I think we should put together a recipe for each distro that will get
ntpsec running after a fresh install from their download media.
We probably need a few notes on the "fresh install" step. That's to make
it reproducible and speed things up for those of us who aren't super
familiar with that
https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1430
Should we include it in the release?
Maybe mark it as experimental?
Wait until after the release?
...
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
https://
Yo Hal!
On Tue, 06 Aug 2024 17:48:11 -0700
Hal Murray via devel wrote:
> [From https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1399]
>
> Gary said:
>
> > But I agree with you that howto run non-root needs to be
> > documented, and I would also like tests in ntpd to verify the
> > needed CAPS
[From https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1399]
Gary said:
> But I agree with you that howto run non-root needs to be documented, and
> I would also like tests in ntpd to verify the needed CAPS to run as
> designed.
I expect it will crash if it doesn't have the appropriate caps. M
From: Hal Murray
To: devel@ntpsec.org
Subject: Testing
Does anybody test our code on Apple? Solaris?
In order to test 32 bit and 64 bit big and little endian hosts with the
Trimble driver, I have been using:
LE32: Raspberry Pi 3B with Raspbian
LE64: Xeon with Gentoo
BE32: Power Mac G4 with
On Thu, May 02, 2024 at 02:17:18AM -0700, Hal Murray via devel wrote:
> Does anybody test our code on Apple? Solaris?
I do some of my initial dev work on macOS, but I don't run ntpd on macOS. My
production environment for NTPsec is Linux. I worked with Solaris x86 a few
years ago since I was i
Does anybody test our code on Apple? Solaris?
Does anybody use any of the fancy interface logic?
It's available both via the command line and the config file.
There is an option in the config file and more on the command line.
If you use the extra port stuff I pushed last night, port 123 stops working.
Ugh, blush. I usually do better than that.
On Wed, Sep 20, 2023 at 08:02:51PM -0700, Hal Murray via devel wrote:
>
> Does anybody have a recipe (or pointer to one) for how to get a system
> running
> without any IPv6?
net.ipv6.conf.all.disable_ipv6=1
> I want something such that isc_net_probeipv6_bool() will return false.
>
> Do we hav
Does anybody have a recipe (or pointer to one) for how to get a system running
without any IPv6?
I want something such that isc_net_probeipv6_bool() will return false.
Do we have to build our own kernel with some config variable turned off?
Or will just not configuring any IPv6 interfaces be g
g on the system
"relay.anastrophe.com", has NOT identified this incoming email as
spam. The original message has been attached to this so you can
view it or label similar future email. If you have any questions,
see postmas...@anastrophe.com for details.
On 11/21/2022 15:09 PM, Gary
take time
sending them.
The next step may be to have lists.ntpsec.org stop forwarding email to
mx.ntpsec.org and instead try to deliver directly. I'm sure that will
also break something.
With Turkey Day coming, my testing will have to slow down.
On Mon, 21 Nov 2022 16:10:12 -0800
On 11/21/2022 15:09 PM, Gary E. Miller via devel wrote:
Yo All!
Testing 7-8-9
RGDS
GARY
---
Yo All!
Testing 7-8-9
RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"I
Better. Dropped 18:54:41, delivered 20:22:26, so an hour thirty minutes roughly.
Return-path:
Envelope-to:p...@anastrophe.com
Delivery-date: Sun, 20 Nov 2022 20:22:26 -0800
Received: from mx.ntpsec.org ([140.211.9.57]:45636)
by relay.anastrophe.com with esmtps (TLS1.3) tls
TLS_ECDHE_RSA
Yo All!
Test 4-5-6
RGDS
GARY
Worked for me. Thanks.
What did you do/find? Is it likely to stay working?
On 11/20/2022 12:00 PM, Gary E. Miller via devel wrote:
Yo All!
Testing 1-2-3...
Yo All!
Testing 1-2-3...
RGDS
GARY
Yo All!
Testing 1-2-3...
RGDS
GARY
On Sun, Sep 06, 2020 at 06:18:40PM -0500, Richard Laager via devel wrote:
> On 9/6/20 5:43 PM, Hal Murray via devel wrote:
> > Anybody using the modem driver?
>
> I tested in November, for fun, not any practical reason. NIST's service
> is still up. The USNO service was dead. I emailed them and re
There is a slight chicken/egg problem. You can't test a released version
until it is released.
Yes you can. The push of the commit and the tagging/pushing of the
release tag can easily be separate events.
--
Achim.
(on the road :-)
On 9/6/20 5:43 PM, Hal Murray via devel wrote:
> Anybody using the modem driver?
I tested in November, for fun, not any practical reason. NIST's service
is still up. The USNO service was dead. I emailed them and received no
response.
I posted a couple patches, which were merged; see `git log 9a85
> Possibly, but to test some of the code paths (NTS) would take about a day.
> Who wants to donate machine time for the runner?
We can test most of the NTS code paths in a few seconds.
What did you have in mind for "about a day"? The NTS cookie key gets updated
every 24 hours. The last-upda
On Sun, Sep 6, 2020 at 11:13 PM James Browning via devel
wrote:
> On Fri, Sep 4, 2020 at 3:59 PM Hal Murray via devel
> wrote:
> > Can we run ntpd long enough to test the initialization and much of the
> other code?
>
> Possibly, but to test some of the code paths (NTS) would take about a
> day.
On Fri, Sep 4, 2020 at 3:59 PM Hal Murray via devel wrote:
> Can we run ntpd long enough to test the initialization and much of the other
> code?
Possibly, but to test some of the code paths (NTS) would take about a
day. Who wants to donate machine time for the runner?
> I'm thinking of somethi
Can we run ntpd long enough to test the initialization and much of the other
code?
I'm thinking of something like start ntpd, wait a while, then kill it. While
it is running, we can also test ntpq. The idea is to take advantage of the
handful of environments that are readily available.
Is
On Thu, Jul 23, 2020, at 10:59 AM Gary E. Miller via devel
wrote:
>
> Yo All!
>
> Testing 1-2-3. This list has been down since 13 Jul...
Funny, It looks like there were a couple of posts two days ago, and
before that nobody posting for a week. I think it was just sleeping or
hun
Yo All!
Testing 1-2-3. This list has been down since 13 Jul...
RGDS
GARY
On Mon, Jan 13, 2020 at 10:40 PM Hal Murray wrote:
:::snip:::
> > Any particular distro anyone wants it to run on? j/k
>
> The idea is NOT to run it as part of a normal checkin, but have something in
> addition that could be triggered manually or by the equivalent of a cron job.
> I'm thinking of
matthew.sel...@twosigma.com said:
> I'm not certain how these scripts are much different than our existing CI
> jobs... we already have CI jobs for both Python2 and Python3.
You can run them locally rather than waiting for the CI jobs to find problems.
tests/option-tester.sh tries to test all
> It is, I could throw together a merge request. I am not a CI expert though.
> Next close person would be Matt Selsky I think.
> Any particular distro anyone wants it to run on? j/k
The idea is NOT to run it as part of a normal checkin, but have something in
addition that could be triggered
On Mon, Jan 13, 2020 at 5:58 PM Eric S. Raymond via devel
wrote:
>
> Hal Murray via devel :
> > A year or 2 ago, I put together a script to test as many build time options
> > as
> > I thought reasonable. It's in ./tests/option-tester.sh
> >
> > Does anybody other than me use it?
>
> I've run it
Hal Murray via devel :
> A year or 2 ago, I put together a script to test as many build time options
> as
> I thought reasonable. It's in ./tests/option-tester.sh
>
> Does anybody other than me use it?
I've run it once or twice, but it's not easy to see how to integrate
it into our regular tes
On Mon, Jan 13, 2020 at 05:06:01PM -0800, Hal Murray via devel wrote:
> A year or 2 ago, I put together a script to test as many build time options
> as
> I thought reasonable. It's in ./tests/option-tester.sh
>
> Does anybody other than me use it?
