
Re: [Sks-devel] sks-keyservers.net New HKPS subpool added


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 08 Oct 2012 21:32:40 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1

On 10/08/2012 09:15 PM, Phil Pennock wrote:
> On 2012-10-08 at 19:44 +0200, Kristian Fiskerstrand wrote:
>> Ok, I think I'm getting closer to having a working setup for a CA here
>> using subjectAltNames for hkps.pool.sks-keyservers.net
>>
>> The current CA cert is available at [0] and I only currently sign
>> https://keys.kfwebs.net:11375 and https://keys2.kfwebs.net.
> 
> Note for testing: GnuPG will use SRV records for the hkps: URL scheme,
> which may override some local DNS overrides data, but will not use SRV
> for the https: scheme.
> 
> The below is an example of a test against one of the existing servers,
> since it's useful to test something which is supposed to work, before
> trying to make your additional configuration work; I now _maybe_ have a
> known-good state to try to work towards.
> 
> Kristian: this appears to be the same certificate as is presented if I
> use {{ --keyserver keys2.kfwebs.net }}.  Is there a way to confirm that
> gpgkeys_hkps/curl are playing together nicely and setting
> serverNameIndication in the TLS negotiation?

Hi Phil,

The certificate presented by keys2.kfwebs.net should be a chained
certificate containing both the CA itself and the individual cert for
keys2.kfwebs.net. I'm not entirely sure that this is fully required, but
at least it works for me :)

Upon signing the keys2.kfwebs.net certificate I add a subjectAltName for
hkps.pool.sks-keyservers.net, which is the one that is matched here, as
indicated by
*        subjectAltName: hkps.pool.sks-keyservers.net matched

then
*        issuer: C=NO; ST=Oslo; O=sks-keyservers.net CA; CN=sks-keyservers.net CA
refers to the CA you specified in
*   CAfile: /home/pdp/.gnupg/CA/sks-keyservers.netCA.pem

If the names didn't play well together you should get an error message,
as shown in #Snippet 1#, where I created an entry for
keys2-test.kfwebs.net in my /etc/hosts (I've also added it to the DNS
server, but this will take some time to become active).

##
Snippet 1
##
address@hidden:~$ /usr/bin/gpg2 --keyserver-options ca-cert-file=/home/kristianf/Tmp/sks-keyservers.netCA.pem,verbose,debug --keyserver https://keys2-test.kfwebs.net --refresh 0x6b0b9508
gpg: refreshing 1 key from https://keys2-test.kfwebs.net
gpg: requesting key 16E0CF8D6B0B9508 from https server keys2-test.kfwebs.net
gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Scheme:         https
Host:           keys2-test.kfwebs.net
Path:           /
Command:        GET
* About to connect() to keys2-test.kfwebs.net port 443 (#0)
*   Trying 192.168.0.33... * connected
* found 1 certificates in /home/kristianf/Tmp/sks-keyservers.netCA.pem
*        server certificate verification OK
* SSL: certificate subject name (keys2.kfwebs.net) does not match target host name 'keys2-test.kfwebs.net'
* Closing connection #0
gpgkeys: https fetch error 51: SSL: certificate subject name (keys2.kfwebs.net) does not match target host name 'keys2-test.kfwebs.net'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver internal error
gpg: keyserver refresh failed: Keyserver error


-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"Expect the best. Prepare for the worst. Capitalize on what comes."
(Zig Ziglar)
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
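As an added illustration, not code from this thread or from SKS/GnuPG, the name check that curl/GnuTLS performs in Snippet 1, run against a constructed summary of the keys2.kfwebs.net certificate in the dict shape Python's getpeercert() returns (the CN, SAN and issuer values are examples, not a copy of the real certificate). fetch_peer_cert shows the SNI plus private-CA setup that gpg's ca-cert-file option corresponds to; it needs network access and is not exercised offline.

```python
import socket
import ssl

# Constructed summary of the keys2.kfwebs.net certificate as the thread
# describes it (CN keys2.kfwebs.net, a dNSName SAN for the pool, signed by
# the sks-keyservers.net CA), in the dict shape ssl getpeercert() returns.
# Example values only, not a copy of the real certificate.
KEYS2_CERT = {
    "subject": ((("commonName", "keys2.kfwebs.net"),),),
    "issuer": ((("countryName", "NO"),), (("stateOrProvinceName", "Oslo"),),
               (("organizationName", "sks-keyservers.net CA"),),
               (("commonName", "sks-keyservers.net CA"),)),
    "subjectAltName": (("DNS", "keys2.kfwebs.net"),
                       ("DNS", "hkps.pool.sks-keyservers.net")),
}


def _dns_match(pattern, hostname):
    """Case-insensitive exact match, or a single '*' in the leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def hostname_matches(cert, hostname):
    """Return the certificate name that matches hostname, or None.

    Same rule curl/GnuTLS apply in Snippet 1: dNSName SANs are checked, and
    the subject CN is only consulted when the certificate carries no SAN.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return next((n for n in names if _dns_match(n, hostname)), None)


def fetch_peer_cert(host, port, cafile, sni_name=None):
    """Connect with SNI set (server_hostname) and a private CA file, the
    equivalent of gpg's ca-cert-file keyserver option, and return the peer
    certificate. The context verifies the chain and the name itself, so a
    mismatch like Snippet 1's raises ssl.SSLCertVerificationError instead of
    curl's error 51. Needs network access; not called in the offline checks.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name or host) as tls:
            return tls.getpeercert()
```

With the constructed certificate, the pool name and keys2.kfwebs.net both match, while keys2-test.kfwebs.net matches nothing, which is exactly the mismatch Snippet 1 reports.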
