Diffstat (limited to 'dirmngr')
-rw-r--r--dirmngr/certcache.c11
-rw-r--r--dirmngr/http-ntbtls.c18
-rw-r--r--dirmngr/http.c55
-rw-r--r--dirmngr/server.c16
4 files changed, 53 insertions, 47 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index bee1c44d6..4c2bf121f 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -724,11 +724,12 @@ cert_cache_init (strlist_t hkp_cacerts)
/* Put the special pool certificate into our store. This is
* currently only used with ntbtls. For GnuTLS http_session_new
* unfortunately loads that certificate directly from the file. */
- fname = make_filename_try (gnupg_datadir (),
- "sks-keyservers.netCA.pem", NULL);
- if (fname)
- load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1);
- xfree (fname);
+ /* Disabled for 2.3.2 because the service had to be shutdown. */
+ /* fname = make_filename_try (gnupg_datadir (), */
+ /* "sks-keyservers.netCA.pem", NULL); */
+ /* if (fname) */
+ /* load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1); */
+ /* xfree (fname); */
for (sl = hkp_cacerts; sl; sl = sl->next)
load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0);
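Review bot: The block at L26-L31 is dead code left in comments, and the explanatory comment at L18-L20 still describes the special pool certificate as if it were being loaded; delete the commented-out lines and rewrite the comment, e.g. `/* The sks-keyservers.net HKPS pool and its dedicated CA (CERTTRUST_CLASS_HKPSPOOL) are no longer loaded here since 2.3.2 because the service has shut down; only the configured hkp-cacerts are added. */`. The `fname` variable this code used is declared outside the hunk — if nothing else in cert_cache_init assigns it, it is now an unused local that warns with -Wall and should go too. It is worth confirming that no other caller still depends on CERTTRUST_CLASS_HKPSPOOL entries being present; from this hunk alone nothing populates that class any more. cert_cache_init continues outside the hunk.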
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index ae5cf5519..2191acb60 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -47,7 +47,7 @@ gnupg_http_tls_verify_cb (void *opaque,
ksba_cert_t cert;
ksba_cert_t hostcert = NULL;
unsigned int validate_flags;
- const char *hostname;
+ /* const char *hostname; */
(void)http;
(void)session;
@@ -81,14 +81,16 @@ gnupg_http_tls_verify_cb (void *opaque,
* certificate. Note that this differes from the GnuTLS
* implementation which uses this special certificate only if no
* other certificates are configured. */
- hostname = ntbtls_get_hostname (tls);
- if (hostname
- && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
- {
- validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
- }
- else /* Use the certificates as requested from the HTTP module. */
+ /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
+ /* hostname = ntbtls_get_hostname (tls); */
+ /* if (hostname */
+ /* && !ascii_strcasecmp (hostname, get_default_keyserver (1))) */
+ /* { */
+ /* validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; */
+ /* } */
+ /* else */
{
+ /* Use the certificates as requested from the HTTP module. */
if ((http_flags & HTTP_FLAG_TRUST_CFG))
validate_flags |= VALIDATE_FLAG_TRUST_CONFIG;
if ((http_flags & HTTP_FLAG_TRUST_DEF))
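Review bot: Commenting out the `else` at L64 but keeping its braces leaves a bare compound statement at L65 with no condition, which reads as if a control statement went missing; drop the braces along with the commented-out block at L57-L64 and let the `HTTP_FLAG_TRUST_*` mapping run unconditionally (the `/* const char *hostname; */` at L43 can go for the same reason). The comment at L57 has a transposed phrase, `to due problems`, and the longer comment at L46-L49 still explains the sks-keyservers special case; replace both with one sentence such as `/* Since 2.3.2 the default keyserver gets no special trust class; validate with exactly the trust sources the HTTP module requested. */`. The security effect is that TLS to the default keyserver is now validated only against the configured or system CAs selected by `http_flags`, so those flags must be set by the caller for the new default host — the callers are not visible here. gnupg_http_tls_verify_cb continues outside the hunk.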
diff --git a/dirmngr/http.c b/dirmngr/http.c
index dc1873448..73606c01c 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -761,35 +761,38 @@ http_session_new (http_session_t *r_session,
goto leave;
}
- is_hkps_pool = (intended_hostname
- && !ascii_strcasecmp (intended_hostname,
- get_default_keyserver (1)));
+ /* Disabled for 2.3.2 to due problems with the standard hkps pool. */
+ /* is_hkps_pool = (intended_hostname */
+ /* && !ascii_strcasecmp (intended_hostname, */
+ /* get_default_keyserver (1))); */
+ is_hkps_pool = 0;
/* If we are looking for the hkps pool from sks-keyservers.net,
* then forcefully use its dedicated certificate authority. */
- if (is_hkps_pool)
- {
- char *pemname = make_filename_try (gnupg_datadir (),
- "sks-keyservers.netCA.pem", NULL);
- if (!pemname)
- {
- err = gpg_error_from_syserror ();
- log_error ("setting CA from file '%s' failed: %s\n",
- pemname, gpg_strerror (err));
- }
- else
- {
- rc = gnutls_certificate_set_x509_trust_file
- (sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
- if (rc < 0)
- log_info ("setting CA from file '%s' failed: %s\n",
- pemname, gnutls_strerror (rc));
- xfree (pemname);
- }
-
- if (is_hkps_pool)
- add_system_cas = 0;
- }
+ /* Disabled for 2.3.2 because the service had to be shutdown. */
+ /* if (is_hkps_pool) */
+ /* { */
+ /* char *pemname = make_filename_try (gnupg_datadir (), */
+ /* "sks-keyservers.netCA.pem", NULL); */
+ /* if (!pemname) */
+ /* { */
+ /* err = gpg_error_from_syserror (); */
+ /* log_error ("setting CA from file '%s' failed: %s\n", */
+ /* pemname, gpg_strerror (err)); */
+ /* } */
+ /* else */
+ /* { */
+ /* rc = gnutls_certificate_set_x509_trust_file */
+ /* (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); */
+ /* if (rc < 0) */
+ /* log_info ("setting CA from file '%s' failed: %s\n", */
+ /* pemname, gnutls_strerror (rc)); */
+ /* xfree (pemname); */
+ /* } */
+ /* */
+ /* if (is_hkps_pool) */
+ /* add_system_cas = 0; */
+ /* } */
/* Add configured certificates to the session. */
if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
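Review bot: With `is_hkps_pool = 0;` hard-coded at L84, the `&& !is_hkps_pool` at L135 (and presumably the later `add_system_cas` logic, outside the hunk) is dead, and the comment at L85-L86 now describes code that no longer runs; simplify the conditions to `if ((flags & HTTP_FLAG_TRUST_DEF))` and replace the stale comment and the commented-out block at L80-L83 and L110-L133 with `/* The sks-keyservers.net HKPS pool and its dedicated CA are gone since 2.3.2; the default keyserver is validated with the same trust sources as any other host. */`. If `intended_hostname` is no longer read anywhere else in http_session_new it becomes an unused parameter, which is worth a `(void)intended_hostname;` or a check of the callers. The practical consequence is that the GnuTLS path now trusts the new default keyserver only through `HTTP_FLAG_TRUST_DEF`/system CAs, so the callers that previously relied on the forced pool CA need to request those. The comment at L80 also has `to due problems` for `due to problems`.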
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 2880dcb47..ced92de21 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -2138,22 +2138,22 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
*/
if (!strcmp (uri, "hkps://keys.gnupg.net")
|| !strcmp (uri, "keys.gnupg.net"))
- uri = "hkps://hkps.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "https://keys.gnupg.net"))
- uri = "https://hkps.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "hkp://keys.gnupg.net"))
- uri = "hkp://hkps.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl";
else if (!strcmp (uri, "http://keys.gnupg.net"))
- uri = "http://hkps.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl:80";
else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
|| !strcmp (uri, "http-keys.gnupg.net"))
- uri = "hkps://ha.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "https://http-keys.gnupg.net"))
- uri = "https://ha.pool.sks-keyservers.net";
+ uri = "hkps://keyserver.ubuntu.com";
else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
- uri = "hkp://ha.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl";
else if (!strcmp (uri, "http://http-keys.gnupg.net"))
- uri = "http://ha.pool.sks-keyservers.net";
+ uri = "hkp://pgp.surf.nl:80";
item = xtrymalloc (sizeof *item + strlen (uri));
if (!item)
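Review bot: The two `https://` aliases at L146-L148 and L159-L161 are now rewritten to `hkps://` targets, whereas the old code preserved the caller's scheme; if dirmngr handles both schemes identically this is harmless, but otherwise `https://keyserver.ubuntu.com` would keep the prior behaviour, so it is worth confirming. The comment that closes at L141, outside the hunk, presumably still explains these aliases in terms of the sks-keyservers pools and should name the new servers. Stylistically, ten string comparisons now collapse onto three distinct targets; a lookup table makes the alias-to-server mapping visible at a glance and turns retiring or adding a server into a one-line change (the table can move to file scope if the project avoids mid-block declarations). make_keyserver_item continues outside the hunk.
```c
  /* Map the retired keys.gnupg.net aliases onto their replacement servers. */
  static const struct { const char *alias; const char *target; } aliases[] = {
    { "hkps://keys.gnupg.net",       "hkps://keyserver.ubuntu.com" },
    { "keys.gnupg.net",              "hkps://keyserver.ubuntu.com" },
    { "https://keys.gnupg.net",      "hkps://keyserver.ubuntu.com" },
    { "hkp://keys.gnupg.net",        "hkp://pgp.surf.nl" },
    { "http://keys.gnupg.net",       "hkp://pgp.surf.nl:80" },
    { "hkps://http-keys.gnupg.net",  "hkps://keyserver.ubuntu.com" },
    { "http-keys.gnupg.net",         "hkps://keyserver.ubuntu.com" },
    { "https://http-keys.gnupg.net", "hkps://keyserver.ubuntu.com" },
    { "hkp://http-keys.gnupg.net",   "hkp://pgp.surf.nl" },
    { "http://http-keys.gnupg.net",  "hkp://pgp.surf.nl:80" },
  };
  size_t i;

  for (i = 0; i < sizeof aliases / sizeof aliases[0]; i++)
    if (!strcmp (uri, aliases[i].alias))
      {
        uri = aliases[i].target;
        break;
      }
  /* … unchanged: item allocation … */
```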