Yo Hal!
On Sun, 24 Mar 2019 21:38:53 -0700
Hal Murray wrote:
> > My slower RasPi have random startup crashes. Goes away when I do
> > not make them NTS clients. Feels like another mysyslog() thing?
>
> I'd expect garbage in the log files rather than crashes.
Then we have a mystery...
> Th
> My slower RasPi have random startup crashes. Goes away when I do not make
> them NTS clients. Feels like another mysyslog() thing?
I'd expect garbage in the log files rather than crashes.
There is a known bug: nts doesn't work with IP Addresses. Gets a segfault.
That case might make sen
Yo Hal!
I updated more of my servers to NTS. A few notes:
The waf install, or runtime, or both, need to make /var/lib/ntp if
missing. Not quite sure...
My slower RasPi have random startup crashes. Goes away when I
do not make them NTS clients. Feels like another mysyslog() thing?
When I set
Yo Matthew!
On Sat, 23 Mar 2019 02:25:02 +
Matthew Selsky wrote:
> In ntpd/wscript, try replacing this:
>
> use="libntpd_obj ntp M parse RT CAP SECCOMP PTHREAD NTPD "
> "SSL CRYPTO DNS_SD %s SOCKET NSL SCF" % use_refclock,
>
> With:
>
> use="M SSL CRYPTO DNS_SD
On Fri, Mar 22, 2019 at 06:32:10PM -0700, Gary E. Miller via devel wrote:
> I think this is what you want:
Perfect.
> I tried to modify the wscript to do that, but failed...
In ntpd/wscript, try replacing this:
use="libntpd_obj ntp M parse RT CAP SECCOMP PTHREAD NTPD "
"SSL
Yo Matthew!
On Sat, 23 Mar 2019 01:08:06 +
Matthew Selsky wrote:
> This sounds like:
> https://ubuntuforums.org/archive/index.php/t-985136.html
Sure does.
> "The solution is simple, for some reason, when linking the library,
> -lssl must be in front of -lcrypto."
Fingers crossed.
> Can y
On Fri, Mar 22, 2019 at 04:52:33PM -0700, Gary E. Miller via devel wrote:
> Yo Hal!
>
> New issue. I have a really old server that has been running NTPsec
> git head until recently. Now it fails, the openssl is too old.
>
> # openssl version
> OpenSSL 1.0.2o 27 Mar 2018
>
> I know I can updat
Yo Hal!
New issue. I have a really old server that has been running NTPsec
git head until recently. Now it fails, the openssl is too old.
# openssl version
OpenSSL 1.0.2o 27 Mar 2018
I know I can update the openssl, but many people will not be able to...
How do I disable building with openss
Yo Mike!
On Fri, 22 Mar 2019 22:16:43 +
Mike Simpson via devel wrote:
>
> My server khronos.mikieboy.net is also publicly available and running
> current
Cool, I can connect just fine.
> so could be added for the hackathon.
You'll have to contact them directly:
NTP WG
"Dieter
> On 22 Mar 2019, at 22:07, Gary E. Miller via devel wrote:
>
> Yo Hal!
>
> On Fri, 22 Mar 2019 14:14:19 -0700
> Hal Murray via devel wrote:
>
> 2019-03-22T12:55:52 ntpd[10362]: DNS: Server skipping:
> 2001:470:e815::23
>>
>>> Looking at this again, when kong connects to pi3, there
Yo Hal!
On Fri, 22 Mar 2019 14:14:19 -0700
Hal Murray via devel wrote:
> > > > 2019-03-22T12:55:52 ntpd[10362]: DNS: Server skipping:
> > > > 2001:470:e815::23
>
> > Looking at this again, when kong connects to pi3, there is no
> > duplicate connection.
>
> Then where did that skipping com
> > > 2019-03-22T12:55:52 ntpd[10362]: DNS: Server skipping:
> > > 2001:470:e815::23
> Looking at this again, when kong connects to pi3, there is no duplicate
> connection.
Then where did that skipping come from? Either there is some other server
slot that has that IP Address, or the NTS path
> Uh, oh. You mean I can't have both an NTS and a non-NTS connection to the
> same address? I want that to compare latency and jitter. That needs a very
> clear error message.
Nope. It might be possible to change, but I doubt if it's worth the effort.
You can compare -4 with -6.
I've adde
Yo Hal!
> > > 2019-03-22T12:55:52 ntpd[10362]: NTSc: Got 8 cookies, length 104,
> > > aead=15. 2019-03-22T12:55:52 ntpd[10362]: NTSc: NTS-KE req to
> > > pi3.rellim.com took 0.028 sec, OK 2019-03-22T12:55:52 ntpd[10362]:
> > > DNS: dns_check: processing pi3.rellim.com, 1, 21801
> > > 2019-03-22T12
Yo Hal!
