On 03/17/2024 at 2:00 PM PDT, Hal Murray via devel <devel@ntpsec.org> wrote:

> Is anybody thinking about what we should be doing?
>
> Here is my list:
>
> Port to Windows
> Does anybody know anything about Windows?
> Is there a decent POSIX environment?
> How well does waf work on Windows?
> We can get the magic code from ntp-classic.

I have forgotten almost everything about MS Windows. It claims to have a POSIX environment, but it is not. IIRC waf works on MS Windows; our main configuration does not so much. The portability shim should still be available at the git-conversion tag; fitting it in will be annoying.

> I think we should split ntpd into several independent programs.
> More in another message.

I gave up on that notion; I lacked the patience to do it.

> I think we need a good SNTP client. Something like the old ntpdate.
> I'm looking for a clean example.
> This would be a good opportunity to experiment with Go and/or Rust.
>
> Getting off the ground.
> There is a chicken-egg problem with getting started when using NTS. TLS
> needs the time to check certificates. I think we can do something like skip
> the date part of certificate checking, then come back and see if the
> certificates pass the date-check after we have a candidate date.

Dusting all the corners would be irritating.

> Alternate port for use with NTS.
> There is a lot of blocking/filtering on port 123. NTS-KE includes
> specifying the port to use. We should be able to listen on another port too.
> I haven't looked carefully. This feels like medium complexity.

Yeah, the IETF NTP WG shot down the notion of NTP alternative port.

...

> We should test the config file stuff to see that all the options at least get
> past the parser. Better would be to actually run the code.

I think somewhere in the middle might be a program that takes config files and dumps them into some format that is easy to eyeball and machine parse.

> We should check FIPS mode. Do any of the CI options include FIPS?
> I got halfway there by building OpenSSL to include FIPS mode but I haven't
> made the config file to use it.

None of the CI runners support FIPS140-2 at the moment. I don't know how to make them either.

> I'd like a script that checks the certificates. When do they expire?

That sounds like a simple wrapper around 'openssl x509' would work. If OpenSSL does not work, you are probably looking at something much heavier in the front.

> I'd like a script that finds out who signed a certificate and pokes around in
> my local certificate collection and tells me a filename so I can add that to
> a server line in the config file. The idea is to make sure that we are using
> the right root-cert rather than one from a CA that was arm twisted by your
> local repressive govt or broken into by the KGB or NSA.

Perhaps we could call it cert-sweep and also dump the hash, notAfter and other data from the certificates to standard out as well.

_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
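A sketch of the two scripts discussed above (the expiry check wrapping 'openssl x509', and the cert-sweep issuer lookup that names a file in the local collection), plus the skip-the-date-check-then-recheck idea from the NTS bootstrapping point. This is an added example, not NTPsec code or anything from the thread; it assumes openssl in PATH, a collection stored as *.pem files, and make_sample_pki builds a throwaway root and leaf purely for trying it out.

```shell
#!/bin/sh
# Added example (not NTPsec code): cert-sweep sketch around 'openssl x509' and
# 'openssl verify'. Assumes openssl in PATH and PEM certs named *.pem.

# Report when a cert expires plus who it is and who signed it.
cert_report() {
    openssl x509 -in "$1" -noout -enddate -subject -issuer -fingerprint -sha256
}

# Succeed if cert $1 stays valid for at least $2 more days (-checkend is in seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the file in dir $1 that signed cert $2: its subject hash must match the
# issuer hash, and its key must really verify the signature (the short hash alone
# can collide or name a look-alike CA, so the verify step is the real test).
find_issuer_file() {
    dir=$1; cert=$2
    want=$(openssl x509 -in "$cert" -noout -issuer_hash)
    for f in "$dir"/*.pem; do
        [ "$(openssl x509 -in "$f" -noout -subject_hash)" = "$want" ] || continue
        # -partial_chain lets $f act as anchor even when it is an intermediate.
        if openssl verify -partial_chain -CAfile "$f" "$cert" >/dev/null 2>&1; then
            printf '%s\n' "$f"; return 0
        fi
    done
    return 1
}

# NTS bootstrap idea: check the chain with the clock ignored (-no_check_time,
# OpenSSL >= 1.1.0), then re-run the date check at candidate time $3 (Unix seconds).
verify_with_candidate_time() {
    ca=$1; cert=$2; now=$3
    openssl verify -no_check_time -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl verify -attime "$now" -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Constructed throwaway PKI for trying the above: a self-signed root and one leaf.
make_sample_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Example Root" -days 30 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=ntp.example" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 7 >/dev/null 2>&1
}
```

Run make_sample_pki on a scratch directory, then point find_issuer_file at it and the leaf; the printed path is what you would paste into the server line.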