dirmngr fails for hkps when http-proxy is in use
Closed, Resolved, Public

Description

[ note: bug report submission is failing with "not allowed (too many links)", so
i've replaced http:// with http:__ as an attempted workaround here. rest
assured that i actually used the right form when testing. ]

Over in debian bug 818802, Mark reports that dirmngr does not do
well when using hkps and an http-proxy configuration.

I can confirm that this still seems to be the case in 2.1.18.

I have a functional http proxy running locally at http:__proxy.example:3128

I can use the proxy successfully to talk to the sks pool with wget, doing:

    https_proxy=http:__proxy.example:3128/ wget --ca-certificate /usr/share/gnupg/sks-keyservers.netCA.pem https:__hkps.pool.sks-keyservers.net

But when dirmngr.conf has:

    http-proxy http:__proxy.example:3128

Then dirmngr seems to open the connection and just send TLS requests directly to
the proxy, rather than sending an HTTP CONNECT message. I've looked at packet
captures and it is indeed just doing a TLS ClientHello directly to the proxy.
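The symptom reported above can be checked in a capture by inspecting the first payload the client sends to the proxy port: a working client opens with an HTTP `CONNECT` request line, while the failing one opens with a TLS handshake record. The Python sketch below is an added example, not code from GnuPG or from the reporter; the function name, the port 443 in the sample, and both sample byte strings are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "client_hello"

def classify_first_payload(data: bytes) -> dict:
    """Classify the first bytes a client sends to an HTTP proxy."""
    # TLS record header: type(1) | version(2) | length(2), then handshake type.
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        (length,) = struct.unpack("!H", data[3:5])
        kind = "tls-client-hello" if data[5] == CLIENT_HELLO else "tls-other"
        return {"kind": kind, "record_length": length}
    # HTTP request line: METHOD SP target SP HTTP-version CRLF
    line, sep, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    if sep and len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        method = parts[0].decode("ascii", "replace")
        target = parts[1].decode("ascii", "replace")
        if method != "CONNECT":
            return {"kind": "http-other", "method": method}
        # CONNECT uses authority-form: host:port
        host, _, port = target.rpartition(":")
        if host and port.isdigit():
            return {"kind": "http-connect", "host": host, "port": int(port)}
        return {"kind": "http-connect-malformed", "target": target}
    return {"kind": "unknown"}

# Constructed sample: what a proxy expects before any TLS traffic.
GOOD = (b"CONNECT hkps.pool.sks-keyservers.net:443 HTTP/1.1\r\n"
        b"Host: hkps.pool.sks-keyservers.net:443\r\n\r\n")

# Constructed sample: TLS record header + ClientHello header with a
# zero-filled body, standing in for the bytes seen in the failing case.
BAD = bytes.fromhex("160301002e0100002a0303") + bytes(40)

if __name__ == "__main__":
    for name, payload in (("expected", GOOD), ("observed", BAD)):
        print(name, classify_first_payload(payload))
```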

dkg set External Link to https://bugs.debian.org/818802. Feb 5 2017, 9:35 AM
dkg set Version to 2.1.18.
dkg added projects: dirmngr, gnupg, Bug Report, Debian.
dkg added a subscriber: dkg.
werner added a subscriber: werner. Feb 13 2017, 3:43 PM

There has never been support in GnuPG for https via an http proxy.
So can we change this to a feature request?

Oh well, using a curl-based key server helper this might have worked in the
past. We better implement that for 2.2.

justus moved this task from Backlog to Wishlist on the gnupg (gpg22) board. May 24 2017, 1:16 PM
justus claimed this task. Jul 18 2017, 4:27 PM