searching for keys

kardan kardan at riseup.net
Sat Jul 13 23:56:49 CEST 2013


Hi,

When I search for a key via browser on [1] I get an unencrypted answer
from [2]. This happens for some keys that are only available on some
servers. The problem is that the info on whose key I am searching is
presented to sniffers in plaintext. I think the encrypted pool should
not forward to unencrypted web interfaces.

[1] https://hkps.pool.sks-keyservers.net/
[2] http://keyserver.stack.nl

Another but related issue on the command line:

$ gpg --search hkps.pool.sks-keyservers.net
gpg: searching for "hkps.pool.sks-keyservers.net" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP search error 60: server certificate verification failed.
CAfile: /usr/local/share/ca-certificates/sks-keyservers.netCA.crt
CRLfile: none
gpg: key "hkps.pool.sks-keyservers.net" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

The last three error messages are misleading and contradicting, but this
is just a gpg problem. Interesting is error 60 by gpgkeys. Calling curl
directly:

$ curl "https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net"
curl: (60) SSL certificate problem: unable to get local issuer certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

Which is the same output as for

$ curl "https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net" \
    --cacert /usr/local/share/ca-certificates/sks-keyservers.netCA.crt
$ curl "https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net" \
    --cacert /etc/ssl/certs/sks-keyservers.netCA.pem

Both files are identical and can be seen below, retrieved via

echo "QUIT" | openssl s_client -connect "$DOMAIN:443" 2>&1 | \
sed -ne "/^-----BEGIN CERTIFICATE/,/^-----END CERTIFICATE/p" > "$PEMFILE"


As suggested in [3] my gpg.conf contains the following. I found that I
can leave out the ca-cert-file option if the key has been added to the
bundle via update-ca-certificates:

auto-key-locate cert pka ldap hkps://hkps.pool.sks-keyservers.net
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url



What else needs to be done to retrieve gpg keys? A similar error
has been posted [4] on the curl list without an answer, maybe because
of the message "". It seems as if the problem is with the server
certificate, isn't it?
http://sks-keyservers.net/verify_tls.php

It would be great to have more meaningful error messages for gnupg,
also for "HTTP search error 77" when a wrong cert file is defined.

Thanks,
Kardan

[3] https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
[4] http://curl.haxx.se/mail/lib-2012-08/0100.html

ii  curl                                  7.31.0-2
ii  gnupg-curl                            1.4.12-7

SSL certificate for hkps.pool.sks-keyservers.net:




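The post's s_client pipeline, as written, captures only the certificate the server presents first (the leaf), and handing that file to --cacert or ca-cert-file yields exactly the "unable to get local issuer certificate" result quoted above. The following added example (editor's code, not part of the original post or of GnuPG/curl) makes that checkable offline: it builds a constructed throw-away CA and a leaf it signs for the made-up name hkps.example.invalid, then shows openssl verify accepting the leaf against the real CA file and rejecting both the leaf used as its own "CA" and a hostname mismatch. fetch_chain is the post's pipeline extended with -showcerts and needs network access, so the self-test does not call it.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a PEM file is
# usable as the CA file that curl --cacert / gpg's ca-cert-file expect.
set -eu

# verify_against_ca CAFILE CERT [HOSTNAME]: exit 0 if CERT chains to a
# root in CAFILE (and, when given, matches HOSTNAME); non-zero otherwise.
verify_against_ca() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# fetch_chain HOST: the post's s_client pipeline plus -showcerts, so the
# intermediate/root certificates are captured and not only the leaf.
# Needs network access, so the offline self-test below does not call it.
fetch_chain() {
    printf 'QUIT\n' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null |
        sed -ne '/^-----BEGIN CERTIFICATE/,/^-----END CERTIFICATE/p'
}

# make_fixture HOSTNAME: constructed test material, a throw-away CA and a
# leaf it signs for HOSTNAME. Prints the directory holding ca.pem/leaf.pem.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" 2>/dev/null
    echo "$dir"
}

# self_test: the CA file must accept the leaf; the leaf used as its own "CA"
# (what s_client without -showcerts gives you) and a wrong hostname must
# both be rejected. Returns 0 only if all three behave as expected.
self_test() {
    host=hkps.example.invalid
    d=$(make_fixture "$host")
    verify_against_ca "$d/ca.pem" "$d/leaf.pem" "$host" || return 1
    if verify_against_ca "$d/leaf.pem" "$d/leaf.pem"; then return 1; fi
    if verify_against_ca "$d/ca.pem" "$d/leaf.pem" "wrong.example.invalid"; then return 1; fi
    rm -rf "$d"
}

self_test && echo "self-test passed"
```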