Package: sks
Version: 1.1.1+dpkgv3-6
Forwarded: http://lists.nongnu.org/archive/html/sks-devel/2012-04/msg00005.html
Tags: patch upstream fixed-upsteam

SKS 1.1.1 emits non-standards-compliant POST requests from its recon process (the part that synchronizes data with other keyservers). As a result, it is incapable of fetching key updates from keyservers running behind standards-compliant HTTP reverse proxies.

This is fixed in 1.1.2, by the trivial patch attached.

Details
-------

HTTP 0.9 did not specify a POST request method. The only valid request method was GET. [0]

HTTP 1.0 explicitly requires an HTTP version indicator in the request line. [1]

Since SKS emitted a request line of the form "POST /pks/hashquery", this is neither valid HTTP 0.9 nor valid HTTP 1.0.

Since reverse HTTP proxies appear to be necessary to protect SKS keyservers against a trivial denial of service attack [2], more SKS deployments are adopting this approach; debian's 1.1.1 keyservers will be unable to synchronize with any of these deployments without using the attached patch.

Thanks for maintaining SKS in debian,

--dkg

[0] http://www.w3.org/Protocols/HTTP/AsImplemented.html
[1] https://tools.ietf.org/html/rfc1945#section-5.1
[2] http://lists.nongnu.org/archive/html/sks-devel/2012-03/msg00006.html

--- sks-1.1.1/reconComm.ml 2009-03-25 22:14:44.000000000 -0400 +++ sks-1.1.2/reconComm.ml 2011-10-01 08:23:23.000000000 -0400 @@ -81,7 +81,7 @@ let sout = Channel.new_buffer_outc 0 in CMarshal.marshal_list ~f:CMarshal.marshal_string sout hashes; let msg = sout#contents in - cout#write_string "POST /pks/hashquery\r\n"; + cout#write_string "POST /pks/hashquery HTTP/1.0\r\n"; cout#write_string (sprintf "content-length: %d\r\n\r\n" (String.length msg)); cout#write_string msg;
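
Review bot: the request written after the changed "POST /pks/hashquery HTTP/1.0\r\n" line still carries only a content-length header, with no Host header before the blank line. HTTP/1.0 does not require one, but a reverse proxy that picks its backend by host name will route these recon requests to its default virtual host, so consider writing a Host line here as well. The reading side is not visible in this hunk: a compliant server answers a full request with a status line and headers, so it is worth confirming that the code consuming the reply handles them before unmarshalling, and a short comment next to the request line saying why the version token is needed would stop it from being dropped again.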
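
The request-line rules cited in the report (RFC 1945 Simple-Request and Full-Request), written as a checker and run over the request SKS wrote before and after the patch. This is an added example, not SKS or proxy code; check_request, BODY, BEFORE and AFTER are hypothetical names and the body bytes are constructed.

```python
import re

# RFC 1945 token: any CHAR except CTLs and tspecials.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Section 5.1: Request-Line = Method SP Request-URI SP HTTP-Version CRLF
FULL_LINE = re.compile(rb"(" + TOKEN + rb") (\S+) HTTP/(\d+)\.(\d+)")
# Section 4.1: Simple-Request = "GET" SP Request-URI CRLF (the HTTP/0.9 form)
SIMPLE_LINE = re.compile(rb"GET (\S+)")


def check_request(raw: bytes):
    """Return (verdict, detail) for a raw request, as a strict front end would."""
    request_line, sep, rest = raw.partition(b"\r\n")
    if not sep:
        return ("invalid", "request line not terminated by CRLF")
    if SIMPLE_LINE.fullmatch(request_line):
        # HTTP/0.9 has no headers and no body, so nothing may follow the line.
        if rest:
            return ("invalid", "simple request followed by extra data")
        return ("simple-request", "HTTP/0.9 GET")
    m = FULL_LINE.fullmatch(request_line)
    if not m:
        return ("invalid", "no HTTP-Version and not an HTTP/0.9 GET")
    method = m.group(1)
    # Prefix CRLF so an empty header block still ends at CRLF CRLF.
    header_block, sep, body = (b"\r\n" + rest).partition(b"\r\n\r\n")
    if not sep:
        return ("invalid", "header block not terminated by a blank line")
    headers = {}
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            return ("invalid", "malformed header line")
        headers[name.strip().lower()] = value.strip()
    if method == b"POST":
        # RFC 1945 section 8.3: a valid Content-Length is required on POST.
        length = headers.get(b"content-length", b"")
        if not length.isdigit() or int(length) != len(body):
            return ("invalid", "POST without a matching Content-Length")
    version = "HTTP/%d.%d" % (int(m.group(3)), int(m.group(4)))
    return ("full-request", version + " " + method.decode())


# Constructed stand-in for the marshalled hash list; not real recon data.
BODY = b"\x00\x00\x00\x01"
HEADERS = b"content-length: %d\r\n\r\n" % len(BODY)
BEFORE = b"POST /pks/hashquery\r\n" + HEADERS + BODY           # SKS 1.1.1
AFTER = b"POST /pks/hashquery HTTP/1.0\r\n" + HEADERS + BODY  # SKS 1.1.2
```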