shutdown of pgpkeys.co.uk and pgpkeys.uk
Hi,

Due to the demise of the SKS pools and non-renewal of the SSL certs, I'm shutting down the pgpkeys.co.uk and pgpkeys.uk keyservers with immediate effect.

If you peer with either of them, please remove the entries from your membership files.

It's been a good time, and I'm glad I could help over the years - but time is over.

Thanks,

Daniel.
Re: pgpkeys.eu going offline
If anyone within one of the remaining EU member states would like the domain name, you're welcome to it. It's no use to me and will sit there suspended until next year otherwise.

If anyone wants it, I'll transfer it over... first come first served. (Due to EU rules, you must be an EU resident and EURid may require you to prove it.)

Thanks,

Dan.

On 08/01/2021 08:08, Jacob Alonso Maldonado wrote:
> Well, they want the Brexit bye-bye rights, the normal. Anyway, that domain is registered and pointing to an IP.
>
> On Fri, 25 Dec 2020, 9:58 pm Daniel Austin, <mailto:m...@dan.me.uk> wrote:
>> Hi everyone,
>>
>> Just a heads up that the pgpkeys.eu <http://pgpkeys.eu> cluster will be going offline shortly due to the UK leaving the EU and the EURid registry revoking all .eu domains for UK citizens on 1st Jan 2021.
>>
>> It hasn't been in the hkps pool for some time anyway as its certificate expired.
>>
>> Thanks,
>>
>> Dan.
pgpkeys.eu going offline
Hi everyone,

Just a heads up that the pgpkeys.eu cluster will be going offline shortly due to the UK leaving the EU and the EURid registry revoking all .eu domains for UK citizens on 1st Jan 2021.

It hasn't been in the hkps pool for some time anyway as its certificate expired.

Thanks,

Dan.
Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net
Hi,

All my secondaries (ns.dan.*) should validate fine with EDNS0 packets, so this should be a fairly minimal issue (although one that should still be addressed).

For hkps.pool.sks-keyservers.net, we'll need to wait for Kristian to take a look as it doesn't appear to be in the zonefile at the moment.

Thanks,

Dan.

On Mon, Mar 18, 2019 at 15:47, Jim Popovitch wrote:
> On Mon, 2019-03-18 at 11:42 -0400, Jim Popovitch wrote:
>> On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
>>> hkps.pool.sks-keyservers.net does not seem to resolve currently, from public or local or whois-authoritative nameservers.
>>
>> There's also been quite a few DNSSEC validation errors for RSIGs, for some time now.
>
> Sorry, wrong error for that domain. sks-keyservers.net has EDNS0 issues not RSIG errors. (DNS Flag Day was last month)
>
> https://ednscomp.isc.org/ednscomp/57d26bc180
>
> -Jim P.

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
[Sks-devel] Seeking peers
Hi All,

I've set up a couple of additional clusters and I'm seeking some new peers. These are both in the pools at the moment (and will be in the HKPS pool once I get the certificates back).

Note: I'll only accept peers that have enough keys that they would ordinarily be included in the pools (minimum of 5,295,820 keys please!).

Please add me to your membership file, and let me know which of my servers (below) you would like to peer with by return (please email me directly, not to the list!):

pgpkeys.uk 11370 # Daniel Austin 0x34A3662F837F2C28

The above server is located in Bolton, UK with 1Gbit/s IPv4+IPv6 connectivity.

fks.pgpkeys.eu 11370 # Daniel Austin 0x34A3662F837F2C28

The above server is located in Falkenstein, DE with 250Mbit/s IPv4+IPv6 connectivity.

Thanks,

Daniel.
Re: [Sks-devel] Anyone successfully running SKS on FreeBSD 11.1 ?
Hi Phil,

Both of my SKS instances are running under FreeBSD 11.1-RELEASE-p8 (amd64) (I've not installed -p9 yet).

On pgpkeys.co.uk:

root@bolton:~ # freebsd-version
11.1-RELEASE-p8
root@bolton:~ # pkg info | grep sks
sks-1.1.6   Synchronizing Key Server, a fast OpenPGP keyserver
root@bolton:~ # ps axuwww | grep sks
sks 152019.6 0.1 165124 117836 v0- S25Nov17 12487:16.12 /usr/local/bin/sks db
sks 166830.0 0.1 12936477724 v0- S25Nov171819:38.51 /usr/local/bin/sks recon

and on pgpkeys.eu:

root@roubaix:~ # freebsd-version
11.1-RELEASE-p8
root@roubaix:~ # pkg info | grep sks
sks-1.1.6   Synchronizing Key Server, a fast OpenPGP keyserver
root@roubaix:~ # ps axuwww | grep sks
sks 45338 0.0 0.7 163312 111824 v0- S18Mar18 3145:05.63 /usr/local/bin/sks db
sks 48048 0.0 0.3 98656 50068 v0- S18Mar18309:13.72 /usr/local/bin/sks recon

I use my own package builder, but here are my details for the ocaml package:

Name           : ocaml
Version        : 4.02.3
Origin         : lang/ocaml
Architecture   : FreeBSD:11:amd64
Prefix         : /usr/local
Repository     : dan [pkg+http://pkg.dan.tm/FreeBSD:11:amd64/latest]
Categories     : lang
Licenses       : LGPL20, QPL10
Maintainer     : michip...@gmail.com
WWW            : http://caml.inria.fr/ocaml/
Comment        : Objective Caml compiler and programming environment
Options        :
        DOCS           : on
        EXAMPLES       : on
        THREADS        : on
        X11            : on
Shared Libs required:
        libX11.so.6
Annotations    :
        FreeBSD_version: 1101001
        cpe            : cpe:2.3:a:inria:ocaml:4.02.3:freebsd11:x64
Flat size      : 115MiB
Pkg size       : 21.1MiB
Description    :

Thanks,

Dan.

On Thu, Apr 12, 2018 at 14:03, Phil Pennock wrote:
> I updated my system from FreeBSD 10.3 to 11.1, which for the most part has gone far better than expected.
>
> The one dark spot is SKS. The daemon keeps running away chewing CPU and not responding; ktrace shows that it's doing nothing but _umtx_op() calls, which is kernel support for userland threads.
>
> OCaml 4.05.0 and my own patched code, so it's possible that I broke something at some point in my patches. Berkeley DB 5.3.
>
> Code unmodified since the version which was running fine on FreeBSD 10.3, only recompiled since then.
>
> I did a fresh keydump download and install; it took around 8 hours for a fastbuild, which is significantly longer than I expected. (Dell Poweredge hardware, Intel etc etc).
>
> If there's anyone out there on FreeBSD, can you share tips please? Anything in particular you did to build with an OCaml other than the one in Ports, which has the "generate code susceptible to integer overflow attack" vulnerability?
>
> My knowledge of the OCaml ecosystem is poor, I poked and prodded until I got ocamlbrew appearing to give me working binaries and I followed the exact same steps when I rebuilt.
>
> Thanks,
> -Phil
Re: [Sks-devel] Request: Install an efficient robots.txt file
Hi,

On 22/06/2017 09:40, robots.txt fan wrote:
> http://pgpkeys.eu:11371 (completely missing)

Whilst I don't believe it will make any difference whatsoever to your spam levels, it may reduce some load on my keyservers from genuine indexing, so I've added a robots.txt file at the root (covering both port 11371 and 80).

This has been applied to:

pgpkeys.eu
pgpkeys.co.uk

Thanks,

Daniel.
[Sks-devel] Keyserver dump (Was: Re: Checking dump)
Hi All,

Should anybody require it, I now maintain weekly keyserver dumps via FTP and HTTP/HTTPS at the following locations:

ftp://pgpkeys.eu/current/
http://pgpkeys.eu/dump/current/
https://pgpkeys.eu/dump/current/

Dumps are in 5000 key batches, and are run every Sunday morning (although the current one was generated this evening).

The HTTPS site is currently using an expired sks-keyserver pool CA cert, but I'll sort a proper cert via SNI tomorrow.

Thanks,

Daniel.

On 05/01/2016 19:53, Kiss Gabor (Bitman) wrote:
> Dear Andrew et al,
>
>> I'm starting to think your dumps may be bad. I've counted the 'packet:' lines
>> and the total lines and my figures come to 14 million and 89 million
>> respectively.
>
> You must be right.
> I've just compiled the pgpdump program written by Kazu Yamamoto.
> http://www.mew.org/~kazu/proj/pgpdump/en/
>
> It reports all my files to be corrupted. Mostly with
> "unexpected end of file".
> Meanwhile a dumpfile from http://ftp.prato.linux.it/pub/keyring/dump-latest/
> can be processed without errors.
>
> Conclusion:
> I have no valid keydump. I have to stop distributing the garbage. :-(
>
> Thanks for the help everybody.
>
> Gabor
Re: [Sks-devel] sks.disunitedstates.com
Hi David,

On 02/08/2014 23:06, David Benfell wrote:
> I am also changing operating systems. I noticed that FreeBSD runs in much less memory and am discovering that its job scheduling is much more to my taste. The bad news is that when I try to build the sks database from the dump from the old system, I get a segmentation fault. I am rebuilding nearly every piece of software on the system (there were other issues as well that made an upgrade from 10.0-RELEASE advisable) and hoping I can make this go away. If anyone else has encountered this, what did you do to fix it?

Yes! You need to tweak the cache and ptree_cache variables... The defaults seem to cause a segfault.

I used the following when building mine:

/usr/local/bin/sks build /home/sks/dump/*.pgp -n 7 -cache 100
/usr/local/bin/sks cleandb
/usr/local/bin/sks pbuild -cache 20 -ptree_cache 70

and it imported fine (although it took a while!), and has been running without a problem ever since.

(I'm running FreeBSD 10.0-RELEASE/amd64 with the latest patchlevel, and sks from the ports tree.)

Thanks,

Daniel.
Re: [Sks-devel] Changes to sks-keyservers.net pools
Hi,

On 06/05/2014 10:08, Kristian Fiskerstrand wrote:
> Dear lists,
>
> Following the release of SKS 1.1.5[0] the following changes will be
> made to the pools of sks-keyservers.net
>
> subset.pool.sks-keyservers.net has been set to a minimum requirement
> of SKS 1.1.5 with immediate effect.
>
> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to
> a requirement of 1.1.5 as this can potentially be in another security
> context / zone, however I'm giving this a grace period of (at least)
> 45-60 days to allow server administrators to upgrade their servers.

pgpkeys.co.uk & pgpkeys.eu have been updated.

Thanks,

Daniel.
Re: [Sks-devel] old certificates
Hi Gabor/Kristian,

On 29/04/2014 11:52, Kiss Gabor (Bitman) wrote:
> Dear all,
>
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have pre-heartbleed certificate:
>
> pgpkeys.eu Mar 9 12:48:04 2014 GMT

I've updated the above server with a new cert from Kristian.

Thanks,

Daniel.
[Sks-devel] SKS peering request (pgpkeys.co.uk & pgpkeys.eu)
Hi,

Just doing my periodic request for additional peers on my SKS servers.

If you wish to peer, please add me to your membership file and drop me an email with your details to add at this end.

I currently operate two SKS servers (in UK and FR); both are IPv4+IPv6 reachable.

membership file lines:

pgpkeys.co.uk 11370 # Daniel Austin 0x34A3662F837F2C28
pgpkeys.eu 11370 # Daniel Austin 0x34A3662F837F2C28

Thanks,

Daniel.
Re: [Sks-devel] DNSSEC for pool.sks-keyservers.net
Looking ok here, Kristian - getting the 'ad' flag also.

Thanks,

Dan.

On 17/11/2013 21:15, Kristian Fiskerstrand wrote:
> Hi,
>
> As my upstream domain provider has finally added support for DNSSEC, I've just activated a configuration that SHOULD enable DNSSEC for sks-keyservers.net.
>
> I've tested it using my local DNS resolver and get the expected "ad" flag in the result.
>
> Please let me know if anyone is encountering any issues with the pool as a result of this change.
>
> --
> Kristian Fiskerstrand
> Blog: http://blog.sumptuouscapital.com
> Twitter: @krifisk
>
> Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>
> Carpe noctem
> Seize the night
Re: [Sks-devel] hkps pool
Hi Kristian,

On 25/06/2013 21:41, Kristian Fiskerstrand wrote:
> On 06/25/2013 10:25 PM, Daniel Austin wrote:
>> Hi Kristian,
>>
>> On 25/06/2013 21:18, Kristian Fiskerstrand wrote:
>>> On 06/25/2013 10:01 PM, Daniel Austin wrote:
>>>> Hi Kristian,
>> ..
>> root@bsdlaptop:~ # gpg2 --version
>> gpg (GnuPG) 2.0.20
>> libgcrypt 1.5.2
>> Copyright (C) 2013 Free Software Foundation, Inc.
>> ...
>> As far as I'm aware my libcurl and openssl versions should support SNI.
>>
>> If I re-run the command several times, it works when it hits a non-SNI certificate.
>
> To try to limit possible causes, do you experience the same issue with 2.0.19 ?

If it helps... running openssl with -servername to trigger SNI also comes back that a few hosts in the pool are not returning the correct CA signed cert.

Using the following command:

openssl s_client -servername hkps.pool.sks-keyservers.net -connect IP:443

I've also had someone else test it for me from a Linux server to make sure it's not just local to my FreeBSD installation. My curl version is 7.24.0, his is 7.28.1.

Testing with curl alone (not via gpg) also gives the same incorrect cert.

Using SNI, the following hosts still returned the wrong cert:

198.82.169.69
issuer=/CN=Virginia Tech Global Server CA/OU=Global Server CA/O=Virginia Tech/C=US

66.16.6.88
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root

2001:470:7:6ad::2
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org

2001:468:c80:210f:0:162:701c:c917
issuer=/CN=Virginia Tech Global Server CA/OU=Global Server CA/O=Virginia Tech/C=US

2001:470:e232:132:209:6bff:feb7:e69
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root

Thanks,

Daniel.
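As an added example (not code from this thread or from the SKS project), the following Python script automates the openssl s_client check described in the reply above: it connects to each pool member with SNI set to the pool name, verifies the presented chain against the pool CA file, and reports which hosts still serve a certificate from some other CA. The host list, the CA file path and the two sample s_client outputs are assumptions constructed for the example; only the parsing and decision helpers run offline.

```python
"""Check which hkps pool members present a pool-CA-signed certificate when
the client sends SNI for hkps.pool.sks-keyservers.net.

Added example, not code from the mailing list thread.  It wraps the same
`openssl s_client -servername ... -connect IP:443` invocation quoted above
(with -CAfile added so OpenSSL verifies against the pool CA) and parses the
output.  Requires OpenSSL 1.1.0+ for bracketed IPv6 literals in -connect.
"""
import re
import subprocess

POOL_NAME = "hkps.pool.sks-keyservers.net"
POOL_CA_FILE = "sks-keyservers.netCA.pem"   # assumed to be in the working directory
# Sample hosts: IPs quoted in the thread, used here purely as example input.
SAMPLE_HOSTS = ["198.82.169.69", "66.16.6.88", "2001:470:7:6ad::2"]

ISSUER_RE = re.compile(r"^issuer=(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")

# Constructed s_client excerpts (not real captures) so the parser can be
# exercised without network access.  The issuer in the first one is the
# CAcert issuer string quoted in the thread.
SAMPLE_BAD_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = pool.example\n"
    "verify error:num=20:unable to get local issuer certificate\n"
    "---\n"
    "subject=/CN=pool.example\n"
    "issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root\n"
    "---\n"
    "    Verify return code: 21 (unable to verify the first certificate)\n"
)
SAMPLE_OK_OUTPUT = (
    "CONNECTED(00000003)\n"
    "subject=/CN=hkps.pool.sks-keyservers.net\n"
    "issuer=/CN=constructed pool CA\n"
    "    Verify return code: 0 (ok)\n"
)


def parse_s_client(output: str) -> dict:
    """Pull the issuer line and the verify result out of s_client output.

    The remainder of the issuer line is kept verbatim, so both the old
    "/O=.../CN=..." and the newer "O = ..., CN = ..." formats are handled.
    """
    issuer = ISSUER_RE.search(output)
    verify = VERIFY_RE.search(output)
    return {
        "issuer": issuer.group(1).strip() if issuer else None,
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else None,
    }


def presents_pool_ca(parsed: dict) -> bool:
    """True only when OpenSSL built the chain to a CA in -CAfile (code 0).

    A host serving a CAcert, StartCom or self-signed certificate for the
    pool name fails here even if that certificate is fine for its own name.
    """
    return parsed["verify_code"] == 0


def check_host(ip: str, cafile: str = POOL_CA_FILE, port: int = 443,
               timeout: float = 15.0) -> dict:
    """Connect to one pool member with SNI set to the pool name (network I/O)."""
    host = f"[{ip}]" if ":" in ip else ip   # IPv6 literals need brackets
    cmd = ["openssl", "s_client", "-servername", POOL_NAME,
           "-connect", f"{host}:{port}", "-CAfile", cafile]
    try:
        # Empty stdin makes s_client exit as soon as the handshake is done.
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return {"issuer": None, "verify_code": None, "verify_text": str(exc)}
    return parse_s_client(proc.stdout.decode(errors="replace")
                          + proc.stderr.decode(errors="replace"))


def report(hosts, cafile: str = POOL_CA_FILE) -> dict:
    """Map each host to whether it presented a pool-CA-signed certificate."""
    return {ip: presents_pool_ca(check_host(ip, cafile)) for ip in hosts}


if __name__ == "__main__":
    for ip, ok in report(SAMPLE_HOSTS).items():
        print(f"{ip:40s} {'pool CA' if ok else 'WRONG CERT'}")
```

Hosts that fail here are exactly the ones a libcurl-based GnuPG with ca-cert-file=sks-keyservers.netCA.pem will reject, so the report can be compared against the pool status page.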
Re: [Sks-devel] hkps pool
Hi Kristian,

On 25/06/2013 21:18, Kristian Fiskerstrand wrote:
> On 06/25/2013 10:01 PM, Daniel Austin wrote:
>> Hi Kristian,
>> ...
>> I'm assuming the version of GPG I have doesn't support SNI then.
>
> What version of GPG is it and what do you get when running
> gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=sks-keyservers.netCA.pem,verbose,debug --recv-key 0x6b0b9508 ?
>
> I'm thinking specifically of the curl link, i.e.
> gpgkeys: curl version = libcurl/7.29.0 GnuTLS/3.1.9 zlib/1.2.7

root@bsdlaptop:~ # gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=sks-keyservers.netCA.pem,verbose,debug --recv-key 0x6b0b9508
gpg: requesting key 6B0B9508 from hkps server hkps.pool.sks-keyservers.net
gpgkeys: curl version = libcurl/7.24.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.26 libssh2/1.4.3 librtmp/2.3
* About to connect() to hkps.pool.sks-keyservers.net port 443 (#0)
*   Trying 198.82.169.69...
* connected
* Connected to hkps.pool.sks-keyservers.net (198.82.169.69) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: sks-keyservers.netCA.pem
  CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
gpgkeys: HTTP fetch error 60: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

root@bsdlaptop:~ # gpg2 --version
gpg (GnuPG) 2.0.20
libgcrypt 1.5.2
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

As far as I'm aware my libcurl and openssl versions should support SNI.

If I re-run the command several times, it works when it hits a non-SNI certificate.

Thanks,

Daniel.
Re: [Sks-devel] hkps pool
Hi Kristian,

On 25/06/2013 20:53, Kristian Fiskerstrand wrote:
> On 06/25/2013 09:29 PM, Daniel Austin wrote:
>> Hi,
>>
>> It appears that several of the current active hosts in the hkps pool are not signed using the sks CA which is causing issues when trying to publish keys to it.
>
> Hi Daniel,
>
> I suspect that you're trying to access the hosts directly and not using the hostname hkps.pool.sks-keyservers.net. Note that most hosts only offer the pool CA in the chain for this hostname (using SNI).

I'm assuming the version of GPG I have doesn't support SNI then.

About 70% of the time, I get the following:

gpg: requesting key 7F003DE6 from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP fetch error 60: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

If the majority of GPG users don't support SNI, is it wise to have servers in the pool that only work if the client supports SNI? Would it be worth having two separate pools?

Thanks,

Daniel.
[Sks-devel] hkps pool
Hi,

It appears that several of the current active hosts in the hkps pool are not signed using the sks CA, which is causing issues when trying to publish keys to it.

46.19.90.99 (StartCom)
80.241.60.3 (StartCom)
94.142.241.93 (GlobNix)
66.16.6.88 (CACert)
131.155.141.70 (CACert)
198.82.169.69 (self-signed)
2001:610:1108:5011::70 (CACert)
2a02:898:31:0:48:4558:73:6b73 (GlobNix)
2001:470:7:6ad::2 (CACert)
2001:470:e232:132:209:6bff:feb7:e69 (CACert)
2001:468:c80:210f:0:162:701c:c917 (self-signed)
2001:67c:2050:1000::3:4 (StartCom)

As you can see, almost all of the pool are using certificates that are not signed by the SKS CA certificate.

Thanks,

Daniel.
(pgpkeys.co.uk / pgpkeys.eu)
[Sks-devel] keyserver peering request
Hi,

I'm doing a periodic round of peering for my SKS keyservers.

Anyone who doesn't currently peer with my keyservers who wishes to, please add the following membership entries to your server and email me with your entries to add to mine:

pgpkeys.co.uk 11370 # Daniel Austin 0x7F003DE6
pgpkeys.eu 11370 # Daniel Austin 0x7F003DE6

Both servers are IPv4+IPv6 reachable on 100mbps connections (in UK and France respectively).

If you only wish to peer with one of the servers, please indicate which one when you email me - otherwise I will add you to both servers.

Thanks,

Daniel.
Re: [Sks-devel] Keyserver operators with reverse proxies: read this please
Hi Phil,

On 02/03/2013 00:00, Phil Pennock wrote:
>> .eu is running apache 2.2.23 mod_proxy - both systems are FreeBSD 9.1 x64 and sks 1.1.4
>
> Okay. And without the header modification config, you could reproduce the failure in Apache? I'm trying to be very sure, so that I can update the docs to be definitive about "this *will* go wrong with Apache, and this change is confirmed to fix it".

I've commented out the 'Expect' header lines in the apache config, and restarted.

My local gpg still works fine, as follows:

gpgkeys: curl version = libcurl/7.24.0 OpenSSL/1.0.1e zlib/1.2.7 c-ares/1.9.1 libidn/1.26 libssh2/1.4.3 librtmp/2.3
gpg: sending key 7F003DE6 to hkp server pgpkeys.eu
* About to connect() to pgpkeys.eu port 11371 (#0)
*   Trying 91.121.145.226...
* connected
* Connected to pgpkeys.eu (91.121.145.226) port 11371 (#0)
> POST /pks/add HTTP/1.1
Host: pgpkeys.eu:11371
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 159490
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Date: Sat, 02 Mar 2013 11:39:16 GMT
< Server: sks_www/1.1.4
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< Content-length: 129
< X-HKP-Results-Count: 1
< Content-type: text/html; charset=UTF-8
<
* Connection #0 to host pgpkeys.eu left intact
* Closing connection #0

Perhaps someone who did have the issue could try against pgpkeys.eu?

I'll leave the header mods out unless anyone comes back with a problem.

Thanks,

Daniel.
Re: [Sks-devel] Keyserver operators with reverse proxies: read this please
Hi Phil,

On 01/03/2013 23:35, Phil Pennock wrote:
> On 2013-03-01 at 22:36 +, Daniel Austin wrote:
>> I've added the config to ports 80+11371 for pgpkeys.eu (using Apache mod_proxy) and your example config from the wiki - all tests seem to work for me, but please feel free to test for confidence. If all works well, I'll duplicate the config onto pgpkeys.co.uk this weekend also.
>
> I don't see the problem on pgpkeys.co.uk. What version of Apache are you using? Perhaps this Expect:/417 issue depends upon the version of Apache.

There's no rprox on .co.uk yet - it's handled directly by sks on there.

.eu is running apache 2.2.23 mod_proxy - both systems are FreeBSD 9.1 x64 and sks 1.1.4.

Thanks,

Dan.
Re: [Sks-devel] Keyserver operators with reverse proxies: read this please
Hi Phil/List,

On 01/03/2013 22:03, Phil Pennock wrote:
> Apache
> --
> By default, breaks all clients which use a real libcurl, blocking their ability to POST (--send-key) to the server.
>
> The clients set an "Expect: 100-continue" HTTP/1.1 header and unfortunately Apache actually implements the part of the HTTP specification (RFC2616) which says that a HTTP/1.1 proxy should issue a "417 Expectation Failed" response if it would pass onto an HTTP/1.0 server.
>
> I strongly suspect that this:
>
> RequestHeader unset Expect early
>
> will fix Apache configurations, but need someone using Apache to confirm it. You also need the mod_headers module loaded. The version in the wiki wraps that in an IfModule guard, but we should look at making sure that works and then encourage people to make it a hard failure if the directive is not available.
>
> You can test the fix by using a GnuPG built against libcurl (*not* curl-shim) and try to --send-key your own key to your keyserver:
>
> gpg2 -v --keyserver-options verbose,debug --keyserver YOURSERVER --send-key YOURKEY
>
> This currently fails reproducibly, every time, for an Apache server. If it stops failing with the "RequestHeader unset Expect early" directive, you know you've fixed it.
>
> Please let us know if this works or not! Feedback is needed.

I've added the config to ports 80+11371 for pgpkeys.eu (using Apache mod_proxy) and your example config from the wiki - all tests seem to work for me, but please feel free to test for confidence.

If all works well, I'll duplicate the config onto pgpkeys.co.uk this weekend also.

Thanks,

Daniel.
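The Expect/417 behaviour Phil describes can be probed without a libcurl-built GnuPG; the following added example (not code from the thread or from the SKS project) sends the same kind of POST to /pks/add with "Expect: 100-continue" and reports whether the front end answers 417, and it includes a local stand-in for an Apache proxy with and without the header stripped so the probe can be exercised offline. The stand-in servers and the dummy request body are constructed for the example; a real run points probe_expect at a keyserver's HKP port.

```python
"""Probe a keyserver front end for the "Expect: 100-continue" -> 417 problem
and simulate a broken and a fixed front end locally.

Added example, not from the mailing list thread.  The probe mimics what a
libcurl-based GnuPG sends on --send-key; the stand-in servers below model an
Apache 2.2 reverse proxy in front of HTTP/1.0 SKS, not SKS itself.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HKP_PORT = 11371   # port SKS listens on; only used for a real probe


def probe_expect(host: str, port: int, timeout: float = 10.0) -> int:
    """POST a dummy body to /pks/add with Expect: 100-continue, return status.

    http.client transparently skips an interim "100 Continue", so a healthy
    front end yields SKS's answer to the dummy body (200 or a 4xx), while an
    unpatched Apache 2.2 proxy yields 417 before the body is even looked at.
    """
    body = b"keytext=not-a-real-key"   # constructed dummy body, never a key
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.putrequest("POST", "/pks/add")
        conn.putheader("Content-Type", "application/x-www-form-urlencoded")
        conn.putheader("Content-Length", str(len(body)))
        conn.putheader("Expect", "100-continue")
        conn.endheaders(body)
        return conn.getresponse().status
    finally:
        conn.close()


def expect_is_blocked(status: int) -> bool:
    """417 is the signature of the proxy problem; anything else got through."""
    return status == 417


class _FrontEnd(BaseHTTPRequestHandler):
    """Stand-in for an Apache reverse proxy in front of an HTTP/1.0 SKS."""
    strip_expect = False   # True models "RequestHeader unset Expect early"

    def do_POST(self):
        # Drain the body first so closing the socket never discards unread
        # request data (which would RST the client before it reads our reply).
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # RFC 2616 behaviour: a 1.1 proxy that would forward to a 1.0 origin
        # cannot honour Expect, so it answers 417 unless the header was
        # removed before the proxy module saw it.
        if self.headers.get("Expect") and not self.strip_expect:
            self.send_response(417)
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):   # keep the example quiet
        pass


def run_simulation(strip_expect: bool) -> int:
    """Start a local stand-in on an ephemeral port, probe it, return status."""
    handler = type("FrontEnd", (_FrontEnd,), {"strip_expect": strip_expect})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_expect("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for fixed in (False, True):
        status = run_simulation(fixed)
        print(f"Expect stripped={fixed}: HTTP {status}, "
              f"blocked={expect_is_blocked(status)}")
```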
[Sks-devel] a search for more peers
Hi Everyone,

I'm looking to add more peers to my two SKS keyservers. I have a server based in Bolton, United Kingdom and another in Roubaix, France - both IPv6 enabled and on 100mbps connections.

If you do not already peer with my servers, or if you peer with only one and wish to peer with both, please add the following entries to your membership file and reply back to me with your details for inclusion. You can respond to this email, or the email in the lines below - either is fine.

pgpkeys.co.uk 11370 # Daniel Austin 0x7F003DE6
pgpkeys.eu 11370 # Daniel Austin 0x7F003DE6

Thanks in advance for peering!

Thanks,

Daniel.
Re: [Sks-devel] sks (fast)build memory/cache problem
On 07/01/12 21:31, Kristian Fiskerstrand wrote:
> On 2012-07-01 22:26, Stephan Beyer wrote:
>> Hi,
>>
>> On 01.07.2012 04:56, Brian D Heaton wrote:
>>> Having beat my forehead on this one a few weeks ago, I can offer
>>> the following suggestions from JohnC that got me on the right
>>> track:
>>>
>>> Note: I used the 5K/file keydump for the initial build.
>>
>> I tried several parameters like
>> * keys/file (7.5k, 20k, 5k)
>> * bdb version (5.1, 5.3)
>> * -n
>> * -cache
>> * pagesize / ptree_pagesize
>>
>> Nothing helped.
>>
>> Perhaps I'll try it one last time with some 4.x version of bdb.
>
> I'd recommend to try 4.6 or 4.7, at least working for me without any
> issue. I'll throw up some development boxes with BDB 5.x and do some
> testing, although I'm quite sure John already is using this.
>
> Out of curiosity, what is the source of the BDB install? And is it
> configured with pthread support?

I'm using FreeBSD 9-STABLE (with SKS 1.1.3 from ports) linked against BDB 5.2.42 (with pthread).

Today I imported keys (5k each) using the following in my sksconf file:

# Tweak DB page sizes
pagesize: 128
ptree_pagesize: 16

and the following commands:

sks build dump/*.pgp -n 4 -cache 128
cp DB_CONFIG KDB/
sks cleandb
sks pbuild -cache 2 -ptree_cache 70
cp DB_CONFIG PTree/

If I increase the cache settings, it causes a segfault.

After the build and pbuild, I put the following in the DB_CONFIG file in the KDB and PTree directories respectively:

mutex_set_max 262144

I've also re-imported keys on a 2nd FreeBSD server using the same details as above.

Using a single 3.07GHz Xeon core, here are the timings:

1 mins 39 secs - build command
0 mins 27 secs - cleandb command
18 mins 46 secs - pbuild command
20 mins 52 secs total import time.

Using a single 3.1GHz 2nd gen i5 core, here are the timings:

3 mins 11 secs - build command
1 mins 2 secs - cleandb command
20 mins 40 secs - pbuild command
24 mins 53 secs total import time.

The 2nd import has a slower hard disk subsystem than the 1st, so that is most likely the cause of the slightly longer import times.

Hope that helps.

Thanks,

Dan.
Re: [Sks-devel] IPv6 pool broken?
Hi,

Ignore me - it would help if I typed the pool with the word "pool" in it! ;-)

Thanks,

Dan.

On 07/01/12 17:34, Daniel Austin wrote:
> Hi,
>
> Is the IPv6 pool operating correctly at the moment?
>
> If I view the status of the servers at sks-keyservers.net, I see plenty
> of working IPv6 keyservers right now...
>
> If I query DNS, it returns only one IP:
>
> ; <<>> DiG 9.8.2 <<>> ipv6.sks-keyservers.net any @ns2.sks-keyservers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1174
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ipv6.sks-keyservers.net. IN ANY
>
> ;; ANSWER SECTION:
> ipv6.sks-keyservers.net. 28800 IN 2001:16d8:ee30::4
>
> ;; AUTHORITY SECTION:
> sks-keyservers.net. 28800 IN NS ns1.kfwebs.net.
> sks-keyservers.net. 28800 IN NS ns7.sks-keyservers.net.
> sks-keyservers.net. 28800 IN NS ns2.sks-keyservers.net.
> sks-keyservers.net. 28800 IN NS ns3.sks-keyservers.net.
> sks-keyservers.net. 28800 IN NS ns6.sks-keyservers.net.
> sks-keyservers.net. 28800 IN NS ns5.sks-keyservers.net.
>
> Thanks,
>
> Dan.
[Sks-devel] IPv6 pool broken?
Hi,

Is the IPv6 pool operating correctly at the moment?

If I view the status of the servers at sks-keyservers.net, I see plenty of working IPv6 keyservers right now...

If I query DNS, it returns only one IP:

    ; <<>> DiG 9.8.2 <<>> ipv6.sks-keyservers.net any @ns2.sks-keyservers.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1174
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;ipv6.sks-keyservers.net. IN ANY

    ;; ANSWER SECTION:
    ipv6.sks-keyservers.net. 28800 IN 2001:16d8:ee30::4

    ;; AUTHORITY SECTION:
    sks-keyservers.net. 28800 IN NS ns1.kfwebs.net.
    sks-keyservers.net. 28800 IN NS ns7.sks-keyservers.net.
    sks-keyservers.net. 28800 IN NS ns2.sks-keyservers.net.
    sks-keyservers.net. 28800 IN NS ns3.sks-keyservers.net.
    sks-keyservers.net. 28800 IN NS ns6.sks-keyservers.net.
    sks-keyservers.net. 28800 IN NS ns5.sks-keyservers.net.

Thanks,

Dan.
[Sks-devel] New server(s) / peers
Hi,

I've just added a 2nd server for anyone who wishes to peer. If you don't already have both of the following, please feel free to add them to your membership file and send me an email so I can do the same.

pgpkeys.co.uk is located in the UK, pgpkeys.eu is located in FR. Both servers are IPv4 and IPv6 reachable.

    pgpkeys.co.uk 11370 # Daniel Austin 0x7F003DE6
    pgpkeys.eu 11370 # Daniel Austin 0x7F003DE6

Thanks,

Daniel.
[Sks-devel] Peers required/offered
Dear List,

I've set up a new SKS keyserver, and I'm happy to peer with any other servers who are interested. I'm using a hostname I acquired long ago that's very fitting for the job.

The server is hosted on a fast, stable server with excellent connectivity (both IPv4 and native IPv6 reachable).

If you'd like to peer, please add me to your 'membership' file with the following data, and let me know your details so I can do the same here:

    pgpkeys.co.uk 11370 # Daniel Austin 0x7F003DE6

Thanks,

Dan.
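The two peering posts above ask operators to add lines like these to their SKS `membership` file (and the shutdown notice asks them to remove such lines again). As an added example, not code from the posts or from SKS itself, here is a small parser for that file that validates entries, collapses duplicates and drops a retired peer; the line format `<hostname> <port> # comment` and the hostname check are assumed from the posts, and the sample file is constructed.

```python
import re
from dataclasses import dataclass
SAMPLE_MEMBERSHIP = """\
# constructed sample file; the two valid entries are those posted on the list
pgpkeys.co.uk 11370 # Daniel Austin 0x7F003DE6
pgpkeys.eu 11370 # Daniel Austin 0x7F003DE6
pgpkeys.co.uk 11370   # duplicate entry, collapsed on parse
badhost 99999 # port out of range
notaport abc
"""
# Hostname syntax: dotted labels of letters, digits and hyphens, at most 253 chars (assumed check).
HOST_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$", re.I)

@dataclass(frozen=True)
class Peer:
    host: str
    port: int
    comment: str = ""

def parse_line(line):
    """Return a Peer for a valid entry, None for blank/comment-only lines; raise ValueError if malformed."""
    body, _, comment = line.partition("#")  # everything after '#' is free-text comment
    fields = body.split()
    if not fields:
        return None
    if len(fields) != 2:
        raise ValueError(f"expected '<host> <port>': {line!r}")
    host, port_s = fields
    if not HOST_RE.match(host):
        raise ValueError(f"bad hostname: {host!r}")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"bad port: {port_s!r}")
    return Peer(host.lower(), int(port_s), comment.strip())

def parse_membership(text):
    """Parse a whole file: duplicates (same host and port) keep the first entry; errors are collected, not fatal."""
    peers, errors, seen = [], [], set()
    for n, line in enumerate(text.splitlines(), 1):
        try:
            peer = parse_line(line)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        if peer is not None and (peer.host, peer.port) not in seen:
            seen.add((peer.host, peer.port))
            peers.append(peer)
    return peers, errors

def remove_peer(peers, host):
    return [p for p in peers if p.host != host.lower()]  # drop every entry for a retired host
```

Run `parse_membership(SAMPLE_MEMBERSHIP)` to get the two valid peers plus two error strings for the bad lines; `remove_peer` then gives the list to write back once a peer announces a shutdown.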