Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
On Fri, Nov 08, 2013 at 03:33:54PM -0500, Nat Howard wrote:
> results in perfectly good information. How'd you guys do it?

The nginx config from https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering doubled for port 443, with the equivalent of this added:

    ssl on;
    ssl_certificate cert.pem;
    ssl_certificate_key key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

and no other "sites" on those IPs. It should respond the same way no matter what value is given in the Host header.

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
Thanks, Daniel and Kristian, for all your help -- I'll give Daniel's plan a try. No news (and keyserver.witopia.net appearing in the green for hkps on the status page) will be good news.

On Nov 8, 2013, at 5:18 PM, Daniel Kahn Gillmor wrote:

> On 11/08/2013 03:33 PM, Nat Howard wrote:
>> Unfortunately, I made the mistake of asking Kristian if I was done now.
>> And his answer was, "Make sure to setup the vhost for
>> hkps.pool.sks-keyservers.net"
>> and he was kind enough to give me the exact command that should work:
>>
>> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"
>
> as your apache error logs point out, this is not actually the correct
> command, because curl is extracting the hostname for SNI from the URL string
> (before the TLS handshake completes), but is sending the overridden Host:
> HTTP header (after the TLS handshake). No sane HTTP client will do this, so
> i would not expect your server to consider it a valid request.
>
>> [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname
>> keyserver.witopia.net provided via SNI and hostname
>> hkps.pool.sks-keyservers.net provided via HTTP are different.
>
> exactly.
>
> If you want to test this explicitly (that is, you want the connection to go
> to your server and your server only, but you want to see how it looks when
> someone lands there as the result of the DNS rr pool), you can override the
> DNS system by putting a line in your /etc/hosts:
>
> 192.0.2.3 hkps.pool.sks-keyservers.net
>
> (replacing 192.0.2.3 with your server's public-facing IP address, of course)
> and then make a normal connection:
>
> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \
>   https://keyserver.witopia.net/pks/lookup?op=stats
>
> Once you've tested it, remember to remove or comment out the line from
> /etc/hosts!
>
>> Now, the interesting thing is, if I change the curl command just a little
>> bit, so it uses the "-H" arg with "keyserver.witopia.net" instead of
>> "hkps.pool.sks-keyservers.net", I get a "correct" response -- that is, my
>> stats in HTML, and no messages in the log file. That is: this works:
>>
>> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' "https://keyserver.witopia.net/pks/lookup?op=stats"
>
> right, because this is what curl would have sent as the Host: HTTP header
> anyway :)
>
>> I noticed that some of you in the "hkps green zone" on the status page
>> *also* don't have this working (I won't name names!).
>
> If there are misconfigurations or problems, please do name names. We learn
> from each others' instruction and diagnostics on this mailing list :)
>
>> In fact, almost all of the ones I tried didn't have this working (Yes, I
>> changed the https name as appropriate in the curl command). However
>> congratulations to keys.sflc.info --
>>
>> curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'
>>
>> results in perfectly good information. How'd you guys do it?
>
> yeah, what are they doing ? that's pretty weird.
>
> --dkg
Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
On 11/08/2013 03:33 PM, Nat Howard wrote:
> Unfortunately, I made the mistake of asking Kristian if I was done now.
> And his answer was, "Make sure to setup the vhost for
> hkps.pool.sks-keyservers.net"
> and he was kind enough to give me the exact command that should work:
>
> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

as your apache error logs point out, this is not actually the correct
command, because curl is extracting the hostname for SNI from the URL string
(before the TLS handshake completes), but is sending the overridden Host:
HTTP header (after the TLS handshake). No sane HTTP client will do this, so
i would not expect your server to consider it a valid request.

> [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname
> keyserver.witopia.net provided via SNI and hostname
> hkps.pool.sks-keyservers.net provided via HTTP are different.

exactly.

If you want to test this explicitly (that is, you want the connection to go
to your server and your server only, but you want to see how it looks when
someone lands there as the result of the DNS rr pool), you can override the
DNS system by putting a line in your /etc/hosts:

    192.0.2.3 hkps.pool.sks-keyservers.net

(replacing 192.0.2.3 with your server's public-facing IP address, of course)
and then make a normal connection:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \
      https://keyserver.witopia.net/pks/lookup?op=stats

Once you've tested it, remember to remove or comment out the line from
/etc/hosts!

> Now, the interesting thing is, if I change the curl command just a little
> bit, so it uses the "-H" arg with "keyserver.witopia.net" instead of
> "hkps.pool.sks-keyservers.net", I get a "correct" response -- that is, my
> stats in HTML, and no messages in the log file. That is: this works:
>
> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

right, because this is what curl would have sent as the Host: HTTP header
anyway :)

> I noticed that some of you in the "hkps green zone" on the status page
> *also* don't have this working (I won't name names!).

If there are misconfigurations or problems, please do name names. We learn
from each others' instruction and diagnostics on this mailing list :)

> In fact, almost all of the ones I tried didn't have this working (Yes, I
> changed the https name as appropriate in the curl command). However
> congratulations to keys.sflc.info --
>
> curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'
>
> results in perfectly good information. How'd you guys do it?

yeah, what are they doing ? that's pretty weird.

--dkg
Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
On 11/08/2013 09:33 PM, Nat Howard wrote:
...
> P.S. I noticed that some of you in the "hkps green zone" on the
> status page *also* don't have this working (I won't name names!).
> In fact, almost all of the ones I tried didn't have this working
> (Yes, I changed the https name as appropriate in the curl command).
> However congratulations to keys.sflc.info --

In curl the SNI isn't directly interpreted from the Host name by default, I'm using a patch available at [0] for this to happen. The proper curl protocol to override the hostname is to use curl_resolve for this, making it somewhat more difficult to debug. But in this case I'm testing for hostname of hkps.pool.sks-keyservers.net directly, which is why it works for PGP clients.

[0] https://bitbucket.org/kristianf/portage-user-patches/src/d40e0f3634ed0f4c2fc4237d364f387f6ddf3f9d/patches/net-misc/curl/01_http_host_sni.patch?at=default

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nunc aut numquam
Now or never
[Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
Okay, so I get my SSL certificate so I can (in theory) do hkps -- thanks Kristian! I do all the magic, so that things appear to work fine -- for example:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem "https://keyserver.witopia.net/pks/lookup?op=stats"

Gets me a reasonable return. I can do the appropriate thing with the GPG Key manager and retrieve keys, and I'm clearly talking SSL. I'm done, right?

Unfortunately, I made the mistake of asking Kristian if I was done now. And his answer was, "Make sure to setup the vhost for hkps.pool.sks-keyservers.net" and he was kind enough to give me the exact command that should work:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

Unfortunately, after several hours of trying "plausible" stuff with my apache (Server version: Apache/2.4.6 (FreeBSD) Server built: Sep 1 2013 20:55:47) reverse-proxy setup, this still does not work. Here's the response:

    $ curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"
    400 Bad Request
    Bad Request
    Your browser sent a request that this server could not understand.

And in the httpd-error log, I see:

    [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.witopia.net provided via SNI and hostname hkps.pool.sks-keyservers.net provided via HTTP are different.

Here's a sample of the vhosts I've been creating (at the moment, there are three of these, with "ServerName" set to hkps.pool.sks-keyservers.net, keyserver.witopia.net and an internal name):

    SSLEngine On
    ServerName hkps.pool.sks-keyservers.net
    SSLStrictSNIVHostCheck off
    SSLProxyEngine On
    #ProxyRequests Off
    # Local (WiTopia) Server Cert info for all 443 hosts on this system
    # (prod00.keyserver.dca)
    SSLCertificateFile /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.crt
    SSLCertificateKeyFile /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.key
    #SSLCertificateChainFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem
    SSLCACertificateFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem
    #CustomLog /dev/null common
    Order deny,allow
    Allow from all
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    # include the Via: to get on the right list.
    ProxyVia Full
    SetEnv proxy-nokeepalive 1

Now, the interesting thing is, if I change the curl command just a little bit, so it uses the "-H" arg with "keyserver.witopia.net" instead of "hkps.pool.sks-keyservers.net", I get a "correct" response -- that is, my stats in HTML, and no messages in the log file. That is: this works:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

I've tried creating two VirtualHosts with ServerName set to keyserver.witopia.net in one and "hkps.pool.sks-keyservers.net" in the other. I've tried "ServerAlias". I've tried "ProxyPreserveHost On" and leaving it off. I feel reasonably sure that there's some simple "map 'hkps.pool.sks-keyservers.net' to 'keyserver.witopia.net'" directive, but I've yet to find it. I'd love to let people try it, but as I say, I'd rather not leave the port open. Does anyone have any suggestions?

P.S. I noticed that some of you in the "hkps green zone" on the status page *also* don't have this working (I won't name names!). In fact, almost all of the ones I tried didn't have this working (Yes, I changed the https name as appropriate in the curl command). However congratulations to keys.sflc.info --

    curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'

results in perfectly good information. How'd you guys do it?
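The probe below is an added example, not code from the thread or from SKS: it sets the TLS SNI name and the HTTP Host header independently, so an operator can reproduce both the mismatched request dkg explains (SNI from the URL, Host overridden with -H, which Apache rejects with AH02032) and the matched request a real hkps client sends after resolving the pool name, which is what Kristian's patched curl tests. The hostnames and path are the thread's; the server IP and CA file path are command-line arguments and assumptions.

```python
# Added example (not from the thread): probe a keyserver with SNI and Host set separately.
import socket
import ssl

def build_request(host, path="/pks/lookup?op=stats"):
    """HTTP/1.1 request bytes with an explicit Host header (what -H'Host: ...' overrides)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: sni-host-probe\r\nConnection: close\r\n\r\n").encode()

def parse_status(response):
    """Numeric HTTP status from raw response bytes, or 0 if the reply is not HTTP."""
    first = response.split(b"\r\n", 1)[0].split(b" ")
    if len(first) < 2 or not first[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(first[1])
    except ValueError:
        return 0

def probe(ip, sni, host, cafile, port=443):
    """Connect to ip:port, present `sni` in the TLS ClientHello and validate the
    certificate against it (as an hkps client would), then send `host` in the
    HTTP Host header. Returns the HTTP status code the server answers with."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_request(host))
            chunks = []
            while True:
                data = tls.recv(4096)   # b"" on close, including a ragged EOF
                if not data:
                    break
                chunks.append(data)
    return parse_status(b"".join(chunks))

if __name__ == "__main__":
    import sys
    # usage: probe.py <server-ip> <path to sks-keyservers.netCA.pem>  (both assumed)
    ip, cafile = sys.argv[1], sys.argv[2]
    pool = "hkps.pool.sks-keyservers.net"   # the DNS round-robin pool name
    own = "keyserver.witopia.net"           # the server's own name, from the thread
    # curl -H'Host: pool' https://own/...: SNI=own, Host=pool -> Apache logs AH02032, answers 400
    print("SNI=own,  Host=pool ->", probe(ip, own, pool, cafile))
    # A client that resolved the pool name to this IP: SNI=pool, Host=pool -> expected 200
    print("SNI=pool, Host=pool ->", probe(ip, pool, pool, cafile))
```

curl's --resolve option performs the same name-to-address override as the /etc/hosts line, without editing system files, so the second case can also be checked with stock curl.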