>
> It's a bit of a CPU hog -- too much to r
What can we do about testing things like ntpq?
>
> Is there a ntpd running on the gitlab build boxes? Is it worthwhile to just
> run commands without checking the answers? (catch crashes but not much else)
Most of the build boxes are containers. There's no persistence, or daemons
th
ago. (but forgot to finish typing
this message)
-
How does waf tell the c compiler which Python.h to use?
My system has:
/usr/include/python2.7/Python.h
/usr/include/python3.7m/Python.h
-
What can we do about testing things like ntpq?
Is there a ntpd running on the gitla
On Sat, Aug 24, 2019 at 02:42:08AM -0700, Hal Murray via devel wrote:
> Stage: build
> Name: fedora-rawhide-refclocks-gpsd
> Trace: GPG Keys are configured as:
> file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-
> 31-x86_64
> Public key for glibc-common-2.30.9000-1.fc32.x86_64.rpm is not installed.
>
Stage: build
Name: fedora-rawhide-refclocks-gpsd
Trace: GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-
31-x86_64
Public key for glibc-common-2.30.9000-1.fc32.x86_64.rpm is not installed.
Failing package is: glibc-common-2.30.9000-1.fc32.x86_64
GPG Keys are configured as:
the binaries and install them on a bare system to see if they
> really work and/or to build a dependencies list?
>
> Should we build a matrix of distro and refclock? Some drivers have options
> to support various devices that are similar but different enough to be worth
> tes
we could automate the procedure so
I didn't have to go through the whole list every time we do a release.
Testing at commit/push time is just a bonus. Examples:
Does "pool" work? Do all the forms of crypto work? All OSes/distros? Does
a single server work? Does local clock w
Hal Murray via devel writes:
> Are the specs and implementation for IEEE floating point tight enough so that
> I should get the exact same result if I run a test on a different CPU
> chip?
Formally yes, if you aren't straying into denormals and you keep
yourself to elementary operations that actu
Yo Hal!
On Mon, 15 Jul 2019 17:15:34 -0700
Hal Murray via devel wrote:
> Are the specs and implementation for IEEE floating point tight enough
> so that I should get the exact same result if I run a test on a
> different CPU chip?
Better than it used to be, but you will still want to use a guar
On Mon, Jul 15, 2019, 5:15 PM Hal Murray via devel wrote:
>
> tenterl...@gmail.com said:
> > I come from a scientific background, where we compare results somewhat as
> > analog values. If the test result is off the expected by 1000%, that's
> bad.
> > If it's off 1%, better. If the error is .000
tenterl...@gmail.com said:
> I come from a scientific background, where we compare results somewhat as
> analog values. If the test result is off the expected by 1000%, that's bad.
> If it's off 1%, better. If the error is .1%, probably within achievable
> accuracy.
There is a difference b
Please excuse an outsider jumping into the conversation.
AIUI, the testing under discussion is what I think of as the system
programming type - if we have inputs A and B to a black box, and the
test reproduces output C exactly, bit-for-bit, then the test is a
success, otherwise it is a complete
Hal Murray :
>
> > It's...hm...maybe a good way to put it is that the structure of the NTPsec
> > state space and sync algorithms is extremely hostile to testing.
>
> I still don't have a good understanding of why TESTFRAME didn't work. I
> can'
> Can you get them to specify exactly what they want?
One thing to add to the list if you are going to collect NTP data...
If you know that the clocks at both ends are accurate, rawstats will give you
the transit times in each direction.
NTP assumes the transit times in each direction are equal
Mark Atwood, Project Manager :
> Oh, believe me, cloud scale devops shops know what to do with all the
> timing information.
Can you get them to specify exactly what they want?
--
Eric S. Raymond (http://www.catb.org/~esr/)
> This would actually be pretty easy to do, mechanically speaking. The
hard question is what you do with this timing information once you have it.
