make tls certificate problems more understandable
Open, Wishlist, Public

Description

If there is a TLS error when checking the certificate, the error message of gpg does not tell that it is a TLS problem,
and it is hard to find out with the usual method of adding -v.

gpg: error retrieving 'bernhard@intevation.org' via WKD: Wrong name
gpg: error reading key: Wrong name

(note the intevation.org which is our second domain)

"Wrong name" could be anything; at first users will believe it has to do with the name of the person they are sending the email to. A hint towards TLS failing would be helpful.

The verbose version does not tell either:

gpg -vvv --locate-key bernhard@intevation.org
gpg: using character set 'iso-8859-1'
gpg: using pgp trust model
gpg: error retrieving 'bernhard@intevation.org' via Local: No public key
gpg: error retrieving 'bernhard@intevation.org' via WKD: Wrong name
gpg: error reading key: Wrong name

Problem reproduced with gnupg-2.2.1 (self-build) and gnupg-2.2.4 (Gpg4win 3.0.3).

bernhard created this task. Feb 28 2018, 8:51 AM
bernhard created this object in space S1 Public.
An additional note: It is harder than with gpg-2.0 to get more details about a failed attempt to receive pubkey material. The keyserver options cannot be called from gpg directly, but have to be given to dirmngr. I don't have a solution for this, it is just an observation.

Debugging network problems is always hard and applications should not include tcpdump facilities. Right, I consider TLS network failures identical to layer 3 network failures because we should assume that all traffic is encrypted. Wrong certificates are also a severe network failure much like wrong voltage levels at layer one ;-).

What we can do in this case is to print a hint on the cause of the Wrong Name error in gpg. Maybe a text similar to what Firefox tells you:

The owner of intevation.org has configured their website improperly. To protect the data from being manipulated, GnuPG has not retrieved this data.
bernhard added a comment. Edited Feb 28 2018, 1:23 PM

Note that "Wrong name" severely lacks the information that it is connection related in any way. :)
Just adding "Connection problem: TLS: " would already help a lot.

$ gpg-error --desc GPG_ERR_WRONG_NAME
313 = (0, 313) = (GPG_ERR_SOURCE_UNKNOWN, GPG_ERR_WRONG_NAME) = (Unspecified source, Unknown error code)

  NTBTLS: - Hostname does not match the certificate
werner triaged this task as Wishlist priority. Apr 17 2018, 7:38 PM
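As an added example (not code from GnuPG or from this ticket), the following Python derives the WKD lookup URLs for an address such as bernhard@intevation.org and, when probing the host, turns a TLS hostname mismatch into the explicit "Connection problem: TLS:" hint proposed in the comments; the function names and the exact wording of the hint are my own choices.

```python
import hashlib
import socket
import ssl

# z-base-32 alphabet used by WKD (GnuPG's zb32 encoding, bits taken MSB first)
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zb32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32; SHA-1's 160 bits give exactly 32 characters."""
    bits = len(data) * 8
    n = int.from_bytes(data, "big") << (-bits % 5)  # zero-pad to a 5-bit boundary
    length = (bits + 4) // 5
    return "".join(ZB32[(n >> (5 * (length - 1 - i))) & 31] for i in range(length))


def wkd_urls(email: str) -> dict:
    """Advanced and direct WKD URLs: lower-cased local part, SHA-1, z-base-32; l= keeps the original."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu = zb32_encode(hashlib.sha1(local.lower().encode()).digest())
    well_known = ".well-known/openpgpkey"
    return {
        "advanced": f"https://openpgpkey.{domain}/{well_known}/{domain}/hu/{hu}?l={local}",
        "direct": f"https://{domain}/{well_known}/hu/{hu}?l={local}",
    }


def explain_tls_error(exc: BaseException, host: str) -> str:
    """Turn a TLS failure into the kind of hint this ticket asks gpg to print."""
    # OpenSSL's X509_V_ERR_HOSTNAME_MISMATCH is 62; ssl sets verify_code only for
    # errors raised by a real handshake, so the message text is matched as well.
    if getattr(exc, "verify_code", None) == 62 or "Hostname mismatch" in str(exc):
        return f"Connection problem: TLS: hostname {host!r} does not match the certificate"
    if isinstance(exc, ssl.SSLCertVerificationError):
        reason = getattr(exc, "verify_message", str(exc))
        return f"Connection problem: TLS: certificate verification failed for {host!r}: {reason}"
    return f"Connection problem: {host!r}: {exc}"


def probe_wkd_host(host: str, timeout: float = 5.0) -> str:
    """Open a verified TLS connection to a WKD host and report the outcome in plain words."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"TLS OK: {host} presented a valid certificate ({tls.version()})"
    except (ssl.SSLError, OSError) as exc:
        return explain_tls_error(exc, host)
```

Running `probe_wkd_host("openpgpkey.example.org")` against a host whose certificate does not cover that name yields the hostname hint instead of a bare "Wrong name".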