Requesting HKPS service from non-HKPS gives "error searching keyserver: General error"
Closed, InvalidPublic

Description

This may be related to T1792

tl;dr: HKPS handler will die when used with non-HKPS hosts in a given pool.

Using setup directions from https://sks-keyservers.net/overview-of-pools.php I
assumed that configuring my GnuPG client to use ipv4.pool.sks-keyservers.net
would provide an appropriate response. It took me quite some time to determine
that HKPS is totally incompatible with the ipv4 (or other) server pools.

This is further confused by the fact that an older version of the GnuPG skeleton
files which includes a clause with examples that mix HKPS and hkp servers (skel
may not necessarily be updated in a user's directory):

<excerpt>

  1. Most users just set the name and type of their preferred keyserver.
  2. Note that most servers (with the notable exception of
  3. ldap://keyserver.pgp.com) synchronize changes with each other. Note
  4. also that a single server name may actually point to multiple
  5. servers via DNS round-robin. hkp://subkeys.pgp.net is an example of
  6. such a "server", which spreads the load over a number of physical
  7. servers.

Keyserver hkps://pool.sks-keyservers.net
Keyserver hkp://subkeys.pgp.net
Keyserver mailto:pgp-public-keys@keys.nl.pgp.net
Keyserver ldap://pgp.surfnet.nl:11370
Keyserver ldap://keyserver.pgp.com
</excerpt>

As a result, I kept encountering the errors reported in
T1792

Here's a simple demonstration of the failure case

$ gpg2 --keyserver hkps://ipv4.pool.sks-keyservers.net --search-keys
2071B08A33BD3F06
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Contrast with:

$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys
2071B08A33BD3F06
gpg: data source: https://mud.stack.nl:443
(1) NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>

	  2048 bit RSA key 2071B08A33BD3F06, created: 2014-10-29, expires: 2020-10-30

PERSISTENT FAILURE CASE:
Now, once the failure condition is encountered, further queries FAIL:

$ pkill dirmngr

$ gpg2 --keyserver hkp://pool.sks-keyservers.net --search-keys 2071B08A33BD3F06
gpg: error searching keyserver: No route to host
gpg: keyserver search failed: No route to host

$ gpg2 --keyserver hkps://hkps.sks-keyservers.net --search-keys 2071B08A33BD3F06
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available

WHAT?! I just specified --keyserver!!!??

Let's see if this can be rectified with clearing the keyserver:

$ gpg-connect-agent --dirmngr keyserver

keyserver --clear

OK

$ gpg2 --keyserver hkps://hkps.sks-keyservers.net --search-keys 2071B08A33BD3F06
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available

Try this with other VALID --keyserver combinations. Bang head against wall.

The ONLY command that seems to fix this persistent failure case:

$ gpg2 --search-keys 2071B08A33BD3F06

Suddenly, I can use --keyserver again, after this.

My gpg.conf:

no-greeting
keyserver hkps://hkps.pool.sks-keyservers.net

In my opinion, gpg should at least fail gracefully, or clue the user in as to
why HKPS is failing. This seems like a "brittle" failure.

Details

Version
2.1.15
baitisj set Version to 2.1.15.Dec 13 2016, 4:24 AM
baitisj added projects: gnupg, Bug Report, Keyserver.
baitisj added a subscriber: baitisj.
justus claimed this task.Dec 19 2016, 11:37 AM
justus added a subscriber: justus.
justus closed this task as Invalid.Dec 19 2016, 4:18 PM
justus removed a project: Bug Report.

tl;dr: HKPS handler will die when used with non-HKPS hosts in a given pool.

I think dying is reasonable. Maybe it should return a nicer error
than 'general error' and it shouldn't take 10 seconds to figure out
the protocol error.

Using setup directions from
https://sks-keyservers.net/overview-of-pools.php I assumed that
configuring my GnuPG client to use ipv4.pool.sks-keyservers.net
would provide an appropriate response. It took me quite some time to
determine that HKPS is totally incompatible with the ipv4 (or other)
server pools.

This is further confused by the fact that an older version of the
GnuPG skeleton files which includes a clause with examples that mix
HKPS and hkp servers (skel may not necessarily be updated in a
user's directory):

Sorry about that. I think the current skeleton file is clearer on
this.

As a result, I kept encountering the errors reported in
T1792

I don't see a connection to this bug.

Here's a simple demonstration of the failure case

$ gpg2 --keyserver hkps://ipv4.pool.sks-keyservers.net --search-keys
2071B08A33BD3F06
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

Contrast with:

$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys
2071B08A33BD3F06
gpg: data source: https://mud.stack.nl:443
(1) NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>

 	  2048 bit RSA key 2071B08A33BD3F06, created: 2014-10-29, expires: 2020-10-30

PERSISTENT FAILURE CASE:
Now, once the failure condition is encountered, further queries FAIL:

$ pkill dirmngr

A nicer way to kill the dirmngr is:

  gpg-connect-agent --dirmngr 'killdirmngr' /bye

$ gpg2 --keyserver hkp://pool.sks-keyservers.net --search-keys 2071B08A33BD3F06
gpg: error searching keyserver: No route to host
gpg: keyserver search failed: No route to host

This is strange, and looks like it should work. Works over here. Maybe it is
bad luck and you got a bad host from the roundrobin.

$ gpg2 --keyserver hkps://hkps.sks-keyservers.net --search-keys 2071B08A33BD3F06
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available

WHAT?! I just specified --keyserver!!!??

Relax. You forgot the '.pool' in the url.

Let's see if this can be rectified with clearing the keyserver:

$ gpg-connect-agent --dirmngr keyserver
> keyserver --clear
OK

$ gpg2 --keyserver hkps://hkps.sks-keyservers.net --search-keys 2071B08A33BD3F06
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available

Likewise.

  1. Try this with other VALID --keyserver combinations. Bang head against wall. The ONLY command that seems to fix this persistent failure case: $ gpg2 --search-keys 2071B08A33BD3F06 Suddenly, I can use --keyserver again, after this.

I'm pretty sure you just messed up the urls.

werner added a subscriber: werner.Dec 19 2016, 6:23 PM

For the records, the suggested way to kill dirmngr is

gpgconf --kill dirmngr

this makes sure that dirmngr will not be started if it is not running.

> $ gpg2 --keyserver hkps://hkps.sks-keyservers.net --search-keys 2071B08A33BD3F06
> gpg: no keyserver known (use option --keyserver)
> gpg: keyserver search failed: No keyserver available
>
> WHAT?! I just specified --keyserver!!!??

Relax. You forgot the '.pool' in the url.

:facepalm: ... Apparently I need more coffee -- persistent failure state in user
encountered.

Sorry for the noise.

I do wonder about fault-tolerance, though, if a e.g. non-responsive host creeps
in to the pool.

At any rate, this is mainly a cosmetic issue at this point, and this bug report
probably contains sufficient information to help someone who "encounters" the
condition to resolve the protocol error quickly.

baitisj renamed this task from Requesting HKPS service from non-HKPS gives "error searching keyserver: General error"; results in persistent failure state to Requesting HKPS service from non-HKPS gives "error searching keyserver: General error".Dec 19 2016, 6:46 PM