diff options
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | dirmngr/ks-engine-hkp.c | 2 | ||||
| -rw-r--r-- | dirmngr/server.c | 32 |
3 files changed, 36 insertions, 1 deletions
@@ -19,6 +19,9 @@ Noteworthy changes in version 2.2.7 (unreleased) * dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL caches under Windows. [#2448,#3923] + * dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed + mapping of keys.gnupg.net to sks-keyservers.net. [#3755] + Noteworthy changes in version 2.2.6 (2018-04-09) ------------------------------------------------ diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index a9bb93666..eba7a1a48 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -583,7 +583,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, /* Deal with the pool name before selecting a host. */ if (r_httphost) { - *r_httphost = xtrystrdup (hi->cname? hi->cname : hi->name); + *r_httphost = xtrystrdup (hi->name); if (!*r_httphost) return gpg_error_from_syserror (); } diff --git a/dirmngr/server.c b/dirmngr/server.c index 8a0b940ce..b7cdb24c9 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -1997,6 +1997,38 @@ make_keyserver_item (const char *uri, uri_item_t *r_item) uri_item_t item; *r_item = NULL; + + /* We used to have DNS CNAME redirection from the URLs below to + * sks-keyserver. pools. The idea was to allow for a quick way to + * switch to a different set of pools. The problem with that + * approach is that TLS needs to verify the hostname and - because + * DNS is not secured - it can only check the user supplied hostname + * and not a hostname from a CNAME RR. Thus the final server all + * need to have certificates with the actual pool name as well as + * for keys.gnupg.net - that would render the advantage of + * keys.gnupg.net useless and so we better give up on this. Because + * the keys.gnupg.net URL are still in widespread use we do a static + * mapping here. + */ + if (!strcmp (uri, "hkps://keys.gnupg.net") + || !strcmp (uri, "keys.gnupg.net")) + uri = "hkps://hkps.pool.sks-keyservers.net"; + else if (!strcmp (uri, "https://keys.gnupg.net")) + uri = "https://hkps.pool.sks-keyservers.net"; + else if (!strcmp (uri, "hkp://keys.gnupg.net")) + uri = "hkp://hkps.pool.sks-keyservers.net"; + else if (!strcmp (uri, "http://keys.gnupg.net")) + uri = "http://hkps.pool.sks-keyservers.net"; + else if (!strcmp (uri, "hkps://http-keys.gnupg.net") + || !strcmp (uri, "http-keys.gnupg.net")) + uri = "hkps://ha.pool.sks-keyservers.net"; + else if (!strcmp (uri, "https://http-keys.gnupg.net")) + uri = "https://ha.pool.sks-keyservers.net"; + else if (!strcmp (uri, "hkp://http-keys.gnupg.net")) + uri = "hkp://ha.pool.sks-keyservers.net"; + else if (!strcmp (uri, "http://http-keys.gnupg.net")) + uri = "http://ha.pool.sks-keyservers.net"; + item = xtrymalloc (sizeof *item + strlen (uri)); if (!item) return gpg_error_from_syserror (); |