKP keyserver that runs on port 80 (for this exact reason -
> firewalls).  Ask on the pgp-keyserver-folk @ list, and I'm
> sure someone there can suggest a server to use.
> David

--

Kind regards
Stadtwerke Meerane GmbH

Netzmeister NB Elt
Tel: +49 3764 791720
Fax: +49 3764 791719
Version: GnuPG v1.2.1-nr1 (Windows 98)
Comment: Using GnuPG with Mozilla -
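The following is an added illustration, not code from the thread or from GnuPG. It makes concrete David Shaw's point that HKP is plain HTTP on port 11371, and shows why the two firewall setups in the thread behave differently: a direct fetch needs the client to resolve DNS and reach the keyserver on 11371 (the NAT case that worked), whereas a fetch through an HTTP proxy sends an absolute-form request line that names the port, so the proxy does the DNS lookup and opens the outbound connection, and the proxy's own policy must allow destination port 11371 (GnuPG 1.x reads the `http_proxy` environment variable when `honor-http-proxy` is set). The hostnames, the proxy address and the keyserver reply are constructed; the key ID is the one from Neil's quoted output.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit

HKP_DEFAULT_PORT = 11371  # HKP is plain HTTP; only the port is unusual


def parse_keyserver(spec: str) -> Tuple[str, int]:
    """Turn a --keyserver value ('hkp://host[:port]' or a bare hostname) into (host, port)."""
    if "://" not in spec:
        spec = "hkp://" + spec
    parts = urlsplit(spec)
    if parts.scheme != "hkp" or not parts.hostname:
        raise ValueError(f"not an HKP keyserver spec: {spec!r}")
    return parts.hostname, parts.port or HKP_DEFAULT_PORT


def lookup_path(keyid: str, op: str = "get") -> str:
    """An HKP key fetch is an ordinary GET on /pks/lookup with the key ID as the search term."""
    if not re.fullmatch(r"(0x)?[0-9A-Fa-f]{8,40}", keyid):
        raise ValueError(f"key ID must be hex: {keyid!r}")
    if not keyid.lower().startswith("0x"):
        keyid = "0x" + keyid
    return "/pks/lookup?" + urlencode({"op": op, "search": keyid, "options": "mr"})


def render_request(spec: str, keyid: str,
                   proxy: Optional[Tuple[str, int]] = None) -> Tuple[Tuple[str, int], str]:
    """Return (tcp_endpoint, raw_request) for fetching keyid from the keyserver in spec.

    Without a proxy the client itself must resolve the name and reach host:11371,
    which is why a deny-all firewall needs DNS and outbound 11371 opened.
    With a proxy the client only reaches the proxy; the absolute-form request
    line tells the proxy to resolve the name and connect to port 11371, so the
    proxy's own policy must allow that destination port.
    """
    host, port = parse_keyserver(spec)
    path = lookup_path(keyid)
    if proxy is None:
        endpoint = (host, port)
        request_line = f"GET {path} HTTP/1.0"
    else:
        endpoint = proxy
        request_line = f"GET http://{host}:{port}{path} HTTP/1.0"
    raw = f"{request_line}\r\nHost: {host}:{port}\r\nUser-Agent: hkp-example/0.1\r\n\r\n"
    return endpoint, raw


ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----", re.S)


def extract_key_block(reply: bytes) -> Tuple[int, Optional[str], Optional[str]]:
    """Split a raw HKP reply into (http_status, armor_version_header, armored_block).

    The armor header is what gpg echoes as 'gpg: armor header: Version: ...';
    a reply whose body never arrives is the 'waits and waits' case from the thread.
    """
    head, _, body = reply.partition(b"\r\n\r\n")
    status = int(head.decode("latin-1").split("\r\n")[0].split()[1])
    match = ARMOR_RE.search(body.decode("latin-1"))
    if not match:
        return status, None, None
    block = match.group(0)
    version = re.search(r"^Version: (.+)$", block, re.M)
    return status, version.group(1) if version else None, block


# Constructed sample reply (not captured from a real keyserver); key material is elided.
SAMPLE_REPLY = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    b"Version: PGP Key Server 0.9.5\n\n"
    b"mQGiBD...constructed placeholder, not real key data...\n"
    b"=AbCd\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n"
)

if __name__ == "__main__":
    # Hypothetical hosts: keyserver.example.org and proxy.internal.example are placeholders.
    for proxy in (None, ("proxy.internal.example", 3128)):
        endpoint, raw = render_request("hkp://keyserver.example.org", "0x28BCB3E3", proxy)
        print("connect to", endpoint)
        print(raw.split("\r\n")[0])
    print(extract_key_block(SAMPLE_REPLY)[:2])
```

Reading the two request lines side by side is the answer to "how does a port-80 proxy work with the HKP port": the proxy never assumes port 80, it connects to whatever port the absolute URI carries, and it resolves the hostname itself, so the client needs no DNS path through the firewall. What still has to be checked on the proxy side is that its destination-port policy permits 11371; if it does not, the client sees exactly the silent wait described in the thread.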