-rw-r--r--configure.ac2
-rw-r--r--dirmngr/certcache.c11
-rw-r--r--dirmngr/http-ntbtls.c18
-rw-r--r--dirmngr/http.c55
-rw-r--r--dirmngr/server.c16
-rw-r--r--doc/dirmngr.texi13
-rw-r--r--doc/wks.texi2
7 files changed, 60 insertions, 57 deletions
diff --git a/configure.ac b/configure.ac
index 913aeb4e4..d03ea3bfe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1977,7 +1977,7 @@ AC_DEFINE_UNQUOTED(TPM2DAEMON_SOCK_NAME, "S.tpm2daemon",
AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr",
[The name of the dirmngr socket])
AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER,
- "hkps://hkps.pool.sks-keyservers.net",
+ "hkps://keyserver.ubuntu.com",
[The default keyserver for dirmngr to use, if none is explicitly given])
AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
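Review bot: The new default `hkps://keyserver.ubuntu.com` on the `+` line disagrees with doc/dirmngr.texi in this same commit, which now states the built-in default as `@code{https://keyserver.ubuntu.com}`; one of the two should change so the manual matches the configured value, presumably the doc line to `@code{hkps://keyserver.ubuntu.com}`. The same doc file also picks up the typo `Somes keyservers use round` (should read `Some keyservers use round`). Since this commit disables the pool-specific CA handling in dirmngr/http.c and dirmngr/http-ntbtls.c, the new hkps default is validated against configured and system CAs only, which is consistent with the rewritten hkp-cacert paragraph but worth stating in the commit description.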
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index bee1c44d6..4c2bf121f 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -724,11 +724,12 @@ cert_cache_init (strlist_t hkp_cacerts)
/* Put the special pool certificate into our store. This is
* currently only used with ntbtls. For GnuTLS http_session_new
* unfortunately loads that certificate directly from the file. */
- fname = make_filename_try (gnupg_datadir (),
- "sks-keyservers.netCA.pem", NULL);
- if (fname)
- load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1);
- xfree (fname);
+ /* Disabled for 2.3.2 because the service had to be shutdown. */
+ /* fname = make_filename_try (gnupg_datadir (), */
+ /* "sks-keyservers.netCA.pem", NULL); */
+ /* if (fname) */
+ /* load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1); */
+ /* xfree (fname); */
for (sl = hkp_cacerts; sl; sl = sl->next)
load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0);
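Review bot: The five lines are kept as block comments rather than deleted, which leaves the `make_filename_try`/`load_certs_from_file` sequence as dead text for the next maintainer; the same pattern appears in dirmngr/http-ntbtls.c and dirmngr/http.c in this commit. If the `fname` local is declared earlier in `cert_cache_init` (outside this hunk) and has no remaining use, the build will presumably now warn about an unused variable. Prefer removing the lines outright and keeping a single explanatory comment, e.g. `/* The sks-keyservers.net pool CA is no longer loaded: the service was shut down (2.3.2). */`, or wrap them in `#if 0 ... #endif` if they are intended to return. cert_cache_init starts and ends outside the hunk.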
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index ae5cf5519..2191acb60 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -47,7 +47,7 @@ gnupg_http_tls_verify_cb (void *opaque,
ksba_cert_t cert;
ksba_cert_t hostcert = NULL;
unsigned int validate_flags;
- const char *hostname;
+ /* const char *hostname; */
(void)http;
(void)session;
@@ -81,14 +81,16 @@ gnupg_http_tls_verify_cb (void *opaque,
* certificate. Note that this differes from the GnuTLS
* implementation which uses this special certificate only if no
* other certificates are configured. */
- hostname = ntbtls_get_hostname (tls);
- if (hostname
- && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
- {
- validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
- }
- else /* Use the certificates as requested from the HTTP module. */
+ /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
+ /* hostname = ntbtls_get_hostname (tls); */
+ /* if (hostname */
+ /* && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */
+ /* { */
+ /* validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */
+ /* } */
+ /* else */
{
+ /* Use the certificates as requested from the HTTP module. */
if ((http_flags & HTTP_FLAG_TRUST_CFG))
validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
if ((http_flags & HTTP_FLAG_TRUST_DEF))
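Review bot: Removing the `else` leaves a bare compound statement `{ ... }` after the commented-out branch, and the paragraph still on the new side just above the first changed line (the one saying this "differes from the GnuTLS implementation which uses this special certificate only if no other certificates are configured") now describes logic that no longer runs. Rewrite that paragraph to say that trust is taken only from the HTTP module's flags, drop the now-unneeded braces, and fix the typo in the added comment: `/* Disabled for 2.3.2 due to problems with the standard hkps pool. */`. With the hostname comparison gone, `VALIDATE_FLAG_TRUST_HKPSPOOL` is never set on this path; if nothing else sets it, the flag and its handling in the validator are dead code worth a follow-up. gnupg_http_tls_verify_cb continues past the hunk.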
diff --git a/dirmngr/http.c b/dirmngr/http.c
index dc1873448..73606c01c 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -761,35 +761,38 @@ http_session_new (http_session_t *r_session,
goto leave;
}
- is_hkps_pool = (intended_hostname
- && !ascii_strcasecmp (intended_hostname,
- get_default_keyserver (1)));
+ /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
+ /* is_hkps_pool = (intended_hostname */
+ /* && !ascii_strcasecmp (intended_hostname, */
+ /* get_default_keyserver (1))); */
+ is_hkps_pool = 0;
/* If we are looking for the hkps pool from sks-keyservers.net,
* then forcefully use its dedicated certificate authority. */
- if (is_hkps_pool)
- {
- char *pemname = make_filename_try (gnupg_datadir (),
- "sks-keyservers.netCA.pem", NULL);
- if (!pemname)
- {
- err = gpg_error_from_syserror ();
- log_error ("setting CA from file '%s' failed: %s\n",
- pemname, gpg_strerror (err));
- }
- else
- {
- rc = gnutls_certificate_set_x509_trust_file
- (sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
- if (rc < 0)
- log_info ("setting CA from file '%s' failed: %s\n",
- pemname, gnutls_strerror (rc));
- xfree (pemname);
- }
-
- if (is_hkps_pool)
- add_system_cas = 0;
- }
+ /* Disabled for 2.3.2 because the service had to be shutdown. */
+ /* if (is_hkps_pool) */
+ /* { */
+ /* char *pemname = make_filename_try (gnupg_datadir (), */
+ /* "sks-keyservers.netCA.pem", NULL); */
+ /* if (!pemname) */
+ /* { */
+ /* err = gpg_error_from_syserror (); */
+ /* log_error ("setting CA from file '%s' failed: %s\n", */
+ /* pemname, gpg_strerror (err)); */
+ /* } */
+ /* else */
+ /* { */
+ /* rc = gnutls_certificate_set_x509_trust_file */
+ /* (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); */
+ /* if (rc < 0) */
+ /* log_info ("setting CA from file '%s' failed: %s\n", */
+ /* pemname, gnutls_strerror (rc)); */
+ /* xfree (pemname); */
+ /* } */
+ /* */
+ /* if (is_hkps_pool) */
+ /* add_system_cas = 0; */
+ /* } */
/* Add configured certificates to the session. */
if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
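Review bot: With `is_hkps_pool = 0;` hard-coded, the `&& !is_hkps_pool` test on the last context line (and any later uses in `http_session_new`, which continues past the hunk) is always true, and the sentence `If we are looking for the hkps pool from sks-keyservers.net, then forcefully use its dedicated certificate authority.` kept on the new side now describes code that is commented out. Either remove `is_hkps_pool` and its tests entirely or replace the stale comment with one stating the current policy, e.g. `/* The sks-keyservers.net pool is gone (2.3.2); hkps hosts are verified against configured and system CAs only. */`. If `rc` was only used inside the disabled block, its declaration (outside the hunk) will presumably now draw an unused-variable warning. The added comment carries the same `to due` typo as the one in dirmngr/http-ntbtls.c.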
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 2880dcb47..ced92de21 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -2138,22 +2138,22 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
*/
if (!strcmp (uri, "hkps://keys.gnupg.net")
|| !strcmp (uri, "keys.gnupg.net"))
- uri = "hkps://hkps.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "https://keys.gnupg.net"))
- uri = "https://hkps.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "hkp://keys.gnupg.net"))
- uri = "hkp://hkps.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl";
else if (!strcmp (uri, "http://keys.gnupg.net"))
- uri = "http://hkps.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl:80";
else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
|| !strcmp (uri, "http-keys.gnupg.net"))
- uri = "hkps://ha.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "https://http-keys.gnupg.net"))
- uri = "https://ha.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
- uri = "hkp://ha.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl";
else if (!strcmp (uri, "http://http-keys.gnupg.net"))
- uri = "http://ha.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl:80";
item = xtrymalloc (sizeof *item + strlen (uri));
if (!item)
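Review bot: The `https://keys.gnupg.net` and `https://http-keys.gnupg.net` arms now yield exactly the same string as their `hkps://` siblings, so they could be folded into the existing `||` conditions, e.g. `if (!strcmp (uri, "hkps://keys.gnupg.net") || !strcmp (uri, "keys.gnupg.net") || !strcmp (uri, "https://keys.gnupg.net"))`, instead of four near-identical `else if` arms. The rewrite also changes schemes (https → hkps, http → hkp with an explicit `:80`); if the two scheme families are dispatched differently further down, that is a behavioural change deserving a comment such as `/* pgp.surf.nl is assumed to serve HKP on port 80 as well; keep the explicit port for the former http:// aliases. */` — I cannot confirm the port mapping from the hunk. The comment describing these aliases begins above the hunk and should be checked for references to the old pool names. make_keyserver_item continues past the hunk.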
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index a9237edee..1638d7d84 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -321,9 +321,8 @@ provided. These are the same as the @option{--keyserver-options} of
@command{gpg}, but apply only to this particular keyserver.
Most keyservers synchronize with each other, so there is generally no
-need to send keys to more than one server. The keyserver
-@code{hkp://keys.gnupg.net} uses round robin DNS to give a different
-keyserver each time you use it.
+need to send keys to more than one server. Somes keyservers use round
+robin DNS to give a different keyserver each time you use it.
If exactly two keyservers are configured and only one is a Tor hidden
service (.onion), Dirmngr selects the keyserver to use depending on
@@ -331,7 +330,7 @@ whether Tor is locally running or not. The check for a running Tor is
done for each new connection.
If no keyserver is explicitly configured, dirmngr will use the
-built-in default of @code{hkps://hkps.pool.sks-keyservers.net}.
+built-in default of @code{https://keyserver.ubuntu.com}.
Windows users with a keyserver running on their Active Directory
may use the short form @code{ldap:///} for @var{name} to access this directory.
@@ -596,10 +595,8 @@ the file is in PEM format a suffix of @code{.pem} is expected for
@var{file}. This option may be given multiple times to add more
root certificates. Tilde expansion is supported.
-If no @code{hkp-cacert} directive is present, dirmngr will make a
-reasonable choice: if the keyserver in question is the special pool
-@code{hkps.pool.sks-keyservers.net}, it will use the bundled root
-certificate for that pool. Otherwise, it will use the system CAs.
+If no @code{hkp-cacert} directive is present, dirmngr will use the
+system CAs.
@end table
diff --git a/doc/wks.texi b/doc/wks.texi
index ad239f132..48e534b7d 100644
--- a/doc/wks.texi
+++ b/doc/wks.texi
@@ -57,7 +57,7 @@ Directory.
@mansect description
The @command{gpg-wks-client} is used to send requests to a Web Key
-Service provider. This is usuallay done to upload a key into a Web
+Service provider. This is usually done to upload a key into a Web
Key Directory.
With the @option{--supported} command the caller can test whether a