dirmngr: Change the default keyserver.

* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.

* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.

* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--

Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore.  Thus it is better to change them.

For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.

For http based access the Dutch Surfnet keyserver is used.  However
due to a non-standard TLS certificate this server can not easily be
made the default for https.

Note that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.

(cherry picked from commit 47c4e3e00a)
Werner Koch 2021-06-25 19:15:24 +02:00
parent 8b1fb97861
commit 55b5928099
7 changed files with 60 additions and 57 deletions


@ -1977,7 +1977,7 @@ AC_DEFINE_UNQUOTED(TPM2DAEMON_SOCK_NAME, "S.tpm2daemon",
AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr", AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr",
[The name of the dirmngr socket]) [The name of the dirmngr socket])
AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER, AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER,
"hkps://hkps.pool.sks-keyservers.net", "hkps://keyserver.ubuntu.com",
[The default keyserver for dirmngr to use, if none is explicitly given]) [The default keyserver for dirmngr to use, if none is explicitly given])
AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix]) AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
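Review bot: The new default is spelled `hkps://keyserver.ubuntu.com` here but `https://keyserver.ubuntu.com` in the doc/dirmngr.texi hunk of this commit; dirmngr may treat the two schemes alike for keyservers, but the documented default should match the define literally, so one of the two lines should be changed. The server.c hunk maps the `https://keys.gnupg.net` alias to the `hkps://` form, which suggests the define is the intended spelling and the texi line is the one to adjust.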


@ -724,11 +724,12 @@ cert_cache_init (strlist_t hkp_cacerts)
/* Put the special pool certificate into our store. This is /* Put the special pool certificate into our store. This is
* currently only used with ntbtls. For GnuTLS http_session_new * currently only used with ntbtls. For GnuTLS http_session_new
* unfortunately loads that certificate directly from the file. */ * unfortunately loads that certificate directly from the file. */
fname = make_filename_try (gnupg_datadir (), /* Disabled for 2.3.2 because the service had to be shutdown. */
"sks-keyservers.netCA.pem", NULL); /* fname = make_filename_try (gnupg_datadir (), */
if (fname) /* "sks-keyservers.netCA.pem", NULL); */
load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1); /* if (fname) */
xfree (fname); /* load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1); */
/* xfree (fname); */
for (sl = hkp_cacerts; sl; sl = sl->next) for (sl = hkp_cacerts; sl; sl = sl->next)
load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0); load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0);
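Review bot: The comment at the top of this hunk (`Put the special pool certificate into our store ...`) still describes behaviour the new code no longer performs, because the load of `sks-keyservers.netCA.pem` is now commented out; it should be rewritten, e.g. `/* The bundled sks-keyservers.net pool CA is no longer loaded (pool shut down, 2.3.2); only the hkp-cacert files below are added here. */`. Keeping the old block as `/* ... */` text rather than deleting it (git keeps the history) also hides that, within this function, `CERTTRUST_CLASS_HKPSPOOL` is no longer populated, which is worth stating in that comment. If `fname` is declared in cert_cache_init only for this block, it is now unused and will trigger an unused-variable warning; its declaration is outside the hunk, so please check. The function continues outside the hunk.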


@ -47,7 +47,7 @@ gnupg_http_tls_verify_cb (void *opaque,
ksba_cert_t cert; ksba_cert_t cert;
ksba_cert_t hostcert = NULL; ksba_cert_t hostcert = NULL;
unsigned int validate_flags; unsigned int validate_flags;
const char *hostname; /* const char *hostname; */
(void)http; (void)http;
(void)session; (void)session;
@ -81,14 +81,16 @@ gnupg_http_tls_verify_cb (void *opaque,
* certificate. Note that this differes from the GnuTLS * certificate. Note that this differes from the GnuTLS
* implementation which uses this special certificate only if no * implementation which uses this special certificate only if no
* other certificates are configured. */ * other certificates are configured. */
hostname = ntbtls_get_hostname (tls); /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
if (hostname /* hostname = ntbtls_get_hostname (tls); */
&& !ascii_strcasecmp (hostname, get_default_keyserver (1))) /* if (hostname */
{ /* && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */
validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; /* { */
} /* validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */
else /* Use the certificates as requested from the HTTP module. */ /* } */
/* else */
{ {
/* Use the certificates as requested from the HTTP module. */
if ((http_flags & HTTP_FLAG_TRUST_CFG)) if ((http_flags & HTTP_FLAG_TRUST_CFG))
validate_flags |= VALIDATE_FLAG_TRUST_CONFIG; validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
if ((http_flags & HTTP_FLAG_TRUST_DEF)) if ((http_flags & HTTP_FLAG_TRUST_DEF))
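Review bot: With the `else` commented out, the `{` that now sits above `/* Use the certificates as requested from the HTTP module. */` is a bare compound statement that only adds an indentation level; the braces should be dropped and the body de-indented. The new comment also has a typo, `to due problems` should read `due to problems` (the same wording appears in the http.c hunk of this commit). Since `VALIDATE_FLAG_TRUST_HKPSPOOL` is no longer set anywhere in this hunk, consider saying so instead of only "disabled", e.g. `/* The hkps pool special case is gone (2.3.2); only the trust flags passed in http_flags decide which certificates are used. */`. gnupg_http_tls_verify_cb's body continues outside the hunk.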


@ -761,35 +761,38 @@ http_session_new (http_session_t *r_session,
goto leave; goto leave;
} }
is_hkps_pool = (intended_hostname /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
&& !ascii_strcasecmp (intended_hostname, /* is_hkps_pool = (intended_hostname */
get_default_keyserver (1))); /* && !ascii_strcasecmp (intended_hostname, */
/* get_default_keyserver (1))); */
is_hkps_pool = 0;
/* If we are looking for the hkps pool from sks-keyservers.net, /* If we are looking for the hkps pool from sks-keyservers.net,
* then forcefully use its dedicated certificate authority. */ * then forcefully use its dedicated certificate authority. */
if (is_hkps_pool) /* Disabled for 2.3.2 because the service had to be shutdown. */
{ /* if (is_hkps_pool) */
char *pemname = make_filename_try (gnupg_datadir (), /* { */
"sks-keyservers.netCA.pem", NULL); /* char *pemname = make_filename_try (gnupg_datadir (), */
if (!pemname) /* "sks-keyservers.netCA.pem", NULL); */
{ /* if (!pemname) */
err = gpg_error_from_syserror (); /* { */
log_error ("setting CA from file '%s' failed: %s\n", /* err = gpg_error_from_syserror (); */
pemname, gpg_strerror (err)); /* log_error ("setting CA from file '%s' failed: %s\n", */
} /* pemname, gpg_strerror (err)); */
else /* } */
{ /* else */
rc = gnutls_certificate_set_x509_trust_file /* { */
(sess->certcred, pemname, GNUTLS_X509_FMT_PEM); /* rc = gnutls_certificate_set_x509_trust_file */
if (rc < 0) /* (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); */
log_info ("setting CA from file '%s' failed: %s\n", /* if (rc < 0) */
pemname, gnutls_strerror (rc)); /* log_info ("setting CA from file '%s' failed: %s\n", */
xfree (pemname); /* pemname, gnutls_strerror (rc)); */
} /* xfree (pemname); */
/* } */
if (is_hkps_pool) /* */
add_system_cas = 0; /* if (is_hkps_pool) */
} /* add_system_cas = 0; */
/* } */
/* Add configured certificates to the session. */ /* Add configured certificates to the session. */
if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool) if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
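Review bot: `is_hkps_pool = 0;` makes the `&& !is_hkps_pool` on the last line of the hunk (and presumably any later use of the variable in http_session_new) a constant-true test that a reader will take for live logic; either drop the variable and the condition, or give the assignment a comment saying why it is pinned, e.g. `/* The sks-keyservers.net hkps pool has been shut down (2.3.2), so no host is treated as the pool: its bundled CA is not loaded and system CAs stay enabled. */`. The twenty-odd lines kept as `/* ... */` should be deleted rather than commented out; git retains them, and a future reader cannot tell whether they are meant to come back. The new comment also has the typo `to due problems` (should read `due to problems`). The function continues outside the hunk.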


@ -2138,22 +2138,22 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
*/ */
if (!strcmp (uri, "hkps://keys.gnupg.net") if (!strcmp (uri, "hkps://keys.gnupg.net")
|| !strcmp (uri, "keys.gnupg.net")) || !strcmp (uri, "keys.gnupg.net"))
uri = "hkps://hkps.pool.sks-keyservers.net"; uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "https://keys.gnupg.net")) else if (!strcmp (uri, "https://keys.gnupg.net"))
uri = "https://hkps.pool.sks-keyservers.net"; uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "hkp://keys.gnupg.net")) else if (!strcmp (uri, "hkp://keys.gnupg.net"))
uri = "hkp://hkps.pool.sks-keyservers.net"; uri = "hkp://pgp.surf.nl";
else if (!strcmp (uri, "http://keys.gnupg.net")) else if (!strcmp (uri, "http://keys.gnupg.net"))
uri = "http://hkps.pool.sks-keyservers.net"; uri = "hkp://pgp.surf.nl:80";
else if (!strcmp (uri, "hkps://http-keys.gnupg.net") else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
|| !strcmp (uri, "http-keys.gnupg.net")) || !strcmp (uri, "http-keys.gnupg.net"))
uri = "hkps://ha.pool.sks-keyservers.net"; uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "https://http-keys.gnupg.net")) else if (!strcmp (uri, "https://http-keys.gnupg.net"))
uri = "https://ha.pool.sks-keyservers.net"; uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "hkp://http-keys.gnupg.net")) else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
uri = "hkp://ha.pool.sks-keyservers.net"; uri = "hkp://pgp.surf.nl";
else if (!strcmp (uri, "http://http-keys.gnupg.net")) else if (!strcmp (uri, "http://http-keys.gnupg.net"))
uri = "http://ha.pool.sks-keyservers.net"; uri = "hkp://pgp.surf.nl:80";
item = xtrymalloc (sizeof *item + strlen (uri)); item = xtrymalloc (sizeof *item + strlen (uri));
if (!item) if (!item)
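Review bot: The new targets are undocumented: `https://keys.gnupg.net` and `https://http-keys.gnupg.net` now map to an `hkps://` URI while every other branch keeps its scheme, and the `http://` names map to `hkp://pgp.surf.nl:80` with an explicit port, presumably because `hkp://` otherwise defaults to port 11371 whereas the old `http://` target used 80. A comment above the chain should record both decisions and the reason for two different hosts, e.g. `/* keys.gnupg.net and http-keys.gnupg.net historically pointed at the sks-keyservers pool. Since its shutdown the hkps/https names go to keyserver.ubuntu.com and the hkp/http names to pgp.surf.nl; port 80 keeps the http variants on the port they used before. */`. The comment block closed by `*/` at the top of the hunk is outside the view, so it may already say part of this. The plain `hkp://` mappings remain unencrypted, as they were before the change.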


@ -321,9 +321,8 @@ provided. These are the same as the @option{--keyserver-options} of
@command{gpg}, but apply only to this particular keyserver. @command{gpg}, but apply only to this particular keyserver.
Most keyservers synchronize with each other, so there is generally no Most keyservers synchronize with each other, so there is generally no
need to send keys to more than one server. The keyserver need to send keys to more than one server. Somes keyservers use round
@code{hkp://keys.gnupg.net} uses round robin DNS to give a different robin DNS to give a different keyserver each time you use it.
keyserver each time you use it.
If exactly two keyservers are configured and only one is a Tor hidden If exactly two keyservers are configured and only one is a Tor hidden
service (.onion), Dirmngr selects the keyserver to use depending on service (.onion), Dirmngr selects the keyserver to use depending on
@ -331,7 +330,7 @@ whether Tor is locally running or not. The check for a running Tor is
done for each new connection. done for each new connection.
If no keyserver is explicitly configured, dirmngr will use the If no keyserver is explicitly configured, dirmngr will use the
built-in default of @code{hkps://hkps.pool.sks-keyservers.net}. built-in default of @code{https://keyserver.ubuntu.com}.
Windows users with a keyserver running on their Active Directory Windows users with a keyserver running on their Active Directory
may use the short form @code{ldap:///} for @var{name} to access this directory. may use the short form @code{ldap:///} for @var{name} to access this directory.
@ -596,10 +595,8 @@ the file is in PEM format a suffix of @code{.pem} is expected for
@var{file}. This option may be given multiple times to add more @var{file}. This option may be given multiple times to add more
root certificates. Tilde expansion is supported. root certificates. Tilde expansion is supported.
If no @code{hkp-cacert} directive is present, dirmngr will make a If no @code{hkp-cacert} directive is present, dirmngr will use the
reasonable choice: if the keyserver in question is the special pool system CAs.
@code{hkps.pool.sks-keyservers.net}, it will use the bundled root
certificate for that pool. Otherwise, it will use the system CAs.
@end table @end table


@ -57,7 +57,7 @@ Directory.
@mansect description @mansect description
The @command{gpg-wks-client} is used to send requests to a Web Key The @command{gpg-wks-client} is used to send requests to a Web Key
Service provider. This is usuallay done to upload a key into a Web Service provider. This is usually done to upload a key into a Web
Key Directory. Key Directory.
With the @option{--supported} command the caller can test whether a With the @option{--supported} command the caller can test whether a