
Re: [Sks-devel] IPv6 and GPG


From: David Shaw
Subject: Re: [Sks-devel] IPv6 and GPG
Date: Tue, 10 Mar 2009 12:52:40 -0400
User-agent: Mutt/1.5.18 (2008-05-17)

On Mon, Mar 09, 2009 at 02:49:52PM -0700, Phil Pennock wrote:
> On 2009-03-09 at 09:19 -0400, David Shaw wrote:
> > What with the recent discussion of IPv6, I'm curious if anyone has  
> > tested GPG against it for key retrieval and submission.  It should  
> > "just work" with the curl backend, but when GPG is built on a system  
> > without curl, an internal HTTP handler is used instead.  I believe  
> > this handler code should work fine as written, but I don't believe the  
> > IPv6 piece of it has been tested extensively.  If someone could give  
> > it a whirl, I'd appreciate it.  To force the use of the internal HTTP  
> > handler even when you do have curl installed, you can build GPG with  
> > "configure --without-libcurl".
> 
> Yes; using gpg was my test case that I had the HKP port stuff working.
> I even mentioned this, but it'll be buried deep in a long post.  The
> keyserver is open for public querying, so anyone can test against it.
> Demos of gpg with curl working are below.  Yes, it just works.  :)

I'm not too surprised it works with curl.  That has been very well
tested against IPv6.  It's the internal handler that hasn't had a lot
of IPv6 testing.

> I don't have time right now to rebuild gpg; I use FreeBSD Ports builds
> though and the options files record that I'm using curl (although ldd
> doesn't report it (static linkage of that lib?) and an objdump of the
> dynamic strings doesn't list anything matching Curl*).

It wouldn't be linked to gpg.  It would be linked to the HKP "helper",
gpgkeys_hkp.  GPG calls a different handler for each keyserver type
(HKP, LDAP, HTTP, etc).

> As a feature
> suggestion, it would be nice if gpg --version reported the optional
> libraries it's linked against (not just libgcrypt).

As it happens, this is actually part of the next release:

$ /usr/local/libexec/gnupg/gpgkeys_hkp --version
gpgkeys_hkp (GnuPG) 1.4.10-svn4878
Uses: libcurl/7.18.2 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18

> Another idea is that on a line like:
>   gpg: requesting key 0x99242560 from hkp server sks.spodhuis.org
> you could follow the hostname with the IP address tried.

This is harder than it seems to do.  Given that most keyserver
addresses round-robin a large set of IPs, there is no way to know
until we're into the HTTP call which IP was chosen.  It would require
quite a bit of plumbing to fetch the IP earlier and then force the
HTTP engine to fetch by IP.  This would also remove any optimizations
that the HTTP engine might apply - such as trying more than one of
multiple IPs until one succeeds.

If you really need to know what IP is being used, add
"keyserver-options debug" to your config file.  That tells the engine
(either curl or the internal engine) to print each IP it tries during
a key operation.

David
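As an added example that is not part of the original thread: two small shell helpers for the checks discussed above, namely reading which HTTP engine the installed gpgkeys_hkp helper was built with from the "Uses:" line of its --version output, and reading which addresses a key fetch actually tried from the output produced by "keyserver-options debug". The sample version banner below is the one quoted in the mail; the sample debug transcript is constructed, and its "*   Trying <addr>..." line shape is an assumption modelled on curl's verbose output (the exact wording depends on the curl version and on whether the internal engine is in use), so adjust the pattern to your build.

```shell
#!/bin/sh
# Added example, not code from GnuPG or the sks-devel thread.
# Helpers to answer "is gpgkeys_hkp using curl?" and "did the fetch go
# over IPv6?" from text that the tools themselves print.

# hkp_engine: read `gpgkeys_hkp --version` on stdin and print
# "libcurl/<ver>" when the helper is linked against curl, otherwise
# "internal" (GnuPG's own HTTP handler, as with --without-libcurl).
hkp_engine() {
    awk '
        /^Uses:/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^libcurl\//) { print $i; found = 1 }
        }
        END { if (!found) print "internal" }'
}

# tried_addrs: read a debug transcript on stdin and print one line per
# address the engine tried, tagged v4 or v6, in order of attempt.
# ASSUMPTION: attempts appear as "*   Trying <addr>..." lines.
tried_addrs() {
    awk '
        /^\*[ \t]*Trying / {
            a = $3; sub(/\.\.\..*$/, "", a)
            print (index(a, ":") ? "v6" : "v4"), a
        }'
}

# first_family: family of the first address tried, or "none" when the
# transcript shows no connection attempts at all.
first_family() {
    fam=$(tried_addrs | awk 'NR == 1 { print $1 }')
    printf '%s\n' "${fam:-none}"
}

# Sample inputs. The version banner is the one quoted in the mail;
# the debug transcript is constructed (documentation addresses only).
SAMPLE_VERSION='gpgkeys_hkp (GnuPG) 1.4.10-svn4878
Uses: libcurl/7.18.2 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18'

SAMPLE_DEBUG='gpg: requesting key 0x99242560 from hkp server sks.spodhuis.org
*   Trying 2001:db8::1...
* Connection refused
*   Trying 192.0.2.10...
* connected'

# Demo against the samples. On a real system replace the samples with:
#   /usr/local/libexec/gnupg/gpgkeys_hkp --version | hkp_engine
#   gpg --keyserver-options debug --recv-keys 0x99242560 2>&1 | tried_addrs
printf 'engine: %s\n' "$(printf '%s\n' "$SAMPLE_VERSION" | hkp_engine)"
printf '%s\n' "$SAMPLE_DEBUG" | tried_addrs
printf 'first attempt: %s\n' "$(printf '%s\n' "$SAMPLE_DEBUG" | first_family)"
```

Because the engine walks the round-robin address set itself, the transcript is the only reliable record of which IP was used; a v6 first attempt followed by a v4 success, as in the sample, is exactly the case where a keyserver's AAAA record is published but its IPv6 listener is not reachable.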



