
Re: [Sks-devel] Keyserver operators with reverse proxies: read this please


From: John Clizbe
Subject: Re: [Sks-devel] Keyserver operators with reverse proxies: read this please
Date: Sat, 02 Mar 2013 13:38:47 -0600
User-agent: Mozilla/5.0 (X11; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0 SeaMonkey/2.16

Phil Pennock wrote:
> Folks,
> 
> We now have two separate issues affecting SKS (and GnuKS) keyservers
> which have nginx or Apache in front of them, affecting interop
> compatibility with various versions of GnuPG (and other clients) as
> deployed.
> 
> Even as changed clients roll out, we can expect to see clients which
> have issues for years to come.  We need keyservers to also work around
> these issues.
> 
> I have updated
> <https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering> already.
> 
> 
> Apache
> ------
> 
> By default, breaks all clients which use a real libcurl, blocking their
> ability to POST (--send-key) to the server.  The clients set an "Expect:
> 100-continue" HTTP/1.1 header and unfortunately Apache actually
> implements the part of the HTTP specification (RFC2616) which says that
> a HTTP/1.1 proxy should issue a "417 Expectation Failed" response if it
> would pass onto an HTTP/1.0 server.
> 
> I strongly suspect that this:
> 
>     RequestHeader unset Expect early
> 
> will fix Apache configurations, but need someone using Apache to confirm
> it.  You also need the mod_headers module loaded.  The version in the
> wiki wraps that in an IfModule guard, but we should look at making sure
> that works and then encourage people to make it a hard failure if the
> directive is not available.
> 
> You can test the fix by using a GnuPG built against libcurl (*not*
> curl-shim) and try to --send-key your own key to your keyserver:
> 
>   gpg2 -v --keyserver-options verbose,debug --keyserver YOURSERVER --send-key YOURKEY
> 
> This currently fails reproducibly, every time, for an Apache server.  If
> it stops failing with the "RequestHeader unset Expect early" directive,
> you know you've fixed it.  Please let us know if this works or not!
> Feedback is needed.

Sorry Phil,

Does not appear to be failing. I have not added the "RequestHeader unset
Expect early" directive you suggest. Perhaps this is sensitive to particular
releases of Apache?

> bash-4.2# gpg2 -v --keyserver-options verbose,debug --keyserver keyserver.gingerbear.net --send-key 0x608d2a10
> gpg: compacting user ID "Furr Bear <address@hidden>" on key 608D2A10: revoked
> gpg: compacting user ID "Furr Bear <address@hidden>" on key 608D2A10: revoked
> gpg: compacting user ID "John P. Clizbe <address@hidden>" on key 608D2A10: revoked
> gpg: compacting user ID "John P. Clizbe <address@hidden>" on key 608D2A10: revoked
> gpg: sending key 608D2A10 to hkp server keyserver.gingerbear.net
> gpgkeys: curl version = libcurl/7.29.0 OpenSSL/1.0.1c zlib/1.2.6 libidn/1.25
> * About to connect() to keyserver.gingerbear.net port 11371 (#0)
> *   Trying 173.175.198.28...
> * Connected to keyserver.gingerbear.net (173.175.198.28) port 11371 (#0)
> > POST /pks/add HTTP/1.1
> Host: keyserver.gingerbear.net:11371
> Accept: */*
> Pragma: no-cache
> Cache-Control: no-cache
> Content-Length: 24075
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
> < HTTP/1.1 100 Continue
> < HTTP/1.1 200 OK
> < Date: Sat, 02 Mar 2013 19:29:01 GMT
> < Server: Apache/2.4.2 (Unix)
> < Cache-Control: no-cache
> < Pragma: no-cache
> < Expires: 0
> < Content-length: 129
> < X-HKP-Results-Count: 1
> < Content-type: text/html; charset=UTF-8
> < Via: 1.1 keyserver.gingerbear.net:11371
> < 
> * Connection #0 to host keyserver.gingerbear.net left intact
> bash-4.2# gpg2 -v --keyserver-options verbose,debug --keyserver sks.keyservers.net --send-key 0x608d2a10
> gpg: compacting user ID "Furr Bear <address@hidden>" on key 608D2A10: revoked
> gpg: compacting user ID "Furr Bear <address@hidden>" on key 608D2A10: revoked
> gpg: compacting user ID "John P. Clizbe <address@hidden>" on key 608D2A10: revoked
> gpg: compacting user ID "John P. Clizbe <address@hidden>" on key 608D2A10: revoked
> gpg: sending key 608D2A10 to hkp server sks.keyservers.net
> gpgkeys: curl version = libcurl/7.29.0 OpenSSL/1.0.1c zlib/1.2.6 libidn/1.25
> * About to connect() to sks.keyservers.net port 11371 (#0)
> *   Trying 108.86.73.186...
> * Connected to sks.keyservers.net (108.86.73.186) port 11371 (#0)
> > POST /pks/add HTTP/1.1
> Host: sks.keyservers.net:11371
> Accept: */*
> Pragma: no-cache
> Cache-Control: no-cache
> Content-Length: 24075
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
> < HTTP/1.1 100 Continue
> < HTTP/1.1 200 OK
> < Date: Sat, 02 Mar 2013 19:29:08 GMT
> < Server: Apache/2.4.2 (Unix)
> < Cache-Control: no-cache
> < Pragma: no-cache
> < Expires: 0
> < Content-length: 129
> < X-HKP-Results-Count: 1
> < Content-type: text/html; charset=UTF-8
> < Via: 1.1 sks.keyservers.net:11371
> < 
> * Connection #0 to host sks.keyservers.net left intact

Apache on both servers is
> bash-4.2# ls /var/log/packages/httpd*
> /var/log/packages/httpd-2.4.3-i486-1
> bash-4.2# 

Configs and software on both should be identical except for server names.

-John

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:address@hidden

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
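Added example (not from this thread and not SKS project code): a small Python probe that does what Phil's gpg2 --send-key test does, but over a raw socket, so the result does not depend on whether GnuPG was built against libcurl or curl-shim. It sends a POST with "Expect: 100-continue", waits for the interim reply, and reports the status sequence it saw: [100, 200] means the front end forwards the expectation and accepts the key, [417] is the Apache default behaviour Phil describes, and a bare [200] is an HTTP/1.0-style backend that ignores Expect, which libcurl copes with by sending the body anyway after a short wait. A constructed test double (_FrontEnd) imitates all three behaviours so the script runs offline; the function and class names, the constructed body and reply text, and the 1 second interim wait are assumptions of this example, while /pks/add is the HKP path seen in the traces above.

```python
"""Probe how a keyserver front end answers a POST carrying "Expect: 100-continue".
Added example, not code from the sks-devel thread or SKS.  Raw-socket HTTP/1.1 client
plus a constructed test double (_FrontEnd) so it runs offline; names are assumptions."""
import contextlib
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def _read_head(sock):
    """Read one status line plus headers; return the numeric status, None on EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return int(buf.split(b"\r\n", 1)[0].split(b" ", 2)[1]) if buf else None


def probe_expect(host, port, path="/pks/add", body=b"keytext=constructed", interim_wait=1.0):
    """POST with Expect: 100-continue; return the status codes seen, in order.
    [100, 200] expectation forwarded, key accepted; [417] rejected (Apache's default
    per the thread); [200] no interim reply, body sent after interim_wait seconds,
    which is libcurl's fallback against a plain HTTP/1.0 backend."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nExpect: 100-continue\r\n"
            "Connection: close\r\n\r\n").encode()
    seen = []
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(head)
        s.settimeout(interim_wait)              # how long to wait for "100 Continue"
        try:
            status = _read_head(s)
        except socket.timeout:
            status = None                       # server silently waits for the body
        if status not in (100, None):
            seen.append(status)                 # final answer before any body, e.g. 417
        else:
            if status == 100:
                seen.append(100)
            s.sendall(body)                     # after 100, or as the libcurl-style fallback
            seen.append(_read_head(s))
        with contextlib.suppress(OSError):      # drain so the server sees an orderly close
            while s.recv(4096):
                pass
    return seen


def classify(seen):
    """Operator-facing verdict for a sequence returned by probe_expect()."""
    if seen[:1] == [417]:
        return "front end rejects Expect: unset the Expect header at the proxy"
    if seen[:1] == [100] and seen[-1] in range(200, 300):
        return "front end forwards Expect: libcurl clients can --send-key"
    if len(seen) == 1 and seen[0] in range(200, 300):
        return "no interim response: clients succeed only after a delay"
    return f"unexpected sequence {seen}"


class _FrontEnd(BaseHTTPRequestHandler):
    # Constructed stand-in for proxy plus keyserver; `mode` selects the behaviour.
    protocol_version = "HTTP/1.1"
    mode = "pass"

    def handle_expect_100(self):
        if self.mode == "reject":               # the RFC 2616 rule Phil describes
            self.send_response(417, "Expectation Failed")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return False                        # stop here; the body is never read
        return super().handle_expect_100()      # sends "100 Continue"

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        reply = b"Key block added to key server database.\n"   # constructed text
        self.send_response(200)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):               # keep the example quiet
        pass


def start_front_end(mode):
    # "ignore" imitates a bare HTTP/1.0 backend: the Expect header is never acted upon
    proto = "HTTP/1.0" if mode == "ignore" else "HTTP/1.1"
    handler = type("FrontEnd", (_FrontEnd,), {"mode": mode, "protocol_version": proto})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe each constructed behaviour once; returns {mode: statuses}."""
    results = {}
    for mode in ("pass", "reject", "ignore"):
        srv = start_front_end(mode)
        results[mode] = probe_expect("127.0.0.1", srv.server_address[1])
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for mode, seen in demo().items():
        print(f"{mode:7s} {seen} -> {classify(seen)}")
```

Run as a script it prints one line per constructed mode. Against a live front end, call probe_expect("your.keyserver.example", 11371) and pass the result to classify(); a [417] means the proxy still needs the Expect header removed, and [100, 200] matches the successful traces quoted above.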