from behind a proxy
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	hlein
	Feb 14 2024, 10:45 PM

Description

When behind a proxy with:

# echo $http_proxy | sed 's/[0-9]/N/g'
http://NNN.NNN.NNN.NNN:NNNN/

# cat ~/.gnupg/dirmngr.conf 
honor-http-proxy

gnupg-2.4.3 can recv-keys fine:

# killall dirmngr 2>/dev/null ; gpg --version | head -n1 ; gpg --keyserver hkps://keys.gentoo.org --recv-keys 39EA32FE8222EEEC
gpg (GnuPG) 2.4.3
gpg: key 39EA32FE8222EEEC: "Ulrich Müller <ulm@gentoo.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

gnupg 2.4.4 fails:

# killall dirmngr 2>/dev/null ; gpg --version | head -n1 ; gpg --keyserver hkps://keys.gentoo.org --recv-keys 39EA32FE8222EEEC
gpg (GnuPG) 2.4.4
gpg: keyserver receive failed: No keyserver available

When I watch the proxy, it is not that 2.4.4 makes no attempt to connect. It's that it doesn't send CONNECT, instead something the proxy server doesn't like:

NNN.NNN.NNN.NNN - - [14/Feb/2024:16:36:19 -0500] "- error:invalid-request HTTP/1.1" 400 3585 397 - "-" "-" NONE_NONE:HIER_NONE

When I sniff this, it's binary goo as soon as the 3WHS completes.

There's mentions of proxy handling changes in the 2.4.4 release notes, but they only talk about Windows systems; this is on Linux.

This might only impact hkps://. I'm having trouble finding an hkp:// server that's still alive, but when I attempt one, I see the client issuing a well-formed GET through the proxy, which of course then times out.

Details

Version: 2.4.4

Revisions and Commits

rG GnuPG
		rG41c022072599 dirmngr: Fix keep-alive flag handling.
		rGc33c4fdf10b7 dirmngr: Fix the regression of use of proxy for TLS connection.
		rGd6c428699db7 dirmngr: Fix proxy with TLS.
		rG2810b934647e dirmngr: Fix keep-alive flag handling.
		rG848546b05ab0 dirmngr: Fix the regression of use of proxy for TLS connection.
	Concern Raised	rG04cbc3074aa9 dirmngr: Fix proxy with TLS.

Related Objects

Mentioned In: T7189: Release GnuPG 2.5.0
T6849: Release GnuPG 2.2.43
T6960: Release GnuPG 2.4.5
Mentioned Here: rG2810b934647e: dirmngr: Fix keep-alive flag handling.
rG848546b05ab0: dirmngr: Fix the regression of use of proxy for TLS connection.
rG845d5e61d8e1: dirmngr: Cleanup the http module.
rG04cbc3074aa9: dirmngr: Fix proxy with TLS.

Event Timeline

hlein created this task.Feb 14 2024, 10:45 PM

thesamesam added a subscriber: thesamesam.Feb 14 2024, 10:50 PM

• gniibe added a commit: rG04cbc3074aa9: dirmngr: Fix proxy with TLS..Feb 15 2024, 7:42 AM

Thank you for the report. There was a problem in: rG845d5e61d8e1: dirmngr: Cleanup the http module.
Pushed the fix in: rG04cbc3074aa9: dirmngr: Fix proxy with TLS.

• ebo moved this task from Backlog to WiP on the gnupg24 board.Feb 15 2024, 8:26 AM

Per https://dev.gnupg.org/rG04cbc3074aa98660b513a80f623a7e9f0702c7c9#83517, it looks like the fix might be incomplete?

• gniibe added a commit: rG848546b05ab0: dirmngr: Fix the regression of use of proxy for TLS connection..Feb 16 2024, 3:39 AM

Right. I was wrong assuming the code in 2.2 branch is stable (that is: well tested).

Another fix is pushed: rG848546b05ab0: dirmngr: Fix the regression of use of proxy for TLS connection.

We need to fix 2.2 branch too.

• gniibe reassigned this task from • gniibe to • werner.Feb 16 2024, 3:44 AM

• gniibe moved this task from Backlog to WiP on the gnupg22 board.

• gniibe moved this task from WiP to QA on the gnupg24 board.Feb 16 2024, 3:50 AM

IIUC, the code for keep_alive is for negotiation of proxy. If so, something like this is the fix:

diff --git a/dirmngr/http.c b/dirmngr/http.c
index ac7e13241..7b206c23a 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
    * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
    */
   auth_basic = !!proxy->uri->auth;
-  hd->keep_alive = 0;
+  hd->keep_alive = !!proxy->outtoken;
 
   /* For basic authentication we need to send just one request.  */
   if (auth_basic
@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
     }
 
  leave:
+  if (hd->keep_alive)
+    {
+      es_fclose (hd->fp_write);
+      hd->fp_write = NULL;
+      /* The close has released the cookie and thus we better set it
+       * to NULL.  */
+      hd->write_cookie = NULL;
+    }
   /* Restore flags, destroy stream, reset state.  */
   hd->flags = saved_flags;
   es_fclose (hd->fp_read);

Thank you @gniibe! Applied the rG848546b05ab0: dirmngr: Fix the regression of use of proxy for TLS connection. changes here, and 2.4.4 works here now.

I did not try your extra keep_alive fix.

@hlein Thanks a lot for quick testing.

Please note that keep_alive fix is for Windows.

• gniibe added a commit: rG2810b934647e: dirmngr: Fix keep-alive flag handling..Feb 16 2024, 8:27 AM

I was wrong for the semantics of proxy->outtoken. It is zero when run_proxy_connect is called and enabled during the negotiation.

I fix this in: rG2810b934647e: dirmngr: Fix keep-alive flag handling.

• werner added a commit: rGd6c428699db7: dirmngr: Fix proxy with TLS..Feb 21 2024, 3:13 PM

• werner added a commit: rGc33c4fdf10b7: dirmngr: Fix the regression of use of proxy for TLS connection..

• werner added a commit: rG41c022072599: dirmngr: Fix keep-alive flag handling..

Okay, backported to 2.2.

• werner mentioned this in T6960: Release GnuPG 2.4.5.Mar 7 2024, 3:23 PM

• werner moved this task from QA to gnupg-2.4.5 on the gnupg24 board.Mar 7 2024, 3:26 PM

• werner edited projects, added gnupg24 (gnupg-2.4.5); removed gnupg24.

• werner moved this task from WiP to QA on the gnupg22 board.Mar 18 2024, 4:22 PM

• werner mentioned this in T6849: Release GnuPG 2.2.43.Apr 16 2024, 9:47 AM

• werner mentioned this in T7189: Release GnuPG 2.5.0.Jul 5 2024, 2:42 PM

• werner moved this task from QA to gnupg-2.2.43 on the gnupg22 board.Oct 4 2024, 11:38 AM

• werner edited projects, added gnupg22 (gnupg-2.2.43); removed gnupg22.

• werner closed this task as Resolved.Oct 4 2024, 11:46 AM