dirmngr: Add warning on the use of --add-servers.

* tools/gpgconf-comp.c (known_options_dirmngr): Degrade add-servers to expert mode.
2020-10-05 17:24:57 +02:00 · 2020-10-05 17:24:57 +02:00 · 210575d882
parent ff31dde456
commit 210575d882
3 changed files with 21 additions and 11 deletions
--- a/dirmngr/ldap.c
+++ b/dirmngr/ldap.c
@ -433,7 +433,12 @@ make_url (char **url, const char *dn, const char *filter)
  gpg_error_t err;
  char *u_dn, *u_filter;
  char const attrs[] = (USERCERTIFICATE ","
-/*                         USERSMIMECERTIFICATE "," */
+                        /* In 2005 wk mentioned in the changelog that
+                         * work on the userSMIMECertificate has
+                         * started but it seems that no further
+                         * progress was made or the whole thing was
+                         * simply forgotten.  */
+                        /* USERSMIMECERTIFICATE "," */
                        CACERTIFICATE ","
                        X509CACERT );

--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@ -434,17 +434,22 @@ out.  The default are 15 seconds.  0 will never timeout.
@opindex add-servers
 This option makes dirmngr add any servers it discovers when validating
 certificates against CRLs to the internal list of servers to consult for
-certificates and CRLs.
+certificates and CRLs.  This option should in general not be used.

-This option is useful when trying to validate a certificate that has
-a CRL distribution point that points to a server that is not already
-listed in the ldapserverlist. Dirmngr will always go to this server and
-try to download the CRL, but chances are high that the certificate used
-to sign the CRL is located on the same server. So if dirmngr doesn't add
-that new server to list, it will often not be able to verify the
-signature of the CRL unless the @code{--add-servers} option is used.
+This option might be useful when trying to validate a certificate that
+has a CRL distribution point that points to a server that is not
+already listed in the ldapserverlist.  Dirmngr will always go to this
+server and try to download the CRL, but chances are high that the
+certificate used to sign the CRL is located on the same server. So if
+dirmngr doesn't add that new server to list, it will often not be able
+to verify the signature of the CRL unless the @code{--add-servers}
+option is used.

-Note: The current version of dirmngr has this option disabled by default.
+Caveat emptor: Using this option may enable denial-of-service attacks
+and leak search requests to unknown third parties.  This is because
+arbitrary servers are added to the internal list of LDAP servers which
+in turn is used for all unspecific LDAP queries as well as a fallback
+for queries which did not return a result.


@item --allow-ocsp
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@ -470,7 +470,7 @@ static known_option_t known_options_dirmngr[] =
   { "ignore-ldap-dp",    GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
   { "ldap-proxy",        GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
   { "only-ldap-proxy",   GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
-   { "add-servers",       GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
+   { "add-servers",       GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
   { "ldaptimeout",       GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
   { "max-replies",       GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
   { "allow-ocsp",        GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },