Re: [Sks-devel] IPv6 and GPG
From: David Shaw
Subject: Re: [Sks-devel] IPv6 and GPG
Date: Tue, 10 Mar 2009 12:52:40 -0400
User-agent: Mutt/1.5.18 (2008-05-17)
On Mon, Mar 09, 2009 at 02:49:52PM -0700, Phil Pennock wrote:
> On 2009-03-09 at 09:19 -0400, David Shaw wrote:
> > What with the recent discussion of IPv6, I'm curious if anyone has
> > tested GPG against it for key retrieval and submission. It should
> > "just work" with the curl backend, but when GPG is built on a system
> > without curl, an internal HTTP handler is used instead. I believe
> > this handler code should work fine as written, but I don't believe the
> > IPv6 piece of it has been tested extensively. If someone could give
> > it a whirl, I'd appreciate it. To force the use of the internal HTTP
> > handler even when you do have curl installed, you can build GPG with
> > "configure --without-libcurl".
>
> Yes; using gpg was my test case that I had the HKP port stuff working.
> I even mentioned this, but it'll be buried deep in a long post. The
> keyserver is open for public querying, so anyone can test against it.
> Demos of gpg with curl working are below. Yes, it just works. :)
I'm not too surprised it works with curl. That has been very well
tested against IPv6. It's the internal handler that hasn't had a lot
of IPv6 testing.
> I don't have time right now to rebuild gpg; I use FreeBSD Ports builds
> though and the options files record that I'm using curl (although ldd
> doesn't report it (static linkage of that lib?) and an objdump of the
> dynamic strings doesn't list anything matching Curl*).
It wouldn't be linked to gpg. It would be linked to the HKP "helper",
gpgkeys_hkp. GPG calls a different handler for each keyserver type
(HKP, LDAP, HTTP, etc).
> As a feature
> suggestion, it would be nice if gpg --version reported the optional
> libraries it's linked against (not just libgcrypt).
As it happens, this is actually part of the next release:
$ /usr/local/libexec/gnupg/gpgkeys_hkp --version
gpgkeys_hkp (GnuPG) 1.4.10-svn4878
Uses: libcurl/7.18.2 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18
> Another idea is that on a line like:
> gpg: requesting key 0x99242560 from hkp server sks.spodhuis.org
> you could follow the hostname with the IP address tried.
This is harder than it seems to do. Given that most keyserver
addresses round-robin a large set of IPs, there is no way to know
until we're into the HTTP call which IP was chosen. It would require
quite a bit of plumbing to fetch the IP earlier and then force the
HTTP engine to fetch by IP. This would also remove any optimizations
that the HTTP engine might apply - such as trying more than one of
multiple IPs until one succeeds.
If you really need to know what IP is being used, add
"keyserver-options debug" to your config file. That tells the engine
(either curl or the internal engine) to print each IP it tries during
a key operation.
David
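As an added example (not code from this thread or from GnuPG itself): the message points out that `gpg` is not what links against curl, the `gpgkeys_hkp` helper is, and that only the 1.4.10 helper reports its optional libraries in a "Uses:" line. The script below reads that `--version` output and reports whether key retrieval will go through libcurl or the internal HTTP handler, which is the path the thread says has had little IPv6 testing. The helper path `/usr/local/libexec/gnupg/gpgkeys_hkp` is taken from the quoted session; the sample outputs embedded at the bottom are constructed for an offline run, and a helper without a "Uses:" line is treated as using the internal handler (an assumption, since older helpers print no such line at all).

```sh
#!/bin/sh
# Added example, not part of the mailing-list thread or of GnuPG.
# hkp_backend: read "gpgkeys_hkp --version" output on stdin and print the
# HTTP backend it was built with: the libcurl/<version> token from the
# "Uses:" line, or "internal" when no libcurl token is present.
hkp_backend() {
    uses=$(sed -n 's/^Uses: *//p')
    backend=internal
    for tok in $uses; do
        case $tok in
            libcurl/*) backend=$tok ;;
        esac
    done
    printf '%s\n' "$backend"
}

# needs_internal_ipv6_test: exit 0 when the backend is the internal
# handler, i.e. the build the thread asks people to exercise over IPv6.
needs_internal_ipv6_test() {
    [ "$1" = internal ]
}

# Helper path as quoted in the thread (assumption: same install prefix).
HELPER=/usr/local/libexec/gnupg/gpgkeys_hkp

if [ -x "$HELPER" ]; then
    be=$("$HELPER" --version | hkp_backend)
else
    # Constructed sample output, shaped like the 1.4.10-svn session above,
    # so the script still demonstrates the check on a system without gpg.
    be=$(printf 'gpgkeys_hkp (GnuPG) 1.4.10-svn4878\nUses: libcurl/7.18.2 NSS/3.12.2.0 zlib/1.2.3\n' \
        | hkp_backend)
fi
printf 'HKP helper backend: %s\n' "$be"
if needs_internal_ipv6_test "$be"; then
    echo "internal HTTP handler: worth running an IPv6 retrieval with keyserver-options debug"
fi
```

On a real system, drop the constructed sample and pipe the live helper into `hkp_backend`; a helper older than 1.4.10 prints no "Uses:" line, so for those you still need the `ldd`/`objdump` inspection Phil describes, run against `gpgkeys_hkp` rather than `gpg`.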