Re: Long delay when opening signed emails

Subject: Re: Long delay when opening signed emails

Date: Tue, 30 Jan 2018 21:47:47 +0100

To: Daniel Kahn Gillmor, notmuch@notmuchmail.org

Cc:

From: Michal Sojka

On Tue, Jan 30 2018, Daniel Kahn Gillmor wrote:
> Hi Michal--
>
> On Tue 2018-01-30 17:17:54 +0100, Michal Sojka wrote:
>> Hi all,
>>
>> I experience annoyingly long delay, when opening some signed emails in
>> Emacs. This is likely related to the following lines appearing in my
>> log when opening the email:
>>
>> Jan 30 17:07:46 dirmngr[7526]: no CRL available for issuer id A401B7A860C859FEA90E1A7EEE2BAF37C7FB918F
>> Jan 30 17:08:06 dirmngr[7526]: resolving 'crl3.digicert.com' failed: Server indicated a failure
>> Jan 30 17:08:06 dirmngr[7526]: can't connect to 'crl3.digicert.com': host not found
>> Jan 30 17:08:06 dirmngr[7526]: error retrieving 'http://crl3.digicert.com/TERENAeSciencePersonalCA3.crl': Server indicated a failure
>> Jan 30 17:08:06 dirmngr[7526]: crl_fetch via DP failed: Server indicated a failure
>> Jan 30 17:08:06 dirmngr[7526]: command 'ISVALID' failed: Server indicated a failure
>>
>> I don't understand why resolving crl3.digicert.com fails, because it
>> works from command line.
>
> I think the e-mail in question is S/MIME-signed.  is that right?

Yes, that's correct.

> It looks like dirmngr is having some problems with network connectivity
> -- perhaps it has the wrong information about DNS resolvers?
>
> as a workaround, have you tried terminating dirmngr to let it restart
> when needed?  you can do that with:
>
>     gpgconf --kill dirmngr
>
> (it should respawn automatically as needed)

That didn't help.

>> Any suggestions how to solve the failure or at least to get rid of the
>> delay?
>
> Apart from the workaround described above, if you decide that you'd
> rather avoid doing CRL checks in general (you might want that to avoid
> metadata leakage at least), you could put "disable-crl-checks" on its
> own line in ~/.gnupg/gpgsm.conf

Perfect, that prevents the delays.

> See also https://dev.gnupg.org/T3348 -- i'm asking upstream to default
> to False there.

Hmm, now I see that my problem is probably the same as in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842291 referenced from
your GPG bug report.

Thank you.
-Michal
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch

Thread: