From 55b5928099bafbd5409d3377a42259c11e394cd0 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 25 Jun 2021 19:15:24 +0200 Subject: [PATCH] dirmngr: Change the default keyserver. * configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to keyserver.ubuntu.com. * dirmngr/certcache.c (cert_cache_init): Disable default pool cert. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/http.c (http_session_new): Ditto. * dirmngr/server.c (make_keyserver_item): Use a different mapping for the gnupg.net names. -- Due to the unfortunate shutdown of the keyserver pool, the long term defaults won't work anymore. Thus it is better to change them. For https access keyserver.ubuntu.com is now used because it can be expected that this server can stand the load from newer gnupg LTS versions. For http based access the Dutch Surfnet keyserver is used. However due to a non-standard TLS certificate this server can not easily be made the default for https. Note: that the default server will be changed again as soon as a new connected keyserver infrastructure has been established. (cherry picked from commit 47c4e3e00a7ef55f954c14b3c237496e54a853c1) --- configure.ac | 2 +- dirmngr/certcache.c | 11 +++++---- dirmngr/http-ntbtls.c | 18 +++++++------- dirmngr/http.c | 55 +++++++++++++++++++++++-------------------- dirmngr/server.c | 16 ++++++------- doc/dirmngr.texi | 13 ++++------ doc/wks.texi | 2 +- 7 files changed, 60 insertions(+), 57 deletions(-) diff --git a/configure.ac b/configure.ac index 913aeb4e4..d03ea3bfe 100644 --- a/configure.ac +++ b/configure.ac @@ -1977,7 +1977,7 @@ AC_DEFINE_UNQUOTED(TPM2DAEMON_SOCK_NAME, "S.tpm2daemon", AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr", [The name of the dirmngr socket]) AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER, - "hkps://hkps.pool.sks-keyservers.net", + "hkps://keyserver.ubuntu.com", [The default keyserver for dirmngr to use, if none is explicitly given]) AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix]) diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c index bee1c44d6..4c2bf121f 100644 --- a/dirmngr/certcache.c +++ b/dirmngr/certcache.c @@ -724,11 +724,12 @@ cert_cache_init (strlist_t hkp_cacerts) /* Put the special pool certificate into our store. This is * currently only used with ntbtls. For GnuTLS http_session_new * unfortunately loads that certificate directly from the file. */ - fname = make_filename_try (gnupg_datadir (), - "sks-keyservers.netCA.pem", NULL); - if (fname) - load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1); - xfree (fname); + /* Disabled for 2.3.2 because the service had to be shutdown. */ + /* fname = make_filename_try (gnupg_datadir (), */ + /* "sks-keyservers.netCA.pem", NULL); */ + /* if (fname) */ + /* load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1); */ + /* xfree (fname); */ for (sl = hkp_cacerts; sl; sl = sl->next) load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0); diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c index ae5cf5519..2191acb60 100644 --- a/dirmngr/http-ntbtls.c +++ b/dirmngr/http-ntbtls.c @@ -47,7 +47,7 @@ gnupg_http_tls_verify_cb (void *opaque, ksba_cert_t cert; ksba_cert_t hostcert = NULL; unsigned int validate_flags; - const char *hostname; + /* const char *hostname; */ (void)http; (void)session; @@ -81,14 +81,16 @@ gnupg_http_tls_verify_cb (void *opaque, * certificate. Note that this differes from the GnuTLS * implementation which uses this special certificate only if no * other certificates are configured. */ - hostname = ntbtls_get_hostname (tls); - if (hostname - && !ascii_strcasecmp (hostname, get_default_keyserver (1))) - { - validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; - } - else /* Use the certificates as requested from the HTTP module. */ + /* Disabled for 2.3.2 to due problems with the standard hkps pool. */ + /* hostname = ntbtls_get_hostname (tls); */ + /* if (hostname */ + /* && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */ + /* { */ + /* validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */ + /* } */ + /* else */ { + /* Use the certificates as requested from the HTTP module. */ if ((http_flags & HTTP_FLAG_TRUST_CFG)) validate_flags |= VALIDATE_FLAG_TRUST_CONFIG; if ((http_flags & HTTP_FLAG_TRUST_DEF)) diff --git a/dirmngr/http.c b/dirmngr/http.c index dc1873448..73606c01c 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -761,35 +761,38 @@ http_session_new (http_session_t *r_session, goto leave; } - is_hkps_pool = (intended_hostname - && !ascii_strcasecmp (intended_hostname, - get_default_keyserver (1))); + /* Disabled for 2.3.2 to due problems with the standard hkps pool. */ + /* is_hkps_pool = (intended_hostname */ + /* && !ascii_strcasecmp (intended_hostname, */ + /* get_default_keyserver (1))); */ + is_hkps_pool = 0; /* If we are looking for the hkps pool from sks-keyservers.net, * then forcefully use its dedicated certificate authority. */ - if (is_hkps_pool) - { - char *pemname = make_filename_try (gnupg_datadir (), - "sks-keyservers.netCA.pem", NULL); - if (!pemname) - { - err = gpg_error_from_syserror (); - log_error ("setting CA from file '%s' failed: %s\n", - pemname, gpg_strerror (err)); - } - else - { - rc = gnutls_certificate_set_x509_trust_file - (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); - if (rc < 0) - log_info ("setting CA from file '%s' failed: %s\n", - pemname, gnutls_strerror (rc)); - xfree (pemname); - } - - if (is_hkps_pool) - add_system_cas = 0; - } + /* Disabled for 2.3.2 because the service had to be shutdown. */ + /* if (is_hkps_pool) */ + /* { */ + /* char *pemname = make_filename_try (gnupg_datadir (), */ + /* "sks-keyservers.netCA.pem", NULL); */ + /* if (!pemname) */ + /* { */ + /* err = gpg_error_from_syserror (); */ + /* log_error ("setting CA from file '%s' failed: %s\n", */ + /* pemname, gpg_strerror (err)); */ + /* } */ + /* else */ + /* { */ + /* rc = gnutls_certificate_set_x509_trust_file */ + /* (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); */ + /* if (rc < 0) */ + /* log_info ("setting CA from file '%s' failed: %s\n", */ + /* pemname, gnutls_strerror (rc)); */ + /* xfree (pemname); */ + /* } */ + /* */ + /* if (is_hkps_pool) */ + /* add_system_cas = 0; */ + /* } */ /* Add configured certificates to the session. */ if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool) diff --git a/dirmngr/server.c b/dirmngr/server.c index 2880dcb47..ced92de21 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -2138,22 +2138,22 @@ make_keyserver_item (const char *uri, uri_item_t *r_item) */ if (!strcmp (uri, "hkps://keys.gnupg.net") || !strcmp (uri, "keys.gnupg.net")) - uri = "hkps://hkps.pool.sks-keyservers.net"; + uri = "hkps://keyserver.ubuntu.com"; else if (!strcmp (uri, "https://keys.gnupg.net")) - uri = "https://hkps.pool.sks-keyservers.net"; + uri = "hkps://keyserver.ubuntu.com"; else if (!strcmp (uri, "hkp://keys.gnupg.net")) - uri = "hkp://hkps.pool.sks-keyservers.net"; + uri = "hkp://pgp.surf.nl"; else if (!strcmp (uri, "http://keys.gnupg.net")) - uri = "http://hkps.pool.sks-keyservers.net"; + uri = "hkp://pgp.surf.nl:80"; else if (!strcmp (uri, "hkps://http-keys.gnupg.net") || !strcmp (uri, "http-keys.gnupg.net")) - uri = "hkps://ha.pool.sks-keyservers.net"; + uri = "hkps://keyserver.ubuntu.com"; else if (!strcmp (uri, "https://http-keys.gnupg.net")) - uri = "https://ha.pool.sks-keyservers.net"; + uri = "hkps://keyserver.ubuntu.com"; else if (!strcmp (uri, "hkp://http-keys.gnupg.net")) - uri = "hkp://ha.pool.sks-keyservers.net"; + uri = "hkp://pgp.surf.nl"; else if (!strcmp (uri, "http://http-keys.gnupg.net")) - uri = "http://ha.pool.sks-keyservers.net"; + uri = "hkp://pgp.surf.nl:80"; item = xtrymalloc (sizeof *item + strlen (uri)); if (!item) diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index a9237edee..1638d7d84 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -321,9 +321,8 @@ provided. These are the same as the @option{--keyserver-options} of @command{gpg}, but apply only to this particular keyserver. Most keyservers synchronize with each other, so there is generally no -need to send keys to more than one server. The keyserver -@code{hkp://keys.gnupg.net} uses round robin DNS to give a different -keyserver each time you use it. +need to send keys to more than one server. Somes keyservers use round +robin DNS to give a different keyserver each time you use it. If exactly two keyservers are configured and only one is a Tor hidden service (.onion), Dirmngr selects the keyserver to use depending on @@ -331,7 +330,7 @@ whether Tor is locally running or not. The check for a running Tor is done for each new connection. If no keyserver is explicitly configured, dirmngr will use the -built-in default of @code{hkps://hkps.pool.sks-keyservers.net}. +built-in default of @code{https://keyserver.ubuntu.com}. Windows users with a keyserver running on their Active Directory may use the short form @code{ldap:///} for @var{name} to access this directory. @@ -596,10 +595,8 @@ the file is in PEM format a suffix of @code{.pem} is expected for @var{file}. This option may be given multiple times to add more root certificates. Tilde expansion is supported. -If no @code{hkp-cacert} directive is present, dirmngr will make a -reasonable choice: if the keyserver in question is the special pool -@code{hkps.pool.sks-keyservers.net}, it will use the bundled root -certificate for that pool. Otherwise, it will use the system CAs. +If no @code{hkp-cacert} directive is present, dirmngr will use the +system CAs. @end table diff --git a/doc/wks.texi b/doc/wks.texi index ad239f132..48e534b7d 100644 --- a/doc/wks.texi +++ b/doc/wks.texi @@ -57,7 +57,7 @@ Directory. @mansect description The @command{gpg-wks-client} is used to send requests to a Web Key -Service provider. This is usuallay done to upload a key into a Web +Service provider. This is usually done to upload a key into a Web Key Directory. With the @option{--supported} command the caller can test whether a