-rw-r--r--dirmngr/certcache.c3
-rw-r--r--dirmngr/http-ntbtls.c6
-rw-r--r--dirmngr/http.c19
3 files changed, 18 insertions, 10 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 5486997b6..87f605eab 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -721,6 +721,9 @@ cert_cache_init (strlist_t hkp_cacerts)
load_certs_from_dir (fname, 0);
xfree (fname);
+ /* Put the special pool certificate into our store. This is
+ * currently only used with ntbtls. For GnuTLS http_session_new
+ * unfortunately loads that certificate directly from the file. */
fname = make_filename_try (gnupg_datadir (),
"sks-keyservers.netCA.pem", NULL);
if (fname)
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 924b8b25f..ae5cf5519 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -77,8 +77,10 @@ gnupg_http_tls_verify_cb (void *opaque,
validate_flags = VALIDATE_FLAG_TLS;
- /* If we are using the standard hkps:// pool use the dedicated
- * root certificate. */
+ /* If we are using the standard hkps:// pool use the dedicated root
+ * certificate. Note that this differes from the GnuTLS
+ * implementation which uses this special certificate only if no
+ * other certificates are configured. */
hostname = ntbtls_get_hostname (tls);
if (hostname
&& !ascii_strcasecmp (hostname, get_default_keyserver (1)))
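Review bot: The rewritten comment describes the GnuTLS behaviour this same commit removes: http.c now applies the dedicated CA whenever `is_hkps_pool` is set (the `!tls_ca_certlist` clause is dropped in the http.c hunk), so "uses this special certificate only if no other certificates are configured" is stale as of this commit, and "differes" is a typo. I would replace the last two sentences with `* certificate.  This matches the GnuTLS code in http_session_new, which` / `* also forces this certificate for the pool regardless of configured CAs. */`. gnupg_http_tls_verify_cb starts and ends outside the hunk.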
diff --git a/dirmngr/http.c b/dirmngr/http.c
index f3d98e14b..bfbc30276 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -765,10 +765,9 @@ http_session_new (http_session_t *r_session,
&& !ascii_strcasecmp (intended_hostname,
get_default_keyserver (1)));
- /* If the user has not specified a CA list, and they are looking
- * for the hkps pool from sks-keyservers.net, then default to
- * Kristian's certificate authority: */
- if (!tls_ca_certlist && is_hkps_pool)
+ /* If we are looking for the hkps pool from sks-keyservers.net,
+ * then forcefully use its dedicated certificate authority. */
+ if (is_hkps_pool)
{
char *pemname = make_filename_try (gnupg_datadir (),
"sks-keyservers.netCA.pem", NULL);
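Review bot: The new comment should spell out the security consequence of forcing the pool CA, since the later hunks in this file deliberately skip both the HKP-configured list and the "other configured" list for `is_hkps_pool`: the dedicated certificate now acts as a pin that an operator cannot override via the CA options, and if the PEM file cannot be loaded the session presumably ends up with no trust anchors at all (fail-closed, but the cause is only visible in the log). I would extend the comment to `* then forcefully use its dedicated certificate authority.  Configured` / `* and system CAs are intentionally NOT added for the pool, so this` / `* certificate is effectively a pin; a load failure leaves no anchors. */`. http_session_new begins before this hunk and continues past it.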
@@ -788,11 +787,12 @@ http_session_new (http_session_t *r_session,
xfree (pemname);
}
- add_system_cas = 0;
+ if (is_hkps_pool)
+ add_system_cas = 0;
}
/* Add configured certificates to the session. */
- if ((flags & HTTP_FLAG_TRUST_DEF))
+ if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
{
for (sl = tls_ca_certlist; sl; sl = sl->next)
{
@@ -803,7 +803,10 @@ http_session_new (http_session_t *r_session,
log_info ("setting CA from file '%s' failed: %s\n",
sl->d, gnutls_strerror (rc));
}
- if (!tls_ca_certlist && !is_hkps_pool)
+
+ /* If HKP trust is requested and there are no HKP certificates
+ * configured, also try the standard system certificates. */
+ if (!tls_ca_certlist)
add_system_cas = 1;
}
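Review bot: The added guard `if (is_hkps_pool) add_system_cas = 0;` appears to be redundant: from the brace structure, the `xfree (pemname); }` above closes the inner else branch and the `}` after the guard closes the `if (is_hkps_pool)` block opened in the previous hunk, so the statement is only ever reached when `is_hkps_pool` is already true. If that reading is right, the original `add_system_cas = 0;` should simply be kept; the enclosing block's opening brace is outside this hunk, so please confirm against the full function. The later `if (!tls_ca_certlist) add_system_cas = 1;` is fine because the surrounding block is now gated on `!is_hkps_pool`.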
@@ -825,7 +828,7 @@ http_session_new (http_session_t *r_session,
}
/* Add other configured certificates to the session. */
- if ((flags & HTTP_FLAG_TRUST_CFG))
+ if ((flags & HTTP_FLAG_TRUST_CFG) && !is_hkps_pool)
{
for (sl = cfg_ca_certlist; sl; sl = sl->next)
{