[Sks-devel] SRV records and HKPS requests
Phil Pennock
sks-devel-phil at spodhuis.org
Mon Dec 3 01:59:58 CET 2012
On 2012-12-02 at 10:23 -0500, David Shaw wrote:
> On Oct 6, 2012, at 10:20 PM, Phil Pennock <sks-devel-phil at spodhuis.org> wrote:
> > GnuPG folks (since this is cross-posted, if my mail makes it through):
> >
> > there is a bug in GnuPG's SRV handling, I've identified where I think
> > it is, it's in the second block of text from me; the first part of this
> > mail relates to SKS and some policy issues around the new keyserver
> > pool Kristian has added.
>
> Somehow I didn't notice this mail when it originally came through. Anyway, thanks for the report. Clearly the port supplied in the SRV should be honored.
>
> Can you try the attached patch (against 2.0)?
Might be a sleep issue, but I'm having trouble persuading gpg2 to use
gpgkeys_hkp instead of gpgkeys_curl, or even telling them apart from
"--keyserver-options debug,verbose" output.
I'm going to bail and grab coffee, but here's what I have for testing,
which should make it easy for you to test too.
For testing, I have:
keyserver.spodhuis.org:
A, AAAA, and SRV records _pgpkey-http/_pgpkey-https
keytest.spodhuis.org:
just the SRV records, pointing to keyserver.spodhuis.org
all on non-standard ports:
----------------------------8< cut here >8------------------------------
keyserver IN A 94.142.241.93
keyserver IN AAAA 2a02:898:31:0:48:4558:73:6b73
_pgpkey-http._tcp.keyserver IN SRV 10 10 11374 keyserver
_pgpkey-https._tcp.keyserver IN SRV 10 10 11373 keyserver
_pgpkey-http._tcp.keytest IN SRV 10 10 11374 keyserver
_pgpkey-https._tcp.keytest IN SRV 10 10 11373 keyserver
----------------------------8< cut here >8------------------------------
There is a proxy (nginx) listening on both ports, it will insert a
correct identifying Via: header to confirm from the server-side which
port was used, and the cert presented on 11373 is my normal cert, which
should match names. You can grab the CA from:
https://www.security.spodhuis.org/CA/globnixCA3.crt
for use as --keyserver-options ca-cert-file=/.../globnixCA3.crt
----------------------------8< cut here >8------------------------------
% ls -ld =gpg2
-r-xr-xr-x 1 root wheel 685696 Dec 2 19:33 /usr/local/bin/gpg2
% gpg2 --keyserver-options debug,verbose --keyserver hkp://keytest.spodhuis.org/ --recv-key $gpg_key
gpg: requesting key 0x403043153903637F from hkp server keytest.spodhuis.org
gpgkeys: curl version = GnuPG curl-shim
Host: keytest.spodhuis.org
Command: GET
* HTTP proxy is "null"
* HTTP URL is "http://keytest.spodhuis.org:11371/pks/lookup?op=get&options=mr&search=0x403043153903637F"
* HTTP auth is "null"
* HTTP method is GET
gpg: key 0x403043153903637F: "Phil Pennock <phil.pennock at globnix.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
----------------------------8< cut here >8------------------------------
Yeah, I installed the patched version as the system gpg2. I built with
FreeBSD Ports, which has gnupg-2.0.19, by doing:
make patch
patch -p1 <~/bug1446.patch
make
make FORCE_PKG_REGISTER=t install
What am I doing wrong?
Thanks,
-Phil
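The point at issue in the thread is that a client following an SRV record for _pgpkey-http/_pgpkey-https must connect to the SRV target on the SRV-supplied port, not the scheme's default port (11371 for hkp). The following is an added illustration, not GnuPG's or SKS's code: it parses the zone fragment quoted above (constructed copy, origin spodhuis.org assumed), picks a record per RFC 2782 (lowest priority, weighted choice among ties, a target of "." meaning the service is explicitly not offered), and builds the /pks/lookup URL both correctly and with the reported defect reproduced by the `honor_srv_port=False` switch, which is a hypothetical flag for comparison only.

```python
"""Resolve HKP/HKPS endpoints from SRV records and build the lookup URL.

Added example, not GnuPG code. The zone text below is a constructed copy of the
records posted in the thread; the origin "spodhuis.org" is an assumption.
"""
import random
from dataclasses import dataclass

DEFAULT_PORTS = {"hkp": 11371, "hkps": 443}          # scheme defaults
SRV_SERVICE = {"hkp": "_pgpkey-http", "hkps": "_pgpkey-https"}

# Constructed zone fragment (mirrors the thread; "$ORIGIN spodhuis.org" assumed).
ZONE = """
keyserver IN A 94.142.241.93
keyserver IN AAAA 2a02:898:31:0:48:4558:73:6b73
_pgpkey-http._tcp.keyserver IN SRV 10 10 11374 keyserver
_pgpkey-https._tcp.keyserver IN SRV 10 10 11373 keyserver
_pgpkey-http._tcp.keytest IN SRV 10 10 11374 keyserver
_pgpkey-https._tcp.keytest IN SRV 10 10 11373 keyserver
"""

# Constructed zone where the operator says "no HKP service here" (RFC 2782 "." target).
ZONE_REFUSED = "_pgpkey-http._tcp.nohkp IN SRV 0 0 0 .\n"


@dataclass(frozen=True)
class SRVRecord:
    priority: int
    weight: int
    port: int
    target: str   # fully qualified, no trailing dot; "." means "not offered"


def parse_zone(text, origin):
    """Parse '<owner> IN <type> <rdata...>' lines into {fqdn: [(type, rdata)]}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner = f"{parts[0]}.{origin}".lower()
        records.setdefault(owner, []).append((parts[2], parts[3:]))
    return records


def lookup_srv(records, scheme, host, origin):
    """Return the SRV records for _pgpkey-http(s)._tcp.<host>, targets qualified."""
    name = f"{SRV_SERVICE[scheme]}._tcp.{host}".lower()
    out = []
    for rtype, rdata in records.get(name, []):
        if rtype != "SRV":
            continue
        prio, weight, port, target = rdata
        if target != ".":
            if not target.endswith("."):
                target = f"{target}.{origin}"
            target = target.rstrip(".")
        out.append(SRVRecord(int(prio), int(weight), int(port), target))
    return out


def select_srv(srvs):
    """RFC 2782 selection: lowest priority first, weighted random among ties."""
    if not srvs:
        return None
    best = min(s.priority for s in srvs)
    candidates = [s for s in srvs if s.priority == best]
    total = sum(s.weight for s in candidates)
    if total == 0:
        return random.choice(candidates)
    pick, acc = random.uniform(0, total), 0
    for s in candidates:
        acc += s.weight
        if pick <= acc:
            return s
    return candidates[-1]


def build_lookup_url(records, scheme, host, keyid, origin, honor_srv_port=True):
    """Build the /pks/lookup URL for a key id.

    honor_srv_port=False deliberately reproduces the defect from the thread:
    the SRV target is used but the port falls back to the scheme default.
    """
    target, port = host, DEFAULT_PORTS[scheme]
    srv = select_srv(lookup_srv(records, scheme, host, origin))
    if srv is not None:
        if srv.target == ".":
            raise LookupError(f"{host} explicitly offers no {scheme} service")
        target = srv.target
        if honor_srv_port:
            port = srv.port
    http_scheme = "https" if scheme == "hkps" else "http"
    return f"{http_scheme}://{target}:{port}/pks/lookup?op=get&options=mr&search=0x{keyid}"


if __name__ == "__main__":
    recs = parse_zone(ZONE, "spodhuis.org")
    for scheme in ("hkp", "hkps"):
        print(build_lookup_url(recs, scheme, "keytest.spodhuis.org", "403043153903637F", "spodhuis.org"))
    print(build_lookup_url(recs, "hkp", "keytest.spodhuis.org", "403043153903637F", "spodhuis.org",
                           honor_srv_port=False))   # the defective form
```

For keytest.spodhuis.org the correct hkp URL lands on keyserver.spodhuis.org:11374 and the hkps URL on :11373, so the nginx Via: header described above would show which port was hit; the defective form produces port 11371, which is what the quoted gpg2 output shows. For hkps, note that the host the connection is actually made to is the SRV target, so that is the name the presented certificate has to cover in this model, consistent with the remark that the cert on 11373 matches the keyserver name.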