Index: b/dirmngr/Makefile.am
===================================================================
--- b/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -20,6 +20,7 @@
 ## Process this file with automake to produce Makefile.in
 EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
+dist_pkgdata_DATA = sks-keyservers.netCA.pem
 bin_PROGRAMS = dirmngr dirmngr-client
Index: b/dirmngr/http.h
===================================================================
--- b/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -98,7 +98,8 @@
 void http_register_tls_ca (const char *fname);
 gpg_error_t http_session_new (http_session_t *r_session,
- const char *tls_priority);
+ const char *tls_priority,
+ const char *intended_hostname);
 http_session_t http_session_ref (http_session_t sess);
 void http_session_release (http_session_t sess);
Index: b/dirmngr/http.c
===================================================================
--- b/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -130,6 +130,8 @@
 "01234567890@" \
 "!\"#$%&'()*+,-./:;<=>?[\\]^_{|}~"
+#define HKPS_POOL_CA_PEM GNUPG_DATADIR "/sks-keyservers.netCA.pem"
 /* A long counter type. */
 #ifdef HAVE_STRTOULL
 typedef unsigned long long longcounter_t;
@@ -562,7 +564,8 @@
 /* Create a new session object which is currently used to enable TLS support. It may eventually allow reusing existing connections. */
 gpg_error_t
-http_session_new (http_session_t *r_session, const char *tls_priority)
+http_session_new (http_session_t *r_session, const char *tls_priority,
+ const char *intended_hostname)
 {
 gpg_error_t err;
 http_session_t sess;
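Review bot: The new `intended_hostname` parameter of `http_session_new` is undocumented in http.h, while the call sites in this patch pass either a host name or NULL, so the contract belongs at the prototype. I would add above the declaration: `/* INTENDED_HOSTNAME, if not NULL, is the host this session will talk to; it may select a built-in default CA for a known keyserver pool. */`. From what the http.c hunk shows, the default is only consulted when no CA list has been registered, which is worth stating there as well so callers do not expect the pool CA to be added on top of their own list.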
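Review bot: `HKPS_POOL_CA_PEM` is built from `GNUPG_DATADIR`, but the Makefile.am hunk installs the certificate through `dist_pkgdata_DATA`, i.e. into `$(pkgdatadir)`; if those two directories differ at configure time the file is never found and, per the later http.c hunk, the only consequence is a log_info line while the session proceeds without the pool CA. Please confirm that `GNUPG_DATADIR` resolves to `$(pkgdatadir)` in this build, or derive one from the other rather than spelling the name twice. A comment next to the define, `/* Installed by dirmngr/Makefile.am as dist_pkgdata_DATA; must match pkgdatadir. */`, would make the coupling visible to whoever next moves the file.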
@@ -600,6 +603,23 @@
 goto leave;
 }
+ /* if the user has not specified a CA list, and they are looking
+ * for the hkps pool from sks-keyservers.net, then default to
+ * Kristian's certificate authority:
+ */
+ if (!tls_ca_certlist)
+ {
+ if (intended_hostname &&
+ 0 == strcasecmp("hkps.pool.sks-keyservers.net", intended_hostname))
+ {
+ rc = gnutls_certificate_set_x509_trust_file
+ (sess->certcred, HKPS_POOL_CA_PEM, GNUTLS_X509_FMT_PEM);
+ if (rc < 0)
+ log_info ("setting CA from file '" HKPS_POOL_CA_PEM "' failed: %s\n",
+ gnutls_strerror (rc));
+
+ }
+ }
 for (sl = tls_ca_certlist; sl; sl = sl->next)
 {
 rc = gnutls_certificate_set_x509_trust_file
Index: b/dirmngr/ks-engine-hkp.c
===================================================================
--- b/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -990,7 +990,7 @@
 *r_fp = NULL;
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, httphost);
 if (err)
 goto leave;
 http_session_set_log_cb (session, cert_log_cb);
Index: b/dirmngr/ks-engine-http.c
===================================================================
--- b/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -65,7 +65,7 @@
 estream_t fp = NULL;
 char *request_buffer = NULL;
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, NULL);
 if (err)
 goto leave;
 http_session_set_log_cb (session, cert_log_cb);
Index: b/dirmngr/t-http.c
===================================================================
--- b/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@
 http_register_tls_callback (verify_callback);
 http_register_tls_ca (cafile);
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, NULL);
 if (err)
 log_error ("http_session_new failed: %s\n", gpg_strerror (err));
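Review bot: `gnutls_certificate_set_x509_trust_file` returns the number of certificates it loaded, so a return of 0 means the file was read but contributed no trust anchor, yet the new check `if (rc < 0)` only reacts to negative values; a truncated or wrongly formatted `sks-keyservers.netCA.pem` therefore leaves the session with an empty trust store and logs nothing. The check should be `if (rc <= 0)`, and because this file is the only anchor for the default hkps pool the message belongs at `log_error` rather than `log_info`, e.g. `log_error ("setting CA from file '" HKPS_POOL_CA_PEM "' failed: %s\n", rc < 0 ? gnutls_strerror (rc) : "no certificates found");`. Whether the failure should also abort session creation depends on how the verification callback treats an empty trust list, which is outside this hunk; if a session without anchors is still usable, returning an error here is the safer default. The exact `strcasecmp` against `hkps.pool.sks-keyservers.net` also means a name with a trailing dot or any other pool host name does not get the CA, which is fine if intentional but deserves a one-line comment. http_session_new continues outside the hunk.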
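Review bot: Whether the new default CA is ever selected depends on `httphost` holding the pool name `hkps.pool.sks-keyservers.net` rather than, for instance, the name or address of the pool member that was actually resolved; the http.c hunk compares the string exactly, so a member name would never match and the session would silently run without the pool CA. The origin of `httphost` and the enclosing function are outside this hunk, so please confirm that, and record the expectation at the call: `/* Pass the pool name, not the resolved member, so http_session_new can pick the pool's default CA. */`.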