diff options
| author | Werner Koch <wk@gnupg.org> | 2020-10-05 17:24:57 +0200 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2020-10-05 17:25:24 +0200 |
| commit | 210575d8826ea61e4914e4b61eff7b875c972b85 (patch) | |
| tree | 5a9bbed2552921bb5600528a08e10d98791d7f70 /doc | |
| parent | gpg: Switch to ed25519+cv25519 as default algo. (diff) | |
| download | gnupg2-210575d8826ea61e4914e4b61eff7b875c972b85.tar.xz gnupg2-210575d8826ea61e4914e4b61eff7b875c972b85.zip | |
dirmngr: Add warning on the use of --add-servers.
* tools/gpgconf-comp.c (known_options_dirmngr): Degrade add-servers to
expert mode.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/dirmngr.texi | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index 846057bcf..05fa099e0 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -434,17 +434,22 @@ out. The default are 15 seconds. 0 will never timeout. @opindex add-servers This option makes dirmngr add any servers it discovers when validating certificates against CRLs to the internal list of servers to consult for -certificates and CRLs. - -This option is useful when trying to validate a certificate that has -a CRL distribution point that points to a server that is not already -listed in the ldapserverlist. Dirmngr will always go to this server and -try to download the CRL, but chances are high that the certificate used -to sign the CRL is located on the same server. So if dirmngr doesn't add -that new server to list, it will often not be able to verify the -signature of the CRL unless the @code{--add-servers} option is used. - -Note: The current version of dirmngr has this option disabled by default. +certificates and CRLs. This option should in general not be used. + +This option might be useful when trying to validate a certificate that +has a CRL distribution point that points to a server that is not +already listed in the ldapserverlist. Dirmngr will always go to this +server and try to download the CRL, but chances are high that the +certificate used to sign the CRL is located on the same server. So if +dirmngr doesn't add that new server to list, it will often not be able +to verify the signature of the CRL unless the @code{--add-servers} +option is used. + +Caveat emptor: Using this option may enable denial-of-service attacks +and leak search requests to unknown third parties. This is because +arbitrary servers are added to the internal list of LDAP servers which +in turn is used for all unspecific LDAP queries as well as a fallback +for queries which did not return a result. @item --allow-ocsp |