Yo Hal! On Wed, 11 May 2022 01:53:30 -0700 Hal Murray <halmur...@sonic.net> wrote:
> > I like your suggestion of ntpd using "-g" to get the system time
> > close, before checking any certificates.
>
> It was Richard's suggestion, not mine. The idea was to only skip the
> date checks and do the rest of the certificate checking.

You can see how well I'm paying attention....

> The main reason is that it's a hole in security. I don't want to
> clutter up security discussions and documentation with that very
> unlikely case.

It could be a non-default option, coupled with serious warnings.

> The second reason is that OpenSSL isn't set up to skip only the date
> check. We could easily implement your version of no-check, but that
> would make the tiny security hole a big hole.

I find that convincing. If OpenSSL does not have the knob, game over.

> I think the alternative is to get the clock reasonably close before
> running ntpd.

And the traditional solution(s).

> What is swclock? What distros does it run on?

swclock is part of OpenRC. Which is in any OS that runs OpenRC, like
Gentoo. On startup it resets the system time to the time of the last
shutdown (usually).

https://github.com/openrc/openrc/

> I think the Linux kernel sets the clock to the build time or
> something similar.

Nope.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
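The swclock idea discussed above (record the time at shutdown, and on boot step the clock forward to it so certificate validity checks run against a plausible clock before ntpd -g takes over), as an added example in POSIX shell. This is not OpenRC's swclock code and not part of the thread: the stamp file path, storing the epoch as text rather than as a file timestamp, and the SWCLOCK_DRY_RUN variable are assumptions made for the illustration. The decision logic is kept in its own function so it can be checked without touching the real system clock, and the script only ever steps the clock forward, never back.

```shell
#!/bin/sh
# Added example, modelled on the swclock idea from the thread; not OpenRC code.
# Path is an assumption; OpenRC keeps its own state elsewhere.
STAMP="${SWCLOCK_STAMP:-/var/lib/swclock/shutdowntime}"

# At shutdown: record the current epoch seconds (text format is an assumption).
swclock_save() {
    mkdir -p "$(dirname "$STAMP")" && date +%s > "$STAMP"
}

# Decide whether the clock must be stepped forward.
# $1 = current epoch seconds, $2 = stamp file.
# Returns 0 (step needed) only when the stamp is readable, numeric and
# later than "now"; a missing or corrupt stamp means "do nothing".
swclock_needs_step() {
    [ -r "$2" ] || return 1
    saved=$(cat "$2")
    case "$saved" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -lt "$saved" ]
}

# At boot, before ntpd -g: step only if the kernel clock is behind the
# last recorded shutdown time. SWCLOCK_DRY_RUN (assumed variable) makes
# it print the intended step instead of calling date -s.
swclock_restore() {
    now=$(date +%s)
    if swclock_needs_step "$now" "$STAMP"; then
        saved=$(cat "$STAMP")
        if [ -n "$SWCLOCK_DRY_RUN" ]; then
            echo "would step clock from $now to $saved"
        else
            date -s "@$saved"
        fi
    fi
}
```

Typical wiring is `swclock_restore` early in boot (before any service that validates certificates) and `swclock_save` in the shutdown path; after the step, ntpd -g can still apply its usual large initial correction from real time sources.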
_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel