dirmngr: Change the default keyserver.

* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to keyserver.ubuntu.com. * dirmngr/certcache.c (cert_cache_init): Disable default pool cert. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/http.c (http_session_new): Ditto. * dirmngr/server.c (make_keyserver_item): Use a different mapping for the gnupg.net names. -- Due to the unfortunate shutdown of the keyserver pool, the long term defaults won't work anymore. Thus it is better to change them. For https access keyserver.ubuntu.com is now used because it can be expected that this server can stand the load from newer gnupg LTS versions. For http based access the Dutch Surfnet keyserver is used. However due to a non-standard TLS certificate this server can not easily be made the default for https. Note: that the default server will be changed again as soon as a new connected keyserver infrastructure has been established.
2025-07-02 22:46:30 +02:00 · 2021-06-25 19:15:24 +02:00 · 2021-06-25 19:15:24 +02:00 · 47c4e3e00a
commit 47c4e3e00a
parent 5fe4b97887
7 changed files with 60 additions and 57 deletions
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@ -724,11 +724,12 @@ cert_cache_init (strlist_t hkp_cacerts)
  /* Put the special pool certificate into our store.  This is
   * currently only used with ntbtls.  For GnuTLS http_session_new
   * unfortunately loads that certificate directly from the file.  */
-  fname = make_filename_try (gnupg_datadir (),
-                             "sks-keyservers.netCA.pem", NULL);
-  if (fname)
-    load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1);
-  xfree (fname);
+  /* Disabled for 2.2.29 because the service had to be shutdown.  */
+  /* fname = make_filename_try (gnupg_datadir (), */
+  /*                            "sks-keyservers.netCA.pem", NULL); */
+  /* if (fname) */
+  /*   load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1); */
+  /* xfree (fname); */

  for (sl = hkp_cacerts; sl; sl = sl->next)
    load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0);
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@ -47,7 +47,7 @@ gnupg_http_tls_verify_cb (void *opaque,
  ksba_cert_t cert;
  ksba_cert_t hostcert = NULL;
  unsigned int validate_flags;
-  const char *hostname;
+  /* const char *hostname; */

  (void)http;
  (void)session;
@ -81,14 +81,16 @@ gnupg_http_tls_verify_cb (void *opaque,
   * certificate.  Note that this differes from the GnuTLS
   * implementation which uses this special certificate only if no
   * other certificates are configured. */
-  hostname = ntbtls_get_hostname (tls);
-  if (hostname
-      && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
-    {
-      validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
-    }
-  else /* Use the certificates as requested from the HTTP module.  */
+  /* Disabled for 2.2.19 to due problems with the standard hkps pool.  */
+  /* hostname = ntbtls_get_hostname (tls); */
+  /* if (hostname */
+  /*     && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */
+  /*   { */
+  /*     validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */
+  /*   } */
+  /* else */
    {
+      /* Use the certificates as requested from the HTTP module.  */
      if ((http_flags & HTTP_FLAG_TRUST_CFG))
        validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
      if ((http_flags & HTTP_FLAG_TRUST_DEF))
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@ -766,35 +766,38 @@ http_session_new (http_session_t *r_session,
        goto leave;
      }

-    is_hkps_pool = (intended_hostname
-                    && !ascii_strcasecmp (intended_hostname,
-                                          get_default_keyserver (1)));
+    /* Disabled for 2.2.19 to due problems with the standard hkps pool.  */
+    /* is_hkps_pool = (intended_hostname */
+    /*                 && !ascii_strcasecmp (intended_hostname, */
+    /*                                       get_default_keyserver (1))); */
+    is_hkps_pool = 0;

    /* If we are looking for the hkps pool from sks-keyservers.net,
     * then forcefully use its dedicated certificate authority.  */
-    if (is_hkps_pool)
-      {
-        char *pemname = make_filename_try (gnupg_datadir (),
-                                           "sks-keyservers.netCA.pem", NULL);
-        if (!pemname)
-          {
-            err = gpg_error_from_syserror ();
-            log_error ("setting CA from file '%s' failed: %s\n",
-                       pemname, gpg_strerror (err));
-          }
-        else
-          {
-            rc = gnutls_certificate_set_x509_trust_file
-              (sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
-            if (rc < 0)
-              log_info ("setting CA from file '%s' failed: %s\n",
-                        pemname, gnutls_strerror (rc));
-            xfree (pemname);
-          }
-
-        if (is_hkps_pool)
-          add_system_cas = 0;
-      }
+    /* Disabled for 2.2.29 because the service had to be shutdown.  */
+    /* if (is_hkps_pool) */
+    /*   { */
+    /*     char *pemname = make_filename_try (gnupg_datadir (), */
+    /*                                        "sks-keyservers.netCA.pem", NULL); */
+    /*     if (!pemname) */
+    /*       { */
+    /*         err = gpg_error_from_syserror (); */
+    /*         log_error ("setting CA from file '%s' failed: %s\n", */
+    /*                    pemname, gpg_strerror (err)); */
+    /*       } */
+    /*     else */
+    /*       { */
+    /*         rc = gnutls_certificate_set_x509_trust_file */
+    /*           (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); */
+    /*         if (rc < 0) */
+    /*           log_info ("setting CA from file '%s' failed: %s\n", */
+    /*                     pemname, gnutls_strerror (rc)); */
+    /*         xfree (pemname); */
+    /*       } */
+    /*         */
+    /*     if (is_hkps_pool) */
+    /*       add_system_cas = 0; */
+    /*   } */

    /* Add configured certificates to the session.  */
    if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@ -2138,22 +2138,22 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
   */
  if (!strcmp (uri, "hkps://keys.gnupg.net")
      || !strcmp (uri, "keys.gnupg.net"))
-    uri = "hkps://hkps.pool.sks-keyservers.net";
+    uri = "hkps://keyserver.ubuntu.com";
  else if (!strcmp (uri, "https://keys.gnupg.net"))
-    uri = "https://hkps.pool.sks-keyservers.net";
+    uri = "hkps://keyserver.ubuntu.com";
  else if (!strcmp (uri, "hkp://keys.gnupg.net"))
-    uri = "hkp://hkps.pool.sks-keyservers.net";
+    uri = "hkp://pgp.surf.nl";
  else if (!strcmp (uri, "http://keys.gnupg.net"))
-    uri = "http://hkps.pool.sks-keyservers.net";
+    uri = "hkp://pgp.surf.nl:80";
  else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
           || !strcmp (uri, "http-keys.gnupg.net"))
-    uri = "hkps://ha.pool.sks-keyservers.net";
+    uri = "hkps://keyserver.ubuntu.com";
  else if (!strcmp (uri, "https://http-keys.gnupg.net"))
-    uri = "https://ha.pool.sks-keyservers.net";
+    uri = "hkps://keyserver.ubuntu.com";
  else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
-    uri = "hkp://ha.pool.sks-keyservers.net";
+    uri = "hkp://pgp.surf.nl";
  else if (!strcmp (uri, "http://http-keys.gnupg.net"))
-    uri = "http://ha.pool.sks-keyservers.net";
+    uri = "hkp://pgp.surf.nl:80";

  item = xtrymalloc (sizeof *item + strlen (uri));
  if (!item)