sks-devel

Re: [Sks-devel] sks-keyservers.net New HKPS subpool added


From: Phil Pennock
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 8 Oct 2012 12:15:32 -0700

On 2012-10-08 at 19:44 +0200, Kristian Fiskerstrand wrote:
> Ok, I think I'm getting closer to having a working setup for a CA here
> using subjectAltNames for hkps.pool.sks-keyservers.net
> 
> The current CA cert is available at [0] and I only currently sign
> https://keys.kfwebs.net:11375 and https://keys2.kfwebs.net.

Note for testing: GnuPG will use SRV records for the hkps: URL scheme,
which may override some local DNS overrides data, but will not use SRV
for the https: scheme.

The below is an example of a test against one of the existing servers,
since it's useful to test something which is supposed to work, before
trying to make your additional configuration work; I now _maybe_ have a
known-good state to try to work towards.

Kristian: this appears to be the same certificate as is presented if I
use {{ --keyserver keys2.kfwebs.net }}.  Is there a way to confirm that
gpgkeys_hkps/curl are playing together nicely and setting
serverNameIndication in the TLS negotiation?

----------------------------8< cut here >8------------------------------
% unbound-control local_data hkps.pool.sks-keyservers.net A 84.215.15.221
ok

~/.gnupg/gpg.conf:
  keyserver https://hkps.pool.sks-keyservers.net
  keyserver-options verbose,ca-cert-file=/home/phil/.gnupg/CA/sks-keyservers.netCA.pem

Then:
% gpg --keyserver-options debug --refresh-key $gpg_key
gpg: refreshing 1 key from https://hkps.pool.sks-keyservers.net
gpg: requesting key 0x403043153903637F from https server hkps.pool.sks-keyservers.net
gpgkeys: curl version = libcurl/7.24.0 OpenSSL/1.0.1c zlib/1.2.3 libidn/1.22 libssh2/1.4.1 librtmp/2.3
Scheme:         https
Host:           hkps.pool.sks-keyservers.net
Path:           /
Command:        GET
* About to connect() to hkps.pool.sks-keyservers.net port 443 (#0)
*   Trying 84.215.15.221...
* connected
* Connected to hkps.pool.sks-keyservers.net (84.215.15.221) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /home/pdp/.gnupg/CA/sks-keyservers.netCA.pem
  CApath: none
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=NO; ST=Oslo; O=keys2.kfwebs.net; CN=keys2.kfwebs.net
*        start date: 2012-10-08 17:38:36 GMT
*        expire date: 2013-10-08 17:38:36 GMT
*        subjectAltName: hkps.pool.sks-keyservers.net matched
*        issuer: C=NO; ST=Oslo; O=sks-keyservers.net CA; CN=sks-keyservers.net CA
*        SSL certificate verify ok.
> GET / HTTP/1.1
[...]
----------------------------8< cut here >8------------------------------

Attachment: pgp3yIxae_hG8.pgp
Description: PGP signature
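The two things the test above relies on, a client that sends the pool name as SNI and a certificate whose subjectAltName (not its subject CN) covers that pool name, can be checked without GnuPG in the loop. The following is an added example, not code from the sks-devel thread or from SKS/GnuPG: the certificate dict is constructed to mirror the fields curl printed (subject CN=keys2.kfwebs.net, SAN hkps.pool.sks-keyservers.net) in the shape Python's `ssl.getpeercert()` returns, the matching rules follow RFC 6125 (DNS SANs take precedence; CN is only a fallback when no DNS SAN is present; one wildcard as the whole leftmost label), and the CA file path is a placeholder.

```python
"""Hostname verification against a keyserver certificate's subjectAltName, plus
a helper that opens the TLS connection with SNI and hostname checking enabled.
Added example; not part of the original sks-devel post."""
import socket
import ssl
from typing import Optional

# Constructed from the fields in the curl log above: subject CN is the member
# host, subjectAltName carries the pool name. Other SAN entries are unknown
# here, so only the one curl reported as matched is included.
POOL_MEMBER_CERT = {
    "subject": (
        (("countryName", "NO"),),
        (("stateOrProvinceName", "Oslo"),),
        (("organizationName", "keys2.kfwebs.net"),),
        (("commonName", "keys2.kfwebs.net"),),
    ),
    "subjectAltName": (("DNS", "hkps.pool.sks-keyservers.net"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    a wildcard only as the entire leftmost label of a name with 3+ labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # rejects "*.net", "k*.example", and multi-level matches
    return p_labels[1:] == h_labels[1:]


def matched_san(cert: dict, hostname: str) -> Optional[str]:
    """Return the DNS SAN that covers hostname (what curl prints as
    'subjectAltName: ... matched'), or None."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and _dns_name_matches(value, hostname):
            return value
    return None


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname. When any DNS SAN is
    present the subject CN is ignored, so a pool certificate issued to
    keys2.kfwebs.net with SAN hkps.pool.sks-keyservers.net is valid for the
    pool name but NOT for the member name unless that is listed as a SAN too."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return matched_san(cert, hostname) is not None
    for rdn in cert.get("subject", ()):          # legacy CN fallback only
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def open_hkps(pool_host: str, port: int = 443,
              cafile: str = "/path/to/sks-keyservers.netCA.pem") -> dict:
    """Connect like a well-behaved HKPS client: the pool name is passed as
    server_hostname, which both sends it as the TLS SNI extension and makes
    the library verify the certificate against it (the question raised about
    gpgkeys_hkps/curl above). Requires network; cafile is a placeholder."""
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname=True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((pool_host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=pool_host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("hkps.pool.sks-keyservers.net", "keys2.kfwebs.net"):
        print(name, "->", matched_san(POOL_MEMBER_CERT, name))
```

Because `server_hostname` drives both SNI and verification, a client that omits it on a pool address would either fail verification or, worse, be handed whatever default certificate the member serves; comparing the printed `subjectAltName: ... matched` line against the name you asked for is the quick way to confirm the two are in agreement.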

