On Mon, 16 Sep 2019 10:11, ionic@ionic.de said:
> which also means that requests to URLs like http://keys.gnupg.net will sometimes
> redirect a user to that location.
That is not correct. For quite some time that address is a hardwired to
avoid problems DNS problems (
https://dev.gnupg.org/T3755):
/* We used to have DNS CNAME redirection from the URLs below to
* sks-keyserver pools. The idea was to allow for a quick way to
* switch to a different set of pools. The problem with that
* approach is that TLS needs to verify the hostname and - because
* DNS is not secured - it can only check the user supplied hostname
* and not a hostname from a CNAME RR. Thus the final server all
* need to have certificates with the actual pool name as well as
* for keys.gnupg.net - that would render the advantage of
* keys.gnupg.net useless and so we better give up on this. Because
* the keys.gnupg.net URL are still in widespread use we do a static
* mapping here.
*/
if (!strcmp (uri, "hkps://keys.gnupg.net")
|| !strcmp (uri, "keys.gnupg.net"))
uri = "hkps://hkps.pool.sks-keyservers.net";
else if (!strcmp (uri, "
https://keys.gnupg.net"))
uri = "
https://hkps.pool.sks-keyservers.net"; else if (!strcmp (uri, "hkp://keys.gnupg.net"))
uri = "hkp://hkps.pool.sks-keyservers.net";
else if (!strcmp (uri, "
http://keys.gnupg.net"))
uri = "
http://hkps.pool.sks-keyservers.net"; else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
|| !strcmp (uri, "http-keys.gnupg.net"))
uri = "hkps://ha.pool.sks-keyservers.net";
else if (!strcmp (uri, "
https://http-keys.gnupg.net"))
uri = "
https://ha.pool.sks-keyservers.net"; else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
uri = "hkp://ha.pool.sks-keyservers.net";
else if (!strcmp (uri, "
http://http-keys.gnupg.net"))
uri = "
http://ha.pool.sks-keyservers.net"; Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
signature.asc (0.88 KB)