PGP Key Server

OPDS Logo

A Public Key Shelf

Keyservers play an important role in public key cryptography, as the name implies, the public keys need to be distributed publicly.

  • The recipient of a signed message needs the public key of the sender in order to verify the signature of the message.
  • The sender of an encrypted message needs the public key of the recipient in order to encrypt the message.

Keyservers act as central repositories to distribute these public keys.

In OpenPGP clients connect to OpenPGP keyservers to import public keys it needs, if they are not already stored in its local public key-ring. Keys also need to be updated, after they have changed or revoked.

OpenPGP clients and keyservers use the HKP (OpenPGP HTTP Keyserver Protocol) protocol or HKPS for the the TLS secured version.

How Can I Trust a Keyserver?

Since the keyserver plays such an important role we have to put a great deal of trust in the keyserver and its operators:

  • A keyserver could provide you with his own keys instead of the ones you ask for and subsequently decrypt your messages sent to them or send you signed messages with fake signatures.
  • By asking the server for specific keys, you also disclose with whom you communicate.

So the short answer to the question above is: You can’t!

The Keyserver Pool

But to mitigate the risk of anyone surveying or controlling this important part of the “Web of Trust” keyservers have been organized in large pools of individual keyservers.

A pool is maintained in DNS. When a OpenPGP client needs to talk to a keyserver he asks for the IP address of the host hkps.pool.sks-keyservers.net. A DNS lookup for this host returns many IPv4 and IPv6 addresses of which the client will randomly select one to connect to.

The domain sks-keyservers.net is secured with DNSSEC and therefore can not by spoofed easily.

The keyservers in the pool are run by organizations and individuals voluntarily all over the Internet. Everybody can setup and run a keyserver and thus become part of the pool.

The Synchronizing OpenPGP Key Server (SKS)

To run you own keyserver, be it for your own personal use or network, or to be part of the pool, run the Synchronizing OpenPGP Key Server (SKS) software on your server.

SKS is an OpenPGP key server that correctly handles all OpenPGP features defined in RFC 2440, including photoID packages and multiple subkeys.

This keyserver implementation uses an efficient and reliable reconciliation algorithm to keep the database in sync with other SKS servers. Additionally it can both send and receive PKS style sync emails.

Requirements

Storage Space

  • 9 GB download of a full database dump;
  • 17 GB total after import database import;

Preparations

SKS Mailing List

Join the SKS mailing list where you can ask for peers and will get notified about software issues and updates of SKS.

Database Dump

Rather than starting with an empty database and attempting to populate it by syncing with other keyservers (a bad idea because it loads up your peers with lots of traffic and will probably fail anyway with deadlocks in the conflict resolution system) we’ll grab a static dump from an existing SKS server. Currently known sources are:

As of February 2018 the archive size is approximately 10G, holding around 5 million keys in 199 files.

The download can take several hours. Thats why we start this first in screen session and let it run.

Warning

Don’t download from the current directory on the server! If the server creates new dump files while you are downloading you will have to start over again. Use the directory with the latest date.

The dump is divided into a bunch of individual numbered files so you’ll need to fetch all of them.

$ screen sudo -sH
$ mkdir -p /var/lib/sks/dump
$ cd /var/lib/sks/dump
$ wget --continue \
       -r \
       --page-requisites \
       --execute robots=off \
       --timestamping \
       --level=1 \
       --cut-dirs=3 \
       --no-host-directories \
       https://keyserver.mattrude.com/dump/2018-02-13/

Proceed to import the database dump, when the download completes.

SKS Daemon User

For security reasons its best to run the daemon with its own unprivileged user profile. Create this user on the server system with the following command:

$ sudo adduser --system \
            --home /var/lib/sks
            --shell /bin/bash
            --group \
            debian-sks

IP Address

Add IPv4 and IPV6 network adresses for the keyserver:

$ sudo ip addr add 192.0.2.37/24 dev eth0
$ sudo ip addr add 2001:db8::37/64 dev eth0

Also add them to the file /etc/network/interfaces to make them persistent across system restarts:

# keyserver.example.net
iface eth0 inet static
    address 192.0.2.37/24
iface eth0 inet6 static
    address 2001:db8::37/64

DNS Records

Name Type Content Priority TTL
keyserver A 198.51.100.240   300
keyserver AAAA 2001:db8::37    
_pgpkey-http._tcp.keyserver SRV 0 11371 keyserver.urown.net 10  
_pgpkey-https._tcp.keyserver SRV 0 11372 keyserver.urown.net 10  

Check the “Add also reverse record” when adding the IPv6 entry.

