gpgkeys_curl doesn't allow the use of cURL's compiled-in certificate store
Closed, ResolvedPublic

Description

The gpgkeys_curl helper always sets the libcurl option CURLOPT_CAINFO, even if
it has not been specified by the user using "keyserver-options ca-cert-file=
<file>". Unfortunately, this prevents the user from using the library's
compiled-in default certificate store, making it somewhat difficult to verify an
arbitrary endpoint's SSL certificate.

For example, I have published my gpg key in DNS using an https uri:

huber._pka.paradoxical.net. 300 IN TXT "v=pka1\;fpr=DDA523C5ECAD69B8C11503B8AD285BC0E9FE1298\;uri=https://www.paradoxical.net/keyinfo/E9FE1298.pub.asc"

When attempting to use auto-key-locate pka, server cert verification fails:

$ gpg -v -v -v --keyserver-options debug --auto-key-locate pka -ea -r huber@paradoxical.net
gpg: using character set `utf-8'
gpg: requesting key E9FE1298 from https server www.paradoxical.net
gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4 libidn/1.23 librtmp/2.3

* About to connect() to www.paradoxical.net port 443 (#0)
*   Trying 66.228.43.185... * connected
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection #0

gpgkeys: https fetch error 60: server certificate verification failed. CAfile: none CRLfile: none

With the attached patch, which only specifies CURLOPT_CAINFO if it has been
configured by the user, the certificate verification succeeds.
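The report relies on a PKA TXT record of the form "v=pka1;fpr=<fingerprint>;uri=<uri>", which gpg resolves and then fetches over https (where the server certificate check above applies). The following parser for that record format is an added example, not GnuPG's own code: it splits the record into fields, accepts both the raw ";" separator and the zone-file "\;" escape, requires a 40-hex-digit fingerprint, and reports whether the uri is an https one. The struct and function names (pka_record, parse_pka_record, pka_uri_is_https) are hypothetical, and the sample input is the record from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PKA_FPR_LEN 40

/* Parsed fields of a "v=pka1" TXT record (hypothetical helper, not GnuPG code). */
struct pka_record {
    char fpr[PKA_FPR_LEN + 1];
    char uri[256];
};

/* Returns 1 if s is exactly 40 hex characters, 0 otherwise. */
static int valid_fingerprint(const char *s, size_t len)
{
    if (len != PKA_FPR_LEN)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Parse a PKA TXT record such as
 *   "v=pka1\;fpr=<40 hex>\;uri=https://example/key.asc"
 * Fields are separated by ';' (zone files escape it as "\;").
 * Unknown fields are ignored. Returns 0 on success, -1 on a malformed record
 * (wrong version, missing or malformed fingerprint, oversized uri). */
int parse_pka_record(const char *txt, struct pka_record *out)
{
    int have_version = 0, have_fpr = 0;
    const char *p = txt;

    memset(out, 0, sizeof(*out));
    while (*p) {
        /* Find the end of this field: the next ';' or the end of the string. */
        const char *end = p;
        while (*end && *end != ';')
            end++;
        size_t flen = (size_t)(end - p);
        if (flen > 0 && p[flen - 1] == '\\')
            flen--;          /* drop the zone-file escape backslash before ';' */

        if (flen >= 2 && strncmp(p, "v=", 2) == 0) {
            if (flen - 2 != 4 || strncmp(p + 2, "pka1", 4) != 0)
                return -1;   /* only version pka1 is understood */
            have_version = 1;
        } else if (flen >= 4 && strncmp(p, "fpr=", 4) == 0) {
            if (!valid_fingerprint(p + 4, flen - 4))
                return -1;
            memcpy(out->fpr, p + 4, PKA_FPR_LEN);
            out->fpr[PKA_FPR_LEN] = '\0';
            have_fpr = 1;
        } else if (flen >= 4 && strncmp(p, "uri=", 4) == 0) {
            if (flen - 4 >= sizeof(out->uri))
                return -1;   /* refuse to truncate the uri silently */
            memcpy(out->uri, p + 4, flen - 4);
            out->uri[flen - 4] = '\0';
        }
        p = *end ? end + 1 : end;   /* skip the ';' separator */
    }
    return (have_version && have_fpr) ? 0 : -1;
}

/* 1 if the uri uses https (so the fetch is subject to certificate
 * verification, as in the report above), 0 otherwise. */
int pka_uri_is_https(const struct pka_record *r)
{
    return strncmp(r->uri, "https://", 8) == 0;
}

int main(void)
{
    /* Record taken from the report above, including the zone-file "\;" escapes. */
    const char *txt =
        "v=pka1\\;fpr=DDA523C5ECAD69B8C11503B8AD285BC0E9FE1298"
        "\\;uri=https://www.paradoxical.net/keyinfo/E9FE1298.pub.asc";
    struct pka_record r;

    if (parse_pka_record(txt, &r) == 0)
        printf("fpr=%s\nuri=%s\nhttps=%d\n", r.fpr, r.uri, pka_uri_is_https(&r));
    else
        printf("malformed record\n");
    return 0;
}
```

The fingerprint check is deliberately strict: a record whose fpr field is not exactly 40 hex digits is rejected rather than partially copied, since the fingerprint is what the fetched key will later be compared against.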

Details

Version
2.0.21
werner added a subscriber: werner. Oct 4 2013, 8:32 AM

Fixed with commit e957b9b for 2.0 - will be backported to 1.4 soon.

Thanks.

werner closed this task as Resolved. Oct 4 2013, 8:32 AM
werner claimed this task.