HKP and firewalls

Neil Williams
Mon Apr 7 13:27:02 2003

On Friday 04 April 2003 6:12 am, Heiko Teichmeier wrote:
> I tested with our firewall:
> =============================
> If I allow routing (NAT) for services dns, port:11371 and incoming
> highports the --auto-key-retrieve works fine.

That was the solution - enabling higher ports - HKP doesn't just use 11371, it 
tries to connect at other higher ports too. Just enabling 11371 isn't enough. 
I've now got access to the HKP servers. Thanks Heiko. (It still doesn't work 
100% of the time but at least it's working 90% instead of 1%!)

That isn't good enough to use auto-key-retrieve though so I'll continue 
working on it using different distros and installations.

> How does an http (port 80) proxy work with the port of hkp?
> How does it (the http-proxy) get the DNS information, if it thinks it can't
> contact port 11371?

HKP should work as HTTP in these areas.

> > I'm not familiar with that particular router, but I can give you some
> > general information that will hopefully help you.
> >
> > HKP is HTTP underneath it all.  The only thing unusual about it is
> > that it runs on port 11371.  If there is a general "HTTP"
> > configuration for your firewall, try that, and allow it on port 11371.
> >
> > If that isn't possible for whatever reason, you might look around for
> > a HKP keyserver that runs on port 80 (for this exact reason -
> > firewalls).  Ask on the pgp-keyserver-folk @ list, and I'm
> > sure someone there can suggest a server to use.
> >
> > David


Neil Williams
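
An added example (not from the thread or from GnuPG): a check that reports whether a keyserver lookup fails at DNS, at the TCP connection to port 11371, or at the HTTP exchange, and records the client's ephemeral source port that replies return to. The `/pks/lookup?op=get` request form is the usual HKP lookup and does not appear in the thread; the key ID `DEADBEEF`, the function names and the local mock keyserver are constructed for illustration.

```python
import http.client
import http.server
import socket
import threading
from urllib.parse import urlencode

HKP_PORT = 11371  # HKP default port, as named in the thread

def hkp_lookup_path(key_id):
    """An HKP key fetch is an ordinary HTTP GET on this path."""
    return "/pks/lookup?" + urlencode({"op": "get", "options": "mr", "search": "0x" + key_id})

def diagnose_hkp(host, port=HKP_PORT, key_id="DEADBEEF", timeout=5.0):
    """Name the first layer (dns, tcp, http) at which a lookup fails."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"stage": "dns", "detail": str(exc)}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.connect()  # outbound connection to the keyserver port
    except OSError as exc:
        return {"stage": "tcp", "detail": str(exc)}
    # Replies return to this ephemeral client port: a stateless filter
    # has to admit them, a stateful one tracks the flow itself.
    src_port = conn.sock.getsockname()[1]
    try:
        conn.request("GET", hkp_lookup_path(key_id))
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return {"stage": "http", "detail": str(exc), "src_port": src_port}
    finally:
        conn.close()
    return {"stage": "ok", "status": status, "src_port": src_port}

class MockKeyserver(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in keyserver so the check runs offline."""
    def do_GET(self):
        self.send_response(200 if self.path.startswith("/pks/lookup") else 404)
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def run_against_mock():
    with http.server.HTTPServer(("127.0.0.1", 0), MockKeyserver) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return diagnose_hkp("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
```

Against a real keyserver, call `diagnose_hkp(hostname)` from behind the firewall; a `tcp` result points at the port 11371 rule, an `http` result at a proxy or filter that accepted the connection but not the request.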