Firewall Rules

IPv4 NAT port forwarding:

Protocol Port No. Forward To Description
TCP 11370 192.0.2.37 OpenPGP Keyserver Recon
TCP 11371 192.0.2.37 OpenPGP Keyserver HKP
TCP 11372 192.0.2.37 OpenPGP Keyserver HKPS

Allowed IPv6 connections:

Protocol Port No. Destination Description
TCP 80 2001:db8::37 OpenPGP Keyserver HKP and HTTP
TCP 443 2001:db8::37 OpenPGP Keyserver HKPS and HTTPS
TCP 11370 2001:db8::37 OpenPGP Keyserver Recon
TCP 11371 2001:db8::37 OpenPGP Keyserver HKP
TCP 11372 2001:db8::37 OpenPGP Keyserver HKPS

Tor Hidden Service

Add a Tor Hidden Service by editing /etc/tor/torrc:

# SKS OpenPGP Key Server Hidden Service for keyserver.example.net
HiddenServiceDir /var/lib/tor/hidden_services/keyserver
HiddenServicePort 80 127.0.0.37:80
HiddenServicePort 443 127.0.0.37:443
HiddenServicePort 11370
HiddenServicePort 11371 127.0.0.37:11371
HiddenServicePort 11372 127.0.0.37:11372

Reload the Tor client:

$ sudo service tor reload

Read the newly generated *.onion hostname:

$ sudo cat /var/lib/tor/hidden_services/keyserver/hostname
duskgytldkxiuqc6.onion

Software Prerequisites

To build, install and run SKS from source we need the Gnu C-compiler, the Ocaml programming language and the Berkeley database libraries.

They can be installed from the Ubuntu software repository:

$ sudo apt-get install gcc ocaml libdb-dev db-util

SKS Source Download

As of September 2016 Ubuntu 16.04 has SKS version 1.1.5 in its repository. Since the servers eligible for inclusion into the SKS server pool need to run version 1.1.6 we install a newer version.

We download the source code from the SKS project website.

The source code is signed by the SKS Keyserver Signing Key. The KeyID and fingerprint are published on their website, which is a secure site wit EV certification to Altassian Inc.

Get that in our keyring, so we can verify downloaded source code is legit:

$ gpg2 --recv-key 0x41259773973A612A
gpg: requesting key 0x41259773973A612A from hkps server hkps.pool.sks-keyservers.net
gpg: key 0x41259773973A612A: public key "SKS Keyserver Signing Key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Be sure to check that, key-id, name and fingerprint all match with the published information:

$ pub   4096R/0x41259773973A612A 2012-06-27
Key fingerprint = C90E F143 0B3A C0DF D00E  6EA5 4125 9773 973A 612A
uid                 [ unknown] SKS Keyserver Signing Key

If everything checks out, sign the SKS key as trusted:

$ gpg2 --lsign-key 0x41259773973A612A

Now go ahead to download:

$ cd /usr/loca/src
$ wget https://bitbucket.org/skskeyserver/sks-keyserver/downloads/sks-1.1.6.tgz
$ wget https://bitbucket.org/skskeyserver/sks-keyserver/downloads/sks-1.1.6.tgz.asc

Verify the downloaded file:

$ gpg2 --verify sks-1.1.6.tgz.asc
gpg: assuming signed data in `sks-1.1.6.tgz'
gpg: Signature made Sun 07 Aug 2016 04:26:45 PM CEST
gpg:                using RSA key 41259773973A612A
gpg: Good signature from "SKS Keyserver Signing Key" [unknown]
Primary key fingerprint: C90E F143 0B3A C0DF D00E  6EA5 4125 9773 973A 612A

