author | Werner Koch <[email protected]> | 2018-04-26 10:28:53 +0000 |
committer | Werner Koch <[email protected]> | 2018-04-26 10:28:53 +0000 |
commit | cc66108253c58583d6bad3d1e2da2b004701d0f0 (patch) | |
tree | bfe4972f1e4d35a51c82ccb0dfa5c1a8375e124b | |
parent | dirmngr: Add the used TLS library to the debug output. (diff) | |
dirmngr: Fix handling of CNAMEed keyserver pools.
* dirmngr/ks-engine-hkp.c (map_host): Don't use the cname for HTTPHOST.
* dirmngr/server.c (make_keyserver_item): Map keys.gnupg.net.
--
For a description of the problem see the comment in
make_keyserver_item.
GnuPG-bug-id: 3755
Signed-off-by: Werner Koch <[email protected]>
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | dirmngr/ks-engine-hkp.c | 2 | ||||
-rw-r--r-- | dirmngr/server.c | 32 |
3 files changed, 36 insertions, 1 deletions
@@ -19,6 +19,9 @@ Noteworthy changes in version 2.2.7 (unreleased)
 * dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL caches under Windows. [#2448,#3923]
+ * dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
+ mapping of keys.gnupg.net to sks-keyservers.net. [#3755]
+
 Noteworthy changes in version 2.2.6 (2018-04-09)
 ------------------------------------------------
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index a9bb93666..eba7a1a48 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -583,7 +583,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
 /* Deal with the pool name before selecting a host. */
 if (r_httphost)
 {
- *r_httphost = xtrystrdup (hi->cname? hi->cname : hi->name);
+ *r_httphost = xtrystrdup (hi->name);
 if (!*r_httphost)
 return gpg_error_from_syserror ();
 }
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 8a0b940ce..b7cdb24c9 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
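Review bot: The new `*r_httphost = xtrystrdup (hi->name);` deliberately stops using the CNAME target, but the comment above it, `Deal with the pool name before selecting a host.`, still gives no reason, so the next maintainer may well reintroduce `hi->cname` for the sake of the "real" host name. Suggest extending it to `/* Deal with the pool name before selecting a host.  Use the user supplied name, never the CNAME target: DNS is not authenticated, so TLS host verification has to be done against the name the user configured.  */`. map_host begins and continues outside this hunk, so whether hi->cname still feeds any other consumer cannot be checked from here.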
@@ -1997,6 +1997,38 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
 uri_item_t item;
 *r_item = NULL;
+
+ /* We used to have DNS CNAME redirection from the URLs below to
+ * sks-keyserver. pools. The idea was to allow for a quick way to
+ * switch to a different set of pools. The problem with that
+ * approach is that TLS needs to verify the hostname and - because
+ * DNS is not secured - it can only check the user supplied hostname
+ * and not a hostname from a CNAME RR. Thus the final server all
+ * need to have certificates with the actual pool name as well as
+ * for keys.gnupg.net - that would render the advantage of
+ * keys.gnupg.net useless and so we better give up on this. Because
+ * the keys.gnupg.net URL are still in widespread use we do a static
+ * mapping here.
+ */
+ if (!strcmp (uri, "hkps://keys.gnupg.net")
+ || !strcmp (uri, "keys.gnupg.net"))
+ uri = "hkps://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "https://keys.gnupg.net"))
+ uri = "https://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkp://keys.gnupg.net"))
+ uri = "hkp://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "http://keys.gnupg.net"))
+ uri = "http://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
+ || !strcmp (uri, "http-keys.gnupg.net"))
+ uri = "hkps://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "https://http-keys.gnupg.net"))
+ uri = "https://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
+ uri = "hkp://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "http://http-keys.gnupg.net"))
+ uri = "http://ha.pool.sks-keyservers.net";
+
 item = xtrymalloc (sizeof *item + strlen (uri));
 if (!item)
 return gpg_error_from_syserror (); |
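Review bot: The new mapping in make_keyserver_item is an exact `strcmp` on the whole URI, so a configured `hkps://keys.gnupg.net/`, `HKPS://keys.gnupg.net` or a variant with an explicit port is not remapped and keeps going through the CNAME path the commit message says should be abandoned; whether the URI is normalised before it reaches this point cannot be seen here, since the rest of the function lies outside the hunk. If no normalisation happens upstream, either a scheme-and-host comparison or a sentence in the new comment stating the limitation, e.g. `* Note that this is an exact match; any other spelling of these URLs is not remapped.`, would keep operators from relying on it. The comment itself has a few slips worth fixing in the same pass: `sks-keyserver. pools` should read `sks-keyservers.net pools`, `the final server all need` should be `the final servers all need`, and `the keys.gnupg.net URL are` should be `URLs are`. The eight-branch strcmp chain would also read more easily as a small static table of from/to pairs scanned in a loop.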