[pkg-gnupg-maint] Bug#850184: dirmngr: TLS verification fails with "hostname does not match"

Tomasz Nitecki tnnn at tnnn.pl
Wed Jan 4 19:10:16 UTC 2017


Package: dirmngr
Version: 2.1.17-2
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

After I tried to fetch keys through hkps, I was greeted with a "General error"
message. When I retried with clear hkp, everything worked fine.

When I called dirmngr directly, I received the following error:
(...)
dirmngr[13694.0]: TLS verification of peer failed: hostname does not match
dirmngr[13694.0]: DBG: expected hostname: hkps.pool.sks-keyservers.net.
(...)

Full log is attached below.

Downgrading to 2.1.16-3 fixed this issue (log is also below).

This issue seems to be related to #771666 (it might be a regression);
it is also possible that it is related to #849845 (just a guess).


Regards,
T.


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dirmngr depends on:
ii  adduser        3.115
ii  libassuan0     2.4.3-2
ii  libc6          2.24-8
ii  libgcrypt20    1.7.5-2
ii  libgnutls30    3.5.7-3
ii  libgpg-error0  1.25-2
ii  libksba8       1.3.5-2
ii  libldap-2.4-2  2.4.44+dfsg-2
ii  libnpth0       1.3-1
ii  lsb-base       9.20161125

Versions of packages dirmngr recommends:
ii  gnupg  2.1.17-2

Versions of packages dirmngr suggests:
ii  tor  0.2.9.8-2

-- no debconf information

*** /home/tnnn/dev/storage/dirmngr-hostname-issue.log
## dirmngr 2.1.17-2 (hostname matching problem):

user at host:~$ echo -e "KEYSERVER hkps://hkps.pool.sks-keyservers.net\nKS_SEARCH 2071B08A33BD3F06\n" | dirmngr
dirmngr[13694]: error opening '/home/user/.gnupg/dirmngr_ldapservers.conf': No such file or directory
dirmngr[13694.0]: permanently loaded certificates: 0
dirmngr[13694.0]:     runtime cached certificates: 0
# Home: /home/user/.gnupg
# Config: /home/user/.gnupg/dirmngr.conf
OK Dirmngr 2.1.17 at your service
OK
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'sks.spodhuis.org'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'bone.digitalis.org'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'prod00.keyserver.dca.witopia.net'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gpg.NebrWesleyan.edu'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'hufu.ki.iif.hu'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gozer.rediris.es'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]'
S PROGRESS tick ? 0 0
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'zimmermann.mayfirst.org'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'bone.digitalis.org' [already known]
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'ip-209-135-211-141.ragingwire.net'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'hufu.ki.iif.hu' [already known]
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gpg.NebrWesleyan.edu' [already known]
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gozer.rediris.es' [already known]
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'sks.spodhuis.org' [already known]
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'ams.sks.heypete.com'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'host-37-191-238-78.lynet.no'
dirmngr[13694.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'cryptonomicon.mit.edu'
dirmngr[13694.0]: TLS verification of peer failed: hostname does not match
dirmngr[13694.0]: DBG: expected hostname: hkps.pool.sks-keyservers.net.
dirmngr[13694.0]: DBG: BEGIN Certificate 'server[0]':
dirmngr[13694.0]: DBG:      serial: 75
dirmngr[13694.0]: DBG:   notBefore: 2016-04-24 18:44:05
dirmngr[13694.0]: DBG:    notAfter: 2017-04-24 18:44:05
dirmngr[13694.0]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[13694.0]: DBG:     subject: CN=sks.spodhuis.org,OU=PGP Keyserver,O=GlobNIX Systems,C=NL
dirmngr[13694.0]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[13694.0]: DBG:   SHA1 fingerprint: 3B7F90096DBE8BCEC510652FB0485841A4F4062D
dirmngr[13694.0]: DBG: END Certificate
dirmngr[13694.0]: DBG: BEGIN Certificate 'server[1]':
dirmngr[13694.0]: DBG:      serial: 00AF73C8B4CF9F808F
dirmngr[13694.0]: DBG:   notBefore: 2012-10-09 00:33:37
dirmngr[13694.0]: DBG:    notAfter: 2022-10-07 00:33:37
dirmngr[13694.0]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[13694.0]: DBG:     subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[13694.0]: DBG:   hash algo: 1.2.840.113549.1.1.5
dirmngr[13694.0]: DBG:   SHA1 fingerprint: 791B27A38E667F8027814D4E68E7C478A45D5A17
dirmngr[13694.0]: DBG: END Certificate
dirmngr[13694.0]: TLS connection authentication failed: General error
dirmngr[13694.0]: error connecting to 'https://sks.spodhuis.org:443': General error
dirmngr[13694.0]: command 'KS_SEARCH' failed: General error <Unspecified source>
ERR 1 General error <Unspecified source>


## dirmngr 2.1.16-3 (worked flawlessly):

user at host:~$ echo -e "KEYSERVER hkps://hkps.pool.sks-keyservers.net\nKS_SEARCH 2071B08A33BD3F06\n" | dirmngr
dirmngr[14969]: error opening '/home/user/.gnupg/dirmngr_ldapservers.conf': No such file or directory
dirmngr[14969.0]: permanently loaded certificates: 0
dirmngr[14969.0]:     runtime cached certificates: 0
# Home: /home/user/.gnupg
# Config: /home/user/.gnupg/dirmngr.conf
OK Dirmngr 2.1.16 at your service
OK
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'prod00.keyserver.dca.witopia.net'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'bone.digitalis.org'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'oteiza.siccegge.de'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'hufu.ki.iif.hu'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'sks.spodhuis.org'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]'
S PROGRESS tick ? 0 0
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gozer.rediris.es'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gpg.NebrWesleyan.edu'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'bone.digitalis.org' [already known]
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'oteiza.siccegge.de' [already known]
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'zimmermann.mayfirst.org'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gpg.NebrWesleyan.edu' [already known]
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gozer.rediris.es' [already known]
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'sks.spodhuis.org' [already known]
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'hufu.ki.iif.hu' [already known]
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'ams.sks.heypete.com'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'cryptonomicon.mit.edu'
dirmngr[14969.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'ip-209-135-211-141.ragingwire.net'
dirmngr[14969.0]: resolving 'ip-209-135-211-141.ragingwire.net' failed: No name
dirmngr[14969.0]: can't connect to 'ip-209-135-211-141.ragingwire.net': host not found
dirmngr[14969.0]: error connecting to 'https://ip-209-135-211-141.ragingwire.net:443': Unknown host
dirmngr[14969.0]: marking host 'ip-209-135-211-141.ragingwire.net' as dead
dirmngr[14969.0]: can't connect to '2001:470:1:116::6': Network is unreachable
dirmngr[14969.0]: error connecting to 'https://[2001:470:1:116::6]:443': Network is unreachable
dirmngr[14969.0]: marking host '[2001:470:1:116::6]' as dead
S SOURCE https://gpg.NebrWesleyan.edu:443
D info:1:1%0Apub:031EC2536E580D8EA286A9F22071B08A33BD3F06:1:2048:1414544163:1604045657:%0Auid:NIIBE Yutaka (GnuPG Release Key) <gniibe at fsij.org>:1477383257::%0A%0D%0A
OK


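The failing log above shows dirmngr comparing the expected name `hkps.pool.sks-keyservers.net.` (with the trailing dot DNS resolution leaves on a fully qualified name) against a certificate issued to `sks.spodhuis.org`. The following is an added example, not code from the bug report or from GnuPG, showing why a matcher that does not canonicalise the trailing dot rejects every pool member, and what a correct RFC 6125-style comparison looks like. The SAN list is a constructed assumption; the report does not show which names the server certificate actually carried.

```python
"""Hostname-to-certificate matching with and without trailing-dot canonicalisation.

Example code written for this page; the certificate names below are constructed
(assumption: a pool member's certificate lists the pool name as a SAN dNSName).
"""

# Constructed sample certificate names; only the CN is taken from the log.
SAMPLE_CERT_NAMES = {
    "cn": "sks.spodhuis.org",
    "san_dns": ["sks.spodhuis.org", "hkps.pool.sks-keyservers.net"],
}


def normalize(name: str) -> str:
    """Canonicalise a DNS name: lower-case and strip a single trailing dot."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a single '*' may stand for part of the label."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False
    head, tail = pattern.split("*")
    return (label.startswith(head) and label.endswith(tail)
            and len(label) >= len(head) + len(tail))


def name_matches(pattern: str, hostname: str, canonical: bool = True) -> bool:
    """RFC 6125-style comparison: same label count, wildcard only in the left-most label."""
    if canonical:
        pattern, hostname = normalize(pattern), normalize(hostname)
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        # 'hkps.pool.sks-keyservers.net.' splits into five labels (last one empty),
        # so without canonicalisation it can never equal the four-label SAN.
        return False
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert: dict, hostname: str, canonical: bool = True) -> bool:
    """Prefer SAN dNSNames; fall back to the subject CN only when no SAN dNSName exists."""
    names = cert.get("san_dns") or [cert["cn"]]
    return any(name_matches(n, hostname, canonical) for n in names)
```

With `canonical=False` the lookup reproduces the "hostname does not match" outcome from the 2.1.17 log; with canonicalisation the same certificate names are accepted.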

