searching for keys
kardan
kardan at riseup.net
Sat Jul 13 23:56:49 CEST 2013
Hi,
When I search for a key via browser on [1] I get an unencrypted answer
from [2]. This happens for some keys that are onlyavailable on some servers. The problem is that the info, whose key I am
searching is presented to sniffers in plaintext. I think the encrypted
pool should not forward to unencrypted web interfaces.
[1] https://hkps.pool.sks-keyservers.net/
[2] http://keyserver.stack.nl
Another but related issue on the command line:
$ gpg --search hkps.pool.sks-keyservers.net
gpg: searching for "hkps.pool.sks-keyservers.net" from hkps server
hkps.pool.sks-keyservers.net gpgkeys: HTTP search error 60: server
certificate verification failed.
CAfile: /usr/local/share/ca-certificates/sks-keyservers.netCA.crt
CRLfile: none gpg: key "hkps.pool.sks-keyservers.net" not found on
keyserver gpg: keyserver internal error gpg: keyserver search failed:
keyserver error
The last three error messages are misleading and contradicting, but this
is just a gpg problem. Interesting is error 60 by gpgkeys. Calling curl
directly:
$ curl
"https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net"
curl: (60) SSL certificate problem: unable to get local issuer
certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
curl: (60) SSL certificate problem: self signed certificate in
certificate chain More details here:
http://curl.haxx.se/docs/sslcerts.html
Which is the same output as for
$ curl
"https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net"
--cacert /usr/local/share/ca-certificates/sks-keyservers.netCA.crt
$ curl
"https://hkps.pool.sks-keyservers.net/pks/lookup?op=index&search=hkps.pool.sks-keyservers.net"
--cacert /etc/ssl/certs/sks-keyservers.netCA.pem
Both files are identical and can be seen below, retrieved via
echo "QUIT"|openssl s_client -connect $DOMAIN:443 2>&1 | \
sed -ne "/^-----BEGIN CERTIFICATE/,/^-----END CERTIFICATE/p" > $PEMFILE
As suggested in [3] my gpg.conf contains the foll. I found that I can
leave out the ca-cert-file following option, if the key has been added
to the bundle via update-ca-certificates:
auto-key-locate cert pka ldap hkps://hkps.pool.sks-keyservers.net
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
What else needs to be done to retrieve gpg keys? A similar error
has been posted [4] on the curl list without an answer, maybe because
the message "". Seems as the problem is with the server certificate,
isn't it?
http://sks-keyservers.net/verify_tls.php
It would be great to have more meaningful error messages for gnupg,
also for "HTTP search error 77" when a wrong cert file is defined.
Thanks,
Kardan
[3] https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
[4] http://curl.haxx.se/mail/lib-2012-08/0100.html
ii curl 7.31.0-2
ii gnupg-curl 1.4.12-7
SSL certificate for hkps.pool.sks-keyservers.net:
-----BEGIN CERTIFICATE-----
MIIGkzCCBXugAwIBAgIDCsjWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTMwNjE4MDQzMDQ1
WhcNMTQwNjE4MTEwODI1WjCBhzEZMBcGA1UEDRMQWDVqMHBSV0U2MWlPWXBmcDEL
MAkGA1UEBhMCREUxJzAlBgNVBAMTHnd3dy5zZWNyZXRyZXNlYXJjaGZhY2lsaXR5
LmNvbTE0MDIGCSqGSIb3DQEJARYlaG9zdG1hc3RlckBzZWNyZXRyZXNlYXJjaGZh
Y2lsaXR5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKUjJW3/
KhIDN41K+X19cNaQAYBYwWUzi1dWhVMTK7o+fHyAqKoXbjbtdiTFr9QybSH96Jro
k88g+DIq6q/ft7DT36fpBhcrOEE4XZmgYNhNgqYceTusYtRbMZb32mTjFFKKw90p
TPTvlX6IHhC+j0m0kUV5fVD0foDjURBeaQRoWMMzJo5gPE94ZEsSgMKR+C0tJ5n7
njingjqb0cXkHcqM3s1HiM1XrYblJSZPNZ2i2ZVRBpxVkBALBrUnMVWYHQUtj0ke
wWuOolj4ks0StAu5WzeJZOBk3QMFuUd1uuzNNSYzstgFi80Brz59prOHnQIhpexj
tLU3iSBSaZ0BaF8CAwEAAaOCAv8wggL7MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOo
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBSef/P88+I1dOhRDWcDmncJ
SX25ijAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu7w4sRTBFBgNVHREEPjA8
gh53d3cuc2VjcmV0cmVzZWFyY2hmYWNpbGl0eS5jb22CGnNlY3JldHJlc2VhcmNo
ZmFjaWxpdHkuY29tMIIBVgYDVR0gBIIBTTCCAUkwCAYGZ4EMAQIBMIIBOwYLKwYB
BAGBtTcBAgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNv
bS9wb2xpY3kucGRmMIH3BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTADAgEBGoG+VGhpcyBjZXJ0aWZpY2F0ZSB3YXMgaXNz
dWVkIGFjY29yZGluZyB0byB0aGUgQ2xhc3MgMSBWYWxpZGF0aW9uIHJlcXVpcmVt
ZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5LCByZWxpYW5jZSBvbmx5IGZv
ciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBjb21wbGlhbmNlIG9mIHRoZSByZWx5
aW5nIHBhcnR5IG9ibGlnYXRpb25zLjA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8v
Y3JsLnN0YXJ0c3NsLmNvbS9jcnQxLWNybC5jcmwwgY4GCCsGAQUFBwEBBIGBMH8w
OQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9zdWIvY2xhc3Mx
L3NlcnZlci9jYTBCBggrBgEFBQcwAoY2aHR0cDovL2FpYS5zdGFydHNzbC5jb20v
Y2VydHMvc3ViLmNsYXNzMS5zZXJ2ZXIuY2EuY3J0MCMGA1UdEgQcMBqGGGh0dHA6
Ly93d3cuc3RhcnRzc2wuY29tLzANBgkqhkiG9w0BAQUFAAOCAQEAG9hsvIuIUxrf
L0XSC+XAoW3MzgPoiAfGHfcVSQLKUSfmGKj4n0FXUs64gO1pwfV8lrddFLq9RCPB
qcdktSj0M+G53zHsZmkw0qr2siYxq3u+zQes4Cr2mo886n6DmG0njssSFnj72Zzj
YwfesDaoczGCbrCO45dYq9ipYf4VmephooWr7aYxy649FqezXz59a6LC3OrcZhtv
U0OBBltds1ZfAf+YCNpxV2NOomHXGtt1q47DUpBq4to/T8PmNYD1nC4+u1RM3Upv
u4kqHFmdJEoPvZr4hwUxMxwuxi1If0aOP3uiKZ+QyxWGO4QLhBpkZMZ4q6yRVxFt
9EL+/EWnbw==
-----END CERTIFICATE-----
More information about the Gnupg-users
mailing list