Gnupg-users Digest, Vol 16, Issue 34
lord grinny
grinny3004 at yahoo.com
Mon Jan 24 12:21:34 CET 2005
Thank you for your response Henry, one day I'll get it to work and then I'll send you all an encrypted e-mail :-).
Henry Hertz Hobbit wrote:
>>------------------------------
>>
>>Message: 9
>>Date: Sat, 22 Jan 2005 03:42:53 -0800 (PST)
>>From: lord grinny <grinny3004 at yahoo.com>
>>Subject: Re: Proxy trouble
>>To: gnu-pg mailing <gnupg-users at gnupg.org>
>>Message-ID: <20050122114254.69384.qmail at web61208.mail.yahoo.com>
>>Content-Type: text/plain; charset=us-ascii
>>
>>
>>Thanks for your response Jason,
>>
>>Jason Harris wrote:
>>
>>>In that case, try using port 80:
>>>
>>> %gpg --keyserver hkp://keyserver.kjsl.com:80 --recv BB36BA75
>>> gpg: requesting key BB36BA75 from hkp server keyserver.kjsl.com
>>> Host: keyserver.kjsl.com
>>> Port: 80
>>> Command: GET
>>> gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&search=0xBB36BA75'
>>> gpg: key BB36BA75: public key "Barry Porter <barry at bpuk.net>" imported
>>> gpg: Total number processed: 1
>>> gpg: imported: 1
>>>
>>
>>D:\>gpg --keyserver hkp://keyserver.kjsl.com:80 --recv-keys 0xBB36BA75
>>gpg: requesting key BB36BA75 from hkp server keyserver.kjsl.com
>>Host: keyserver.kjsl.com
>>Port: 80
>>Command: GET
>>gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&search=0xBB36BA75'
>>?: keyserver.kjsl.com: Host not found: ec=10065
>>gpgkeys: HKP fetch error: No error
>>gpg: no valid OpenPGP data found.
>>gpg: Total number processed: 0
>>
>>I don't know what this is. My proxy is set up correctly (works for Firefox) and I think I've set up gnu-pg correctly...
>
>
> I don't think GPG is at fault here. Please type the following in a command prompt:
>
> nslookup keyserver.kjsl.com
I tried this, but my DNS is definitely set up okay.

C:\Documents and Settings\Administrator.GRINNY>nslookup keyserver.kjsl.com
*** Can't find server name for address 192.168.0.1: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 192.168.0.1

Non-authoritative answer:
Name: keyserver.kjsl.com
Address: 69.36.241.130

192.168.0.1 is my gateway (a Windows 98 box serving as a router).
>
> If it doesn't give you an IP address, your failure is either in your DNS setup, or you don't have a connection to the Internet. Until that is resolved you don't know if gpg is causing the problem or not. I just typed the command he gave, and it got the keys INSTANTLY. Here is what gpg --list-keys gives me:
>
> pub   1024D/BB36BA75 2003-11-11 Barry Porter <barry at bpuk.net>
> uid                            Barry Porter <bporter at ikon.com>
> uid                            Barry Porter <barry.porter at gmail.com>
> uid                            Barry Porter <barry at mozilla-enigmail.org>
> sub   4096g/1F5A0D8B 2003-11-11
>
> To test your connection to the internet, find some host you can ping and do a (it would be ping -c on Unix, but it looks like you are using MS Windows):
>
> ping -n 1 hostname.com
My proxy server doesn't allow me to ping. But I do have a connection to the internet, only not directly. I know my connection is okay, because I'm still surfing the internet with Firefox, and have set up my mail to run via the HTTP proxy too.
>
> Jason's advice is generally good, but gpg keyservers are notorious for handing off a key request to another key server. That creates a problem for my DLink DI-604e broadband firewall, because if the request is handed off, the response is now coming from another server that I didn't request things from. Now, if it was just port 11371 that would be fine, but I have observed some of them sending back ICMP packets on port 10, and I don't know how many ports they want open. So far, the only alternatives I can see are:
>
> [1] Don't allow the return to come back from any server other than one you sent the request to, much like a DNS server. I could care less if one key server talks to another key server - the only one that should be talking to me though, is the one I sent the request to. All unsolicited responses on ALL ports to IPs I didn't establish a connection with are BLOCKED. This is the DEFAULT for most of these broadband routers. I don't care if it is port 11371 or port 80. If I sent it out, a connection is established. If they hand it off to another keyserver, the connection is broken. It makes no difference what port is being used. The transfer broke the connection.
>
Yeah, since I can't open ports on my side, I can only get a direct response from the keyserver I asked for it (like HTTP).
> [2] Okay, they said to hell with me and they are going to allow the response to come back from ANY server, not necessarily the one I sent the request to. FINE. I have only one request if they do that, and that is they better peg ALL traffic to and from the keyservers to the port already allocated for GP which is 11371. I don't want to see an ICMP packet on port 10! The reason why is that on my side I have to do the following things:
>
> (a) Punch a hole through my firewall for port 11371 to come in from anybody. This would be permanent, since the firewalls running on the machines (iptables with Linux, ZoneAlarm with Windows, and PF with OpenBSD) will stop it cold anyway.
> (b) Put my machine into the DI-604e's DMZ.
> (c) Turn off iptables (it blocks it just as fast as the DI-604e or any other broadband router / switch / NAT / firewall will). I do my encryption / signing email on Linux.
> (d) NOW, send out the request, but it better be a WELL documented way in how this is done. As it stands now, I am NOT the only one that has problems.
> (e) If the request is successful, I can just start iptables and move myself back out of the DMZ.
>
> I don't want ANY other port other than 11371 opened up though, and I will NOT open up port 10. For that matter you can't ping my WAN port.
>
I really wish I could open up more ports.... But I'm not the owner/admin of the proxy server. So the only thing it will ever allow is outgoing requests to port 80.
> You will note that I am NOT a subscriber to the main list. Please forward this on to Jason Harris since I cannot see his email address anywhere in the digest.
>
Done
> Also, if you read the --multifile BS don't believe it. It isn't part of gpg (GnuPG) 1.2.3. It MAY be a part of newer versions. If he were on Windows I would understand it. He isn't. On BSD or Linux all you have to do in a shell script on 'nix machines is to type (everything after a '#' to the end of the line is a comment):
>
> for FILE in file1.txt file2.txt file3.doc   # etcetera
> do
>     if [ -s "$FILE" ]
>     then
>         gpg -a --encrypt -r KEYID < "$FILE" > "${FILE}.crypt"
>     fi
> done
>
> # or if you want the actual files themselves to be encrypted, and since
> # he is on BSD he has the srm command which Securely ReMoves the files:
>
> for FILE in file1.txt file2.txt file3.doc   # etcetera
> do
>     if [ -s "$FILE" ]
>     then
>         gpg -a --encrypt -r KEYID < "$FILE" > "${FILE}.crypt"
>         if [ -s "${FILE}.crypt" ]
>         then
>             srm "$FILE" ; sync ; sync
>             mv "${FILE}.crypt" "$FILE"
>         fi
>     fi
> done
>
> Cheerio
>
> HHH
>
>
Do you think I have a better chance on FreeBSD? (I do have a dualboot FreeBSD 5.1 and Windows 2000, but I use Windows for checking my email with Thunderbird).
- Grinny -
Real programmers don't comment their code. It was hard to write, it should be hard to understand.
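The two loops Henry quotes above judge success by whether the .crypt file is non-empty; what follows is an added example (not code from this thread) of the same encrypt-in-place procedure with that check replaced by gpg's exit status, and with the plaintext removed only after the ciphertext is fully written. It assumes gpg on the PATH, a KEYID present in the keyring, and an optional SRM environment variable naming a secure-remove tool such as srm (plain rm otherwise).

```shell
#!/bin/sh
# Added example (not from the thread): a tightened form of the encrypt-in-place
# loop quoted above. Variables are quoted, success is gpg's exit status rather
# than "the .crypt file is non-empty", ciphertext goes to a temp file and
# replaces the plaintext only on success, and KEYID/remover are parameters.
# Assumes gpg in PATH and KEYID in the keyring; SRM (optional env var) names a
# secure-remove tool such as srm, otherwise plain rm is used.
set -u

# encrypt_one FILE KEYID
# returns 0 when FILE was replaced by armoured ciphertext, 1 when gpg failed
# (FILE is left untouched), 2 when FILE is missing or empty.
encrypt_one() {
    file=$1
    keyid=$2
    [ -f "$file" ] && [ -s "$file" ] || return 2
    tmp="$file.crypt.$$"
    # --batch/--yes: never prompt. An unknown or untrusted recipient key then
    # fails loudly instead of leaving a zero-byte output behind.
    if gpg --batch --yes -a --encrypt -r "$keyid" --output "$tmp" "$file"; then
        "${SRM:-rm}" "$file"   # plaintext goes only after ciphertext exists
        sync
        mv "$tmp" "$file"
        return 0
    fi
    rm -f "$tmp"               # no half-written ciphertext on failure
    return 1
}

# encrypt_all KEYID FILE...
# returns the number of files that could not be encrypted (0 = all done).
encrypt_all() {
    keyid=$1
    shift
    failed=0
    for f in "$@"; do
        if ! encrypt_one "$f" "$keyid"; then
            failed=$((failed + 1))
            echo "not encrypted: $f" >&2
        fi
    done
    return "$failed"
}

# usage: sh encrypt_in_place.sh KEYID file1.txt file2.txt ...
if [ "$#" -ge 2 ]; then
    encrypt_all "$@"
fi
```

Overwrite-based removal, srm included, gives no guarantee on journaling filesystems or flash media, so treat the remover as best effort and the exit status as the real success signal.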