author | Werner Koch <[email protected]> | 2021-06-25 17:15:24 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2021-08-24 16:09:56 +0000 |
commit | 55b5928099bafbd5409d3377a42259c11e394cd0 (patch) | |
tree | 553c3ff0add040041e4a6a6343c78e4417982075 /dirmngr/http.c | |
parent | po: In German always use "Passwort" instead of "Passphrase". (diff) | |
download | gnupg-55b5928099bafbd5409d3377a42259c11e394cd0.tar.gz gnupg-55b5928099bafbd5409d3377a42259c11e394cd0.zip |
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.
* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.
* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--
Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore. Thus it is better to change them.
For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.
For http based access the Dutch Surfnet keyserver is used. However
due to a non-standard TLS certificate this server can not easily be
made the default for https.
Note that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.
(cherry picked from commit 47c4e3e00a7ef55f954c14b3c237496e54a853c1)
Diffstat (limited to 'dirmngr/http.c')
-rw-r--r-- | dirmngr/http.c | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/dirmngr/http.c b/dirmngr/http.c
index dc1873448..73606c01c 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -761,35 +761,38 @@ http_session_new (http_session_t *r_session,
 goto leave;
 }
 
- is_hkps_pool = (intended_hostname
- && !ascii_strcasecmp (intended_hostname,
- get_default_keyserver (1)));
+ /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
+ /* is_hkps_pool = (intended_hostname */
+ /* && !ascii_strcasecmp (intended_hostname, */
+ /* get_default_keyserver (1))); */
+ is_hkps_pool = 0;
 
 /* If we are looking for the hkps pool from sks-keyservers.net,
 * then forcefully use its dedicated certificate authority. */
- if (is_hkps_pool)
- {
- char *pemname = make_filename_try (gnupg_datadir (),
- "sks-keyservers.netCA.pem", NULL);
- if (!pemname)
- {
- err = gpg_error_from_syserror ();
- log_error ("setting CA from file '%s' failed: %s\n",
- pemname, gpg_strerror (err));
- }
- else
- {
- rc = gnutls_certificate_set_x509_trust_file
- (sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
- if (rc < 0)
- log_info ("setting CA from file '%s' failed: %s\n",
- pemname, gnutls_strerror (rc));
- xfree (pemname);
- }
-
- if (is_hkps_pool)
- add_system_cas = 0;
- }
+ /* Disabled for 2.3.2 because the service had to be shutdown. */
+ /* if (is_hkps_pool) */
+ /* { */
+ /* char *pemname = make_filename_try (gnupg_datadir (), */
+ /* "sks-keyservers.netCA.pem", NULL); */
+ /* if (!pemname) */
+ /* { */
+ /* err = gpg_error_from_syserror (); */
+ /* log_error ("setting CA from file '%s' failed: %s\n", */
+ /* pemname, gpg_strerror (err)); */
+ /* } */
+ /* else */
+ /* { */
+ /* rc = gnutls_certificate_set_x509_trust_file */
+ /* (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); */
+ /* if (rc < 0) */
+ /* log_info ("setting CA from file '%s' failed: %s\n", */
+ /* pemname, gnutls_strerror (rc)); */
+ /* xfree (pemname); */
+ /* } */
+ /* */
+ /* if (is_hkps_pool) */
+ /* add_system_cas = 0; */
+ /* } */
 
 /* Add configured certificates to the session. */
 if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool) |
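Review bot: The added comment `/* Disabled for 2.3.2 to due problems with the standard hkps pool. */` has the words swapped; it should read `/* Disabled for 2.3.2 due to problems with the standard hkps pool. */`. With `is_hkps_pool = 0;` hard-coded, the surviving context comment about forcefully using the sks-keyservers.net certificate authority now describes code that can never run, so it should move inside the disabled block or be replaced by one line stating that pool-specific CA pinning is switched off and the new default keyserver is validated through the regular trust path that follows, where `&& !is_hkps_pool` is now always true. Keeping 24 lines of code as `/* ... */` comments is fragile to edit and invisible to the compiler; since the commit message says the default will be changed again, `#if 0 ... #endif` carrying the same reason (or dropping the block and relying on git history) would be the usual form. If the build still installs sks-keyservers.netCA.pem, it is now unused data and could be removed at the same time, though that is not visible here. http_session_new's body continues outside the hunk.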