Yo Richard! On Wed, 30 Jan 2019 15:25:47 -0600 Richard Laager via devel <devel@ntpsec.org> wrote:
> On 1/30/19 1:41 PM, Gary E. Miller via devel wrote:
> > On Wed, 30 Jan 2019 01:19:08 -0600
> > Richard Laager via devel <devel@ntpsec.org> wrote:
> >
> >> So in this example, you have ntp.example.com as the NTS-KE server,
> >> and 1.2.3.4 or bob.example.com as the NTP servers? I assume it has
> >> to be that way, as TLS doesn't work _in practice_ (yes, I know it
> >> is supported in theory) with IP addresses, so 1.2.3.4 can't be the
> >> NTS-KE server.
> >
> > Uh, no. I use TLS with IPs all the time.
>
> Do you have full certificate verification on?

Of course. Firefox asks me if it is OK, and I just say YES.

> It is possible to put an IP address into the subjectAltName, but most
> if not all public CAs these days will not issue a certificate that
> way.

I use LE, they do not allow IPs in certs.

> So you can do it if you have an internal CA, but otherwise
> you're either bypassing certificate validation or you're not doing it.

I'm bypassing. Pretty common in data centers to do that:

https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082/42

I find TLS to an IP useful for some odd edge cases. Others will avoid
host names due to security or connectivity concerns.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
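A worked check of the subjectAltName point raised in the thread, added here as an illustration and not part of the original mail or of NTPsec: given the subjectAltName tuples that Python's `ssl.SSLSocket.getpeercert()` returns, it decides whether connecting by hostname or by IP literal would pass name verification. Both certificate dicts are constructed, not real certificates, and the `1.2.3.4`/`ntp.example.com` values are the thread's own examples.

```python
import ipaddress

# Constructed: what getpeercert() shows for a public-CA (Let's Encrypt style)
# certificate that carries DNS names only, no iPAddress SAN.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "ntp.example.com"),),),
    "subjectAltName": (("DNS", "ntp.example.com"), ("DNS", "*.example.com")),
}

# Constructed: an internal-CA certificate that also carries an iPAddress SAN,
# which is what would be needed for 1.2.3.4 to act as the NTS-KE server
# with full verification still on.
CERT_WITH_IP = {
    "subject": ((("commonName", "ntp.example.com"),),),
    "subjectAltName": (("DNS", "ntp.example.com"), ("IP Address", "1.2.3.4")),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a single leading '*' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(cert: dict, target: str) -> bool:
    """Return True if `target` (hostname or IP literal) would pass name
    verification against this certificate's subjectAltName.

    The subject commonName is deliberately ignored, as modern validators do:
    an IP literal only verifies against an "IP Address" SAN entry, and a
    hostname only against a "DNS" entry."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, treat target as a hostname
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            # Compare as addresses so "::1" and "0:0:0:0:0:0:0:1" are equal.
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False
```

With the DNS-only certificate, `san_matches(CERT_DNS_ONLY, "1.2.3.4")` is False, which is exactly the case where a client either needs the internal-CA certificate or ends up bypassing validation.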
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel