Page MenuHome GnuPG
Create Task
Maniphest T4597

Support GCM modes for ntbtls.
Closed, ResolvedPublic
Actions

Description

Trying to configure gpg to use the new https://keys.openpgp.org on Windows 10, GPG4Win 3.1.9.

I receive the following errors when attempting to refresh keys:

2019-07-01 07:03:23 dirmngr[248] DBG: dns: dnsserver[0] '8.8.8.8'
2019-07-01 07:03:23 dirmngr[248] DBG: dns: dnsserver[1] '4.4.4.4'
2019-07-01 07:03:23 dirmngr[248] DBG: dns: libdns initialized
2019-07-01 07:03:24 dirmngr[248] DBG: dns: getsrv(_pgpkey-https._tcp.keys.openpgp.org) -> 0 records
2019-07-01 07:03:24 dirmngr[248] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
2019-07-01 07:03:24 dirmngr[248] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
2019-07-01 07:03:24 dirmngr[248] DBG: Using TLS library: NTBTLS 0.1.2
2019-07-01 07:03:24 dirmngr[248] DBG: http.c:connect_server: trying name='keys.openpgp.org' port=443
2019-07-01 07:03:24 dirmngr[248] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
2019-07-01 07:03:24 dirmngr[248] DBG: http.c:1899:socket_new: object 0x02eb85d0 for fd 868 created
2019-07-01 07:03:24 dirmngr[248] TLS handshake failed: Fatal alert message received <TLS>
2019-07-01 07:03:24 dirmngr[248] error connecting to 'https://keys.openpgp.org:443': Fatal alert message received

Possibly related to T3411, but it seems NTBTLS 0.1.2 should support keys.openpgp.org TLS with no problems.

I can't find a way to enable NTBTLS debug logging, let me know if that's possible and would provide useful info.

I should note that I have an identical keyserver conf on a Fedora 30 machine and refreshing keys finishes without TLS errors using GnuTLS 3.6.8.

Related Objects

Event Timeline

historic_bruno created this task.Jul 1 2019, 3:03 PM
historic_bruno created this object in space S1 Public.
werner triaged this task as Normal priority.Jul 1 2019, 5:46 PM
werner added a project: Feature Request.
werner added a subscriber: werner.

They can't agree on a common ciphersuite. The reason is that the server does not support any CBC mode. Which is a bad idea because CBC is still a very common cipher mode.

I re-title the this bug as a feature request to support an GCM mode in ntbtls.

werner renamed this task from TLS handshake failed: Fatal alert message received (hkps://keys.openpgp.org, Windows, GPG4Win 3.1.9, NTBTLS 0.1.2) to Support GCM modes for ntbtls..Jul 1 2019, 5:48 PM
Valodim added a subscriber: Valodim.Jul 2 2019, 4:02 PM

Which is a bad idea because CBC is still a very common cipher mode.

I checked ntbtls' ciphersuites.c, and it seemed to be up to date. What ciphersuite do you suggest we include for compatibility in the meantime?

werner added a comment.Jul 2 2019, 4:19 PM

Anything using CBC mode - ECC is just fine.

Valodim added a comment.Jul 2 2019, 5:39 PM

Done. Hopefully this works now :)

https://www.ssllabs.com/ssltest/analyze.html?d=keys.openpgp.org

historic_bruno added a comment.Jul 3 2019, 2:22 PM
In T4597#127637, @Valodim wrote:

Done. Hopefully this works now :)

https://www.ssllabs.com/ssltest/analyze.html?d=keys.openpgp.org

It does, thanks!

gniibe claimed this task.Jul 10 2019, 4:51 AM
gniibe added a subscriber: gniibe.

I pushed my change as: rT7b2c4d9dd50b: Support GCM.
Please test.

gniibe changed the task status from Open to Testing.Mar 12 2020, 6:33 AM
gniibe added a project: Restricted Project.
werner closed this task as Resolved.Aug 27 2020, 9:34 AM

0.2.0 was just released with support for GCM. Tested against openpgpkeys.pm.me

Valodim mentioned this in T5813: Locating Keys via WKD with gpg4win fails with unknown error..Feb 3 2022, 11:59 AM