SKS keyservers will not gossip when configured as TOR hidden services

Issue #23 new
Sylvain Coriat created an issue


We have deployed some keyservers into TOR as hidden services. They function fine with the exception of the gossip service, which fails. We use 'torsocks' or 'usewithtor' to force the recon server to use TOR and this works, but the problem occurs on the callback, as the recon server attempts to connect back to the client's IP address as it resolves it rather than the client hostname defined in memberships. Unfortunately these IP addresses resolve to when using TOR and so the recon server cannot connect back to the keyserver to collect keys even though it successfully identifies which keys it needs.

So if we have two servers abc.onion and xyz.onion we set up the membership as follows:

abc.onion membership file:

xyz.onion 11370 11370

xyz.onion membership file:

abc.onion 11370 11370

xyz.onion successfully establishes a gossip connection with abc.onion and lets abc.onion know that there are keys to be synchronized. However abc.onion then uses the resolved IP address to connect back to the HKP service which is Obviously this fails.

Is there any way to make the recon service use the given hostname rather than the resolved IP address (from the client connection)?

Thank you
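A membership-file check for the failure mode described above, added here as an example and not part of the issue or of SKS itself. It assumes the line layout quoted in the report (hostname, recon port, optional trailing columns) and flags `.onion` peers, which the system resolver cannot turn into a reachable address, so a callback made to the resolved or observed client IP rather than the membership hostname cannot reach them.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class Peer:
    host: str
    recon_port: int
    extra: list = field(default_factory=list)  # trailing columns kept verbatim


def parse_membership(text):
    """Parse membership lines as quoted in the report: '<host> <recon_port> [...]'.
    Blank lines and '#' comments are skipped (assumption: SKS-style comments)."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"malformed membership line: {raw!r}")
        peers.append(Peer(parts[0], int(parts[1]), parts[2:]))
    return peers


def check_peers(peers, resolve=socket.getaddrinfo):
    """Return {host: problem or None}.

    A .onion name is only meaningful inside Tor; the recon callback described
    in the report goes to the IP the server resolved/observed for the client,
    so such a peer is reported as unreachable by that callback. Other hosts are
    checked with the injected resolver (socket.getaddrinfo by default)."""
    report = {}
    for p in peers:
        if p.host.lower().endswith(".onion"):
            report[p.host] = "hidden service: callback by resolved IP will not reach peer"
            continue
        try:
            resolve(p.host, p.recon_port)  # raises OSError (gaierror) if unresolvable
            report[p.host] = None
        except OSError as exc:
            report[p.host] = f"unresolvable: {exc}"
    return report


if __name__ == "__main__":
    # Constructed sample matching the abc.onion membership file in the report.
    for host, problem in check_peers(parse_membership("xyz.onion 11370 11370\n")).items():
        print(host, "->", problem or "ok")
```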

Comments (3)
