I have implemented and fully documented a new 'crypto' configuration with options mintls, maxtls, and enclair. They set globals in ntpd/nts.c.

The mintls and maxtls options are as discussed on this list. The "enclair" option is intended to disable crypto negotiation so certificates are not required and traffic is sent en clair. Paired with an enclair option on the ntsd side, this should save us from needing certificate installation when we want to test the wire protocols.

Similarly, there is now a "cipher" option of the crypto command intended to force the cipher choice, disabling negotiation.

Note that the documentation for the TLS options has moved to docs/includes/auth-commands.adoc.

Together with the per-server options already implemented (nts, ask, enquire, expire, cert, ca) I believe this completes the set of client-side options we'll need for first ship to Cisco. If I'm wrong about that, somebody should tell me what's missing while my brain is still loaded with config parser internals.

--
Eric S. Raymond <http://www.catb.org/~esr/>

"The best we can hope for concerning the people at large is that they be properly armed."
-- Alexander Hamilton, The Federalist Papers at 184-188

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel