dirmngr: Since 2.1 windows firewall asks about dirmngr access
Closed, ResolvedPublic

Description

Since GnuPG 2.1 when dirmngr is queried for the first time and does network access the Windows Firewall pops up and asks the user if dirmngr should be allowed.

Todo here:

  • Investigate what exactly triggeres the Firewall question.
  • If the Firewall rule is really necessary add the rule as part of the installation.

This is the question:

If you allow this it will create a rule for dirmngr allowing dirmngr all access to and from any IP to any port. Both for TCP and UDP.

I can trigger this even with a WKD_GET which should only open a local connection. Neither if I allow or if I disallow the connection do I see any difference in a debug-level guru log.

werner added a subscriber: werner.Dec 12 2017, 10:13 AM

This is very likely dirmngr's DNS resolver which uses UDP by default. Fixies: a) use Tor. b) We add an option to use only TCP queries.

Well the problem is both TCP and UDP. Somehow dirmngr tries to open a listening socket. I think that may be some feature probing in the DNS resolver. Because if the Firewall access is denied I don't see any feature loss.

And it only happens once per dirmngr run, not once per connection.

aheinecke reassigned this task from aheinecke to werner.Apr 13 2018, 8:10 AM
aheinecke raised the priority of this task from Normal to High.

Werner it would be great if you could look into this. This is currently my most annoying 2.1. regression. Especially with auto-key-locate it is unintuitive when the Firewall question pops up and appears to come out of nowhere (e.g. adding recipients in GpgOL or in Kleopatra).

To reproduce it you can edit the windows firewall settings and remove the dirmngr entries.

I will try to figure out what exactly triggers the firewall. This should really be fixed as it leads to a bad "first contact" with Gpg4win, especially as we do more locate-keys nowadays so the question pops up randomly for the user.

gniibe added a subscriber: gniibe.Jun 19 2018, 10:02 AM

I found dirmngr tries to bind some random port. It might be the cause.

If so, this patch can stop the symptom.

aheinecke reassigned this task from aheinecke to gniibe.Jun 19 2018, 11:58 AM

@gniibe Thank you very much!
I've tested the change on Windows 7 and Windows 10 and the Firewall warning is indeed gone with this.

I leave it to you to decide how to commit this. Maybe with an ifdef for windows?

gniibe changed the task status from Open to Testing.Jun 20 2018, 2:16 AM

Good. I don't think there is any reason to select the ephemeral port in user space (by default).
So, I disabled the feature for all OSes.

Fixed in master and 2.2.

werner closed this task as Resolved.Jul 12 2018, 3:26 PM