Hi, When I search for a key via browser on [1] I get an unencrypted answer from [2]. This happens for some keys that are onlyavailable on some servers. The problem is that the info, whose key I am searching is presented to sniffers in plaintext. I think the encrypted pool should not forward to unencrypted web interfaces.
[1] https://hkps.pool.sks-keyservers.net/ [2] http://keyserver.stack.nl Another but related issue on the command line: $ gpg --search hkps.pool.sks-keyservers.net gpg: searching for "hkps.pool.sks-keyservers.net" from hkps server hkps.pool.sks-keyservers.net gpgkeys: HTTP search error 60: server certificate verification failed. CAfile: /usr/local/share/ca-certificates/sks-keyservers.netCA.crt CRLfile: none gpg: key "hkps.pool.sks-keyservers.net" not found on keyserver gpg: keyserver internal error gpg: keyserver search failed: keyserver error The last three error messages are misleading and contradicting, but this is just a gpg problem. Interesting is error 60 by gpgkeys. Calling curl directly: $ curl "https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net" curl: (60) SSL certificate problem: unable to get local issuer certificate chain More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: http://curl.haxx.se/docs/sslcerts.html Which is the same output as for $ curl "https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net" --cacert /usr/local/share/ca-certificates/sks-keyservers.netCA.crt $ curl "https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net" --cacert /etc/ssl/certs/sks-keyservers.netCA.pem Both files are identical and can be seen below, retrieved via echo "QUIT"|openssl s_client -connect $DOMAIN:443 2>&1 | \ sed -ne "/^-----BEGIN CERTIFICATE/,/^-----END CERTIFICATE/p" > $PEMFILE As suggested in [3] my gpg.conf contains the foll. I found that I can leave out the ca-cert-file following option, if the key has been added to the bundle via update-ca-certificates: auto-key-locate cert pka ldap hkps://hkps.pool.sks-keyservers.net keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url What else needs to be done to retrieve gpg keys? A similar error has been posted [4] on the curl list without an answer, maybe because the message "". Seems as the problem is with the server certificate, isn't it? http://sks-keyservers.net/verify_tls.php It would be great to have more meaningful error messages for gnupg, also for "HTTP search error 77" when a wrong cert file is defined. Thanks, Kardan [3] https://we.riseup.net/riseuplabs+paow/openpgp-best-practices [4] http://curl.haxx.se/mail/lib-2012-08/0100.html ii curl 7.31.0-2 ii gnupg-curl 1.4.12-7 SSL certificate for hkps.pool.sks-keyservers.net: -----BEGIN CERTIFICATE----- MIIGkzCCBXugAwIBAgIDCsjWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTMwNjE4MDQzMDQ1 WhcNMTQwNjE4MTEwODI1WjCBhzEZMBcGA1UEDRMQWDVqMHBSV0U2MWlPWXBmcDEL MAkGA1UEBhMCREUxJzAlBgNVBAMTHnd3dy5zZWNyZXRyZXNlYXJjaGZhY2lsaXR5 LmNvbTE0MDIGCSqGSIb3DQEJARYlaG9zdG1hc3RlckBzZWNyZXRyZXNlYXJjaGZh Y2lsaXR5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKUjJW3/ KhIDN41K+X19cNaQAYBYwWUzi1dWhVMTK7o+fHyAqKoXbjbtdiTFr9QybSH96Jro k88g+DIq6q/ft7DT36fpBhcrOEE4XZmgYNhNgqYceTusYtRbMZb32mTjFFKKw90p TPTvlX6IHhC+j0m0kUV5fVD0foDjURBeaQRoWMMzJo5gPE94ZEsSgMKR+C0tJ5n7 njingjqb0cXkHcqM3s1HiM1XrYblJSZPNZ2i2ZVRBpxVkBALBrUnMVWYHQUtj0ke wWuOolj4ks0StAu5WzeJZOBk3QMFuUd1uuzNNSYzstgFi80Brz59prOHnQIhpexj tLU3iSBSaZ0BaF8CAwEAAaOCAv8wggL7MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOo MBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBSef/P88+I1dOhRDWcDmncJ SX25ijAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu7w4sRTBFBgNVHREEPjA8 gh53d3cuc2VjcmV0cmVzZWFyY2hmYWNpbGl0eS5jb22CGnNlY3JldHJlc2VhcmNo ZmFjaWxpdHkuY29tMIIBVgYDVR0gBIIBTTCCAUkwCAYGZ4EMAQIBMIIBOwYLKwYB BAGBtTcBAgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNv bS9wb2xpY3kucGRmMIH3BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBDZXJ0aWZp Y2F0aW9uIEF1dGhvcml0eTADAgEBGoG+VGhpcyBjZXJ0aWZpY2F0ZSB3YXMgaXNz dWVkIGFjY29yZGluZyB0byB0aGUgQ2xhc3MgMSBWYWxpZGF0aW9uIHJlcXVpcmVt ZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5LCByZWxpYW5jZSBvbmx5IGZv ciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBjb21wbGlhbmNlIG9mIHRoZSByZWx5 aW5nIHBhcnR5IG9ibGlnYXRpb25zLjA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8v Y3JsLnN0YXJ0c3NsLmNvbS9jcnQxLWNybC5jcmwwgY4GCCsGAQUFBwEBBIGBMH8w OQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9zdWIvY2xhc3Mx L3NlcnZlci9jYTBCBggrBgEFBQcwAoY2aHR0cDovL2FpYS5zdGFydHNzbC5jb20v Y2VydHMvc3ViLmNsYXNzMS5zZXJ2ZXIuY2EuY3J0MCMGA1UdEgQcMBqGGGh0dHA6 Ly93d3cuc3RhcnRzc2wuY29tLzANBgkqhkiG9w0BAQUFAAOCAQEAG9hsvIuIUxrf L0XSC+XAoW3MzgPoiAfGHfcVSQLKUSfmGKj4n0FXUs64gO1pwfV8lrddFLq9RCPB qcdktSj0M+G53zHsZmkw0qr2siYxq3u+zQes4Cr2mo886n6DmG0njssSFnj72Zzj YwfesDaoczGCbrCO45dYq9ipYf4VmephooWr7aYxy649FqezXz59a6LC3OrcZhtv U0OBBltds1ZfAf+YCNpxV2NOomHXGtt1q47DUpBq4to/T8PmNYD1nC4+u1RM3Upv u4kqHFmdJEoPvZr4hwUxMxwuxi1If0aOP3uiKZ+QyxWGO4QLhBpkZMZ4q6yRVxFt 9EL+/EWnbw== -----END CERTIFICATE----- _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