Configuration

$ cd /usr/local/src
$ tar -xzf sks-1.1.6.tgz
$ cd sks-1.1.6
$ cp Makefile.local.unused Makefile.local

Edit Makefile.local by changing the following lines as highlighted below:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
BDBLIB=-L/usr/lib
BDBINCLUDE=-I/usr/include
PREFIX=/usr/local
LIBDB=-ldb-5.3
MANDIR=/usr/local/share/man
export BDBLIB
export BDBINCLUDE
export PREFIX
export LIBDB
export MANDIR

Build and Install

$ cd /usr/local/src/sks-1.1.6
$ make dep
$ make all
$ make install

SKS Configuration

/etc/sks/sksconf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
hostname: keyserver.example.net

# Set recon binding address
recon_address: 127.0.0.1 192.0.2.37 2001:db8::37

# Set recon port number
recon_port: 11370

# Set hkp binding address
hkp_address: 127.0.0.1

# Set hkp port number
hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:

# From address used in synchronization emails used to communicate with PKS
from_addr: "PGP Key Server Administrator <pgp-public-keys@example.net>"

# The PGP ID for the Server Contact
server_contact:                 0x0123456789ABCDEF

# Disable sending of PKS mailsync messages.
disable_mailsync:

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
#sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
initial_stat:

# Maximum interval (in hours) at which membership file is reloaded.
membership_reload_interval:     1

# Hour at which to run database statistics.
stat_hour:                      12

# Maximum number of matches that will be returned from a query.
max_matches:                    500

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize:          16

#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize:    16

/etc/sks/membership

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# /etc/sks/membership
#
# With SKS, two hosts can efficiently compare their databases then
# repair whatever differences are found.  In order to set up
# reconciliation, you first need to find other SKS servers that will
# agree to gossip with you. The hostname and port of the server that
# has agreed to do so should be added to this file.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# Example:
# keyserver.linux.it 11370

System Configuration

The following is adapted from the Ubuntu/Debian SKS software package.

Directories

Create a system envoronment for SKS, change ownership of the data directory and various other stuff:

$ mkdir -p /var/{lib,log,spool}/sks
$ chown -R debian-sks:debian-sks /var/{lib,log,spool}/sks
$ chmod -R 700 /var/{lib,log,spool}/sks
$ find /var/{lib,log,spool}/sks -type f -exec chmod 600 '{}' ';'
$ chgrp -R adm /var/log/sks
$ chmod -R g+rX /var/log/sks
$ chmod g+s /var/log/sks

System Service

/etc/default/sks

1
2
3
# by default we do NOT start sks!
# Set to yes if you want to start it in the init script.
initstart=no

/etc/init.d/sks

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/bin/sh -e
#
### BEGIN INIT INFO
# Provides:          sks
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
#
# Start/stops the sks daemons.
#
#

# Reads config file
[ -r /etc/default/sks ] && . /etc/default/sks

DAEMON=/usr/sbin/sks
SKSDBPID=/var/run/sks/sksdb.pid
SKSRECONPID=/var/run/sks/sksrecon.pid

# See if the daemon is there

test -e $DAEMON || exit 0

if [ ! -x $DAEMON ]; then
    echo "ERROR: $DAEMON is not executable"
    exit 1
fi

. /lib/lsb/init-functions

wait_for_deaddaemon () {
	pidfile=$1
	pid=`cat $pidfile 2>/dev/null` || true
	sleep 1
	if test -n "$pid"
	then
		if kill -0 $pid 2>/dev/null
		then
			echo -n "."
			cnt=0
			while kill -0 $pid 2>/dev/null
			do
				cnt=`expr $cnt + 1`
				if [ $cnt -gt 30 ]
				then
					echo " FAILED."
					return 1
				fi
				sleep 2
				echo -n "."
			done
			rm -f $pidfile
		else
			rm -f $pidfile
		fi
	fi
	return 0
}


case "$1" in
    start)
	echo -n "Starting sks daemons:"

	if [ "$initstart" != "yes" ]; then
	    echo " Not starting sks (as configured in /etc/default/sks)"
	    exit 0
	fi

	mkdir -p `dirname "$SKSDBPID"`
	chown debian-sks `dirname "$SKSDBPID"`

	echo -n " sksdb.."

	start-stop-daemon --start --quiet --oknodo \
			  --chuid debian-sks:debian-sks \
			  --make-pidfile \
			  --pidfile $SKSDBPID \
			  --exec $DAEMON -- db &

	echo -n " sksrecon.."

	start-stop-daemon --start --quiet --oknodo \
			  --chuid debian-sks:debian-sks \
			  --make-pidfile \
			  --pidfile $SKSRECONPID \
			  --exec $DAEMON -- recon &

	echo " done."

    ;;
    stop)
	echo -n "Stopping sks daemons:"

	echo -n " sksrecon.."
	start-stop-daemon --stop --quiet --oknodo --pidfile $SKSRECONPID
	wait_for_deaddaemon $SKSRECONPID || exit 1

	echo -n " sksdb.."
	start-stop-daemon --stop --quiet --oknodo --pidfile $SKSDBPID
	wait_for_deaddaemon $SKSDBPID || exit 1

	echo " done."

    ;;
    reload)
	# Hupping at least reopens logfiles.
	# membership and mailsync are regularily read anyway
	# not sure about the rest
	#    -- weasel
	echo -n "Reloading sks daemons:"
	echo -n " sksrecon.."
	start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile $SKSRECONPID

	echo -n " sksdb.."
	start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile $SKSDBPID

	echo " done."
    ;;
    restart|force-reload)
	$0 stop
	sleep 1
	$0 start
    ;;
    *)
	echo "Usage: $0 {start|stop|reload|restart|force-reload}"
	exit 1
    ;;
esac

exit 0

Daily Cron Job

/etc/cron.daily/sks

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#!/bin/sh

# daily cron to cleanup DB's log files.

set -e

[ -r /etc/sks/cron.conf ] && . /etc/sks/cron.conf

# First, remove old diff-1.2.3.4.txt files
# those files hold differences discovered during recon
# eventhing that hasn't been touched in the last 2 weeks
# is probably old and the result of a host that changed IP.

[ -d /var/spool/sks ] || exit 0

find /var/spool/sks -type f -name 'diff-*.txt' -mtime +14 | xargs --no-run-if-empty rm -f

[ -d /var/spool/sks/failed_messages ] || exit 0

# Also remove failed messages
find /var/spool/sks/failed_messages -type f -name 'msg-*.ready' -mtime +14 | xargs --no-run-if-empty rm -f

[ "$REMOVE_DB_LOGS" = "no" ] && exit 0

clean_directory() {
	dir=$1
	if [ -d "$dir" ]
	then
		db_archive -h $dir -d
	fi
	return 0
}

# The DB directory holds indexes and keys.
clean_directory /var/lib/sks/DB

# PTree is for the hashes used with the reconciliation algorithm. (I think)
clean_directory /var/lib/sks/PTree


exit 0

Log Rotation

/etc/logrotate.d/sks

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
/var/log/sks/*.log {
	daily
	rotate 5
	compress
	delaycompress
	missingok
	notifempty
	postrotate
		/etc/init.d/sks reload > /dev/null
	endscript
}

Nginx Web-Server Configuration

For better performance and as requirement of the SKS keyserver pool, SKS traffic is handled by Nginx and sent to SKS as a reverse proxy back-end.

Server

/etc/nginx/servers-available/keyserver.example.net.conf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#
# keyserver.example.net
# OpenPGP Public SKS Key Server
#

# Unsecured HTTP server
server {

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen  192.0.2.10:80;
    #listen  192.0.2.37:11371; Disabled for sslh listener

    # IPv6 global address
    listen  [2001:db8::37]:80;
    listen  [2001:db8::37]:11371;

    server_name keyserver.example.net
                *.sks-keyservers.net *.pool.sks-keyservers.net
                keys.gnupg.net pgp.ipfire.org pgp.mit.edu;

    # Server Default Settings
    include server-defaults/*.conf;

    # Public Documents Root
    root    /var/www/example.net/keyserver/public_html;

    # SKS Keyserver Configuration
    include webapps/sks-keyserver.conf;
}


# Secured HTTPS server
server {

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen  192.0.2.10:443 ssl spdy;
    listen  192.0.2.37:11372 ssl spdy;

    # IPv6 global address
    listen  [2001:db8::37]:443 ssl spdy;
    listen  [2001:db8::37]:11372 ssl spdy;

    server_name keyserver.example.net
                *.sks-keyservers.net *.pool.sks-keyservers.net
                keys.gnupg.net pgp.ipfire.org pgp.mit.edu;

    # Server Default Settings
    include server-defaults/*.conf;

    # Public Documents Root
    root    /var/www/example.net/keyserver/public_html;

    # SKS Keyserver Configuration
    include webapps/sks-keyserver.conf;
}


# Tor Hidden Service
server {

    # IPv4 local address (Port-forwarded from Tor Onion router)
    listen  127.0.0.37:80;
    listen  127.0.0.37:11371;

    server_name duskgytldkxiuqc6.onion;

    # Server Default Settings
    include server-defaults/*.conf;

    # Public Documents Root
    root    /var/www/example.net/keyserver/public_html;

    # SKS Keyserver Configuration
    include webapps/sks-keyserver.conf;
}

SKS Web Application

/etc/nginx/webapps/sks-keyserver.conf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#
# SKS Keyserver Proxy
#

rewrite ^/stats         /pks/lookup?op=stats;
rewrite ^/s/(.*)        /pks/lookup?search=$1;
rewrite ^/search/(.*)   /pks/lookup?search=$1;
rewrite ^/g/(.*)        /pks/lookup?op=get&search=$1;
rewrite ^/get/(.*)      /pks/lookup?op=get&search=$1;
rewrite ^/d/(.*)        /pks/lookup?op=get&options=mr&search=$1;
rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;

location /pks {
    proxy_pass                  http://127.0.0.1:11371;
    proxy_pass_header           Server;
    add_header                  Via "1.1 $server_name:$proxy_port (nginx)";
    proxy_ignore_client_abort   on;
    client_max_body_size        8m;
    proxy_intercept_errors      off;

    # Disallow Search Engines to index keyserver search results
    add_header                  X-Robots-Tag 'noindex, nofollow' always;

    # Client Security HTTP Headers
    include                     server-conf.d/20_client-security.conf;

    # Content Security Policy (CSP)
    include                     csp/sks.csp.conf;

    # Strict Transport Security (HSTS)
    include                     hsts.conf;

}

Keyserver Website

Keyservers can be accessed by normal web-browsers, apart from OpenPGP clients. Typically you can search for, view, download and upload keys on a rudimentary web-interface. They usually look like the web was invented only last week.

Luckily Matt Rude has created a more modern OpenPGP Keyserver Website available from Github:

$ sudo mkdir -p /var/www/example.net/keyserver/public_html
$ cd /var/www/example.net/keyserver/public_html
$ sudo git clone https://github.com/mattrude/pgpkeyserver-lite.git
$ sudo chown -R www-data:www-data /var/www/example.net/keyserver/public_html

Restart Nginx

$ sudo ln -s /etc/nginx/servers-available/keyserver.example.net /etc/nginx/sites-enabled/
$ sudo service nginx restart

HKP and HSTS

The Problem

With our Nginx configuration web-browser can access the HTML interface over plain unencrypted HTTP on the standard HTTP TCP port 80 and the non-standard HTTP (but standard HKP) TCP port 11371. For the security aware encrypted HTTPS connections are provided on port 443. the standard TCP port for both, HKP and HTTPS.

Now if your domain and sub-domains have strict HSTS enabled, this creates a problem.

If a modern browser is directed to a website on a non-standard TCP port in a HSTS enabled domain, the browser will attempt to initiate a TLS connection on that port, even if the URL starts with http:// and not https://. If that fails, an error page is displayed to the user and thats it.

So users visiting our keyservers web-interface on port 11371 will be greeted with a security error message.

This behavior may seem strange but its currently the only way of ensuring security. The browser MUST enforce HSTS but also has no secure way to learn about or assume on what other presumably non-standard TCP port number, he could attempt a secure connection.

The problem and and subsequent decision on how this needs to be handled are described in this blog post by Andy Steingruebl.

