mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00

dirmngr: Change the default keyserver.

* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.

* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.

* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--

Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore.  Thus it is better to change them.

For https access, keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.

For http-based access the Dutch Surfnet keyserver is used.  However,
due to a non-standard TLS certificate this server can not easily be
made the default for https.

Note that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.

(cherry picked from commit 47c4e3e00a)
Werner Koch 2021-06-25 19:15:24 +02:00
parent 8b1fb97861
commit 55b5928099
GPG key ID: E3FDFF218E45B72B
7 changed files with 60 additions and 57 deletions

@ -47,7 +47,7 @@ gnupg_http_tls_verify_cb (void *opaque,
ksba_cert_t cert;
ksba_cert_t hostcert = NULL;
unsigned int validate_flags;
const char *hostname;
/* const char *hostname; */
(void)http;
(void)session;
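Review bot: commenting out `const char *hostname;` instead of deleting it leaves dead code in the declaration block, and the reason (the disabled pool-cert check further down) is not stated here. If the intent is to re-enable it later, as the commit message suggests, an `#if 0 ... #endif` pair around the declaration and its use, or a single `/* TODO: re-enable once a new keyserver infrastructure exists */` comment at the declaration, would make the temporary nature of the change visible at the point where a reader first meets it.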
@ -81,14 +81,16 @@ gnupg_http_tls_verify_cb (void *opaque,
* certificate. Note that this differes from the GnuTLS
* implementation which uses this special certificate only if no
* other certificates are configured. */
hostname = ntbtls_get_hostname (tls);
if (hostname
&& !ascii_strcasecmp (hostname, get_default_keyserver (1)))
{
validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
}
else /* Use the certificates as requested from the HTTP module. */
/* Disabled for 2.3.2 to due problems with the standard hkps pool. */
/* hostname = ntbtls_get_hostname (tls); */
/* if (hostname */
/* && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */
/* { */
/* validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */
/* } */
/* else */
{
/* Use the certificates as requested from the HTTP module. */
if ((http_flags & HTTP_FLAG_TRUST_CFG))
validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
if ((http_flags & HTTP_FLAG_TRUST_DEF))
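Review bot: the block comment kept at the top of this hunk ("... certificate. Note that this differes from the GnuTLS implementation which uses this special certificate only if no other certificates are configured.") now describes behaviour this function no longer has, since the `hostname`/`get_default_keyserver (1)` comparison that set `VALIDATE_FLAG_TRUST_HKPSPOOL` is commented out below it; the comment should be updated (and "differes" fixed) so it does not claim the pool certificate is still trusted for the default server. Disabling the check is the right call security-wise: with `DIRMNGR_DEFAULT_KEYSERVER` now pointing at keyserver.ubuntu.com, the old code would have applied the HKPS pool trust anchor to a host that is not part of that pool. Leaving the disabled lines as `/* ... */` comments also hides them from the compiler and from grep for `VALIDATE_FLAG_TRUST_HKPSPOOL`; prefer `#if 0 ... #endif` with the "Disabled for 2.3.2" note so the intended restore point stays obvious, and restore the `/* Use the certificates as requested from the HTTP module. */` comment to the line that precedes the brace rather than inside it, matching the original layout.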