FWIW, I think you've sold me on why we need "nts" separate from "server". There are a LOT of extra options for NTS.
On 2/1/19 4:51 PM, Gary E. Miller via devel wrote:

> *require [address]* Require a particular NTPD server, fail if it is not
> the NTPD server address returned. Otherwise same as *ask*.

If I specify "require 1.2.3.4" and get back 1.2.3.4:1123, does that fail because the port doesn't match (because the port, if not specified, is 123)? I'd say yes.

> *cert [file]* Present the certificate in *file* as our client certificate

Good call! I don't use client certificates, but they're a stock part of TLS.

You probably also need a parameter to specify a root certificate list. This might be for all of ntpd, rather than per association.

> *tls1.2* Allow TLS1.2 connection.
>
> *tls1.3* Allow TLS1.3 connection.

This does not feel scalable as new versions of TLS get created. I'd suggest something like tlsminver, which specifies the minimum version of TLS to accept. The default is 1.2 per the draft. The allowed values are currently 1.2 and 1.3. For an example of this, see Dovecot 2.3, which introduced ssl_min_protocol.

> *tls1.2ciphers [list]* List of TLS 1.2 ciphers to negotiate, in preferred
> order.

Please call this "ciphers" to match OpenSSL and other applications.

> *tls1.3ciphers [list]* List of TLS 1.3 ciphers to negotiate, in preferred
> order. TLS 1.2 and 1.3 ciphers are different and must be specified
> separately as OpenSSL needs them separately.

Please call this "ciphersuites" to match OpenSSL and other applications. Also, if a future TLS 1.4 uses the same list, it will be weird if this has TLS 1.3 embedded in the name forever.

> *ntpciphers [list]* List of ciphers to negotiate, in preferred
> order for the NTPD connection.

All three of these take a "list", which is really a single string which happens to be colon-separated.

-- Richard
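As an added illustration (not code from this thread or from ntpd), here is how the two points above could be checked: a "require" comparison that treats a missing port as 123, so 1.2.3.4 against 1.2.3.4:1123 fails, and a "tlsminver" setting mapped onto an SSL context's minimum version instead of per-version flags. Function names and the `require_matches`/`make_client_context` API are assumptions for the example.

```python
import ipaddress
import ssl

NTP_PORT = 123  # port assumed when "require [address]" names none


def parse_endpoint(text, default_port=NTP_PORT):
    """Split 'addr', 'addr:port' or '[v6addr]:port' into (ip, port)."""
    text = text.strip()
    if text.startswith("["):                 # bracketed IPv6, optional port
        host, _, rest = text[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
    elif text.count(":") == 1:               # IPv4 with explicit port
        host, _, port_s = text.partition(":")
        port = int(port_s)
    else:                                    # bare IPv4 or bare IPv6
        host, port = text, default_port
    return ipaddress.ip_address(host), port


def require_matches(required, returned):
    """True only when address AND port of the returned server match."""
    return parse_endpoint(required) == parse_endpoint(returned)


# Allowed "tlsminver" values; the draft's default is 1.2.
TLS_MIN_VERSIONS = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_tlsminver(value="1.2"):
    """Reject anything but the currently allowed minimum versions."""
    if value not in TLS_MIN_VERSIONS:
        raise ValueError(f"tlsminver must be one of {sorted(TLS_MIN_VERSIONS)}")
    return TLS_MIN_VERSIONS[value]


def make_client_context(tlsminver="1.2", ciphers=None):
    """Build a client context; 'ciphers' is an OpenSSL TLS 1.2 cipher string."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = parse_tlsminver(tlsminver)
    if ciphers:
        ctx.set_ciphers(ciphers)  # Python's ssl has no TLS 1.3 ciphersuites setter
    return ctx
```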