[Sks-devel] Shutting down keyserver.zap.org.au
It is with feelings of sadness and regret that I will be shutting down keyserver.zap.org.au, effective immediately, purging all associated database files and logs. I will be sending out individual emails to my current peers as well.

I have enjoyed being part of the SKS community since May 2014. Thank you for all your help during that time! But good things often come to an end... I had hoped to be "last one standing" :-) but that is not to be.

For the record, I am not shutting my server down because something better has come along -- although keys.openpgp.org is a start. It's just that my current installation began core-dumping on a regular basis last week (segfault error 6 -- write to an unmapped address). I've been running a cron job every fifteen minutes to restart the daemons, but that was only a stop-gap measure. Recreating the databases using a fresh key dump did not help. And given the current state of the SKS network, it just wasn't worth bothering about debugging the root cause.

All the best, everyone!

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Telephone: +61 2 9643 7737  Email: j.zaits...@zap.org.au  https://www.zap.org.au/

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Apache setup for refusing to serve bad keys
Hi, echelon,

You wrote:

> Thank you, but it looks like it only works partly, e.g. from the
> web interface.
>
> e.g.:
> [20/Feb/2019:12:52:40 +0100] "GET /pks/lookup?search=0x69D2EAD9&op=vindex HTTP/1.1" 410 602 "http://keys.i2p-projekt.de/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36"
>
> looks like it works fine. BUT:
>
> [20/Feb/2019:12:55:26 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 200 39693256 "-" "-"
>
> does not work with your RewriteConds.

It works for me :-)

    $ HEAD 'https://keyserver.zap.org.au/pks/lookup?search=0x69D2EAD9&op=vindex'
    410 Gone
    Connection: close
    ...

    $ HEAD 'https://keyserver.zap.org.au/pks/lookup?op=get&options=mr&search=0x69D2EAD9'
    410 Gone
    Connection: close
    ...

(HEAD is a command-line tool in the libwww-perl package under Debian and Ubuntu.)

My complete set of rules, for reference, is:

    RewriteEngine on
    RewriteMap badkeys "txt:/etc/sks/apache-badkeys"
    RewriteMap lc int:tolower

    RewriteCond "%{REQUEST_URI}" "^/pks/lookup"
    RewriteCond "%{QUERY_STRING}" "op=(get|index|search|vindex)"
    RewriteCond "%{QUERY_STRING}" "search=([^&]+)(&|$)"
    RewriteCond "${badkeys:${lc:%1}|ok}" "!=ok"
    RewriteRule ^/pks/lookup - [L,G]

> (BTW: look at this key: 0xD7FFC063B40A2294B966DB47FF80AE9D1DEC358D [...])

Nice signatures :-)

We're playing "whack-a-mole" here. I went through my Apache logs for the last month or so, searching for very large keys being requested, and added these (and certain variations of them) to my /etc/sks/apache-badkeys file. I have 15 keys listed so far...

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Telephone: +61 2 9643 7737  Email: j.zaits...@zap.org.au  https://www.zap.org.au/
Re: [Sks-devel] Apache setup for refusing to serve bad keys
Hi, all again,

Slight bug fix: replace:

    RewriteCond "%{QUERY_STRING}" "search=([^&]+)&?"

with:

    RewriteCond "%{QUERY_STRING}" "search=([^&]+)(&|$)"

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Telephone: +61 2 9643 7737  Email: j.zaits...@zap.org.au  https://www.zap.org.au/
Re: [Sks-devel] Apache setup for refusing to serve bad keys
Hi, all,

I previously wrote:

> [...] Here is my version for the Apache server. It allows you to
> include the list of keys in a separate file that can be updated at
> any time without restarting/reloading the server.

I've since revised the Apache configuration file to contain:

    RewriteEngine on
    RewriteMap badkeys "txt:/etc/sks/apache-badkeys"
    RewriteMap lc int:tolower

    RewriteCond "%{REQUEST_URI}" "^/pks/lookup"
    RewriteCond "%{QUERY_STRING}" "op=(get|index|search|vindex)"
    RewriteCond "%{QUERY_STRING}" "search=([^&]+)&?"
    RewriteCond "${badkeys:${lc:%1}|ok}" "!=ok"
    RewriteRule ^/pks/lookup - [L,G]

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Telephone: +61 2 9643 7737  Email: j.zaits...@zap.org.au  https://www.zap.org.au/
[Sks-devel] Apache setup for refusing to serve bad keys
Hi, everyone,

There's been some discussion on this list about refusing to serve bad OpenPGP keys -- at least as a workaround for the time being. Andreas Puls has even supplied a configuration snippet for nginx. Here is my version for the Apache server. It allows you to include the list of keys in a separate file that can be updated at any time without restarting/reloading the server.

In particular, I have something like the following in the file /etc/sks/apache-badkeys:

    # /etc/sks/apache-badkeys: Prevent hosts from querying bad keys

    # This file contains a list of OpenPGP keys that should NOT be returned
    # to clients using the web interface. Each line contains the query
    # string followed by a space and a hyphen, as required by the Apache
    # RewriteMap directive; keys MUST be in lowercase only.

    0x1013d73fecac918a0a25823986ce877469d2ead9 -
    0x86ce877469d2ead9 -
    0x69d2ead9 -
    0x2016349f5bc6f49340fccaf99f9169f4b33b4659 -
    0x9f9169f4b33b4659 -
    0xb33b4659 -

Then in my Apache configuration file, I have the following rules:

    RewriteEngine on
    RewriteMap badkeys "txt:/etc/sks/apache-badkeys"
    RewriteMap lc int:tolower

    RewriteCond "%{REQUEST_URI}" "^/pks/lookup"
    RewriteCond "%{QUERY_STRING}" "op=(get|search|vindex)&?.*search=([^&]+)&?"
    RewriteCond "${badkeys:${lc:%2}|ok}" "!=ok"
    RewriteRule ^/pks/lookup - [L,G]

This block appears BEFORE any ProxyPass / ProxyPassReverse / ProxyVia lines. Whenever a matching key is requested, a 410 Gone message is returned. And I can add to the apache-badkeys file any time I like...

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Telephone: +61 2 9643 7737  Email: j.zaits...@zap.org.au  https://www.zap.org.au/
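An added Python emulation (not from the thread or from the SKS project) of the rewrite conditions in this thread, so an operator can lint an apache-badkeys map and replay access-log lines offline before deploying the rules; it implements both the first-draft single regex from the post above (which only matches when op= precedes search=) and the revised separate op=/search= conditions from the follow-ups. The map contents, log lines and the key 0x0123456789abcdef are constructed samples, and Apache's regex matching is approximated with Python's re.search.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of /etc/sks/apache-badkeys in the format described in
# the post: lowercase query value, a space, then a hyphen.
BADKEYS_TXT = """\
# /etc/sks/apache-badkeys (constructed sample)
0x1013d73fecac918a0a25823986ce877469d2ead9 -
0x86ce877469d2ead9 -
0x69d2ead9 -
"""

# Revised conditions from the follow-up posts: op= and search= are checked
# separately, so the order of parameters in the query string does not matter.
OP_RE = re.compile(r"op=(get|index|search|vindex)")
SEARCH_RE = re.compile(r"search=([^&]+)(&|$)")
# First-draft single condition from the original post, kept for comparison:
# it only matches when op= comes before search= in the query string.
FIRST_DRAFT_RE = re.compile(r"op=(get|search|vindex)&?.*search=([^&]+)&?")


def load_badkeys(text):
    """Parse a RewriteMap txt file: one 'key value' pair per line, '#' comments.

    Returns (mapping, problems). A key that is not lowercase is reported as a
    problem: the rules pass the query value through int:tolower before the
    lookup, so an uppercase map entry can never match.
    """
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            problems.append((lineno, "expected 'key value'"))
            continue
        key, value = fields
        if key != key.lower():
            problems.append((lineno, "key must be lowercase"))
        mapping[key] = value
    return mapping, problems


def is_refused(target, badkeys):
    """Apply the revised RewriteCond chain; True means the rule fires (410)."""
    url = urlsplit(target)
    if not url.path.startswith("/pks/lookup"):   # %{REQUEST_URI} ^/pks/lookup
        return False
    if not OP_RE.search(url.query):              # op=(get|index|search|vindex)
        return False
    m = SEARCH_RE.search(url.query)              # search=([^&]+)(&|$)
    if not m:
        return False
    # ${badkeys:${lc:%1}|ok} != ok : the default "ok" means "not listed"
    return badkeys.get(m.group(1).lower(), "ok") != "ok"


def is_refused_first_draft(target, badkeys):
    """Same lookup, but with the original single-regex condition (%2)."""
    url = urlsplit(target)
    if not url.path.startswith("/pks/lookup"):
        return False
    m = FIRST_DRAFT_RE.search(url.query)
    if not m:
        return False
    return badkeys.get(m.group(2).lower(), "ok") != "ok"


# Request target, status and size from a combined-format access-log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


def audit_log(lines, badkeys, check=is_refused):
    """Replay access-log lines; return (target, status, size) for each request
    the rules would refuse, so the list can be reviewed before deployment."""
    hits = []
    for line in lines.splitlines():
        m = REQUEST_RE.search(line)
        if m and check(m.group("target"), badkeys):
            hits.append((m.group("target"), int(m.group("status")), m.group("size")))
    return hits


# Constructed log lines modelled on those quoted in the thread; the third
# request asks for a (constructed) key that is not on the list.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2019:12:52:40 +0100] "GET /pks/lookup?search=0x69D2EAD9&op=vindex HTTP/1.1" 200 602 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2019:12:55:26 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 200 39693256 "-" "-"
198.51.100.9 - - [20/Feb/2019:12:56:01 +0100] "GET /pks/lookup?op=get&options=mr&search=0x0123456789abcdef HTTP/1.1" 200 4123 "-" "-"
"""

if __name__ == "__main__":
    keys, problems = load_badkeys(BADKEYS_TXT)
    for lineno, what in problems:
        print("apache-badkeys line %d: %s" % (lineno, what))
    for hit in audit_log(SAMPLE_LOG, keys):
        print("revised rules would refuse:", hit)
    for hit in audit_log(SAMPLE_LOG, keys, check=is_refused_first_draft):
        print("first draft would refuse:", hit)
```

Run against a real access log, the size column shows how much data each listed key was costing before the rule went in; the first-draft check misses the search-before-op request that the revised rules catch.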
Re: [Sks-devel] Excessive use of /var/lib/sks/DB/log.*
Hi, all,

> In fact... I think that The Debian Way™ would be to have [the
> DB_CONFIG file] in /etc/sks, with a message on top clearly stating
> it should be linked from /var/lib/sks/DB (as we Debian people are
> often too lazy to look up configuration details in our software
> and expect everything to be in /etc) 😉

That is indeed how I set up my own system: /etc/sks/DB_CONFIG is the actual config file, and /var/lib/sks/DB/DB_CONFIG and /var/lib/sks/PTree/DB_CONFIG are symlinks to it.

> > If you're using a debian system, please compare
> > /usr/share/doc/sks/sampleConfig/DB_CONFIG with
> > /var/lib/sks/DB/DB_CONFIG

I overwrote my DB_CONFIG file back in September 2018. I changed

    set_lock_timeout 1000
    set_txn_timeout 1000

to

    set_lock_timeout 1000
    set_txn_timeout 500

I did not notice any negative effects, but, by the same token, I was still getting "add_keys_merge failed: Eventloop.SigAlarm" and "Key addition failed: Eventloop.SigAlarm" in my log files.

Changing /etc/sks/sksconf to include the following lines has completely stopped those events from occurring (I made the change five days ago):

    pagesize: 32
    ptree_pagesize: 16
    command_timeout: 600
    max_recover: 150

I fear, however, that increasing the timeouts simply pushes the problem slightly further down the track...

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Telephone: +61 2 9643 7737  Email: j.zaits...@zap.org.au  https://www.zap.org.au/
[Sks-devel] Script to rebuild SKS databases
Hi, everyone,

Here is a quick script I wrote to help me rebuild SKS databases if (when?) they become corrupt. You might like to use it too. Patches welcome!

I also run a cron job to check the status of SKS on a daily basis; I'm including that script too for your perusal. I'm sure you already do something like this, but if not, well, now you can :-)

Both files are officially released into the public domain.

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/

    #!/bin/bash
    # Rebuild the SKS keyserver databases
    # [JNZ] Modified 08-Sep-2018

    set -e

    SKSUSER=${SKSUSER:-debian-sks}
    SKSHOME=${SKSHOME:-/var/lib/sks}
    SKSBIN=${SKSBIN:-/usr/sbin/sks}
    SKSETC=${SKSETC:-/etc/sks}

    SKSCONF=$SKSETC/sksconf
    SKSDBCONFIG=$SKSETC/DB_CONFIG

    # Set DRYRUN=echo in the environment to print the commands instead of
    # running them. (The original option parsing and usage text were lost
    # in the list archive; this block is a minimal reconstruction that
    # keeps $DRYRUN working as the command prefix used below.)
    DRYRUN=${DRYRUN:-}

    function run_as_sks () {
        su $SKSUSER -c "$*"
    }

    # Process command line options
    if [ "$1" == "--help" ]; then
        cat <<EOF
    Usage: $0 WHICHKEYS
      WHICHKEYS is "local" (dump the existing keys database) or
      "mattrude" (download a fresh key dump from keyserver.mattrude.com).
    EOF
        exit 0
    fi

    if [ -z "$1" ]; then
        echo "$0: missing WHICHKEYS parameter" 1>&2
        exit 1
    fi

    WHICHKEYS="$1"
    case "$WHICHKEYS" in
        local)
            LOCALKEYS=true
            ;;
        mattrude)
            LOCALKEYS=false
            REMOTEHOST=keyserver.mattrude.com
            WGETPARAMS="-m -nH --cut-dirs=3 ftp://keyserver.mattrude.com/current"
            ;;
        *)
            echo "$0: unknown value for WHICHKEYS parameter" 1>&2
            exit 1
            ;;
    esac

    # Preliminary checks
    if [ $(id -u) != 0 ]; then
        echo "$0: must run as root" 1>&2
        exit 1
    fi
    if [ ! -f $SKSCONF ]; then
        echo "$0: $SKSCONF: no such file" 1>&2
        exit 1
    fi
    if [ ! -d $SKSHOME ]; then
        echo "$0: $SKSHOME: no such directory" 1>&2
        exit 1
    fi

    # Rebuild the SKS databases
    echo "  Stopping SKS keyserver"
    $DRYRUN systemctl stop sks.service sks-recon.service

    echo "  Checking SKS configuration files"
    if ! grep -q -P '^pagesize:\s*32\b' $SKSCONF; then
        echo "  Changing the pagesize parameter"
        $DRYRUN sed -e 's/^pagesize:.*$/pagesize: 32/' $SKSCONF >$SKSCONF.new
        $DRYRUN mv $SKSCONF.new $SKSCONF
    fi
    if ! grep -q -P '^ptree_pagesize:\s*16\b' $SKSCONF; then
        echo "  Changing the ptree_pagesize parameter"
        $DRYRUN sed -e 's/^ptree_pagesize:.*$/ptree_pagesize: 16/' $SKSCONF >$SKSCONF.new
        $DRYRUN mv $SKSCONF.new $SKSCONF
    fi
    if [ ! -f $SKSDBCONFIG ]; then
        echo "  Creating $SKSDBCONFIG"
        $DRYRUN cat <<EOF >$SKSDBCONFIG
    set_flags DB_LOG_AUTOREMOVE
    EOF
    fi

    if [ $LOCALKEYS = true ]; then
        echo "  Dumping existing keys database"
        run_as_sks $DRYRUN rm -f $SKSHOME/dump/*
        run_as_sks $DRYRUN $SKSBIN dump 32768 $SKSHOME/dump
    else
        echo "  Downloading key dump from $REMOTEHOST"
        run_as_sks $DRYRUN rm -f $SKSHOME/dump/*
        run_as_sks "$DRYRUN wget -P $SKSHOME/dump $WGETPARAMS"
    fi

    echo "  Preserving old database directories"
    run_as_sks $DRYRUN rm -f $SKSHOME/DB.old $SKSHOME/PTree.old
    run_as_sks $DRYRUN mv $SKSHOME/DB $SKSHOME/DB.old
    run_as_sks $DRYRUN mv $SKSHOME/PTree $SKSHOME/PTree.old

    echo "  Building new keys (DB) database"
    run_as_sks $DRYRUN $SKSBIN build $SKSHOME/dump/*.pgp -n 1 -cache 100
    run_as_sks $DRYRUN ln -s $SKSDBCONFIG $SKSHOME/DB/DB_CONFIG

    echo "  Cleaning keys database"
    run_as_sks $DRYRUN $SKSBIN cleandb

    echo "  Building new PTree database"
    run_as_sks $DRYRUN $SKSBIN pbuild -cache 50 -ptree_cache 100
    run_as_sks $DRYRUN ln -s $SKSDBCONFIG $SKSHOME/PTree/DB_CONFIG

    echo "  Starting SKS keyserver"
    $DRYRUN systemctl start sks.service

    #!/bin/bash
    # Check the status of the SKS keyserver daemons
    # [JNZ] Modified 07-Sep-2018 for keyserver.zap.org.au

    MAILADDR="r...@zap.org.au"
    HOSTNAME="keyserver.zap.org.au"

    sks_activestate=$(systemctl show --property=ActiveState sks.service)
    sks_substate=$(systemctl show --property=SubState sks.service)
    sksrecon_activestate=$(systemctl show --property=ActiveState sks-recon.service)
    sksrecon_substate=$(systemctl show --property=SubState sks-recon.service)

    FAILED=false
    if [ "$sks_activestate" != "ActiveState=active" ]; then
        FAILED=true
    elif [ "$sks_substate" != "SubState=running" ]; then
        FAILED=true
    elif [ "$sksrecon_activestate" != "ActiveState=active" ]; then
        FAILED=true
    elif [ "$sksrecon_substate" != "SubState=running" ]; then
        FAILED=true
    fi

    if [ "$FAILED" = "true" ]; then
        # GNU mktemp needs at least three X's in the template
        MAILFILE=$(mktemp -t check-sks.XXXXXX) || exit 1

        # The text of the report was lost in the list archive; this
        # heredoc is a minimal reconstruction built from the values
        # gathered above.
        cat >>$MAILFILE <<EOF
    The SKS keyserver daemons on $HOSTNAME are not running normally.

    sks.service:       $sks_activestate, $sks_substate
    sks-recon.service: $sksrecon_activestate, $sksrecon_substate

    Please check the SKS keyserver on $HOSTNAME for more information.
    EOF

        mail -s "SKS keyserver status on $HOSTNAME" "$MAILADDR" <$MAILFILE
        rm -f $MAILFILE
    fi
Re: [Sks-devel] PTree may be corrupted kills recon service
Hi, everyone,

On Tue, Jul 17, 2018 at 10:44:53AM -0400, Keith Erekson wrote:

> After the last time I trashed the DB/PTree and rebuilt from a
> downloaded dump, I copied the sample "DB_CONFIG" file from the
> Debian package into the DB dir, and haven't had any problems since
> then.

Ah, yes, I forgot to mention that I had done this as well. Actually, I just created a DB_CONFIG file in /var/lib/sks/DB with one line, "set_flags DB_LOG_AUTOREMOVE". I put the same file in /var/lib/sks/PTree as well, although I don't think it's needed there.

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] PTree may be corrupted kills recon service
Hi,

On Tue, Jul 17, 2018 at 10:52:18AM +0200, André Keller wrote:

> [...]
>
> >>> 2018-07-02 15:17:53 Raising Sys.Break -- PTree may be
> >>> corrupted: Failure("remove_from_node: attempt to delete
> >>> non-existant element from prefix tree")
> >>> 2018-07-02 15:17:53 DB closed
>
> >> I saw the same thing happen. I stopped SKS, dumped my existing keys
> >> to the dump directory ("/usr/sbin/sks dump 32768 /var/lib/sks/dump"),
> >> tweaked the /etc/sks/sksconf file to include "pagesize: 32" and
> >> "ptree_pagesize: 16", removed the DB and PTree directories, then
> >> rebuilt both:
> >>
> >> /usr/sbin/sks build /var/lib/sks/dump/*.pgp -n 1 -cache 100
> >> /usr/sbin/sks cleandb
> >> /usr/sbin/sks pbuild -cache 50 -ptree_cache 100
> >>
> >> SKS restarted fine; so far so good! I'll be keeping an eye on it
> >> over the next few days, so I'll report back as needed.
>
> [...]
>
> Unfortunately the issue is still not resolved. Is nobody else
> experiencing this?

Mine's still working...

John

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] PTree may be corrupted kills recon service
Hi,

> for a few days I have an issue with the recon process on
> keys.communityrack.org:
>
> 2018-07-02 15:17:53 Raising Sys.Break -- PTree may be corrupted:
> Failure("remove_from_node: attempt to delete non-existant element
> from prefix tree")
> 2018-07-02 15:17:53 DB closed

I saw the same thing happen. I stopped SKS, dumped my existing keys to the dump directory ("/usr/sbin/sks dump 32768 /var/lib/sks/dump"), tweaked the /etc/sks/sksconf file to include "pagesize: 32" and "ptree_pagesize: 16", removed the DB and PTree directories, then rebuilt both:

    /usr/sbin/sks build /var/lib/sks/dump/*.pgp -n 1 -cache 100
    /usr/sbin/sks cleandb
    /usr/sbin/sks pbuild -cache 50 -ptree_cache 100

SKS restarted fine; so far so good! I'll be keeping an eye on it over the next few days, so I'll report back as needed.

I'm just wondering whether someone has found yet another way to take down SKS servers worldwide. It's a bit disappointing that the SKS keyserver source code available on bitbucket.org has not been touched in over a year... is anyone actually working on it?

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] SKS intermittently stalls with 100% CPU & rate-limiting
Hi, everyone,

Paul Fontela wrote:

> If nothing has been modified in the configuration of the server or
> in the SKS service, what has happened?

As others have commented at length, could this indeed be related to malicious or problematic keys?

> I have seen that some other servers that are also hosted on Amazon
> datacenters are suffering from the same problem, could it be
> Amazon, I do not know, I can not answer that yet.

The problem is definitely more widespread than Amazon. I am seeing the same issues on my physical server located in Sydney, Australia. My server has plenty of memory and disk space, so that is not an issue (/var/lib/sks/DB is currently 118GB), but one processor core continually goes in and out of being 100% utilised by the single-threaded "sks db" process.

I can confirm that I have not changed any major OS component nor the SKS daemon itself -- I'm running an up-to-date Debian installation, uptime is currently 48 days, and the problems appeared the same time everyone else's did, just a couple of weeks ago.

Happy to provide log files if anyone is debugging; I myself have not spent much time on this, nor looked through the SKS source code.

By the way, I tried Phil Pennock's suggestion of removing peers that were significantly behind mine in terms of number of keys, but that made no difference to the situation.

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] Seeking new peers for keyserver.zap.org.au
Hi, Hanor,

> > been fairly quiet since then, but the service is still going, so
> > it's about time I ask for new peers.
>
> I wonder what do you expect from more peers? :-)

Perhaps an opportunity for new peers to increase their own network of peers? You're right in that I probably don't need to do this for my own keyserver; I'm just catching up on such peers' requests!

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
[Sks-devel] Seeking new peers for keyserver.zap.org.au
Hi, everyone,

I have been running keyserver.zap.org.au starting May 2014. I've been fairly quiet since then, but the service is still going, so it's about time I ask for new peers. Any takers?

In particular, I'm running the following:

  * http://keyserver.zap.org.au/ - standard HTTP
  * http://keyserver.zap.org.au:11371/ - standard SKS port
  * https://keyserver.zap.org.au/ - standard HTTPS (Lets Encrypt)
  * https://keyserver.zap.org.au:11372/ - HTTPS / SKS port (Lets Encrypt)

Please contact me directly for any operational issues. The appropriate membership line is:

    keyserver.zap.org.au 11370 # John Zaitseff 0xB0F6BC7F46D30F1432FC46190D254111C4EE569B

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
[Sks-devel] Seeking new peers for keyserver.zap.org.au
Hi, everyone,

My SKS server, keyserver.zap.org.au, has been running quietly and happily in the background for a number of years now. Unfortunately, many of my peers have vanished during that time. I now need new peers!

As you can see from Kristian's web page, I am running SKS 1.1.6 on keyserver.zap.org.au, a Debian server in Sydney, Australia:

    https://sks-keyservers.net/status/ks-status.php?server=keyserver.zap.org.au

Here is the line to include in your membership file:

    keyserver.zap.org.au 11370 # John Zaitseff 0xB0F6BC7F46D30F1432FC46190D254111C4EE569B

Please let me know if you would like to peer with me.

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] SKS logging to syslog using 1.1.6-2~bpo8+1 from debian-packports
Hi, Pete et al.,

> I just setup a fresh sks installation using version 1.1.6-2~bpo8+1
> from debian-backports. The server is running Debian Jessie.
>
> By default, all the logs (e.g. what normally would go into db.log and
> recon.log) end up in /var/log/syslog, which is not expected or
> desired.
>
> My previous installation, running 1.1.5 on Ubuntu 14.04, sent those
> logs to /var/log/sks/db.log and /var/log/sks/recon.log.

This stumped me for a while as well, until I looked into it rather more carefully. The issue is that the new Debian package uses systemd(8) instead of the traditional /etc/init.d scripts, and the config files for systemd specify that all output goes to syslog.

To fix this, create two files, both called override.conf, one in the /etc/systemd/system/sks.service.d directory, the other in the /etc/systemd/system/sks-recon.service.d directory. I'm not sure whether this mailing list allows attachments, so here are the contents of those files:

    # /etc/systemd/system/sks-recon.service.d/override.conf
    # [JNZ] Modified 19-Nov-2016 for keyserver.zap.org.au

    [Service]
    ExecStart=
    ExecStart=/usr/sbin/sks recon

    # /etc/systemd/system/sks.service.d/override.conf
    # [JNZ] Modified 19-Nov-2016 for keyserver.zap.org.au

    [Service]
    ExecStart=
    ExecStart=/usr/sbin/sks db

Restart sks ("systemctl restart sks-recon.service && systemctl restart sks.service", all on one line) and you should be good to go.

You could overwrite files in /lib/systemd/system, but they will be overwritten on the next package upgrade.

Hope this helps.

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] HKPS + ssl + nginx
Hi, Mike,

> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?

I'm doing this with the Apache web server for https://keyserver.zap.org.au/, which is part of the SSL pool. Here are the appropriate config file sections; hope this helps:

    # For non-SSL:

    Listen 129.94.172.224:11371

    ServerAdmin keymas...@zap.org.au
    ServerName keyserver.zap.org.au
    ServerAlias *.sks-keyservers.net

    Require all granted

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--access.log combined
    ServerSignature On

    # For SSL on https://keyserver.zap.org.au/:

    Listen *:11372
    #NameVirtualHost *:11372

    ServerAdmin keymas...@zap.org.au
    ServerName keyserver.zap.org.au

    SSLEngine on
    # Only allow secure ciphers and protocols
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/keyserver.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
    SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

    Require all granted

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # For SSL on https://hkps.pool.sks-keyservers.net/:

    ServerAdmin keymas...@zap.org.au
    ServerName hkps.pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net

    SSLEngine on
    # Only allow secure ciphers and protocols
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver-sks.pem
    SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

    Require all granted

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] Please add me to your 'membership'
Hi, Sebastian,

> I have a new keyserver running and would like to peer with other
> servers. Please add me to your 'membership' file with the following
> entry and provide your details in return so I can do the same:
>
> keys.itunix.eu 11370 # Sebastian Korotkiewicz 0x626DEAC0

I'm guessing others may have pointed out that you very much should put your SKS keyserver behind a reverse proxy. Without this, many people may be reluctant to peer with you. On first reading, it seems all a bit hard, but it's not that hard! More information:

    https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] 1.1.5 is in wheezy-backports
Hi, Gabor,

> > Another small note: the directory should be /var/backups/sks (plural
> > "backups", not singular "backup") for consistency with the FHS.
>
> It is my typo. Script uses correct path.

Not on my machine it didn't! :-) Version 1.1.5-1, postinst line 94 and postrm line 5.

By the way, I think the contents of /var/lib/sks/www should be conffiles, too...

John

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] 1.1.5 is in wheezy-backports
Hi,

> > It would be useful if postinst script checks free space before
> > copying /var/lib/sks/DB/key to /var/backup/sks/.
>
> yes, this is https://bugs.debian.org/678924 -- Christoph Martin
> and i hope to do some overhauls of the sks maintainer scripts in
> debian, but i'm not sure when it's going to happen. If you send
> patches to 678...@bugs.debian.org, it'll make it much more likely
> to happen sooner!

Another small note: the directory should be /var/backups/sks (plural "backups", not singular "backup") for consistency with the FHS.

John

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] Debian and 1.1.5
Hi, Dirk et al.,

> Is there a way to install sks 1.1.5 on Ubuntu 13.10? ... ;-)

Sort of: I recompiled sks for both Debian Wheezy and Ubuntu 14.04 about a week ago. Put the following in your /etc/apt/sources.list file:

    deb ftp://ftp.zap.org.au/pub/ubuntu zapgroup-trusty main restricted
    deb-src ftp://ftp.zap.org.au/pub/ubuntu zapgroup-trusty main restricted

If you want to avoid the warnings of unsigned packages, do the following first:

    wget -N ftp://ftp.zap.org.au/pub/debian/aptkey-zapgroup.asc
    apt-key add aptkey-zapgroup.asc

For Ubuntu 13.10, insert the above lines into /etc/apt/sources.list, then:

    apt-get source sks
    cd sks-1.1.5
    dpkg-buildpackage -us -uc -b
    cd ..
    dpkg -i sks_1.1.5-1~zg1_amd64.deb

(You will need the dpkg-dev package installed for dpkg-buildpackage).

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
Hi, Phil et al.,

> > To clarify: I want to serve my own ZAP Group certificate when HTTPS
> > queries come to keyserver.zap.org.au, and the sks-keyservers.net
> > certificate when queries come to *.sks-keyservers.net. Can I do
> > this with ONE block in Apache, or must I use two?
>
> I can't definitively say that one block might not be made to work:
> never discount human ingenuity. I can say that it would be
> "interesting" to see.

In the end, I ended up with TWO blocks in the Apache config after all. All works now, as long as you remember to add "NameVirtualHost *:443"! For reference, the following is my full Apache config for HTTPS on keyserver.zap.org.au:

    # /etc/apache2/sites-available/zapgroup-keyserver-ssl: Keyserver website server configuration
    # [JNZ] Modified 02-Jun-2014 for keyserver.zap.org.au

    Listen *:11372
    Listen *:443
    NameVirtualHost *:11372
    NameVirtualHost *:443

    ServerAdmin keymas...@zap.org.au
    ServerName keyserver.zap.org.au

    SSLEngine on
    # Only allow secure ciphers and protocols: SSLv3 and TLSv1
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/keyserver.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
    SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

    Order allow,deny
    Allow from all

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    ServerAdmin keymas...@zap.org.au
    ServerName hkps.pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net

    SSLEngine on
    # Only allow secure ciphers and protocols: SSLv3 and TLSv1
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
    SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

    Order allow,deny
    Allow from all

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Phone: +61 2 9643 7737  E-mail: j.zaits...@zap.org.au  http://www.zap.org.au/
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
Hi, Martin,

> Again, I'm sorry I missed the point of the question.

Not at all! And thanks for your suggestions, too!

John
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
Hi,

> This link might help.
> https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Thanks, Martin. However, I've already read that, and it doesn't answer my specific question.

To clarify: I want to serve my own ZAP Group certificate when HTTPS queries come to keyserver.zap.org.au, and the sks-keyservers.net certificate when queries come to *.sks-keyservers.net. Can I do this with ONE block in Apache, or must I use two?

Yours truly,

John Zaitseff
[Sks-devel] Question: serving two different SSL certificates under Apache?
Hi,

I am setting up https://keyserver.zap.org.au/ to be used by hkps.pool.sks-keyservers.net. I am trying to serve different SSL certificates depending on the incoming hostname. Does anyone know if this is possible within the SAME VirtualHost configuration block under Apache? My current configuration includes:

ServerAdmin keymas...@zap.org.au
ServerName keyserver.zap.org.au
ServerAlias *.sks-keyservers.net

SSLEngine on

# Only allow secure ciphers and protocols: SSLv3 and TLSv1
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2

SSLCertificateFile /etc/ssl/certs/keyserver.pem
SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

Order allow,deny
Allow from all

ProxyPass / http://127.0.0.1:11371/
ProxyPassReverse / http://127.0.0.1:11371/
ProxyVia On
SetEnv proxy-nokeepalive 1
...

I know I can create a second VirtualHost block with SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile pointing to the sks-keyservers.net-generated certificates, but is it possible to do this within the SAME VirtualHost block, based on environment variables, etc.?

Yours truly,

John Zaitseff
[Sks-devel] Seeking peers for keyserver.zap.org.au
Hi,

I am looking for peers for a new public SKS server. The server belongs to The ZAP Group and is running SKS version 1.1.5 at http://keyserver.zap.org.au:11371/. The server is physically located in Sydney, Australia, and currently only has IPv4 connectivity.

The initial key dump was taken from http://keys.niif.hu/keydump on Monday, 26th May. I have 3,631,075 keys loaded.

I have also set up an SSL version at https://keyserver.zap.org.au:11372/; that still needs an appropriate certificate from Kristian.

I am willing to add peers! By all means, contact me directly for any operational issues.

keyserver.zap.org.au 11370 # John Zaitseff 0x0D254111C4EE569B

Yours truly,

John Zaitseff