curl-shim TCP half-close causes interop issues
Closed, Resolved (Public)

Description

The mock-cURL curl-shim library used in GnuPG uses TCP half-closes to finish
sending data. This causes interoperability issues with many keyserver setups,
when they use software which treats a sender-half-close as a connection abort,
since that end of the connection can't tell the difference between a
unidirectional and bidirectional close and the latter is far more common.

Most notably, nginx does this by default (and has issues disabling it in various
versions). Fixing this for all servers, including --fetch-key usages from
arbitrary web-servers, is not entirely feasible, even if the keyservers in pools
all get fixed.

To limit interoperability issues, curl-shim should behave more like curl and avoid
using TCP half-closes, even if theoretically the use of them is "correct".

The stance of the nginx developers:

  http://mailman.nginx.org/pipermail/nginx/2008-September/007358.html

nginx is used by 17 of the SKS keyserver setups (of 82 total, 50 in the current
pool (not counted how many are in that particular pool)), and at least 3 of the 6
servers in the hkps pool.

This interop issue causes failures which are sensitive to timings and latencies,
leading to sporadic errors, whose likelihood varies by machine setup.

Details

Version
2
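
An added illustration, not part of the original report and not GnuPG or nginx code: a constructed server that treats client EOF as an abort, run over a local socketpair, showing why a request followed by `shutdown(SHUT_WR)` gets no response while the same request without the half-close does. The names `strict_server` and `fetch`, and the request and response strings, are assumptions made for the example.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for a server that treats EOF from the client as an
 * abort (the behaviour the report attributes to nginx by default). */
static void strict_server(int fd)
{
    char buf[256];
    static const char resp[] = "HTTP/1.0 200 OK\r\n\r\nkey-data";

    if (recv(fd, buf, sizeof buf, 0) <= 0) {   /* read the request */
        close(fd);
        return;
    }
    /* A 0-byte read means the peer's sending side is closed. The server sees
     * the same 0 for shutdown(SHUT_WR) and close(), so it assumes an abort. */
    if (recv(fd, buf, sizeof buf, MSG_PEEK | MSG_DONTWAIT) != 0)
        send(fd, resp, sizeof resp - 1, 0);    /* client still there: answer */
    close(fd);
}

/* Returns the number of response bytes the client receives (0 = dropped,
 * -1 = setup error). half_close selects the behaviour from the report. */
ssize_t fetch(int half_close)
{
    static const char req[] = "GET /pks/lookup?op=get HTTP/1.0\r\n\r\n";
    char buf[256];
    int sv[2];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    send(sv[0], req, sizeof req - 1, 0);       /* constructed request */
    if (half_close)
        shutdown(sv[0], SHUT_WR);              /* "finished sending" */
    strict_server(sv[1]);
    n = recv(sv[0], buf, sizeof buf, 0);       /* 0 here means no response */
    close(sv[0]);
    return n;
}

int main(void)
{
    printf("no half-close: %zd bytes, half-close: %zd bytes\n", fetch(0), fetch(1));
    return 0;
}
```

Here the server always checks after the half-close, so the drop is deterministic; over a real network the outcome depends on whether the FIN arrives before the server finishes handling the request, which matches the timing sensitivity described above.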

Event Timeline

Am able to reliably trigger the flaw, by using a curl-shim gpg from another
machine on the same network as the keyserver. Close network proximity without
being the exact same machine makes it much easier to trigger the race.

Was fixed with commit fe85638284880805b80778fe87ae551d3de0ca32 for 2.0 which is
a forwardport for the fix in 1.4 (see T739).

werner claimed this task.