Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with hkps.pool.sks-keyservers.net
On Fri, Nov 08, 2013 at 03:33:54PM -0500, Nat Howard wrote:

> results in perfectly good information. How'd you guys do it?

The nginx config from https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering doubled for port 443, with the equivalent of this added:

    ssl on;
    ssl_certificate cert.pem;
    ssl_certificate_key key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

and no other sites on those IPs. It should respond the same way no matter what value is given in the Host header.

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
[Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with hkps.pool.sks-keyservers.net
Okay, so I get my SSL certificate so I can (in theory) do hkps -- thanks Kristian!

I do all the magic, so that things appear to work fine -- for example:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem https://keyserver.witopia.net/pks/lookup?op=stats;

gets me a reasonable return. I can do the appropriate thing with the GPG Key manager and retrieve keys, and I'm clearly talking SSL. I'm done, right?

Unfortunately, I made the mistake of asking Kristian if I was done now. And his answer was, "Make sure to set up the vhost for hkps.pool.sks-keyservers.net", and he was kind enough to give me the exact command that should work:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' https://keyserver.witopia.net/pks/lookup?op=stats;

Unfortunately, after several hours of trying plausible stuff with my apache (Server version: Apache/2.4.6 (FreeBSD), Server built: Sep 1 2013 20:55:47) reverse-proxy setup, this still does not work. Here's the response:

    $ curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' https://keyserver.witopia.net/pks/lookup?op=stats;
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>400 Bad Request</title>
    </head><body>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    </p>
    </body></html>

And in the httpd-error log, I see:

    [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.witopia.net provided via SNI and hostname hkps.pool.sks-keyservers.net provided via HTTP are different.

Here's a sample of the vhosts I've been creating (at the moment, there are three of these, with ServerName set to hkps.pool.sks-keyservers.net, keyserver.witopia.net and an internal name):

    <VirtualHost *:443>
        SSLEngine On
        ServerName hkps.pool.sks-keyservers.net
        SSLStrictSNIVHostCheck off
        SSLProxyEngine On
        #ProxyRequests Off

        # Local (WiTopia) Server Cert info for all 443 hosts on this system
        # (prod00.keyserver.dca)
        SSLCertificateFile /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.crt
        SSLCertificateKeyFile /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.key
        #SSLCertificateChainFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem
        SSLCACertificateFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem

        #CustomLog /dev/null common

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        # include the Via: to get on the right list.
        ProxyVia Full
        SetEnv proxy-nokeepalive 1
    </VirtualHost>

Now, the interesting thing is, if I change the curl command just a little bit, so it uses the -H arg with keyserver.witopia.net instead of hkps.pool.sks-keyservers.net, I get a correct response -- that is, my stats in HTML, and no messages in the log file. That is, this works:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' https://keyserver.witopia.net/pks/lookup?op=stats;

I've tried creating two VirtualHosts with ServerName set to keyserver.witopia.net in one and hkps.pool.sks-keyservers.net in the other. I've tried ServerAlias. I've tried ProxyPreserveHost On and leaving it off. I feel reasonably sure that there's some simple "map 'hkps.pool.sks-keyservers.net' to 'keyserver.witopia.net'" directive, but I've yet to find it.

I'd love to let people try it, but as I say, I'd rather not leave the port open. Does anyone have any suggestions?

P.S. I noticed that some of you in the hkps green zone on the status page *also* don't have this working (I won't name names!). In fact, almost all of the ones I tried didn't have this working (Yes, I changed the https name as appropriate in the curl command). However, congratulations to keys.sflc.info --

    curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'

results in perfectly good information. How'd you guys do it?
Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with hkps.pool.sks-keyservers.net
On 11/08/2013 03:33 PM, Nat Howard wrote:

> Unfortunately, I made the mistake of asking Kristian if I was done now. And his answer was, "Make sure to set up the vhost for hkps.pool.sks-keyservers.net", and he was kind enough to give me the exact command that should work:
>
>     curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' https://keyserver.witopia.net/pks/lookup?op=stats;

as your apache error logs point out, this is not actually the correct command, because curl is extracting the hostname for SNI from the URL string (before the TLS handshake completes), but is sending the overridden Host: HTTP header (after the TLS handshake). No sane HTTP client will do this, so i would not expect your server to consider it a valid request.

> [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.witopia.net provided via SNI and hostname hkps.pool.sks-keyservers.net provided via HTTP are different.

exactly.

If you want to test this explicitly (that is, you want the connection to go to your server and your server only, but you want to see how it looks when someone lands there as the result of the DNS rr pool), you can override the DNS system by putting a line in your /etc/hosts:

    192.0.2.3 hkps.pool.sks-keyservers.net

(replacing 192.0.2.3 with your server's public-facing IP address, of course) and then make a normal connection:

    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \
      https://keyserver.witopia.net/pks/lookup?op=stats

Once you've tested it, remember to remove or comment out the line from /etc/hosts!

> Now, the interesting thing is, if I change the curl command just a little bit, so it uses the -H arg with keyserver.witopia.net instead of hkps.pool.sks-keyservers.net, I get a correct response -- that is, my stats in HTML, and no messages in the log file. That is, this works:
>
>     curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' https://keyserver.witopia.net/pks/lookup?op=stats;

right, because this is what curl would have sent as the Host: HTTP header anyway :)

> I noticed that some of you in the hkps green zone on the status page *also* don't have this working (I won't name names!).

If there are misconfigurations or problems, please do name names. We learn from each others' instruction and diagnostics on this mailing list :)

> In fact, almost all of the ones I tried didn't have this working (Yes, I changed the https name as appropriate in the curl command). However, congratulations to keys.sflc.info --
>
>     curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'
>
> results in perfectly good information. How'd you guys do it?

yeah, what are they doing ? that's pretty weird.

--dkg
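The check dkg describes (let the pool name resolve to your own server, then connect the way an ordinary HTTPS client would, with the same name in SNI, in the Host header and in certificate validation) can be scripted without touching /etc/hosts. The probe below is an added example written for this thread, not code from the thread or from the SKS project. It assumes the pool CA issued your server certificate for hkps.pool.sks-keyservers.net; the IP address and CA file path on the command line are placeholders.

```python
import socket
import ssl

# Added example: emulate what a real HKPS client does when the DNS pool hands
# it your server's IP. SNI, the Host header and certificate validation all use
# the pool name, so SNI and Host can never disagree (unlike `curl -H'Host: ...'`).
POOL_NAME = "hkps.pool.sks-keyservers.net"
STATS_PATH = "/pks/lookup?op=stats"


def build_request(host, path=STATS_PATH):
    """Return the raw HTTP/1.1 GET request a pool client would send."""
    return (
        "GET {} HTTP/1.1\r\n"
        "Host: {}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).format(path, host).encode("ascii")


def parse_status(response):
    """Return the numeric HTTP status code from a raw response, or None."""
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe_pool_member(ip, cafile, pool_name=POOL_NAME, port=443, timeout=10):
    """Connect to `ip` as if DNS had resolved `pool_name` to it.

    Returns (http_status, dns_names_in_certificate). The handshake itself
    fails if the certificate presented for `pool_name` does not chain to
    `cafile` or does not cover `pool_name` (hostname checking is on by
    default in create_default_context).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        # server_hostname sets the SNI name; build_request sets the Host header
        # to the same value, exactly as any normal client does.
        with ctx.wrap_socket(raw, server_hostname=pool_name) as tls:
            tls.sendall(build_request(pool_name))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            cert = tls.getpeercert()
    response = b"".join(chunks)
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return parse_status(response), sans


if __name__ == "__main__":
    import sys
    # usage: python probe.py <your-server-ip> ~/.gnupg/sks-keyservers.netCA.pem
    status, sans = probe_pool_member(sys.argv[1], sys.argv[2])
    print("HTTP status:", status)
    print("certificate DNS names:", sans)
```

Run it against your own server's address with the pool CA file as the second argument. A 200 with the stats page is what a pool client will get; a handshake failure means the certificate does not validate for the pool name; a 400 with AH02032 cannot occur here because SNI and Host always match. The same test from the command line is curl's `--resolve hkps.pool.sks-keyservers.net:443:192.0.2.3` option with the pool name in the URL, which pins the name to an address without editing /etc/hosts.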
Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with hkps.pool.sks-keyservers.net
Thanks, Daniel and Kristian, for all your help -- I'll give Daniel's plan a try. No news (and keyserver.witopia.net appearing in the green for hkps on the status page) will be good news.

On Nov 8, 2013, at 5:18 PM, Daniel Kahn Gillmor wrote:

> On 11/08/2013 03:33 PM, Nat Howard wrote:
>
>> Unfortunately, I made the mistake of asking Kristian if I was done now. And his answer was, "Make sure to set up the vhost for hkps.pool.sks-keyservers.net", and he was kind enough to give me the exact command that should work:
>>
>>     curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' https://keyserver.witopia.net/pks/lookup?op=stats;
>
> as your apache error logs point out, this is not actually the correct command, because curl is extracting the hostname for SNI from the URL string (before the TLS handshake completes), but is sending the overridden Host: HTTP header (after the TLS handshake). No sane HTTP client will do this, so i would not expect your server to consider it a valid request.
>
>> [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.witopia.net provided via SNI and hostname hkps.pool.sks-keyservers.net provided via HTTP are different.
>
> exactly.
>
> If you want to test this explicitly (that is, you want the connection to go to your server and your server only, but you want to see how it looks when someone lands there as the result of the DNS rr pool), you can override the DNS system by putting a line in your /etc/hosts:
>
>     192.0.2.3 hkps.pool.sks-keyservers.net
>
> (replacing 192.0.2.3 with your server's public-facing IP address, of course) and then make a normal connection:
>
>     curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \
>       https://keyserver.witopia.net/pks/lookup?op=stats
>
> Once you've tested it, remember to remove or comment out the line from /etc/hosts!
>
>> Now, the interesting thing is, if I change the curl command just a little bit, so it uses the -H arg with keyserver.witopia.net instead of hkps.pool.sks-keyservers.net, I get a correct response -- that is, my stats in HTML, and no messages in the log file. That is, this works:
>>
>>     curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' https://keyserver.witopia.net/pks/lookup?op=stats;
>
> right, because this is what curl would have sent as the Host: HTTP header anyway :)
>
>> I noticed that some of you in the hkps green zone on the status page *also* don't have this working (I won't name names!).
>
> If there are misconfigurations or problems, please do name names. We learn from each others' instruction and diagnostics on this mailing list :)
>
>> In fact, almost all of the ones I tried didn't have this working (Yes, I changed the https name as appropriate in the curl command). However, congratulations to keys.sflc.info --
>>
>>     curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'
>>
>> results in perfectly good information. How'd you guys do it?
>
> yeah, what are they doing ? that's pretty weird.
>
> --dkg