Hi,

In relation to setting up an HKPS pool for sks-keyservers.net [0] I've encountered a scenario where some input would be appreciated.

In the process of trying to figure out a mechanism to not have to disable certificate checking when using the pool (I quite like DKG's approach in [1]) I set up nginx (which was already a reverse proxy to my SKS server for HKP requests) to respond to SSL requests on port 11375. Port 443 on this server is already used by Apache. Normally I'd be able to set up Apache with a ProxyPassReverse to use this as a shared resource, but since migrating to mod_gnutls rather than mod_ssl, this configuration directive seems somewhat non-trivial [2] (and since I'm not using mod_proxy for anything else, debugging it isn't that much of a priority), so for the purposes of this discussion, using port 443 for this service is out of the question.

As 11375 is a non-default port I set up an SRV record as shown in #Snippet 1# below. When trying to send a key request as shown in #Snippet 2# below, however, a connection to port 443 is attempted. Am I using the wrong SRV records for HKPS? When first introducing SRV records in the pool, this was the one being pointed out [3].

Some background information on this particular pool: My crawler is now trying to detect HKPS-enabled servers by looking for this SRV record, and if no such SRV record is found, attempting to connect and locate an SKS stats page on port 443. Servers available on 443 are then included as A, AAAA and SRV records, while other SSL-enabled servers are only represented as SRV records, as shown in #Snippet 3#.

## Snippet 1: ##
kristianf@kristianf-precision-m4600:~$ dig +short srv _pgpkey-https._tcp.keys.kfwebs.net any
10 10 11375 keys.kfwebs.net.

## Snippet 2: ##
kristianf@kristianf-precision-m4600:~$ gpg2 --keyserver-options no-check-cert,debug,verbose --keyserver hkps://keys.kfwebs.net --recv-key 0x0B7F8B60E3EDFAE3
gpg: requesting key 0B7F8B60E3EDFAE3 from hkps server keys.kfwebs.net
gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
* About to connect() to keys.kfwebs.net port 443 (#0)
*   Trying 2001:16d8:ee30::4...
* connected
* server certificate verification SKIPPED
* compression: NULL
* cipher: AES-128-CBC
* MAC: SHA1
> GET /pks/lookup?op=get&options=mr&search=0x0B7F8B60E3EDFAE3 HTTP/1.1
Host: keys.kfwebs.net
Accept: */*
Pragma: no-cache
Cache-Control: no-cache

## Snippet 3: ##
kristianf@kristianf-precision-m4600:~$ dig +short srv _pgpkey-https._tcp.hkps.pool.sks-keyservers.net
100 100 443 zimmerman.mayfirst.org.
100 100 11375 keys.kfwebs.net.
100 100 443 gpg.spline.inf.fu-berlin.de.
100 100 443 sks.spodhuis.org.
100 100 443 keyserver.cns.vt.edu.
100 100 443 keyserver.oeg.com.au.
100 100 443 keyserver.stack.nl.

###########################
[0] http://lists.nongnu.org/archive/html/sks-devel/2012-10/msg00000.html
[1] http://lists.nongnu.org/archive/html/sks-devel/2012-10/msg00002.html
[2] http://apache-http-server.18135.n6.nabble.com/mod-gnutls-and-mod-proxy-TLS-termination-td4831028.html
[3] http://lists.gnu.org/archive/html/sks-devel/2010-04/msg00016.html

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"In politics stupidity is not a handicap."
(Napoleon Bonaparte)
----------------------------
This email was digitally signed using the OpenPGP standard. If you want to read more about this, the book "Sending Emails - The Safe Way: An introduction to OpenPGP security" is available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel
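As an added illustration (not part of the post above, and not gpg's or SKS's code) of what an SRV-aware HKPS client would do with the records quoted in Snippets 1 and 3: parse `dig +short srv` output, order the records per RFC 2782 (lowest priority first, weighted random within a priority), and only fall back to port 443 when the `_pgpkey-https._tcp` lookup is empty. The sample input is the dig output quoted in the post; the `rnd` parameter exists so the selection can be made deterministic for testing.

```python
import random
from collections import namedtuple

# one SRV record as returned by `dig +short srv NAME`: "prio weight port target."
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def parse_dig_short_srv(output: str) -> list:
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or non-record line
        prio, weight, port = (int(p) for p in parts[:3])
        records.append(SrvRecord(prio, weight, port, parts[3].rstrip(".")))
    return records

def _pick_weighted(group: list, rnd) -> SrvRecord:
    # RFC 2782 choice within one priority: zero-weight entries sort first, and the first
    # record whose running weight sum reaches a random threshold in [0, total) is taken
    group = sorted(group, key=lambda r: r.weight != 0)
    threshold = rnd() * sum(r.weight for r in group)
    running = 0
    for rec in group:
        running += rec.weight
        if running >= threshold:
            return rec
    return group[-1]

def order_srv(records: list, rnd=random.random) -> list:
    # clients try the lowest priority first; within a priority, weighted random order
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            pick = _pick_weighted(group, rnd)
            ordered.append(pick)
            group.remove(pick)
    return ordered

def connect_plan(host: str, dig_output: str, default_port: int = 443) -> list:
    # ordered (target, port) pairs an SRV-aware HKPS client tries; host:443 only if no SRV records
    records = parse_dig_short_srv(dig_output)
    if not records:
        return [(host, default_port)]
    return [(r.target, r.port) for r in order_srv(records)]

# dig output quoted in the post (Snippet 1, and the first three lines of Snippet 3)
SNIPPET1 = "10 10 11375 keys.kfwebs.net.\n"
SNIPPET3 = ("100 100 443 zimmerman.mayfirst.org.\n100 100 11375 keys.kfwebs.net.\n"
            "100 100 443 gpg.spline.inf.fu-berlin.de.\n")
```

With the Snippet 1 record present, `connect_plan("keys.kfwebs.net", SNIPPET1)` yields `[("keys.kfwebs.net", 11375)]`, whereas the gpg2 run in Snippet 2 went to port 443 as if no SRV record existed.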
