Yo Hal!

On Tue, 02 Apr 2019 13:25:11 -0700
Hal Murray <hmur...@megapathdsl.net> wrote:

> My quick try didn't reproduce your problem. What's in your log
> file. There should be something like this:
> 2 Apr 13:11:21 ntpd[4313]: NTSc: Using dir /tmp/ for root
> certificates.

Nope. And it should just be for the one cert, not always a root cert.
So if that message says what it means it is not doing what we want.

> I notice 2 "nts" in your server line, but that shouldn't break
> things.

Ooops. fixed.

> I think the "-4" is only valid between "server" and the
> filename. The parser may have dropped the rest of the line.

Ouch. The parser bytes me again. The lack of parser diagnostics is a
PITA... Silently failing open is really bad.

Also, the ntp.conf synopsis for "server" fails to mention that, and other,
limitations.

Here is the log:

2019-04-02T11:31:11 ntpd[10911]: DNS: dns_probe: pi3.rellim.com, cast_flags:1, flags:21801
2019-04-02T11:31:11 ntpd[10911]: NTSc: DNS lookup of pi3.rellim.com took 0.000 sec
2019-04-02T11:31:11 ntpd[10911]: NTSc: nts_probe connecting to pi3.rellim.com:123 => [2001:470:e815::23]:123
2019-04-02T11:31:11 ntpd[10911]: NTSc: set cert host: pi3.rellim.com
2019-04-02T11:31:11 ntpd[10911]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-04-02T11:31:11 ntpd[10911]: NTSc: certificate subject name: /CN=pi3.rellim.com
2019-04-02T11:31:11 ntpd[10911]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-04-02T11:31:11 ntpd[10911]: NTSc: certificate is valid.
2019-04-02T11:31:11 ntpd[10911]: NTSc: matched cert host: pi3.rellim.com
2019-04-02T11:31:11 ntpd[10911]: NTSc: read 880 bytes
2019-04-02T11:31:11 ntpd[10911]: NTSc: Got 8 cookies, length 104, aead=15.
2019-04-02T11:31:11 ntpd[10911]: NTSc: NTS-KE req to pi3.rellim.com took 0.024 sec, OK
2019-04-02T11:31:11 ntpd[10911]: DNS: dns_check: processing pi3.rellim.com, 1, 21801
2019-04-02T11:31:11 ntpd[10911]: DNS: Server taking: 2001:470:e815::23
2019-04-02T11:31:11 ntpd[10911]: DNS: Server poking hole in restrictions for: 2001:470:e815::23
2019-04-02T11:31:11 ntpd[10911]: DNS: dns_take_status: pi3.rellim.com=>good, 0
2019-04-02T11:31:11 ntpd[10911]: PROTO: 2001:470:e815::23 a014 84 reachable

I changed to:

server -4 pi3.rellim.com nts maxpoll 5 ca /tmp # pi3

Now it gets weird. I see this in ntpmon:

pi3.rellim.com .NTS. 16 u - 32 0 0.0000 0.0000 0.0001

But NOTHING about pi3 in the logs!

At least it is no longer silently failing to insecure, now it is just
silently failing.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
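An added example, not part of the original message or of NTPsec: a cross-check that compares what ntp.conf asks for with what ntpd actually logged, so a silently dropped "nts" or "ca" option shows up as a finding. The sample config and log are constructed; the log patterns are assumed from the message wording quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the config and log lines in the thread.
SAMPLE_CONF = """\
server -4 pi3.rellim.com nts maxpoll 5 ca /tmp  # pi3
server ntp.example.net nts
server plain.example.net
"""
SAMPLE_LOG = """\
2019-04-02T11:31:11 ntpd[10911]: NTSc: NTS-KE req to ntp.example.net took 0.024 sec, OK
"""
# Assumption: these two message formats are as quoted in the thread.
KE_OK = re.compile(r"NTSc: NTS-KE req to (\S+) took [\d.]+ sec, OK")
CA_USED = re.compile(r"NTSc: Using \w+ (\S+) for root certificates")


def nts_servers(conf_text):
    """Return {host: ca_path_or_None} for every server line carrying 'nts'."""
    servers = {}
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "server":
            continue
        # Read the line as the admin intended it, not as ntpd's parser would.
        args = [w for w in words[1:] if w not in ("-4", "-6")]
        if not args:
            continue
        host, opts = args[0], args[1:]
        if "nts" in opts:
            ca = opts[opts.index("ca") + 1] if "ca" in opts[:-1] else None
            servers[host] = ca
    return servers


def audit(conf_text, log_text):
    """List (host, problem) pairs where the log does not confirm the NTS config."""
    ke_ok = set(KE_OK.findall(log_text))
    ca_used = {p.rstrip("/") for p in CA_USED.findall(log_text)}
    findings = []
    for host, ca in nts_servers(conf_text).items():
        if host not in ke_ok:
            findings.append((host, "no successful NTS-KE logged"))
        if ca is not None and ca.rstrip("/") not in ca_used:
            findings.append((host, "ca %s never reported as loaded" % ca))
    return findings


if __name__ == "__main__":
    for host, problem in audit(SAMPLE_CONF, SAMPLE_LOG):
        print("%s: %s" % (host, problem))
```

On the constructed sample, pi3.rellim.com is flagged twice (no NTS-KE record, "ca /tmp" never reported), which is the "nothing in the logs" state described in the message.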