The Workaroud

There is software who can sniff out the protocol connecting on a given port. OpenVPN for example supports this, so you can hide your secret VPN gateway behind a unsuspicious website and may also help clients to connect trough overzealous firewalls.

sslh is one such an Applicative Protocol Multiplexer who allows to run multiple protocols on the same port.

sslh Installation

sslh is available in the Ubuntu, Debian, SUSE and Fedora software package repositories:

$ sudo apt-get install sslh

sslh configuration

Configuration is stored in the file /etc/sslh.cfg. The installation does not create that, but an example configuration file is provided in /usr/share/doc/sslh/examples/example.cfg.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#
# sslh configuration for HKP OpenPGP keyservers
#

verbose: false;
foreground: false;
inetd: false;
numeric: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";

# List of interfaces on which we should listen
listen:
(
    { host: "192.0.2.37"; port: "11371"; },
    { host: "2001:db8::37"; port: "11371"; }
);

# List of protocols
protocols:
(
     { name: "http"; host: "127.0.0.37"; port: "11371"; probe: "builtin"; },
     { name: "https"; host: "127.0.0.37"; port: "443"; probe: [ "" ]; }
);

# Fallback protocol
on-timeout: "http";

Testing

Launch it by hand to see of it is working alright:

$ sudo sslh -F /etc/sslh.cfg --verbose --foreground

Then open https://keyserver.example.net:11371/ with your browser.

Output should look about as follows:

http addr: 127.0.0.37:hkp. libwrap service: (null) family 2 2
ssl addr: 127.0.0.37:https. libwrap service: (null) family 2 2
listening on:
    192.0.2.37:hkp
    keyserver.example.net:hkp
timeout: 2
on-timeout: http
listening to 2 addresses
turning into nobody
sslh-fork 1.15 started
accepted fd 5
**** writing defered on fd -1
probing for http
probe http successful
connecting to 127.0.0.37:hkp family 2 len 16
connection from some-client.some.net:43635 to keyserver.example.net:hkp forwarded from localhost:47333 to 127.0.0.37:hkp
flushing defered data to fd 4
client socket closed
connection closed down
...
connection from some-other-client.some-other.net:43730 to keyserver.example.net:hkp forwarded from localhost:38496 to 127.0.0.37:https
flushing defered data to fd 4
accepted fd 5
**** writing defered on fd -1
probing for http
probing for ssl
probe ssl successful
connecting to 127.0.0.37:https family 2 len 16
...
server socket closed
connection closed down

If you got a connection from the SKS pool testing scripts during your test-run, you may visit your server status page on the SKS pool website, to see if it still works.

Set up as Service

If test are successful, set it up as service.

Open /etc/default/sslh.

  • Enable the service by changing the line 12 from “no” to “yes”.
  • Replace the the command line options on line 17 with a reference to our configuration file.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)

RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="-F /etc/sslh.cfg"

Start the Service

$ sudo service sslh start

Database Import

Lets hope the download of the database dump we started earlier has completed in the meantime.

If so check that all the pieces have been downloaded correctly by comparing their checksums against the list published by the dump provider:

$ cd /var/lib/sks/dump
$ md5sum -c metadata-sks-dump.txt
sks-dump-0000.pgp: OK
...
sks-dump-0261.pgp: OK

The dump now needs to be imported into the SKS database. There are two ways to do this: either a full build (which reads in the dump you just downloaded and leaves you with a complete, self-contained database) or a fastbuild (which just references the dump and requires it to be left in place after the fastbuild is complete):

$ cd /var/lib/sks
$ sudo /usr/local/bin/sks_build.sh

On the next screen, choose 2.

Please select the mode in which you want to import the keydump:

1 - fastbuild
    only an index of the keydump is created and the keydump cannot be
    removed.

2 - normalbuild

    all the keydump will be imported in a new database. It takes longer
    time and more disk space, but the server will run faster (depending
    from the source/age of the keydump).
    The keydump can be removed after the import.

Enter enter the mode (1/2): 2

This took around 4 hours on my machine (Intel Core2 Duo CPU @ 2.10GHz with 3GB RAM) doing a normal build (option 2).

Start

$ sudo service sks start