Okay, so I get my SSL certificate so I can (in theory) do hkps -- thanks 
Kristian!    I do all the magic, so that things appear to work fine -- for 
example: 

curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem "https://keyserver.witopia.net/pks/lookup?op=stats"

Gets me a reasonable return.    I can do the appropriate thing with the GPG Key 
manager and retrieve keys, and I'm clearly talking SSL.   I'm done, right?

Unfortunately, I made the mistake of asking Kristian if I was done now.   And 
his answer was, "Make sure to setup the vhost for hkps.pool.sks-keyservers.net"
and he was kind enough to give me the exact command that should work:

curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H 'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

Unfortunately, after several hours of trying "plausible" stuff with my Apache 
(Server version: Apache/2.4.6 (FreeBSD) Server built:   Sep  1 2013 20:55:47)  
reverse-proxy setup, this still does not work.   

Here's the response: 

$ curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H 'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

And in the httpd-error log, I see: 

[Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.witopia.net provided via SNI and hostname hkps.pool.sks-keyservers.net provided via HTTP are different.

Here's a sample of the vhosts I've been creating (at the moment, there are 
three of these, with "ServerName" set to  hkps.pool.sks-keyservers.net, 
keyserver.witopia.net and an internal name) :

<VirtualHost *:443>
    SSLEngine On
    ServerName hkps.pool.sks-keyservers.net
    SSLStrictSNIVHostCheck off
    SSLProxyEngine On
#   ProxyRequests Off
    # Local (WiTopia) server cert info for all 443 hosts on this system
    # (prod00.keyserver.dca)
    SSLCertificateFile    /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.crt
    SSLCertificateKeyFile /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.key
#   SSLCertificateChainFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem
    SSLCACertificateFile  /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem

#   CustomLog /dev/null common
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    # include the Via: to get on the right list.
    ProxyVia Full
    SetEnv proxy-nokeepalive 1
</VirtualHost>


Now, the interesting thing is, if I change the curl command just a little bit, 
so it uses the "-H" arg with "keyserver.witopia.net" instead of 
"hkps.pool.sks-keyservers.net", I get a "correct" response -- that is, my stats 
in HTML, and no messages in the log file.   That is: this works: 

curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H 'Host: keyserver.witopia.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

I've tried creating two VirtualHosts with ServerName set to 
keyserver.witopia.net in one and "hkps.pool.sks-keyservers.net" in the other.  
I've tried "ServerAlias".  I've tried "ProxyPreserveHost On" and leaving it 
off.    I feel reasonably sure that there's some simple "map 
'hkps.pool.sks-keyservers.net' to 'keyserver.witopia.net'" directive, but I've 
yet to find it.

I'd love to let people try it, but as I say, I'd rather not leave the port 
open.    Does anyone have any suggestions?   


P.S. 
 I noticed that some of you in the "hkps green zone" on the status page *also* 
don't have this working (I won't name names!).   In fact, almost all of the 
ones I tried didn't have this working (Yes, I changed the https name as 
appropriate in the curl command).   However congratulations to keys.sflc.info 
-- 

curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem -H 'Host: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'

results in perfectly good information.   How'd you guys do it?

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

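Added example (my own Python, not Apache's code and not from the post above): a small model of the check behind the AH02032 error quoted in the message, as mod_ssl applied it in Apache 2.4.6's request-read hook. When the client sent an SNI name, the Host header (with any :port stripped) had to equal it case-insensitively, and the comparison ran before any ServerName/ServerAlias matching, which is why merging the two names into one vhost or adding a ServerAlias could not make the mismatched-Host test pass on that version. The vhost table is constructed to resemble the poster's setup with the alias variant they said they tried; the function names, the fnmatch approximation of ServerAlias wildcards and the sample requests are mine.

```python
"""
Model of the SNI-versus-Host check that produced AH02032 in Apache 2.4.6.

Added example, not Apache's own code. The rule modelled: if the TLS
handshake carried an SNI name, mod_ssl rejected any request whose Host
header (port removed) differed from that name, before vhost selection
by ServerName/ServerAlias was consulted. Everything below is constructed
for illustration.
"""
import fnmatch

# Constructed vhost table: one *:443 vhost carrying both names via
# ServerAlias, plus a second one, modelled on the post's configuration.
VHOSTS = [
    {"name": "hkps.pool.sks-keyservers.net",
     "aliases": ["keyserver.witopia.net"]},
    {"name": "keyserver.witopia.net", "aliases": []},
]


def strip_port(host_header):
    """Drop an optional :port from a Host header value, as Apache does
    before comparing it with the SNI name. Bracketed IPv6 literals keep
    their brackets."""
    if host_header.startswith("["):
        end = host_header.find("]")
        return host_header[:end + 1] if end != -1 else host_header
    host, _sep, _port = host_header.partition(":")
    return host


def sni_host_check(sni, host_header):
    """Strict 2.4.6 rule. Returns (accepted, log_message)."""
    if sni is None:
        # No SNI sent (e.g. an old client): nothing to compare, accept.
        return True, None
    host = strip_port(host_header)
    if host.lower() != sni.lower():
        return False, ("AH02032: Hostname %s provided via SNI and hostname %s "
                       "provided via HTTP are different" % (sni, host))
    return True, None


def select_vhost(vhosts, name):
    """Name-based selection: the first vhost whose ServerName or an
    alias matches wins (ServerAlias wildcards approximated with
    fnmatch); if nothing matches, the first vhost on the address:port
    is the default."""
    want = name.lower()
    for vh in vhosts:
        if vh["name"].lower() == want:
            return vh
        if any(fnmatch.fnmatchcase(want, a.lower()) for a in vh["aliases"]):
            return vh
    return vhosts[0]


def handle(vhosts, sni, host_header):
    """Simulate one request: the SNI name picks the vhost used for the
    handshake, the Host header picks the vhost that serves the request,
    and the strict check sits between the two."""
    tls_vhost = select_vhost(vhosts, sni) if sni else vhosts[0]
    accepted, msg = sni_host_check(sni, host_header)
    if not accepted:
        return {"status": 400, "tls_vhost": tls_vhost["name"],
                "vhost": None, "log": msg}
    served = select_vhost(vhosts, strip_port(host_header))
    return {"status": 200, "tls_vhost": tls_vhost["name"],
            "vhost": served["name"], "log": None}


if __name__ == "__main__":
    # The test from the post: curl connected to keyserver.witopia.net
    # (so that is the SNI name) but sent the pool name as Host.
    print(handle(VHOSTS, "keyserver.witopia.net",
                 "hkps.pool.sks-keyservers.net"))
    # A client that actually connects to the pool name sends the pool
    # name in both places, so the strict check passes.
    print(handle(VHOSTS, "hkps.pool.sks-keyservers.net",
                 "hkps.pool.sks-keyservers.net"))
```

Running the script shows the first request rejected with the exact log text from the post, and the second accepted and routed to the vhost whose ServerName is the pool name; swapping the alias into the other vhost changes only which vhost serves, never the 400, because the check compares the two names literally rather than through the vhost table.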