On 1/30/19 1:41 PM, Gary E. Miller via devel wrote:
> On Wed, 30 Jan 2019 01:19:08 -0600
> Richard Laager via devel <devel@ntpsec.org> wrote:
>
>> So in this example, you have ntp.example.com as the NTS-KE server, and
>> 1.2.3.4 or bob.example.com as the NTP servers? I assume it has to be
>> that way, as TLS doesn't work _in practice_ (yes, I know it is
>> supported in theory) with IP addresses, so 1.2.3.4 can't be the
>> NTS-KE server.
>
> Uh, no. I use TLS with IPs all the time.

Do you have full certificate verification on?

It is possible to put an IP address into the subjectAltName, but most if not all public CAs these days will not issue a certificate that way. So you can do it if you have an internal CA, but otherwise you're either bypassing certificate validation or you're not doing it.

--
Richard
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
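The check discussed in the message above, as an added example that is not part of the original thread: with full verification on, an IP literal is accepted only when it matches an iPAddress entry in subjectAltName. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and `cert_matches` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample certificates, in the dict shape returned by
# ssl.SSLSocket.getpeercert(); names and addresses are illustrative.
CERT_PUBLIC_CA = {
    "subject": ((("commonName", "ntp.example.com"),),),
    "subjectAltName": (("DNS", "ntp.example.com"), ("DNS", "bob.example.com")),
}
CERT_INTERNAL_CA = {
    "subject": ((("commonName", "ntp.example.com"),),),
    "subjectAltName": (("DNS", "ntp.example.com"), ("IP Address", "1.2.3.4")),
}
# An address typed into a dNSName entry: must not satisfy an IP check.
CERT_IP_AS_DNS = {"subjectAltName": (("DNS", "1.2.3.4"),)}


def _as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def cert_matches(cert, target):
    """True if target (hostname or IP literal) is covered by the cert's SAN.

    IP literals are compared only with iPAddress entries, hostnames only
    with dNSName entries (exact match or one left-most wildcard label).
    The subject commonName is never consulted.
    """
    want_ip = _as_ip(target)
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None:
            # Compare parsed addresses so textual variants still match.
            if kind == "IP Address" and _as_ip(value) == want_ip:
                return True
        elif kind == "DNS":
            host, pattern = target.lower().rstrip("."), value.lower()
            if pattern == host:
                return True
            if pattern.startswith("*.") and "." in host:
                if host.split(".", 1)[1] == pattern[2:]:
                    return True
    return False
```

A client that connects to 1.2.3.4 and still "succeeds" against a certificate shaped like `CERT_PUBLIC_CA` is not performing this check.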