Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo

To: tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Subject: Re: [tor-relays] keys.gnupg.net broken; can't add Debian Tor repo

Date: Tue, 11 Jul 2017 02:37:44 +0100

Delivery-date: Mon, 10 Jul 2017 21:38:00 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=fm1; bh=L70oPWr9dwBaFLeUTyJq/FUoJ2pnLvKhBYI3QF4cU oY=; b=gcCMByj4BKPkV2lFu+KX0MHEpQ+wUFgZSHrzdzi/9aRxsUsHajRsEyGfL ZMz8ITAWnD1O6AVIjSiRals6fOoTYpdkALFBt4C0lRmDIFzp/Jl4dWfEwTHlQ4/8 rzWSqQaHpEcYJ37JKYJkce5YnYgCE6mTcWIxMGJUKthxtpO8CDZ0/ygkn+5V6aF3 4uQHaclVLGWeoubIrRTIhIuZj2Qoefv7KNJHXQ5C3yJKIfgsZnpskPMolnHSpue/ 7R0qKxEAgxhV76JGwkkqSnbS90CVwAWqRV25dImu35vZeT702JGKH7JCo6s060Vc UNUuaWj2q3/h43V/RWDyRKX+MXJfg==

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On the SSL issue: keys.gnupg.net is an alias to the SKS keyserver pool, which is a number of public volunteer run servers:

My guess is you hit a misconfigured one that redirected you to TLS without checking what host you requested.

For example I redirect http://keyserver.paulfurley.com to https://keyserver.paulfurley.com *only* if the requested host is keyserver.paulfurley.com. Otherwise I would serve a certificate with a mismatching domain.

I'd recommend posting your finding to the sks-devel mailing list since it's probably something the pool should look out for and warn servers they're misconfigured. (I'll post it in the morning if you like.)

Paul

On Jul 10, 2017 at 10:58 pm, <tor> wrote:

Actually, the directions on https://www.torproject.org/docs/debian.html.en work okay. I was trying to automate things with Ansible, but the format changed at some point, from something like:

apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 url="">

to:

apt_key: id=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 keyserver=keys.gnupg.net

The URL at /pks/lookup no longer exists, so I saw a 404. Using the newer format with just the hostname of the keyserver it works okay.

Regarding http://keys.gnupg.net I still don't know why there is a SSL mismatch in the browser, or why you can no longer access the web UI, but it's not as broken as it looked.

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays