On Tue, Jul 06, 2021 at 12:18:26PM -0500, Richard Laager via devel wrote:
> On 7/5/21 8:38 AM, Eric S. Raymond via devel wrote:
> > > There is a close-to-RFC to handle this area. "Interleave" is the
> > > buzzword. I haven't studied it. The idea is to grab a transmit time stamp, then
> >
On Mon, Mar 22, 2021 at 02:24:50PM -0700, Hal Murray via devel wrote:
>
> Since you mentioned PTP, can we use the PTP time stamping stuff to get better
> time stamps for NTP packets? (without dragging in any/much PTP stuff)
NTP can make use of some of the features that PTP hardware supports.
NT
On Mon, Jun 15, 2020 at 11:54:57PM -0700, Hal Murray via devel wrote:
>
> They are up to alpha3. I've been trying it.
>
> I added a tweak to wscript to support this, and some notes in HOWTO-OpenSSL
> That recipe also works for getting 1.1.1 on old systems so they can use NTS.
>
> -
>
>
On Fri, Oct 25, 2019 at 01:26:53AM -0700, Hal Murray via devel wrote:
> I haven't seen any examples of OpenSSL on distros that are so old that they
> don't support TLS 1.2
TLS 1.2 got added in 1.0.1, which was released in 2012. I'm
guessing there are some old redhat versions that are still
suppor
On Sat, Mar 30, 2019 at 08:05:41PM -0700, Hal Murray wrote:
> > A sockaddr is not meant to store the address, ...
>
> But the API wants a sockaddr.
> int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
> There is no hint in the man page that an IPv6 address won't fit.
>
> so
On Sat, Mar 30, 2019 at 02:35:18PM -0700, Hal Murray via devel wrote:
> I just pushed a fix. It was an interesting quirk. The API for accept
> includes a pointer and length to a place to put the IP Address of the remote
> site. The type of that place is struct sockaddr. sockaddr is generic,
On Mon, Mar 25, 2019 at 04:00:23AM -0700, Hal Murray via devel wrote:
>
> I thought it had been removed.
>
> Job #183497467 ( https://gitlab.com/NTPsec/ntpsec/-/jobs/183497467 )
>
> Stage: build
> Name: debian-oldoldstable-refclocks
> Trace: Err http://deb.debian.org oldoldstable-updates/main am
On Sun, Mar 03, 2019 at 03:30:53PM -0800, Gary E. Miller via devel wrote:
> Yo Kurt!
>
> On Mon, 4 Mar 2019 00:19:44 +0100
> Kurt Roeckx via devel wrote:
>
> > > Actually getting timestamps from the NIC is fairly involved. The NIC
> > > has its own clock and
On Sun, Mar 03, 2019 at 05:59:11PM -0500, Daniel Franke wrote:
> On Sun, Mar 3, 2019 at 8:45 AM Kurt Roeckx via devel wrote:
> > On Sun, Mar 03, 2019 at 05:23:31AM -0800, Hal Murray wrote:
> > >
> > > k...@roeckx.be said:
> > > > If this is something you
On Sun, Mar 03, 2019 at 10:25:31PM +0100, Achim Gratz via devel wrote:
> Kurt Roeckx via devel writes:
> > I don't see how it can work with the current pool system. You look
> > something up like pool.ntp.org and get some IP addresses. But none
> > of those will have a ce
On Sun, Mar 03, 2019 at 08:56:55PM +0100, Achim Gratz via devel wrote:
> Hal Murray via devel writes:
> > There is no security in the pool anyway, so let's put that discussion
> > aside for a while.
>
> I'd take exception with that statement. If the pool was upgraded to use
> NTS one way or the o
On Sun, Mar 03, 2019 at 05:23:31AM -0800, Hal Murray wrote:
>
> k...@roeckx.be said:
> > If this is something you're worried about, this can be solved with the
> > interleave mode, which was removed.
>
> How well does it work?
It works great, the errors are much smaller when it's enabled.
> Is
On Sat, Mar 02, 2019 at 09:23:51PM -0800, Hal Murray via devel wrote:
> *) There is actually one interesting point that authentication makes more
> interesting. On receive, we get a time stamp when the packet arrives. We
> can take all day to inspect the packet and run authentication code.
