authorWerner Koch <wk@gnupg.org>2020-10-05 17:24:57 +0200
committerWerner Koch <wk@gnupg.org>2020-10-05 17:25:24 +0200
commit210575d8826ea61e4914e4b61eff7b875c972b85 (patch)
tree5a9bbed2552921bb5600528a08e10d98791d7f70
parentff31dde456f32950f0df6c974b4c41f1d650d68f (diff)
dirmngr: Add warning on the use of --add-servers.
* tools/gpgconf-comp.c (known_options_dirmngr): Degrade add-servers to expert mode.
-rw-r--r--dirmngr/ldap.c7
-rw-r--r--doc/dirmngr.texi27
-rw-r--r--tools/gpgconf-comp.c2
3 files changed, 23 insertions, 13 deletions
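--- a/dirmngr/ldap.c
+++ b/dirmngr/ldap.c
@@ -433,7 +433,12 @@ make_url (char **url, const char *dn, const char *filter)
 gpg_error_t err;
 char *u_dn, *u_filter;
 char const attrs[] = (USERCERTIFICATE ","
-/* USERSMIMECERTIFICATE "," */
+ /* In 2005 wk mentioned in the changelog that
+ * work on the userSMIMECertificate has
+ * started but it seems that no further
+ * progress was made or the whole thing was
+ * simply forgotten. */
+ /* USERSMIMECERTIFICATE "," */
 CACERTIFICATE ","
 X509CACERT );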
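--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -434,17 +434,22 @@ out. The default are 15 seconds. 0 will never timeout.
 @opindex add-servers
 This option makes dirmngr add any servers it discovers when validating
 certificates against CRLs to the internal list of servers to consult for
-certificates and CRLs.
-
-This option is useful when trying to validate a certificate that has
-a CRL distribution point that points to a server that is not already
-listed in the ldapserverlist. Dirmngr will always go to this server and
-try to download the CRL, but chances are high that the certificate used
-to sign the CRL is located on the same server. So if dirmngr doesn't add
-that new server to list, it will often not be able to verify the
-signature of the CRL unless the @code{--add-servers} option is used.
-
-Note: The current version of dirmngr has this option disabled by default.
+certificates and CRLs. This option should in general not be used.
+
+This option might be useful when trying to validate a certificate that
+has a CRL distribution point that points to a server that is not
+already listed in the ldapserverlist. Dirmngr will always go to this
+server and try to download the CRL, but chances are high that the
+certificate used to sign the CRL is located on the same server. So if
+dirmngr doesn't add that new server to list, it will often not be able
+to verify the signature of the CRL unless the @code{--add-servers}
+option is used.
+
+Caveat emptor: Using this option may enable denial-of-service attacks
+and leak search requests to unknown third parties. This is because
+arbitrary servers are added to the internal list of LDAP servers which
+in turn is used for all unspecific LDAP queries as well as a fallback
+for queries which did not return a result.
 @item --allow-ocsp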
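--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -470,7 +470,7 @@ static known_option_t known_options_dirmngr[] =
 { "ignore-ldap-dp", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
 { "ldap-proxy", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
 { "only-ldap-proxy", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
-{ "add-servers", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
+{ "add-servers", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
 { "ldaptimeout", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
 { "max-replies", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
 { "allow-ocsp", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },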
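Review bot: The new `add-servers` entry carries no comment explaining why it is the only option in this part of the table at GC_LEVEL_EXPERT while its neighbours stay at BASIC or ADVANCED; the rationale lives only in doc/dirmngr.texi, so a maintainer reading gpgconf-comp.c alone cannot tell the level is deliberate rather than a typo. A short comment above the entry would keep the reason next to the value, e.g. `/* Expert only: discovered LDAP servers are added to the internal server list, which is then used for unspecific queries and as a fallback (see "Caveat emptor" in doc/dirmngr.texi). */`. As far as the diff shows, this is the only code-level change in the commit, so dirmngr's runtime handling of the option itself appears unchanged; the known_options_dirmngr array starts and ends outside the hunk.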