diff options
| author | Werner Koch <wk@gnupg.org> | 2021-06-25 19:15:24 +0200 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2021-08-24 18:09:56 +0200 |
| commit | 55b5928099bafbd5409d3377a42259c11e394cd0 (patch) | |
| tree | 553c3ff0add040041e4a6a6343c78e4417982075 /doc | |
| parent | po: In German always use "Passwort" instead of "Passphrase". (diff) | |
| download | gnupg2-55b5928099bafbd5409d3377a42259c11e394cd0.tar.xz gnupg2-55b5928099bafbd5409d3377a42259c11e394cd0.zip | |
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.
* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.
* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--
Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore. Thus it is better to change them.
For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.
For http based access the Dutch Surfnet keyserver is used. However
due to a non-standard TLS certificate this server can not easily be
made the default for https.
Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.
(cherry picked from commit 47c4e3e00a7ef55f954c14b3c237496e54a853c1)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/dirmngr.texi | 13 | ||||
| -rw-r--r-- | doc/wks.texi | 2 |
2 files changed, 6 insertions, 9 deletions
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index a9237edee..1638d7d84 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -321,9 +321,8 @@ provided. These are the same as the @option{--keyserver-options} of @command{gpg}, but apply only to this particular keyserver. Most keyservers synchronize with each other, so there is generally no -need to send keys to more than one server. The keyserver -@code{hkp://keys.gnupg.net} uses round robin DNS to give a different -keyserver each time you use it. +need to send keys to more than one server. Somes keyservers use round +robin DNS to give a different keyserver each time you use it. If exactly two keyservers are configured and only one is a Tor hidden service (.onion), Dirmngr selects the keyserver to use depending on @@ -331,7 +330,7 @@ whether Tor is locally running or not. The check for a running Tor is done for each new connection. If no keyserver is explicitly configured, dirmngr will use the -built-in default of @code{hkps://hkps.pool.sks-keyservers.net}. +built-in default of @code{https://keyserver.ubuntu.com}. Windows users with a keyserver running on their Active Directory may use the short form @code{ldap:///} for @var{name} to access this directory. @@ -596,10 +595,8 @@ the file is in PEM format a suffix of @code{.pem} is expected for @var{file}. This option may be given multiple times to add more root certificates. Tilde expansion is supported. -If no @code{hkp-cacert} directive is present, dirmngr will make a -reasonable choice: if the keyserver in question is the special pool -@code{hkps.pool.sks-keyservers.net}, it will use the bundled root -certificate for that pool. Otherwise, it will use the system CAs. +If no @code{hkp-cacert} directive is present, dirmngr will use the +system CAs. @end table diff --git a/doc/wks.texi b/doc/wks.texi index ad239f132..48e534b7d 100644 --- a/doc/wks.texi +++ b/doc/wks.texi @@ -57,7 +57,7 @@ Directory. @mansect description The @command{gpg-wks-client} is used to send requests to a Web Key -Service provider. This is usuallay done to upload a key into a Web +Service provider. This is usually done to upload a key into a Web Key Directory. With the @option{--supported} command the caller can test whether a |