[Pkg-gnupg-maint] Bug#771666: dirmngr: Hostname verification uses the wrong hostname

Tristan Seligmann mithrandi at mithrandi.net
Mon Dec 1 11:30:51 UTC 2014


Package: dirmngr
Version: 2.1.0-1
Severity: normal

When connecting to an hkps keyserver, dirmngr performs hostname
verification using the wrong hostname, like so:

dirmngr[22113.6]: handler for fd 6 started
dirmngr[22113.6]: connection from process 22139 (1000:1000)
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'sks.mrball.net'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': '[2001:67c:2050:1000::3:4]'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': '[2001:1af8:3100:b010:a000::1]'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': '[2001:16d8:ee3d:ee30:215:5dff:fe00:120d]'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'key.ip6.li'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': '[2a00:1280:8000:2:1:8:0:1]'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'key.ip6.li' [already known]
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'keyserver.br.nucli.net'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'zap.org.au'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'cm-84.215.15.221.getinternet.no'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'srv01.secure-u.de'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'srf.secretresearchfacility.com'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': '79.143.214.216'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'stlhs.archreactor.org'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'cryptonomicon.mit.edu'
dirmngr[22113.6]: getnameinfo returned for 'hkps.pool.sks-keyservers.net': 'sks.mrball.net' [already known]
dirmngr[22113.6]: TLS verification of peer failed: hostname does not match
dirmngr[22113.6]: DBG: expected hostname: 79.143.214.216
dirmngr[22113.6]: DBG: BEGIN Certificate 'server[0]':
dirmngr[22113.6]: DBG:      serial: 2A
dirmngr[22113.6]: DBG:   notBefore: 2014-01-09 17:42:19
dirmngr[22113.6]: DBG:    notAfter: 2015-01-09 17:42:19
dirmngr[22113.6]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[22113.6]: DBG:     subject: 1.2.840.113549.1.9.1=#696E666F40736561726368792E6E6C,CN=keyserver.searchy.nl,O=Searchy Internet Services V.O.F.,ST=Noord-Brabant,C=NL
dirmngr[22113.6]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[22113.6]: DBG:   SHA1 fingerprint: 903B2364C8765A9768E45C2745E0A5AA9748D5AE
dirmngr[22113.6]: DBG: END Certificate
dirmngr[22113.6]: DBG: BEGIN Certificate 'server[1]':
dirmngr[22113.6]: DBG:      serial: 00AF73C8B4CF9F808F
dirmngr[22113.6]: DBG:   notBefore: 2012-10-09 00:33:37
dirmngr[22113.6]: DBG:    notAfter: 2022-10-07 00:33:37
dirmngr[22113.6]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[22113.6]: DBG:     subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[22113.6]: DBG:   hash algo: 1.2.840.113549.1.1.5
dirmngr[22113.6]: DBG:   SHA1 fingerprint: 791B27A38E667F8027814D4E68E7C478A45D5A17
dirmngr[22113.6]: DBG: END Certificate
dirmngr[22113.6]: TLS connection authentication failed: General error
dirmngr[22113.6]: error connecting to 'https://79.143.214.216:443': General error

I found this mailing list post which suggests this should be fixed
upstream:

http://lists.gnupg.org/pipermail/gnupg-devel/2014-May/028481.html

I was unable to determine whether this is therefore a regression, or
just that the version in Debian is not new enough to include the
upstream fix referenced in that post.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.utf8, LC_CTYPE=en_ZA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dirmngr depends on:
ii  adduser            3.113+nmu3
ii  libassuan0         2.1.2-2
ii  libc6              2.19-13
ii  libgcrypt20        1.6.2-4
ii  libgnutls-deb0-28  3.3.8-5
ii  libgpg-error0      1.17-2
ii  libksba8           1.3.2-1
ii  libnpth0           1.0-1
ii  lsb-base           4.1+Debian13+nmu1

Versions of packages dirmngr recommends:
ii  libldap-2.4-2  2.4.40-3

dirmngr suggests no packages.

-- no debconf information
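An added illustration of the check this report is about (example code, not part of the bug report or of dirmngr itself): the name compared against the server certificate must be taken from the hkps URL the caller configured, not from the address the resolver handed back and the connection actually landed on. The certificate name list is a constructed sample; the page shows only CN=keyserver.searchy.nl, so the pool-name entry is an assumption made to show the correct comparison succeeding.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of the names a pool member's certificate presents.
# The pool-name entry is an assumption, not taken from the report.
SAMPLE_CERT_NAMES = ["keyserver.searchy.nl", "hkps.pool.sks-keyservers.net"]


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, and a wildcard only as the
    whole leftmost label, so '*.example.org' matches 'a.example.org' but
    not 'a.b.example.org', 'example.org' or a bare '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(cert_names, expected: str) -> bool:
    """True if the name the client asked for is covered by the certificate.
    An address literal (bracketed or not, as in the dirmngr log) only
    matches an exact entry; wildcards never cover an address."""
    literal = expected.strip("[]")
    try:
        ipaddress.ip_address(literal)
        return literal in cert_names
    except ValueError:
        return any(match_dns_name(n, expected) for n in cert_names)


def name_to_verify(configured_url: str, connected_to: str, bug: bool) -> str:
    """The name to compare: the host of the URL the caller configured.
    bug=True reproduces what the log shows, where the address actually
    connected to was used as the expected hostname instead."""
    return connected_to if bug else urlsplit(configured_url).hostname


def check_pool_member(cert_names, configured_url, connected_to, bug=False):
    """Full check for one pool member; returns the verification verdict."""
    return verify_hostname(cert_names, name_to_verify(configured_url, connected_to, bug))
```

With bug=True the comparison is made against 79.143.214.216, which no pool certificate names, so every connection fails exactly as in the log; with the configured name it succeeds only for certificates that actually carry it.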