On Fri, 22 Mar 2019 13:30:48 -0700
Hal Murray via devel wrote:
> >> 2. A way to see both the NTS name/IP and matching NTPD name/IP
>
> 2019-03-22T12:55:52 ntpd[10362]: NTSc: nts_probe connecting to
> pi3.rellim.com:123 => [2001:470:e815::23]:123
>
> Is that enough? (client side)
I
>> I have 1.1.0j (Debian) talking to 1.0.2o (FreeBSD)
>> Works.
> And vice-versa?
Yes.
>> 2. A way to see both the NTS name/IP and matching NTPD name/IP
2019-03-22T12:55:52 ntpd[10362]: NTSc: nts_probe connecting to
pi3.rellim.com:123 => [2001:470:e815::23]:123
Is that enough? (clie
Yo Hal!
On Fri, 22 Mar 2019 01:19:23 -0700
Hal Murray via devel wrote:
> >>> Gentoo unstable is on 1.1.0j. Stable is on 1.0.2r.
> >> I'd expect that case to work.
> > Me too.
>
> I have 1.1.0j (Debian) talking to 1.0.2o (FreeBSD)
> Works.
And vice-versa?
> >> Do you get an intere
Yo Hal!
On Fri, 22 Mar 2019 01:22:37 -0700
Hal Murray via devel wrote:
> > I don't care if it is ntpq, ntpmon, log files, whatever. Right now
> > I don't know how to get the info any way.
>
> I still don't know what you want.
As I said before:
> > 2. A way to see both the NTS name/IP and
> I don't care if it is ntpq, ntpmon, log files, whatever. Right now I don't
> know how to get the info any way.
I still don't know what you want.
I've tried hard to make sure that everything interesting is in the log files
while at the same time not making things too verbose. Please look c
>>> Gentoo unstable is on 1.1.0j. Stable is on 1.0.2r.
>> I'd expect that case to work.
> Me too.
I have 1.1.0j (Debian) talking to 1.0.2o (FreeBSD)
Works.
>> Do you get an interesting error message?
>Nope. The client gets the 8 cookies, but the NTPD fails, silently.
Does the 8 count dow
Yo Hal!
On Thu, 21 Mar 2019 17:39:07 -0700
Hal Murray via devel wrote:
> > I found why my pi3 can NTS connect to my kong, but not vice versa.
> > My pi3 is running OpenSSL 1.0.2r
> > My kong is running 1.1.0j
> > Gentoo unstable is on 1.1.0j. Stable is on 1.0.2r.
>
> I'd expect that case to
Yo Hal!
On Thu, 21 Mar 2019 18:21:06 -0700
Hal Murray via devel wrote:
> > Feature requests:
> > 1. selectable TCP ports for NTSc and NTSs.
>
> The client side already works. Use
> server ntp.example.com:1234 nts
>
> The server side should be easy to add.
Cool.
> > 2. A way to see both
> Feature requests:
> 1. selectable TCP ports for NTSc and NTSs.
The client side already works. Use
server ntp.example.com:1234 nts
The server side should be easy to add.
> 2. A way to see both the NTS name/IP and matching NTPD name/IP
I'm not sure what you are asking for. It sounds like
> I found why my pi3 can NTS connect to my kong, but not vice versa.
> My pi3 is running OpenSSL 1.0.2r
> My kong is running 1.1.0j
> Gentoo unstable is on 1.1.0j. Stable is on 1.0.2r.
I'd expect that case to work. Do you get an interesting error message?
[I think I can setup something close
Yo Hal!
I found why my pi3 can NTS connect to my kong, but not vice versa.
My pi3 is running OpenSSL 1.0.2r
My kong is running 1.1.0j
Gentoo unstable is on 1.1.0j. Stable is on 1.0.2r.
RGDS
GARY
---
Gary E. Miller Rellim
Yo Hal!
Feature requests:
1. selectable TCP ports for NTSc and NTSs.
We can't depend on others picking TCP 123 for the NTS-KE port.
2. A way to see both the NTS name/IP and matching NTPD name/IP
Currently don't know what the "remote" is saying.
RGDS
GARY
--
>> It was a big/long gpsd log file. Was there something in particular I
>> was supposed to look for?
> Yeah, the munged IPv6 logs that do not tell me the remote IPv6 address.
It's a gpsd log file, not from ntpd.
[IPv6 truncated printout]
> I'll go scan the NTS code.
> Thanks. Funny what yo
Yo Hal!
On Thu, 21 Mar 2019 13:23:53 -0700
Hal Murray via devel wrote:
> >> No, it's the far end IP address and the local interface you use to
> >> get there.
> > Look again:
> > 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from
> > [2001:470:e815::%3= =3D 589492224]:50860
>
> > What
>> No, it's the far end IP address and the local interface you use to
>> get there.
