HKPS scheme support for Windows Installer
Closed, ResolvedPublic

Description

GnuPG 2.1.1 fails to refresh, send, receive or search for keys via HKPS, as the
HKPS schema is not supported in Dirmngr because it hasn't been built with GnuTLS.

Here's the output of KEYSERVER --help in dirmngr:

KEYSERVER --help
S # Known schemata:
S # hkp
S # http
S # finger
S # kdns
S # (Use an URL for engine specific help.)
OK
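As an added check (not part of the report), the Assuan reply shown above can be parsed to tell whether a given dirmngr build lists hkps at all; the reply text is embedded here as constructed samples so the check runs offline, and the TLS-enabled sample is an assumption about what such a build prints.

```shell
# Added example, not from the bug report: parse dirmngr's "KEYSERVER --help"
# reply and report whether the hkps scheme is among the known schemata.
# Against a live dirmngr the reply would come from:
#   gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye

# Print the scheme names found in "S # <name>" status lines, one per line.
known_schemata() {
    # $1: text of the Assuan reply
    printf '%s\n' "$1" | sed -n 's/^S # \([a-z][a-z0-9]*\)$/\1/p'
}

# Return 0 if "hkps" is listed, 1 otherwise.
supports_hkps() {
    known_schemata "$1" | grep -qx 'hkps'
}

# Constructed sample: the reply from the report (dirmngr built without TLS).
SAMPLE_NO_TLS='KEYSERVER --help
S # Known schemata:
S # hkp
S # http
S # finger
S # kdns
S # (Use an URL for engine specific help.)
OK'

# Constructed sample (assumption): a TLS-enabled build also lists hkps/https.
SAMPLE_TLS='S # Known schemata:
S # hkp
S # hkps
S # http
S # https
S # finger
S # kdns
S # (Use an URL for engine specific help.)
OK'

if supports_hkps "$SAMPLE_NO_TLS"; then
    echo "sample without TLS: hkps supported"
else
    echo "sample without TLS: hkps NOT supported (keyserver over TLS unavailable)"
fi
```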

Details

Version
2.1.15
juanmi set Version to 2.1.1. Jan 4 2015, 1:59 AM
juanmi added projects: dirmngr, Bug Report.
juanmi added a subscriber: juanmi.
werner added a subscriber: werner. Jan 5 2015, 6:24 PM

Sorry, this is not a bug. If you configure without TLS support it simply can't
do that. In case you are talking about the Windows installer, please note that
this binary version is marked as experimental with several limitations.

aheinecke changed Version from 2.1.1 to 2.1.8.
aheinecke claimed this task.
aheinecke added a subscriber: aheinecke.

Yeah no, with the gnupg-w32 installer becoming part of gpg4win we really need
support for hkps in that installer. Yeah gnutls sucks but that's what we have.

I'll prepare a patch.

We can't use gnutls because it depends on too many extra libraries duplicating
functionality we already have in gnupg. ntbtls will be the way forward.
Unfortunately too many other tasks delayed its development.

aheinecke reassigned this task from aheinecke to werner. Aug 31 2015, 9:27 AM

Yes I thought to use GnuTLS here.

The dependencies I see [1] are:
gmp -> No further dependencies
libgnurx -> No further dependencies
nettle -> dependency on gmp

Apart from that, gettext and zlib, which we already have.
So it should not be that hard to package. I really would like to get rid of it,
too, but until then...

Would you accept a patch against gnupg to include GnuTLS 3.x in the Windows
installer?

1: https://github.com/mxe/mxe/blob/master/src/gnutls.mk

No. I won't maintain all that stuff again.

werner removed a project: Bug Report.
davidw added a subscriber: davidw. Jul 29 2016, 6:08 PM

@werner, if you prefer ntbtls over gnutls, okay. Can you add a link to ntbtls
and outline the next steps? We'd probably need TLS support for the web key
directory as well, so this needs a solution.

bernhard changed Version from 2.1.8 to 2.1.15. Sep 12 2016, 12:47 PM
bernhard added a project: Bug Report.
bernhard removed a project: Feature Request.

ntbtls is a development from Werner:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=ntbtls.git;a=summary

What about using https://tls.mbed.org/? At least until ntbtls is mature?

Spoke to Werner, it is better to do ntbtls anyway.
Timeline is: this year, hopefully earlier.

For ntbtls also see: https://wiki.gnupg.org/NTBTLS

werner closed this task as Resolved. Feb 23 2017, 8:39 PM
werner added a project: Unreleased.

ntbtls support is now available in master and we will release a TLS enabled
2.1.19 installer for Windows.

Right now it is somewhat limited and does not work with some sites, notably
those which allow only ECC ciphersuites. An example for such a site is
posteo.de. Note that posteo.net sends a bogus certificate with redirection to
posteo.de.

Most other sites work.