Roundcubemail: Default key servers do not work (because of no CORS support)

Created on 2 May 2020  路  17Comments  路  Source: roundcube/roundcubemail

Hi there,

I'm using RoundCube 1.4.4 with Enigma plugin, version 0.8. This configuration running well inside a Docker container
I have an issue with the search function of GPG keys. After click on search, nothing happen, and after 2 minutes loading bar disappear and nothing happen
I tried to check DNS queries with TcpDump, gpg --search-keys commandis good, and I can capture DNS queries, but I can't see Enigma making DNS queries.
I also configured $config['keyservers'] = array('keys.gnupg.net', 'keyserver.ubuntu.com');. Maybe my syntax is wrong ?
Enigma plugin log is enable but don't give me any clues

Any idea ?

Here, some screenshot
2020-05-02 103845

2020-05-02 103755

2020-05-02 104546

Encryption bug

Most helpful comment

Hey folks. Maintainer of Hagrid / keys.openpgp.org here :) I believe we cover all the points mentioned above: keys.openpgp.org has well-maintained HTTPS, and includes CORS headers on all API endpoints. We support HKP that works mostly as usual, checkout our API specification. If anything doesn't work there feel free to hit me up.

All 17 comments

Check the browser console. gpg is not used for searching, we search client-side (in javascript).

Thanks for your reply
Here an error message in my browser console

2020-05-02 135629

Another investigation show me that my Nginx reverse proxy inside the container missing a header

2020-05-02 145848

Going to investigate on this :
https://stackoverflow.com/questions/50771746/nginx-reverse-proxy-and-access-control-allow-origin-issue

It might be just because many key servers do not support CORS. I have no issues e.g. with http://keys.gnupg.net.

Ok, so it's worse than I thought, from all public key servers I tested only keys.gnupg.net works. Unfortunately we con do nothing about that. We already have a ticket to implement server-side searching in #5999.

I'll leave this ticket open, we should probably change our defaults, as they also do not work.

no, even keys.gnupg.net doesn't work... There the error shown in the browser's console is "certificate authority is invalid".

Enigma could support hkps protocol ?

Indeed, it worked for me because I was testing on http://localhost. When using https:// I get CORS error or mixed content error. That's not good.

Hey folks. Maintainer of Hagrid / keys.openpgp.org here :) I believe we cover all the points mentioned above: keys.openpgp.org has well-maintained HTTPS, and includes CORS headers on all API endpoints. We support HKP that works mostly as usual, checkout our API specification. If anything doesn't work there feel free to hit me up.

@Valodim, We're using this (https://github.com/diafygi/publickeyjs) simple script, which does GET request to https://keys.openpgp.org/pks/lookup?op=index&options=mr&fingerprint=on&search=test@email. It looks like it indeed works if the key is found, but I see the CORS error whenever the request returns 400 or 404, i.e. no match. So, it looks I need to pay more attention to how I do tests. And we need to handle 40X error more nicely. Thanks.

You're right! We're missing a CORS header for error states there. I'll make sure to fix that, thanks for the hint :)

Fixed. No big change, should be deployed in a few minutes. :+1:

Fix confirmed. So, now at least we have one server that works. Anyway, would be better to implement server-side searching to workaround CORS limitations. Pull requests would be appreciated.

Hi Alec,

thanks, can this fix be backported to 1.3.X. (also replacing the outdated keyservers)?

I'm using 1.3.11 and have the same CORS problem.

Fixed. For 1.3 you have to patch publickey.js with https://github.com/diafygi/publickeyjs/pull/4.

Thanks!

this patch for publickey.min.js worked for me in 1.3.11 (I think publickey.js is not used any more?):

28c28
< (function(u){var v=["https://keys.fedoraproject.org/","https://keybase.io/"],p=function(e){this.keyservers=e||v};p.prototype.get=function(e,k,h,c){void 0===h&&(h=0);if(h>=this.keyservers.length)return k(null,c||404);c=this.keyservers[h];var g=this;if(0===c.indexOf("https://keybase.io/")){0===e.indexOf("0x")&&(e=e.substr(2));var b=new XMLHttpRequest;b.open("get","https://keybase.io/_/api/1.0/user/lookup.json?fields=public_keys&key_fingerprint="+e);b.onload=function(){if(200===b.status){var c=JSON.parse(b.responseText);
---
> (function(u){var v=["https://keys.openpgp.org/"],p=function(e){this.keyservers=e||v};p.prototype.get=function(e,k,h,c){void 0===h&&(h=0);if(h>=this.keyservers.length)return k(null,c||404);c=this.keyservers[h];var g=this;if(0===c.indexOf("https://keybase.io/")){0===e.indexOf("0x")&&(e=e.substr(2));var b=new XMLHttpRequest;b.open("get","https://keybase.io/_/api/1.0/user/lookup.json?fields=public_keys&key_fingerprint="+e);b.onload=function(){if(200===b.status){var c=JSON.parse(b.responseText);

Thanks @alecpl for your fix and for considering users issues
Appreciate it

Was this page helpful?
0 / 5 - 0 ratings