Page MenuHome GnuPG
Create Task
Maniphest T3937

Dirmgnr: X509 Searches on Windows can hang
Closed, ResolvedPublic
Actions

Description

On Windows (works on GNU/Linux) adding x500.bund.de as an S/MIME Certificate server makes searches in Kleopatra hang indefinitely or at least very long.

This was with latest GnuPG Stable branch (2.7 beta) and Kleopatra master.

I've also received a report (with screenshots) that dirmngr can crash in this configuration. (Crash was with 2.2.6 from Gpg4win-3.1.0)

Hang and problems are reproducible without Kleopatra:

C:\Users\aheinecke>rmdir /S /Q %TMP%\gpghome

C:\Users\aheinecke>set GNUPGHOME=%TMP%\gpghome

C:\Users\aheinecke>mkdir %GNUPGHOME%

C:\Users\aheinecke>echo keyserver x500.bund.de:::: > %GNUPGHOME%\gpgsm.conf

C:\Users\aheinecke>gpgsm --list-external-keys zitis
gpgsm: Die "Keybox" `C:\Users\AHEINE~1\AppData\Local\Temp\gpghome\pubring.kbx' wurde erstellt
gpgsm: listing external keys failed: Not enough space

C:\Users\aheinecke>gpgsm --list-external-keys zitis
gpgsm: listing external keys failed: Not enough space

C:\Users\aheinecke>gpgsm --list-external-keys zitis
[external keys]
---------------
           ID: 0xE6AA5B43
          S/N: 024AFE529A6F45
       Issuer: /CN=CA IVBB Deutsche Telekom AG 15/OU=Bund/O=PKI-1-Verwaltung/C=DE
      Subject: /CN=Koetter Patrick/OU=becon/O=Service/C=DE/SerialNumber=1
          aka: p@sys4.de
     validity: 2016-11-03 12:27:01 through 2019-11-03 23:59:59
     key type: 2048 bit RSA
    key usage: digitalSignature nonRepudiation keyEncipherment
     policies: 1.3.6.1.4.1.7924.1.1:N:
  fingerprint: 99:41:E1:5C:D0:67:E6:FC:48:90:6C:DFgpgsm: listing external keys failed: Not enough space
:02:FA:B4:DA:E6:AA:5B:43


C:\Users\aheinecke>gpgsm --list-external-keys zitis
gpgsm: failed to parse a certificate: BER Fehler
gpgsm: listing external keys failed: Not enough space

C:\Users\aheinecke>gpgsm --list-external-keys zitis
gpgsm: listing external keys failed: Not enough space

C:\Users\aheinecke>gpgsm --list-external-keys zitis
gpgsm: failed to parse a certificate: BER Fehler
gpgsm: listing external keys failed: Not enough space

C:\Users\aheinecke>gpgsm --list-external-keys zitis
gpgsm: listing external keys failed: Not enough space

C:\Users\aheinecke>gpgsm --list-external-keys foobar
^C

Last command hangs. Not enough space seems a wrong error. On the disk are 10GB free space.

I think that this is very much related to T2110 and might be the same issue.

Details

Version
master

Revisions and Commits

rG GnuPG
rG007dde93cc39 dirmngr: Implement timeout for dirmngr_ldap under Windows.
rG3bd793256e2e common,w32: Hide spawned processes by default
rGf9fbfc64e402 dirmngr: Use the LDAP wrapper process also for Windows.
rE libgpg-error
rEb26a227173e8 core,w32: Avoid recursive use of npth_unprotect.

Related Objects
Search...

Event Timeline

aheinecke created this task.Apr 25 2018, 4:38 PM
aheinecke added a subtask: T2110: Gpgsm 2.1 external key search gives duplicated results.Apr 25 2018, 4:52 PM
aheinecke renamed this task from Kleopatra: Dirmgnr: X509 Searches on Windows can hang to Dirmgnr: X509 Searches on Windows can hang.Apr 25 2018, 5:06 PM
aheinecke updated the task description. (Show Details)
aheinecke removed a project: kleopatra.
aheinecke added a comment.Apr 25 2018, 5:58 PM

T2984 might also be related as the fetches are ldap.

Ceterum censeo ldapwrapper-ce esse delendam.

werner claimed this task.Apr 26 2018, 11:15 AM
werner added a project: gnupg (gpg22).
werner added a commit: rGf9fbfc64e402: dirmngr: Use the LDAP wrapper process also for Windows..Apr 27 2018, 12:18 PM
werner changed the task status from Open to Testing.Apr 30 2018, 8:58 AM
aheinecke changed the task status from Testing to Open.Apr 30 2018, 9:46 AM

With latest gpg-error and latest gnupg It still hangs for me after printing the certificate.

Log:

dirmngr.log9 KBDownload

And no the log is not truncated it really ends with the half dirmngr_ldap line.

aheinecke added a comment.Apr 30 2018, 10:01 AM

The hang appears random. It sometimes works 4 out of 5 times.

werner added a commit: rEb26a227173e8: core,w32: Avoid recursive use of npth_unprotect..May 1 2018, 7:56 PM
aheinecke closed subtask T2110: Gpgsm 2.1 external key search gives duplicated results as Resolved.May 2 2018, 1:41 PM
aheinecke added a parent task: T3899: Gpg4win 3.1.1.
aheinecke added a comment.May 2 2018, 1:47 PM

Yes! Works nicely. I tested with unreachable and invalid servers, and with multiple queries against x500.bund.de and ca.intevation.de all is fine!

Two issues which are both no blocker but I think we should at least fix the first one:

  1. The ldap wrapper opens a console window
  2. Ldaptimeout is apparently ignored it appears to time out at 30 secs regardless of the ldaptimeout value.
aheinecke added a commit: rG3bd793256e2e: common,w32: Hide spawned processes by default.May 2 2018, 2:12 PM
aheinecke added a comment.May 2 2018, 2:29 PM

I felt confident enough to push a fix for the console window. The code was obvious and the fix, too.

aheinecke added a comment.May 2 2018, 2:38 PM

A strangeness I see is when I am searching for "zitis" on x500.bund.de I get the same key over and over again (until the list is truncated). I'm not sure if the response from the server is wrong or if we have a bug there. If I search for "Telekom" for example I get 10 different certificates, so it works there.

werner added a comment.May 2 2018, 5:19 PM

Confirmed. it is also not Windows specific.

werner added a commit: rG007dde93cc39: dirmngr: Implement timeout for dirmngr_ldap under Windows..May 2 2018, 6:47 PM
aheinecke closed this task as Resolved.May 3 2018, 10:46 AM

I thoroughly tested this again with the released versions. Works very nicely, including the timeout.