Hal,
It looks like you broke building on macOS:
https://gitlab.com/NTPsec/ntpsec/commit/22c134c8b20e9a897fc5521df871606167067b2e
that links to the pipeline here:
https://gitlab.com/NTPsec/ntpsec/pipelines/101491292
which links to these failed jobs:
https://gitlab.com/NTPsec/ntpsec/-/jobs/37
On 12/9/19 2:56 AM, Hal Murray via devel wrote:
> Is there any reason to support anything older than TLS 1.2?
No. The NTS standard requires TLS 1.2 as a minimum (since NTS is a new
protocol, there is no need for backwards compatibility with old TLS).
--
Richard
dfoxfra...@gmail.com said:
> Nonsense. ALPN predates TLS 1.3 by several years and RFC 7301 doesn't even
> restrict it to TLS 1.2 and up; it even can support 1.0.
Thanks for the heads up. I haven't been able to recreate how I associated
ALPN with needing TLS 1.3.
ALPN was added to OpenSSL 1.0
On Sun, Dec 8, 2019 at 9:15 AM Hal Murray wrote:
> Because ALPN is not supported by TLSv1.2
Nonsense. ALPN predates TLS 1.3 by several years and RFC 7301 doesn't
even restrict it to TLS 1.2 and up; it even can support 1.0.
___
devel mailing list
devel@n
> Why only TLS 1.3? The spec makes it mandatory for all versions.
Because ALPN is not supported by TLSv1.2 and there are many distros that are
still using old versions of OpenSSL that don't support TLSv1.3. It seemed
better to support old systems rather than be hard-nosed about a corner of the
Hal Murray via devel writes:
> Thanks. Interesting that you are the first to notice. It's been there since
> mid September.
It doesn't always happen and then not with all NTS servers. But the
spec is pretty clear that you must not expect a NUL character at the end
of the string.
>> so you can
On Sun, Dec 8, 2019 at 7:58 AM Hal Murray via devel wrote:
> The current code now requires ALPN if using TLSv1.3. ***
Why only TLS 1.3? The spec makes it mandatory for all versions.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/m
Thanks. Interesting that you are the first to notice. It's been there since
mid September.
> The ALPN validation was broken and would always return "bad". Why NTS works
> anyway I don't know
bool bad = true; /* Always return OK for now. */
Leftover from early ALPN debugging.
> so y
The ALPN validation was broken and would always return "bad". Why NTS
works anyway I don't know, but the ALPN negotiated protocol is a counted
string (without an added '\0'), so you can't use strcmp to check you've
got the expected protocol. I've also shortened a way too long (probably
entirely
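
The counted-string point in the last message, as an added example that is not part of the original thread or NTPsec's code: the negotiated ALPN protocol arrives as a pointer plus a length (the form OpenSSL's `SSL_get0_alpn_selected` reports), so the check must compare the length and then exactly that many bytes. The function names and the sample buffer are assumptions constructed for illustration; `ntske/1` is the ALPN ID the NTS specification assigns to NTS-KE.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ALPN protocol ID for NTS-KE, as assigned by the NTS specification. */
#define NTSKE_ALPN "ntske/1"

/* Correct check: compare the length first, then exactly that many bytes.
 * The length test also rejects prefixes and longer names ("ntske/10"). */
bool alpn_matches(const unsigned char *data, unsigned int len,
                  const char *expected)
{
    size_t want = strlen(expected);
    return data != NULL && len == want && memcmp(data, expected, want) == 0;
}

/* Flawed check, kept for contrast: treats the counted string as a C string,
 * so the result depends on whatever bytes follow it in memory. */
bool alpn_matches_strcmp(const unsigned char *data, const char *expected)
{
    return data != NULL && strcmp((const char *)data, expected) == 0;
}

/* Constructed sample: an ALPN protocol list in wire format (RFC 7301), each
 * entry a one-byte length followed by the name. The string literal's
 * trailing '\0' keeps the strcmp variant well-defined in this demo. */
static const unsigned char sample_list[] = "\x07ntske/1\x08http/1.1";

int main(void)
{
    const unsigned char *sel = sample_list + 1; /* selected entry, no NUL */
    unsigned int sel_len = sample_list[0];      /* 7 */

    printf("length + memcmp: %s\n",
           alpn_matches(sel, sel_len, NTSKE_ALPN) ? "ok" : "bad");
    printf("strcmp:          %s\n",
           alpn_matches_strcmp(sel, NTSKE_ALPN) ? "ok" : "bad");
    return 0;
}
```

In the sample, the bytes after the selected name are the next list entry, so the `strcmp` variant rejects a correct negotiation; with other memory contents it could happen to pass, which is why such a failure shows up only with some peers.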