reading through dirmngr/http.c and dirmngr/ks-engine-http.c, it appears that HTTP_FLAG_TRUST_SYS is being unilaterally set.
This is probably inappropriate in instances where the target is the SKS HKPS pool (hkps.pool.sks-keyservers.net) because we know that that pool should only be authenticated by @kristianf's CA.
| rG GnuPG | |||
| rG58e234fbeb6c dirmngr: Don't add system CAs for SKS HKPS pool. | |||
| rG75e0ec65170b dirmngr: Don't add system CAs for SKS HKPS pool. | |||
To be clear, this would allow the least competent CA in the system root trust anchor list to certify an arbitrary server as a member of hkps.pool.sks-keyservers.net. So it is in some sense a security vulnerability -- it allows for a bypass of the correct authority.
With NTBTLS, it seems it works correctly.
Comparing the path for NTBTLS (which I usually using for my development) and the one for GNUTLS,
I think that following one liner gives us same behavior to respect @kristianf 's CA for GNUTLS.
diff --git a/dirmngr/http.c b/dirmngr/http.c index 81b7ba897..8e0701fab 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -792,6 +792,8 @@ http_session_new (http_session_t *r_session, pemname, gnutls_strerror (rc)); xfree (pemname); } + + add_system_cas = 0; } /* Add configured certificates to the session. */
While I understand incorrectness, the risk in practice is not that high. So, I put this as "normal" priority.
I see. I am also mostly testing with ntbtls so I was wondering about the report. Thanks for reporting and fixing.