Mailing List Archive: GnuPG: devel

Proxy problems

 

 


alphasigmax at gmail

Dec 12, 2006, 7:15 AM

Post #1 of 11 (5754 views)
Permalink
Proxy problems

I've now upgraded to the official build of 1.4.6 and still can't get GPG
to talk to my proxy; I've confirmed that it's using Basic authentication:

> $ telnet <proxy> 8080
> Trying <ip>...
> Connected to <proxy>.
> Escape character is '^]'.
> GET http://www.gnupg.org HTTP/1.1
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/2.5.STABLE12
> Mime-Version: 1.0
> Date: <date>
> Content-Type: text/html
> Content-Length: 1345
> Expires: <date>
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Basic realm="<realm>"
> X-Cache: MISS from <cache>
> X-Cache-Lookup: NONE from <cache>
> Proxy-Connection: close

but trying --keyserver-options
http-proxy="http://user:pass@<proxy>:8080" doesn't work; all I get is

> gpgkeys: HTTP search error 7: couldn't connect: eof

Does anyone know how to fix this?

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
Attachments: signature.asc (0.53 KB)


dshaw at jabberwocky

Dec 12, 2006, 7:24 AM

Post #2 of 11 (5707 views)
Permalink
Re: Proxy problems [In reply to]

On Wed, Dec 13, 2006 at 01:45:05AM +1030, Alphax wrote:
> I've now upgraded to the official build of 1.4.6 and still can't get GPG
> to talk to my proxy; I've confirmed that it's using Basic authentication:
>
> > $ telnet <proxy> 8080
> > Trying <ip>...
> > Connected to <proxy>.
> > Escape character is '^]'.
> > GET http://www.gnupg.org HTTP/1.1
> >
> > HTTP/1.0 407 Proxy Authentication Required
> > Server: squid/2.5.STABLE12
> > Mime-Version: 1.0
> > Date: <date>
> > Content-Type: text/html
> > Content-Length: 1345
> > Expires: <date>
> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > Proxy-Authenticate: Basic realm="<realm>"
> > X-Cache: MISS from <cache>
> > X-Cache-Lookup: NONE from <cache>
> > Proxy-Connection: close
>
> but trying --keyserver-options
> http-proxy="http://user:pass@<proxy>:8080" doesn't work; all I get is
>
> > gpgkeys: HTTP search error 7: couldn't connect: eof
>
> Does anyone know how to fix this?

Need some more information. Are you using curl or the internal HTTP
support? I'm guessing internal, but I want to be sure. Also, can you
post the output when you set "--keyserver-options debug" and do your
search again?

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


alphasigmax at gmail

Dec 12, 2006, 11:49 PM

Post #3 of 11 (5705 views)
Permalink
Re: Proxy problems [In reply to]

David Shaw wrote:
> On Wed, Dec 13, 2006 at 01:45:05AM +1030, Alphax wrote:
>> I've now upgraded to the official build of 1.4.6 and still can't get GPG
>> to talk to my proxy; I've confirmed that it's using Basic authentication:
>>
<snip>
>> Does anyone know how to fix this?
>
> Need some more information. Are you using curl or the internal HTTP
> support? I'm guessing internal, but I want to be sure. Also, can you
> post the output when you set "--keyserver-options debug" and do your
> search again?
>

gpg --no-options --keyserver hkp://keyserver.noreply.org:80
--keyserver-options debug --keyserver-options
http-proxy="http://<user>:<pass>@<proxy>:8080" --keyserver-options
verbose --keyserver-options verbose --search 0xDEADBEEF

gpg: searching for "0xDEADBEEF" from hkp server keyserver.noreply.org
gpgkeys: curl version = GnuPG curl-shim 1.4.6
Host: keyserver.noreply.org
Port: 80
Command: SEARCH
gpgkeys: search type is 5, and key is "DEADBEEF"
* HTTP proxy is "http://<user>:<pass>@<proxy>:8080"
gpgkeys: HTTP search error 7: couldn't connect: eof
gpg: key "0xDEADBEEF" not found on keyserver

This is using the released build of 1.4.6 on a W32 system.

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
Attachments: signature.asc (0.53 KB)


wk at gnupg

Dec 13, 2006, 3:30 AM

Post #4 of 11 (5694 views)
Permalink
Re: Proxy problems [In reply to]

On Wed, 13 Dec 2006 08:49, alphasigmax [at] gmail said:

> gpg: searching for "0xDEADBEEF" from hkp server keyserver.noreply.org
> gpgkeys: curl version = GnuPG curl-shim 1.4.6
> Host: keyserver.noreply.org
> Port: 80
> Command: SEARCH
> gpgkeys: search type is 5, and key is "DEADBEEF"
> * HTTP proxy is "http://<user>:<pass>@<proxy>:8080"
> gpgkeys: HTTP search error 7: couldn't connect: eof
> gpg: key "0xDEADBEEF" not found on keyserver
>
> This is using the released build of 1.4.6 on a W32 system.

This might be related to https://bugs.g10code.com/gnupg/issue739
although I never heard that Squid fails on half-closed connections.


Salam-Shalom,

Werner




alphasigmax at gmail

Dec 13, 2006, 3:43 AM

Post #5 of 11 (5708 views)
Permalink
Re: Proxy problems [In reply to]

Werner Koch wrote:
> On Wed, 13 Dec 2006 08:49, alphasigmax [at] gmail said:
>
>> gpg: searching for "0xDEADBEEF" from hkp server keyserver.noreply.org
>> gpgkeys: curl version = GnuPG curl-shim 1.4.6
>> Host: keyserver.noreply.org
>> Port: 80
>> Command: SEARCH
>> gpgkeys: search type is 5, and key is "DEADBEEF"
>> * HTTP proxy is "http://<user>:<pass>@<proxy>:8080"
>> gpgkeys: HTTP search error 7: couldn't connect: eof
>> gpg: key "0xDEADBEEF" not found on keyserver
>>
>> This is using the released build of 1.4.6 on a W32 system.
>
> This might be related to https://bugs.g10code.com/gnupg/issue739
> although I never heard that Squid fails on half-closed connections.
>

So, would statically linking cURL into a W32 build fix this problem, and
would there be licensing problems?

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
Attachments: signature.asc (0.53 KB)


dshaw at jabberwocky

Dec 13, 2006, 5:43 AM

Post #6 of 11 (5687 views)
Permalink
Re: Proxy problems [In reply to]

On Wed, Dec 13, 2006 at 12:30:28PM +0100, Werner Koch wrote:
> On Wed, 13 Dec 2006 08:49, alphasigmax [at] gmail said:
>
> > gpg: searching for "0xDEADBEEF" from hkp server keyserver.noreply.org
> > gpgkeys: curl version = GnuPG curl-shim 1.4.6
> > Host: keyserver.noreply.org
> > Port: 80
> > Command: SEARCH
> > gpgkeys: search type is 5, and key is "DEADBEEF"
> > * HTTP proxy is "http://<user>:<pass>@<proxy>:8080"
> > gpgkeys: HTTP search error 7: couldn't connect: eof
> > gpg: key "0xDEADBEEF" not found on keyserver
> >
> > This is using the released build of 1.4.6 on a W32 system.
>
> This might be related to https://bugs.g10code.com/gnupg/issue739
> although I never heard that Squid fails on half-closed connections.

Drat. The HTTP_FLAG_NO_SHUTDOWN stuff was removed in the curl-shim.
I can put it back for 1.4.7, but I wonder why do shutdown() at all?
Whether (strictly speaking) this is a problem in the proxy or not, the
half-closed connections seem to cause problems now and then.

David



dshaw at jabberwocky

Dec 13, 2006, 5:46 AM

Post #7 of 11 (5713 views)
Permalink
Re: Proxy problems [In reply to]

On Wed, Dec 13, 2006 at 10:13:43PM +1030, Alphax wrote:
> Werner Koch wrote:
> > On Wed, 13 Dec 2006 08:49, alphasigmax [at] gmail said:
> >
> >> gpg: searching for "0xDEADBEEF" from hkp server keyserver.noreply.org
> >> gpgkeys: curl version = GnuPG curl-shim 1.4.6
> >> Host: keyserver.noreply.org
> >> Port: 80
> >> Command: SEARCH
> >> gpgkeys: search type is 5, and key is "DEADBEEF"
> >> * HTTP proxy is "http://<user>:<pass>@<proxy>:8080"
> >> gpgkeys: HTTP search error 7: couldn't connect: eof
> >> gpg: key "0xDEADBEEF" not found on keyserver
> >>
> >> This is using the released build of 1.4.6 on a W32 system.
> >
> > This might be related to https://bugs.g10code.com/gnupg/issue739
> > although I never heard that Squid fails on half-closed connections.
> >
>
> So, would statically linking cURL into a W32 build fix this problem, and
> would there be licensing problems?

There would be no licensing problem. cURL's license is GPL
compatible, and there is a special exception to cover the cases where
cURL happens to be linked to OpenSSL (the license of which isn't GPL
compatible).

David



wk at gnupg

Dec 13, 2006, 7:09 AM

Post #8 of 11 (5702 views)
Permalink
Re: Proxy problems [In reply to]

On Wed, 13 Dec 2006 14:43, dshaw [at] jabberwocky said:

> Drat. The HTTP_FLAG_NO_SHUTDOWN stuff was removed in the curl-shim.

I noticed that and it is on my list of things we need to clarify.

> I can put it back for 1.4.7, but I wonder why do shutdown() at all?

Shutting down the write end of the socket used to be necessary at the
time I implemented HKP access. Looking at the ChangeLog does not
reveal the actual reason except that it has been there since the
beginning:

Sat Jan 16 09:27:30 CET 1999 Werner Koch <wk [at] isil>

* http.c: New

Wed Jan 20 21:40:21 CET 1999 Werner Koch <wk [at] isil>

* http.c (http_wait_response): Moved the shutdown behind the dup

2001-04-23 Werner Koch <wk [at] gnupg>

* http.c (http_wait_response): Implement new flag to inhibit the
TCP shutdown.

I assume that the original hkp keyserver required a shutdown because
it implemented only pre HTTP 1.0 and failed to take the empty line
after the headers of a GET as the end of a request. We used to have
an option to suppress the shutdown:

# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)

David, you remember why we dropped it?


Salam-Shalom,

Werner




dshaw at jabberwocky

Dec 13, 2006, 8:42 AM

Post #9 of 11 (5711 views)
Permalink
Re: Proxy problems [In reply to]

On Wed, Dec 13, 2006 at 04:09:52PM +0100, Werner Koch wrote:

> I assume that the original hkp keyserver required a shutdown because
> it implemented only pre HTTP 1.0 and failed to take the empty line
> after the headers of a GET as the end of a request. We used to have
> an option to suppress the shutdown:
>
> # If you have problems connecting to a HKP server through a buggy http
> # proxy, you can use keyserver option broken-http-proxy (see below),
> # but first you should make sure that you have read the man page
> # regarding proxies (keyserver option honor-http-proxy)
>
> David, you remember why we dropped it?

The real curl code clearly didn't use shutdown, and worked correctly
with all the servers, so I dropped broken-http-proxy when I did the
curl-shim. Unfortunately, I missed that the code defaults to use
shutdown.

I can see how this might have been necessary with old HKP servers in
the past, but they don't really exist any longer. There certainly are
no original PKS servers left at this point. The few (one?) that are
left are running the fixed PKS I made to not eat subkeys. That PKS
also properly handles HTTP/1.0 requests with the blank line.

I think the right fix here is to either hardwire HTTP_FLAG_NO_SHUTDOWN
to on in curl-shim, or just remove the shutdown stuff altogether.

David



wk at gnupg

Dec 14, 2006, 12:13 AM

Post #10 of 11 (5713 views)
Permalink
Re: Proxy problems [In reply to]

On Wed, 13 Dec 2006 17:42, dshaw [at] jabberwocky said:

> The real curl code clearly didn't use shutdown, and worked correctly
> with all the servers, so I dropped broken-http-proxy when I did the
> curl-shim. Unfortunately, I missed that the code defaults to use

Okay. You did far more tests with keyservers than me.

> I think the right fix here is to either hardwire HTTP_FLAG_NO_SHUTDOWN
> to on in curl-shim, or just remove the shutdown stuff altogether.

Let's remove the shutdown code in 1.4. As I use the http code from 2.0
also in other projects I feel safer to keep it but reverse the option
and use HTTP_FLAG_SHUTDOWN.


Shalom-Salam,

Werner




wk at gnupg

Dec 14, 2006, 1:22 AM

Post #11 of 11 (5701 views)
Permalink
Re: Proxy problems [In reply to]

Hi,

here is a fix for that problem:

https://bugs.g10code.com/gnupg/file110/ks-proxy-fix-14.diff

also attached.


Salam-Shalom,

Werner
Attachments: ks-proxy-fix-14.diff (0.80 KB)
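
The half-close behaviour discussed in this thread, as an added example that is not part of the original posts and not GnuPG's or Squid's code: a client sends one HTTP request to a toy proxy over a socketpair, once without and once with shutdown() on the write side. The names toy_proxy and fetch, the request and response strings, and the proxy's rule of treating EOF from the client as an abort are assumptions made for illustration.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed request and response; only the host name comes from the thread. */
static const char REQ[]  = "GET http://keyserver.noreply.org/ HTTP/1.0\r\n\r\n";
static const char RESP[] = "HTTP/1.0 200 OK\r\n\r\nok\n";

/* Toy proxy (hypothetical): read the request, wait 100 ms as if fetching
   upstream, and treat EOF from the client in that window as an abort. */
static void toy_proxy(int fd) {
    char buf[512];
    size_t n = 0;
    ssize_t r;
    while (n < sizeof buf - 1 && (r = read(fd, buf + n, sizeof buf - 1 - n)) > 0) {
        n += (size_t)r;
        buf[n] = '\0';
        if (strstr(buf, "\r\n\r\n")) break;      /* blank line ends the request */
    }
    struct pollfd p = { .fd = fd, .events = POLLIN };
    if (poll(&p, 1, 100) > 0 && recv(fd, buf, 1, MSG_PEEK) == 0)
        _exit(0);                                 /* half-closed: drop, no reply */
    _exit(write(fd, RESP, sizeof RESP - 1) < 0);
}

/* Returns the response bytes the client received; 0 is the "eof" failure. */
int fetch(int half_close) {
    int sv[2];
    char buf[512];
    ssize_t r, total = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); toy_proxy(sv[1]); }
    close(sv[1]);
    if (write(sv[0], REQ, sizeof REQ - 1) < 0) return -1;
    if (half_close) shutdown(sv[0], SHUT_WR);     /* client signals "done sending" */
    while ((r = read(sv[0], buf, sizeof buf)) > 0) total += r;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return (int)total;
}

int main(void) {
    printf("no shutdown: %d bytes, shutdown(SHUT_WR): %d bytes\n", fetch(0), fetch(1));
    return 0;
}
```

The request bytes are identical in both runs; only the FIN that shutdown() sends after them changes what the toy proxy does.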
