authorWerner Koch <[email protected]>2021-06-25 17:15:24 +0000
committerWerner Koch <[email protected]>2021-08-24 16:09:56 +0000
commit55b5928099bafbd5409d3377a42259c11e394cd0 (patch)
tree553c3ff0add040041e4a6a6343c78e4417982075 /dirmngr/http-ntbtls.c
parentpo: In German always use "Passwort" instead of "Passphrase". (diff)
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to keyserver.ubuntu.com. * dirmngr/certcache.c (cert_cache_init): Disable default pool cert. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/http.c (http_session_new): Ditto. * dirmngr/server.c (make_keyserver_item): Use a different mapping for the gnupg.net names. -- Due to the unfortunate shutdown of the keyserver pool, the long-term defaults won't work anymore. Thus it is better to change them. For https access keyserver.ubuntu.com is now used because it can be expected that this server can stand the load from newer gnupg LTS versions. For http based access the Dutch Surfnet keyserver is used. However, due to a non-standard TLS certificate this server cannot easily be made the default for https. Note that the default server will be changed again as soon as a new connected keyserver infrastructure has been established. (cherry picked from commit 47c4e3e00a7ef55f954c14b3c237496e54a853c1)
Diffstat (limited to 'dirmngr/http-ntbtls.c')
-rw-r--r--dirmngr/http-ntbtls.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index ae5cf5519..2191acb60 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -47,7 +47,7 @@ gnupg_http_tls_verify_cb (void *opaque,
ksba_cert_t cert;
ksba_cert_t hostcert = NULL;
unsigned int validate_flags;
- const char *hostname;
+ /* const char *hostname; */
(void)http;
(void)session;
@@ -81,14 +81,16 @@ gnupg_http_tls_verify_cb (void *opaque,
* certificate. Note that this differes from the GnuTLS
* implementation which uses this special certificate only if no
* other certificates are configured. */
- hostname = ntbtls_get_hostname (tls);
- if (hostname
- && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
- {
- validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
- }
- else /* Use the certificates as requested from the HTTP module. */
+ /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
+ /* hostname = ntbtls_get_hostname (tls); */
+ /* if (hostname */
+ /* && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */
+ /* { */
+ /* validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */
+ /* } */
+ /* else */
{
+ /* Use the certificates as requested from the HTTP module. */
if ((http_flags & HTTP_FLAG_TRUST_CFG))
validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
if ((http_flags & HTTP_FLAG_TRUST_DEF))
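Review bot: The disabled pool-trust path is left as eight line comments (here and the `hostname` declaration in the first hunk) plus a bare `{` block where the `else` used to be, and the explanatory comment has a typo ("to due"); wrapping the retired code in `#if 0` / `#endif` would keep it compilable for a later re-enable and make the bare block read as intentional. The comment should also state the trust consequence, since this is the verification callback: with `VALIDATE_FLAG_TRUST_HKPSPOOL` no longer set, the default keyserver's certificate is now validated solely according to the `HTTP_FLAG_TRUST_*` flags handed over by the HTTP module, e.g. `/* Disabled for 2.3.2 due to problems with the standard hkps pool; trust for the default keyserver now comes only from the HTTP_FLAG_TRUST_* flags below. */`. Anyone re-enabling this later must restore the `hostname` declaration from the first hunk as well, which the line-comment form does not make obvious. The enclosing function gnupg_http_tls_verify_cb starts and ends outside this hunk.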