On Wed, Feb 06, 2019 at 10:31:39PM -0800, Hal Murray wrote:
>
> k...@roeckx.be said:
> > Please use 0 instead of TLS_MAX_VERSION, it means the same. I've marked
> > TLS_MAX_VERSION for deprecation.
>
> Thanks for the heads up.
>
> Is there any documentation on that? (man page?)
There is SSL_C
On Wed, Feb 06, 2019 at 02:05:27PM -0800, Hal Murray via devel wrote:
>
> float mintls = 1.2; /* minimum TLS version allowed */
> float maxtls; /* maximum TLS version allowed */
>
> Floats? The API to OpenSSL doesn't work in floats. We'll have to translate
> those
On Sun, Feb 03, 2019 at 03:15:55PM -0600, Richard Laager via devel wrote:
> On 2/3/19 1:01 PM, Eric S. Raymond wrote:
> > I guess it will have to be an empty string that disables encryption.
>
> I'm not sure if you wrote this before the recent messages on the NULL
> ciphers. But you said you were
On Sat, Feb 02, 2019 at 05:52:25PM -0500, Eric S. Raymond via devel wrote:
> Gary E. Miller via devel :
> > On Sat, 2 Feb 2019 06:16:45 -0500 (EST)
> > "Eric S. Raymond via devel" wrote:
> >
> > > NEVER CONFIGURE WHAT YOU CAN DISCOVER
> > >
> > > These are from nts.adoc:
> > >
> > > *tls1
On Fri, Jul 06, 2018 at 06:05:49PM -0700, Hal Murray wrote:
>
> k...@roeckx.be said:
> > Note that this change in OpenSSL's behaviour to reseed can cause problems
> > for processes that chroot and don't have access to /dev/urandom in the chroot
> > nor have a system call like getentropy(
On Fri, Jul 06, 2018 at 01:27:30PM -0700, Hal Murray via devel wrote:
> Also, it didn't check the return code. That raises an interesting question.
> What should we do if there isn't enough entropy?
>
> How much entropy is there in a typical system? Can a malicious user use it
> all up? Coul
On Tue, May 29, 2018 at 03:15:15PM -0400, Eric S. Raymond via devel wrote:
> [[interface]]
> +interface+ [+listen+ | +ignore+ | +drop+] [+all+ | +ipv4+ | +ipv6+ |
> +wildcard+ | 'name' | 'address'[/'prefixlen']]::
> This command controls which network addresses +ntpd+ opens, and
> whether inpu
On Fri, Jan 05, 2018 at 02:41:39PM -0800, Hal Murray wrote:
>
> > I have no idea how it's used in NTP. But I understand it's some kind of
> > shared password? You should clearly look in how it's being used and if that
> > actually makes sense. Maybe it needs more than just replacing the hash
> > a
On Fri, Jan 05, 2018 at 04:24:01PM -0500, Eric S. Raymond wrote:
> Kurt Roeckx :
> > On Fri, Jan 05, 2018 at 10:04:44AM -0500, Eric S. Raymond via devel wrote:
> > > > MD5 is no longer considered safe.
> > > > Is SHA1 considered safe? What other types should we test and/or suggest
> > >
On Fri, Jan 05, 2018 at 10:04:44AM -0500, Eric S. Raymond via devel wrote:
> > MD5 is no longer considered safe.
> > Is SHA1 considered safe? What other types should we test and/or suggest
> > people use?
>
> No, SHA1 is no longer considered safe. The first collision was generated
> early last
On Sun, Dec 03, 2017 at 02:43:04PM -0500, Eric S. Raymond via devel wrote:
> All hands alert. We have our first, or maybe second depending on how
> you count, serious bug. About 33% of the time, NTPsec is eliciting bad
> packets from Amazon time service. Classic does not have this problem.
I woul
On Sat, Nov 25, 2017 at 01:26:18AM -0800, Hal Murray via devel wrote:
> (gdb) bt
> #0 0x76ebf104 in futex_wake (private=0, processes_to_wake=2147483647,
> futex_word=0x76eaf618) at ../sysdeps/unix/sysv/linux/futex-internal.h:231
> #1 __pthread_once_slow (once_control=0x76eaf618, init_routine
On Sat, Nov 25, 2017 at 05:09:02AM -0800, Hal Murray wrote:
>
> k...@roeckx.be said:
> > This means that when we initialize a global variable we use the
> > pthread_once() function, which internally uses the futex to do that. It's
> > not using threads itself, it's just making sure that if you use
26 matches