dirmngr: Align the gnutls use of CAs with the ntbtls code.

* dirmngr/http.c (http_session_new) <gnutls>: Use only the special pool certificate for the default keyserver. -- The gnutls version uses a different strategy than the ntbtls version on when to use the special SKS pool certificate. This patch aligns it so that we don't need to wonder about different kind of bug reports. In short the special cert is now the only cert use with the default keyserver. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2020-09-10 09:13:59 +02:00 · 2020-09-10 09:13:59 +02:00 · faabc49797
commit faabc49797
parent d4cb774ddd
3 changed files with 18 additions and 10 deletions
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@ -765,10 +765,9 @@ http_session_new (http_session_t *r_session,
                    && !ascii_strcasecmp (intended_hostname,
                                          get_default_keyserver (1)));

-    /* If the user has not specified a CA list, and they are looking
-     * for the hkps pool from sks-keyservers.net, then default to
-     * Kristian's certificate authority:  */
-    if (!tls_ca_certlist && is_hkps_pool)
+    /* If we are looking for the hkps pool from sks-keyservers.net,
+     * then forcefully use its dedicated certificate authority.  */
+    if (is_hkps_pool)
      {
        char *pemname = make_filename_try (gnupg_datadir (),
                                           "sks-keyservers.netCA.pem", NULL);
@ -788,11 +787,12 @@ http_session_new (http_session_t *r_session,
            xfree (pemname);
          }

-        add_system_cas = 0;
+        if (is_hkps_pool)
+          add_system_cas = 0;
      }

    /* Add configured certificates to the session.  */
-    if ((flags & HTTP_FLAG_TRUST_DEF))
+    if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
      {
        for (sl = tls_ca_certlist; sl; sl = sl->next)
          {
@ -803,7 +803,10 @@ http_session_new (http_session_t *r_session,
              log_info ("setting CA from file '%s' failed: %s\n",
                        sl->d, gnutls_strerror (rc));
          }
-        if (!tls_ca_certlist && !is_hkps_pool)
+
+        /* If HKP trust is requested and there are no HKP certificates
+         * configured, also try the standard system certificates.  */
+        if (!tls_ca_certlist)
          add_system_cas = 1;
      }

@ -825,7 +828,7 @@ http_session_new (http_session_t *r_session,
      }

    /* Add other configured certificates to the session.  */
-    if ((flags & HTTP_FLAG_TRUST_CFG))
+    if ((flags & HTTP_FLAG_TRUST_CFG) && !is_hkps_pool)
      {
        for (sl = cfg_ca_certlist; sl; sl = sl->next)
          {