We have deployed some keyservers into TOR as hidden services. They function fine with the exception of the gossip service, which fails. We use 'torsocks' or 'usewithtor' to force the recon server to use TOR and this works, but the problem occurs on the callback, as the recon server attempts to connect back to the client's IP address as it resolves it rather than the client hostname defined in memberships. Unfortunately these IP addresses resolve to 127.0.0.1 when using TOR, and so the recon server cannot connect back to the keyserver to collect keys even though it successfully identifies which keys it needs.
So if we have two servers abc.onion and xyz.onion we set up the membership as follows:
abc.onion membership file:
#!
xyz.onion 11370
127.0.0.1 11370
xyz.onion membership file:
#!
abc.onion 11370
127.0.0.1 11370
xyz.onion successfully establishes a gossip connection with abc.onion and lets abc.onion know that there are keys to be synchronized. However, abc.onion then uses the resolved IP address to connect back to the HKP service, which is 127.0.0.1. Obviously this fails.
Is there any way to make the recon service use the given hostname rather than the resolved IP address (from the client connection)?
Original report by Sylvain Coriat (Bitbucket: scoriat, GitHub: scoriat).
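The callback mismatch described in the report, modelled as an added Python example (constructed for this page, not SKS code): it parses the membership file shown above, builds the HKP callback URL the way the report says the recon server does (from the connection's remote address), and beside it a lookup that refuses a loopback remote address and keys on the membership hostname instead. The recon-port-plus-one HKP convention, the /pks/hashquery path and the `announced_host` parameter (a hostname the gossiping peer would have to identify itself with) are assumptions, not something the report confirms.

```python
# Toy model of the recon callback in the report above. Constructed example,
# not SKS code: it mimics how a recon server picks the HKP address it calls
# back to after a peer has gossiped with it, and shows why choosing by the
# socket's remote address breaks when both peers are Tor hidden services.
import ipaddress

# Membership file for abc.onion, copied from the report (constructed sample).
MEMBERSHIP_ABC = """#!
xyz.onion 11370
127.0.0.1 11370
"""

HKP_PATH = "/pks/hashquery"  # endpoint fetched during catchup (assumed)


def parse_membership(text):
    """Return [(host, recon_port), ...] from an SKS-style membership file.

    Lines starting with '#' (including the '#!' header line) are skipped.
    """
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port = line.split()[:2]
        peers.append((host, int(port)))
    return peers


def hkp_url(host, recon_port):
    """HKP URL for a peer, using the recon port + 1 convention (assumed)."""
    return f"http://{host}:{recon_port + 1}{HKP_PATH}"


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; False for other IPs and for hostnames."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP literal, e.g. 'xyz.onion'


def callback_by_address(remote_addr, recon_port):
    """Behaviour the report describes: call back to the socket's remote address.

    Behind a Tor hidden service every inbound connection comes from the local
    tor daemon, so this yields a loopback URL, i.e. the server's own HKP port.
    """
    return hkp_url(remote_addr, recon_port)


def callback_by_hostname(peers, remote_addr, announced_host=None):
    """Pick the callback from the membership list, never from a loopback address.

    announced_host is a hypothetical hostname the peer identifies itself with;
    for a loopback remote address it is the only usable identity, and it must
    match a non-loopback membership entry. Returns None when no single safe
    choice exists (ambiguous or unknown peer), instead of guessing.
    """
    if is_loopback(remote_addr):
        # 127.0.0.1 would match our own '127.0.0.1 11370' entry: refuse it.
        candidates = [(h, p) for h, p in peers
                      if h == announced_host and not is_loopback(h)]
    else:
        candidates = [(h, p) for h, p in peers
                      if h == remote_addr or h == announced_host]
    if len(candidates) != 1:
        return None
    host, port = candidates[0]
    return hkp_url(host, port)


if __name__ == "__main__":
    peers = parse_membership(MEMBERSHIP_ABC)
    # xyz.onion gossips with abc.onion through Tor: remote address is 127.0.0.1.
    print("by address :", callback_by_address("127.0.0.1", 11370))
    print("by hostname:", callback_by_hostname(peers, "127.0.0.1", "xyz.onion"))
    print("no hostname:", callback_by_hostname(peers, "127.0.0.1"))
```

Run stand-alone it prints the loopback URL the report complains about, then the xyz.onion URL the hostname-keyed lookup produces, then None for a Tor connection with no hostname to key on. The None case is deliberate: with several .onion peers in the membership file, a loopback remote address cannot tell them apart, so the lookup has to refuse rather than pick one.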