> Look again:
> 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from [2001:470:e815::%3=
> =3D 589492224]:50860
> What IPv6 address do you think that is?
Maybe it's truncated?
I haven't figured out what's g
Yo Hal!
On Thu, 21 Mar 2019 12:37:21 -0700
Hal Murray via devel wrote:
> > So it is the near end network, not the far end IP? I'd really like
> > to know the far end IP.
>
> No, it's the far end IP address and the local interface you use to
> get there.
Look again:
2019-03-20T18:11:14 ntp
> So it is the near end network, not the far end IP? I'd really like to know
> the far end IP.
No, it's the far end IP address and the local interface you use to get there.
> And what is the equal sign and the thing after it?
=3D is mail escape stuff. 3D is hex for =. = is the escape chara
Yo Hal!
On Wed, 20 Mar 2019 23:35:17 -0700
Hal Murray via devel wrote:
> > 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from
> > [2001:470:e815::%3= 589492224]:50860
> > Wow, that is one wacky IPv6 address! Bad format string?
>
> The % stuff is telling you which network interface it
> 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from [2001:470:e815::%3=
> 589492224]:50860
> Wow, that is one wacky IPv6 address! Bad format string?
The % stuff is telling you which network interface it is associated with. At
the ping level, you can use things like xx%eth0 to tell
> I added nts-ke to: pi3.rellim.com, see how that works for you.
Works.
[-4, -6]
> Ah, there it is right on the man page. I can't try it until the crash bug is
> gone.
It doesn't work yet. That's why I needed testers. Thanks for finding it.
> Odd, I tried it yet again, and this time it wor
Yo Hal!
From my logs:
2019-03-20T18:10:39 ntpd[3117]: NTSs: TCP accept-ed from 64.139.1.69:53013
2019-03-20T18:10:39 ntpd[3117]: NTSs: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-03-20T18:10:39 ntpd[3117]: NTSs: Returned 880 bytes
2019-03-20T18:10:39 ntpd[3117]: NTSs: NTS-KE server took 0.188 sec
Yo Hal!
On Wed, 20 Mar 2019 17:30:11 -0700
Hal Murray via devel wrote:
> > Uh, no. You can easily get the FQDN from the IP.
>
> That adds DNS to the security chain. Doesn't sound good to me. It
> might work if you are using DNSSEC. Complicated.
I am using DNSSEC.
> > Also, since the
> Uh, no. You can easily get the FQDN from the IP.
That adds DNS to the security chain. Doesn't sound good to me. It might work
if you are using DNSSEC. Complicated.
> Also, since there is no way to specify IPv4 or IPv6, the only way I can make
> this work is by IP.
> You need to add a
Yo Hal!
On Wed, 20 Mar 2019 17:01:31 -0700
Hal Murray via devel wrote:
> > server 204.17.205.8 nts maxpoll 5 # spidey
> > Now the server starts as before, then, silently dies...
>
> Usually it logs a useful message before it exits.
First thing I tried.
> If you can't find
> one, please tr
> server 204.17.205.8 nts maxpoll 5 # spidey
> Now the server starts as before, then, silently dies...
Usually it logs a useful message before it exits. If you can't find one,
please try gdb.
It doesn't make sense to use "nts" with an IP Address if you expect to do
certificate checking. Fo
Yo Hal!
On Wed, 20 Mar 2019 16:53:05 -0700
Hal Murray via devel wrote:
> >> As long as the old cookies on the client are used in NTP packets
> >> soon enough and hence traded in for new cookies, there is no need
> >> for a NTS-KE type rekey.
>
> > Yeah, I had missed that. So I agree your con
>> As long as the old cookies on the client are used in NTP packets soon
>> enough and hence traded in for new cookies, there is no need for a
>> NTS-KE type rekey.
> Yeah, I had missed that. So I agree your concept looks good so far.
Not my concept. Straight out of the book. (draft?)
Yo Hal!
On Wed, 20 Mar 2019 16:28:36 -0700
Hal Murray via devel wrote:
> > I added this to my ntp.conf:
> > nts enable
> > cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
> > key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
> > Fail.
>
> You need "nts" in front of t
> I added this to my ntp.conf:
> nts enable
> cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
> key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
> Fail.
You need "nts" in front of the cert and key. Or else one loong line. There
is no "cert" top level command.
If yo
Yo Hal!
The ntp.conf man page needs a bit of work...
I added this to my ntp.conf:
nts enable
cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
Fail.
2019-03-20T16:15:23 ntpd[21595]: NTSs: starting NTS-KE server listening
Yo Hal!
On Wed, 20 Mar 2019 16:00:55 -0700
Hal Murray via devel wrote:
> Gary said:
> >>> Only if you figure out how to not have a huge daily rush to
> >>> rekey.
