[Sks-devel] SRV records and HKPS requests

David Shaw dshaw at jabberwocky.com
Mon Dec 3 05:46:02 CET 2012

On Dec 2, 2012, at 7:59 PM, Phil Pennock <sks-devel-phil at spodhuis.org> wrote:

> On 2012-12-02 at 10:23 -0500, David Shaw wrote:
>> On Oct 6, 2012, at 10:20 PM, Phil Pennock <sks-devel-phil at spodhuis.org> wrote:
>>> GnuPG folks (since this is cross-posted, if my mail makes it through):
>>> there is a bug in GnuPG's SRV handling, I've identified where I think
>>> it is, it's in the second block of text from me; the first part of this
>>> mail relates to SKS and some policy issues around the new keyserver
>>> pool Kristian has added.
>> Somehow I didn't notice this mail when it originally came through.  Anyway, thanks for the report.  Clearly the port supplied in the SRV should be honored.
>> Can you try the attached patch (against 2.0)?
> Might be a sleep issue, but I'm having trouble persuading gpg2 to use
> gpgkeys_hkp instead of gpgkeys_curl, or even telling them apart from
> "--keyserver-options debug,verbose" output.
> I'm going to bail and grab coffee, but here's what I have for testing,
> which should make it easy for you to test too.

Hmm.  Were you intending to test with the internal HTTP support or with libcurl?  You're currently built with internal support:

> gpgkeys: curl version = GnuPG curl-shim

Looking at the internal support, it seems not to work on platforms with getaddrinfo(), which is odd as that part works in the 1.4 code.  Anyway, try the attached patch in addition to the original one, and you should hopefully have better results.  I also fixed an issue where the Host: header was not being set correctly after a SRV.  It seems to me that like SNI, the Host header should be the SRV name, and thus should never have a :port attached.

I tried talking to keytest.spodhuis.org to test, but all the ports returned in the SRV were not listening.  Or at least, not listening to me ;)

$ telnet keyserver.spodhuis.org 11373
telnet: connect to address Connection refused

$ telnet keyserver.spodhuis.org 11374
telnet: connect to address Connection refused


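Worked example of the client behaviour this reply argues for: honour the port returned in the SRV record, pick a target by RFC 2782 priority/weight, and keep the Host header (like SNI) as the name the user asked for, with no :port attached. This is an added example, not GnuPG's or Phil Pennock's code; the SRV answer, hostnames and key id below are constructed, and the `_hkp._tcp` service label is an assumption rather than something the thread states.

```python
"""Added example (not GnuPG code): applying an SRV answer to an HKP/HKPS request."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV RR as returned by the resolver (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


def srv_name(service: str, proto: str, domain: str) -> str:
    # RFC 2782 owner name: _service._proto.domain (label choice is an assumption)
    return f"_{service}._{proto}.{domain}"


def select_srv(records, rng=random.random):
    """RFC 2782 selection: lowest priority wins; ties are broken by weighted random."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        # all weights zero: any candidate is acceptable
        return candidates[0]
    pick = rng() * total
    running = 0
    for r in candidates:
        running += r.weight
        if pick < running:
            return r
    return candidates[-1]


def resolve_endpoint(queried_host, default_port, records, rng=random.random):
    """Return (connect_host, connect_port, host_header).

    The TCP connection goes to the SRV target and the SRV port (the bug the
    thread is about was ignoring that port).  The Host header, like SNI, is
    the name the user configured, never the SRV target and never with :port.
    """
    rec = select_srv(records, rng)
    if rec is None or rec.target == ".":
        # no SRV, or target "." meaning "service not offered": fall back to
        # an ordinary lookup of the queried name on the scheme's default port
        return queried_host, default_port, queried_host
    return rec.target, rec.port, queried_host


def hkp_lookup_request(queried_host, keyid, records, scheme="hkp", rng=random.random):
    """Build the connect tuple and the HTTP/1.1 request for a key lookup."""
    default_port = 11371 if scheme == "hkp" else 443
    host, port, host_hdr = resolve_endpoint(queried_host, default_port, records, rng)
    request = (
        f"GET /pks/lookup?op=get&search={keyid} HTTP/1.1\r\n"
        f"Host: {host_hdr}\r\n"
        f"Connection: close\r\n\r\n"
    )
    return host, port, request


# Constructed SRV answer for _hkp._tcp.keyserver.example (not real DNS data).
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=50, port=11373, target="a.keyserver.example"),
    SrvRecord(priority=10, weight=50, port=11374, target="b.keyserver.example"),
    SrvRecord(priority=20, weight=0, port=11371, target="c.keyserver.example"),
]

if __name__ == "__main__":
    host, port, req = hkp_lookup_request("keyserver.example", "0xDEADBEEF", SAMPLE_SRV)
    print(f"connect to {host}:{port}")
    print(req)
```

The point to check when testing a client against a pool with an SRV record: the TCP connection must go to the port from the record (11373 or 11374 here, not 11371), while the request still says `Host: keyserver.example` rather than the target name or `keyserver.example:11373`.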