GnuPG discards the port from SRV in constructing the URL for libcurl, as evidenced
by:
gpg2 --keyserver-options no-check-cert,debug,verbose --keyserver hkps://keys.kfwebs.net --recv-key 0x0B7F8B60E3EDFAE3
The analysis and line numbers below refer to keyserver/gpgkeys_hkp.c as of git
commit 76055d49d1c8b8e4f6245e6729cae81b1eaecbf6.
If the scheme is hkps, then you set:
695   if(ascii_strcasecmp(opt->scheme,"hkps")==0)
696     {
697       proto="https";
698       port="443";
699     }
Then we hit:
729   if(opt->port)
730     port=opt->port;
731   else if(try_srv)
732     {
733       char *srvtag;
734
735       if(ks_strcasecmp(opt->scheme,"hkp")==0)
736         srvtag="pgpkey-http";
737       else if(ks_strcasecmp(opt->scheme,"hkps")==0)
738         srvtag="pgpkey-https";
739       else
740         srvtag=NULL;
741
742 #ifdef HAVE_LIBCURL
743       /* We're using libcurl, so fake SRV support via our wrapper.
744          This isn't as good as true SRV support, as we do not try all
745          possible targets at one particular level and work our way
746          down the list, but it's better than nothing. */
747       srv_replace(srvtag);
Now srv_replace will set opt->port:
531   if(newname && newport)
532     {
533       free(opt->host);
534       free(opt->port);
535       opt->host=newname;
536       snprintf(newport,MAX_PORT,"%u",srvlist->port);
537       opt->port=newport;
538     }
But then in get_key():
266   strcpy(request,proto);
267   strcat(request,"://");
268   strcat(request,opt->host);
269   strcat(request,":");
270   strcat(request,port);
271   strcat(request,opt->path);
[...]
294   curl_easy_setopt(curl,CURLOPT_URL,request);
So, there's a port and an opt->port; the SRV lookups set opt->port
but not port, while the URL given to curl uses port.
It seems like changing 537 to:
port = opt->port = newport
should fix it as a stop-gap.
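
The mismatch described above, reduced to a self-contained C model (an added example, not code from GnuPG): struct ks_opt, srv_apply() and resolve_url() are hypothetical stand-ins for the helper's option handling, and the host names and SRV port 11372 are constructed sample values. With apply_fix set to 0 the URL keeps the hkps default 443 even though the host was replaced; with 1 the local port follows opt->port, as the suggested stop-gap does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PORT 6
/* Hypothetical stand-ins for the helper's option struct and one SRV answer. */
struct ks_opt { char *host, *port, *path; };
struct srv_rr { const char *target; unsigned short port; };

static char *dup_str(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Models srv_replace(); a non-NULL port_alias also updates the caller's local port. */
static int srv_apply(struct ks_opt *opt, const struct srv_rr *rr, const char **port_alias)
{
    char *newname = dup_str(rr->target), *newport = malloc(MAX_PORT);
    if (!newname || !newport) { free(newname); free(newport); return -1; }
    snprintf(newport, MAX_PORT, "%u", (unsigned)rr->port);
    free(opt->host); free(opt->port);
    opt->host = newname;
    opt->port = newport;
    if (port_alias) *port_alias = newport;   /* the stop-gap: keep both in sync */
    return 0;
}

/* Models the hkps flow up to the URL handed to libcurl; returns 0 on success. */
int resolve_url(int apply_fix, char *out, size_t n)
{
    struct ks_opt opt = { dup_str("keys.example.net"), NULL, dup_str("/pks/lookup") };
    const struct srv_rr rr = { "srv1.example.net", 11372 };  /* constructed sample */
    const char *proto = "https", *port = "443";              /* hkps defaults */
    int rc = -1, w;
    if (opt.host && opt.path && srv_apply(&opt, &rr, apply_fix ? &port : NULL) == 0) {
        w = snprintf(out, n, "%s://%s:%s%s", proto, opt.host, port, opt.path);
        rc = (w < 0 || (size_t)w >= n) ? -1 : 0;   /* reject truncated URLs */
    }
    free(opt.host); free(opt.port); free(opt.path);
    return rc;
}

int main(void)
{
    char url[256];
    for (int fix = 0; fix <= 1; fix++)
        if (resolve_url(fix, url, sizeof url) == 0) puts(url);
    return 0;
}
```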