> >> Under normal conditions, there is never any need to rekey.
> > We've gone around on that many times before. We disagree.
>
Gary said:
>>> Only if you figure out how to not have a huge daily rush to rekey.
>> Under normal conditions, there is never any need to rekey.
> We've gone around on that many times before. We disagree.
> Using the same master key (with a ratchet) will eventually give the attacker
> enough dat
Yo Hal!
On Wed, 20 Mar 2019 15:22:33 -0700
Hal Murray via devel wrote:
> Gary said:
> > Only if you figure out how to not have a huge daily rush to rekey.
>
> Under normal conditions, there is never any need to rekey.
We've gone around on that many times before. We disagree.
Using the same
Gary said:
> Only if you figure out how to not have a huge daily rush to rekey.
Under normal conditions, there is never any need to rekey.
The server holds 2 cookie keys. When it makes a new key, the current key gets
moved to the old key and the previous old key is lost.
Cookies using either t
Yo Hal!
On Wed, 20 Mar 2019 12:10:25 -0700
Hal Murray via devel wrote:
> Gary said:
> > I'm waiting for Gentoo to have the required openssl version.
>
> It should work -- unless Gentoo is using something really
> pre-historic.
Ah, Gentoo unstable updated to openssl 1.1.0j on March 6th.
Do I
Gary said:
> I'm waiting for Gentoo to have the required openssl version.
It should work -- unless Gentoo is using something really pre-historic. There
are a handful of #ifdef-s to handle old versions. NetBSD 8 ships with 1.0.2k.
I test that. It builds on 1.0.1, but I'd have to check to see
Yo Hal!
On Wed, 20 Mar 2019 03:45:21 -0700
Hal Murray via devel wrote:
> Is anybody else testing things?
I'm waiting for Gentoo to have the required openssl version.
> I just fixed the cookie-key timer so that it actually rotates
> cookies. You need to delete your current cookie file
> at /var
Is anybody else testing things?
I just fixed the cookie-key timer so that it actually rotates cookies. You
need to delete your current cookie file at /var/lib/ntp/nts-keys
The timer is set to an hour rather than a day. So if your clients poll
interval gets up to 1024, it will use some old c
> I've tried defaulting ntscookies to -1 and testing for > that - change pushed.
Thanks. Looks good.
That now exposes a subtle detail. If you see NTS in the refid column, look at
the t column. If it is "u", then the NTS-KE level didn't work. If you see a
"0" there, then the NTS-KE worked bu
Hal Murray :
> [0 not showing up in ntpq -p t column for NTS clients.]
>
> Eric said:
> > I'd fix this, but I'm not sure whether you're talking server or client side.
>
> The problem is in ntpq. Somebody returns 0 for slots that don't exist. The
> check for >= 0 needs to do a preliminary check
[0 not showing up in ntpq -p t column for NTS clients.]
Eric said:
> I'd fix this, but I'm not sure whether you're talking server or client side.
The problem is in ntpq. Somebody returns 0 for slots that don't exist. The
check for >= 0 needs to do a preliminary check to see if the slot exists.
Hal Murray :
>
> Eric said:
> > Good. I'm in favor of anything it can do to export more meaningful status
> > information, and this definitely qualifies.
>
> I assume that includes putting a digit in the t column to show the number of
> cookies and hence indicate that a slot is using NTS.
Yes.
Eric said:
> Good. I'm in favor of anything it can do to export more meaningful status
> information, and this definitely qualifies.
I assume that includes putting a digit in the t column to show the number of
cookies and hence indicate that a slot is using NTS.
There is currently a bug in th
Hal Murray :
> Eric said:
> > So this means ntpd is shipping these strings in the refid field?
> Yes
Good. I'm in favor of anything it can do to export more meaningful status
information, and this definitely qualifies.
> > I want to document this. Not sure where it goes.
>
> For things like t
Eric said:
> So this means ntpd is shipping these strings in the refid field?
Yes
> I want to document this. Not sure where it goes.
For things like that, I grep -r docs/
That misses the man pages that are in the directory with program sources.
INIT gets 2 hits. Neither looked like what you
Hal Murray via devel :
> It now talks to Martin Langer's server.
>
> I added another hack to ntpq. (The hack is actually in ntpd, but you see it
> in ntpq -p) Where it used to show INIT in the refid column to indicate that
> it hasn't received any packets yet, it will now show NTS or DNS if it
Argh. I forgot to mention that the bits on the wire have changed. If you are
testing NTS, you will have to update both ends.
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/
It now talks to Martin Langer's server.
I added another hack to ntpq. (The hack is actually in ntpd, but you see it
in ntpq -p) Where it used to show INIT in the refid column to indicate that
it hasn't received any packets yet, it will now show NTS or DNS if it is
waiting for NTS/DNS lookup.