CURL and using HTTP Host Header for SNI

Recently I added an HKPS pool to sks-keyservers.net, and in that process I'm validating the SKS keyservers' SSL/TLS certificates against my own Certificate Authority, so only servers with certificates signed by myself are included. This ensures a subjectAltName for the appropriate host, in order to avoid certificate failures. So far so good.

Some servers for various reasons need to have another certificate installed signed by another authority. In order for this to be handled properly, Server Name Indication is used to properly map the request with the virtual host and the certificate to present to the client.

My crawler uses curl as the basis for the requests, and as I connect using the hostname found in server discovery, it uses the HTTP Host: header for the pool. The issue with vanilla curl, however, is that there is no way to manually set the SNI hostname to use; it will default to the hostname of the request.

As such I added a patch that will use the Host header presented instead. I'm adding it here in case it is useful for anyone else.
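For a crawler that does not carry the curl patch, the same effect (connect to the discovered server, present the pool name in SNI, validate the chain against the pool CA, and require a subjectAltName for the pool name) can be had from Python's ssl module. This is an added example, not code from the page or from sks-keyservers.net; the pool name, CA bundle path and server name below are constructed placeholders.

```python
import socket
import ssl

# Constructed placeholders; substitute the real pool name and CA bundle.
POOL_NAME = "hkps.pool.example.net"
CA_FILE = "/path/to/pool-ca.pem"


def san_covers(cert: dict, name: str) -> bool:
    """Return True if the certificate's subjectAltName (in the dict form
    returned by ssl.SSLSocket.getpeercert()) covers `name`.  Exact DNS
    matches and a single leftmost wildcard label are accepted; CN and
    non-DNS SAN entries are ignored, so a missing SAN is a mismatch."""
    name = name.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower().rstrip(".")
        if value == name:
            return True
        # '*.example.net' covers 'a.example.net' but not 'a.b.example.net'
        if value.startswith("*.") and "." in name:
            if name.split(".", 1)[1] == value[2:]:
                return True
    return False


def probe_server(server_host: str, sni_name: str = POOL_NAME,
                 ca_file: str = CA_FILE, port: int = 443) -> bool:
    """Open a TCP connection to the discovered server but send `sni_name`
    in the TLS ClientHello, mirroring what the curl patch does with the
    Host header.  Only the pool CA is trusted; the leaf must then carry a
    subjectAltName for the pool name.  Returns True on a full match."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Hostname matching is done explicitly by san_covers() so the rule the
    # crawler applies is visible; chain validation stays with the library.
    ctx.check_hostname = False
    with socket.create_connection((server_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return san_covers(tls.getpeercert(), sni_name)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else POOL_NAME
    print("ok" if probe_server(host) else "no subjectAltName for pool name")
```

Current curl releases also provide `--resolve` and `--connect-to`, which let the request use the pool name for both SNI and Host while the TCP connection goes to the discovered server, removing the need for a local patch.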

Back from vacation

This year I spent my summer holiday relaxing back in Norway -- mostly back on the west coast in the area around Ålesund, where I come from.

I started off with some salmon fishing; granted, I only got a small one of 1.5 kg.

The area is great, and we were lucky with the weather. Below is a picture of the Mardøla streak.

As for computers, I've gotten around to implementing support for Elliptic Curve public keys in SKS, and played around with an updated version of pks2wot to allow interaction with SKS for the wot generation, hence named sks2wot.

Most of the vacation was left to relaxation, and reading up on books and magazine subscriptions.

Year of cryptography?

Over the past few weeks I've been using my spare time to further improve upon sks-keyservers.net, a project I've been running since 2006 (time flies). Most notably, I've constructed and implemented a new calculation of DNS Service Record (SRV) weights, which are used to calculate which servers are to be included in the various geographical sub-pools. As a result, the project now has geographical pools for Europe, North America, Oceania and South America. In addition, the server discovery process has been parallelized, and is in general far more robust. So far in 2012 an additional 3,104 lines of code have been added to this particular project.

The actual calculations are described in more detail in this PDF document.


In addition, the IDEA implementation I wrote for libgcrypt / gnupg back in 2006 has finally been included in the main codebase (with some modifications, mainly by Alon and Ullrich); see [1] and [2].


That comes in addition to the publication of my book on sending secure emails. Is 2012 the year of cryptography for me? I certainly hope it continues to involve a lot of it going forward as well.