[Sks-devel] pool.sks-keyservers.net issues (was: Questions about OpenPGP best practices)

Phil Pennock sks-devel-phil at spodhuis.org
Thu Feb 28 00:50:27 CET 2013


On 2013-02-27 at 10:57 +0100, Niels Laukens wrote:
> Apologies for cross-posting to both mailing lists, but since I got
> replies via both ways I feel this is the easiest way to sync them.

Current status: Kristian and I have debugged and he found the core
issue.  If I load down my server, we can sometimes see my server with
the same symptom, so it's timing-sensitive.

It is the half-close you saw: GnuPG with curl-shim is the only thing
doing this and it's the common factor.  nginx as a proxy will drop the
request if it sees the connection half-closed before it passes the
request onto the backend.

Half-closing an HTTP request connection is into a very grey area of the
HTTP specification, with some strong opinions all around based on "it's
classic TCP" to "it's not in HTTP", etc.  The nginx authors think it's a
problem to allow it.

There's a proxy_ignore_client_abort option for nginx, which is broken at
various times in the nginx source tree.

The best fix is to use gpg with a real cURL library.  Separately, for
maximum compatibility, gnupg's curl-shim should stop half-closing the
TCP connections used, and behave more like curl does.

Separately from that, we're trying to find ways to configure nginx and
establish a best-practice configuration which avoids exposing this
issue.

So:
 (1) there's a corner-case interaction of TCP/HTTP and half-closes
 (2) there's a build work-around for end-sites of the client software
 (3) there's a code change for the client software that avoids the issue
 (4) we're working on server configuration fixes to avoid the issue too

(4) is the only thing that will help currently deployed software bases.
(3) is the only thing that will keep the issue reliably fixed going
    forward.
(2) means people encountering it can work around it now.
(1) sucks, because I for one like the signalling done and the model used
    in TCP and used by the GnuPG developers.  It's very clear, "we're
    not going to send anything else".  Unfortunately, it's causing
    real-world interoperability issues.  :-(

-Phil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
URL: </pipermail/attachments/20130227/d700be32/attachment-0001.pgp>


More information about the Gnupg-users mailing list