Re: [Sks-devel] hkps pool

[Daniel Austin]

Hi Kristian,

On 25/06/2013 21:41, Kristian Fiskerstrand wrote:
> On 06/25/2013 10:25 PM, Daniel Austin wrote:
> > Hi Kristian,
> >
> > On 25/06/2013 21:18, Kristian Fiskerstrand wrote:
> > > On 06/25/2013 10:01 PM, Daniel Austin wrote:
> > > > Hi Kristian,
>
> ..
>
> address@hidden:~ # gpg2 --version
> > gpg (GnuPG) 2.0.20 libgcrypt 1.5.2 Copyright (C) 2013 Free Software
> > Foundation, Inc.
>
> ...
>
> > As far as i'm aware my libcurl and openssl versions should support
> > SNI
> >
> > If I re-run the command several times, it works when it hits a
> > non-SNI certificate.
>
> To try to limit possible causes, do you experience the same issue with
> 2.0.19 ?

If it helps... running openssl with -servername to trigger SNI also 
comes back that a few hosts in the pool are not returning the correct CA 
signed cert.

using the following command:

openssl s_client -servername hkps.pool.sks-keyservers.net -connect IP:443

I've also had someone else to test it for me from a Linux server to make 
sure it's not just local to my FreeBSD installation.

My curl version is 7.24.0, his is 7.28.1
testing with curl alone (not via gpg) also gives the same incorrect cert.


Using SNI, the following hosts still returned the wrong cert:

198.82.169.69 issuer=/CN=Virginia Tech Global Server CA/OU=Global Server 
CA/O=Virginia Tech/C=US

66.16.6.88 issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert 
Class 3 Root

2001:470:7:6ad::2 issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert 
Signing Authority/address@hidden

2001:468:c80:210f:0:162:701c:c917 issuer=/CN=Virginia Tech Global Server 
CA/OU=Global Server CA/O=Virginia Tech/C=US

2001:470:e232:132:209:6bff:feb7:e69 issuer=/O=CAcert 
Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root



Thanks,

Daniel.