-rw-r--r--dirmngr/http.c15
-rw-r--r--doc/dirmngr.texi5
2 files changed, 15 insertions, 5 deletions
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 90682fa46..bc62c820b 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -613,6 +613,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
const char *errpos;
int rc;
strlist_t sl;
+ int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS);
+ int is_hkps_pool;
rc = gnutls_certificate_allocate_credentials (&sess->certcred);
if (rc < 0)
@@ -623,13 +625,14 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
goto leave;
}
+ is_hkps_pool = (intended_hostname
+ && !ascii_strcasecmp (intended_hostname,
+ "hkps.pool.sks-keyservers.net"));
+
/* If the user has not specified a CA list, and they are looking
* for the hkps pool from sks-keyservers.net, then default to
* Kristian's certificate authority: */
- if (!tls_ca_certlist
- && intended_hostname
- && !ascii_strcasecmp (intended_hostname,
- "hkps.pool.sks-keyservers.net"))
+ if (!tls_ca_certlist && is_hkps_pool)
{
char *pemname = make_filename_try (gnupg_datadir (),
"sks-keyservers.netCA.pem", NULL);
@@ -662,10 +665,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
log_info ("setting CA from file '%s' failed: %s\n",
sl->d, gnutls_strerror (rc));
}
+ if (!tls_ca_certlist && !is_hkps_pool)
+ add_system_cas = 1;
}
/* Add system certificates to the session. */
- if ((flags & HTTP_FLAG_TRUST_SYS))
+ if (add_system_cas)
{
#if GNUTLS_VERSION_NUMBER >= 0x030014
static int shown;
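Review bot: The new fallback `if (!tls_ca_certlist && !is_hkps_pool) add_system_cas = 1;` widens the session's trust anchors to the system store without any trace in the log, while the failure path a few lines above already reports through log_info; a line such as `log_info ("no hkp-cacert configured; using system CAs for '%s'\n", intended_hostname ? intended_hostname : "(none)");` next to the assignment would make the effective trust store visible when a verification result has to be explained. The block that closes with the `}` right after the assignment opens outside this hunk, so it is not visible here whether the fallback runs unconditionally or only under some flag; the new dirmngr.texi text states it unconditionally, so the two should be checked against each other. The `#if GNUTLS_VERSION_NUMBER >= 0x030014` branch that consumes add_system_cas also continues past the hunk; if the older-GnuTLS branch does nothing, a session with neither an hkp-cacert nor the pool default would be left with no trust anchors at all, which deserves an explicit log message or error in that branch. http_session_new continues outside the hunk.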
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 73afbc318..bc3072ce8 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -461,6 +461,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for
@var{file}. This option may be given multiple times to add more
root certificates. Tilde expansion is supported.
+If no @code{hkp-cacert} directive is present, dirmngr will make a
+reasonable choice: if the keyserver in question is the special pool
+@code{hkps.pool.sks-keyservers.net}, it will use the bundled root
+certificate for that pool. Otherwise, it will use the system CAs.
+
@end table