Oh, believe me, cloud scale devops shops know what to do with all the
timing information.
On Sun, Jul 14, 2019 at 3:19 PM Eric S. Raymond wrote:
>
> It's...hm...maybe a good way to put it is that the structure of the NTPsec
> state space and sync algorithms is extremely hostile to testing.
I still don't have a good understanding of why TESTFRAME didn't work. I can't
explain it to somebody.
We've got
co
Mark Atwood :
> I want to encourage Hal to think of ways of cracking these problems.
>
> Especially the idea of verifying key parts of the state space, even if
> we can't verify it all.
I wish him the best of luck...
> And especially if there was a way to usefully log the relative timing
> of va
> Especially the idea of verifying key parts of the state space, even if we
> can't verify it all. And especially if there was a way to usefully log the
> relative timing of various important state transitions. (That is something
> on the wishlist of the AWS NTP Kronos team.)
What are they loo
ases.
It's...hm...maybe a good way to put it is that the structure of the
NTPsec state space and sync algorithms is extremely hostile to
testing.
In reposurgeon, when I want to test a command it's generally not too
difficult to hand-craft a repository with the relevant features, run
the
e...@thyrsus.com said:
> A lot of configuration options - even things like minsane - effectively
> change the FSM.
Right. But as you said, that's a configuration option.
> Sure, you can think of the config as part of the input state - this isn't a
> code mutation. But it also means you can on
al. In a good way that other forms of auth share.
There's a kind of decomposability about it - you can say with reasonable
confidence that once you're past a certain fairly early stage in the
packet-processing pipeline nothing about auth matters any more.
So yes, that's a corner of
e...@thyrsus.com said:
> https://blog.ntpsec.org/2017/02/22/testframe-the-epic-failure.html
> Read that and think about it for a while. This is a very hard problem. I
> hit it and bounced.
Thanks.
From the blog page:
> In effect, the entire logic of the sync algorithms is a gigantic free
> p
Hal Murray via devel :
> Eric: What is the name/term for your attempt at capturing and replaying
> things? Is there a good writeup of why it didn't work?
https://blog.ntpsec.org/2017/02/22/testframe-the-epic-failure.html
Read that and think about it for a while. This is a very hard
problem. I
(Context is that I went to edit a config file to test something and I ran into
some cruft leftover from testing something else.)
Handwave...
There are a zillion corner cases that I'd like to be able to test. A typical
example is something like: with configuration X, Y should happen. Yo
I'm adding a trap to ntplib/lib_getbuf() that needs to get initialized.
I found main() in tests/common/tests_main.c, but I can't find any similar
initialization in the python testers.
Where should I be looking?
I split out the ssl parts of processing in nts_server. I didn't change
nts_client yet.
I think I put the routines you want into nts.h
I think you can test cookies. That will exercise the AES_SIV crypto routines.
You will need to call nts_cookie_init (to setup the crypto context)
On 4/1/19 12:00 AM, Hal Murray via devel wrote:
There is some cleanup I've wanted to do in that area anyway. I'll try to get
to it tonight.
Noted, will wait before stirring it up.
Only that it seemed reasonable at the time. I was more interested in getting
things working than how to test
> After staring at the code for long enough I see a number of natural cleavage
> points for solving this issue. MR in a few days.
There is some cleanup I've wanted to do in that area anyway. I'll try to get
to it tonight.
> Is there any particular reason why SSL structs need to be passed al
After staring at the code for long enough I see a number of natural
cleavage points for solving this issue. MR in a few days.
On 3/31/19 2:33 PM, Ian Bruene wrote:
Is there any particular reason why SSL structs need to be passed all
over the place to functions that do not depend on SSL itse
Is there any particular reason why SSL structs need to be passed all
over the place to functions that do not depend on SSL itself?
The notable example here is nts_ke_do_recieve, which only uses the SSL
to pass to SSL_read. I don't see any obvious reason that couldn't be
done in the calling f
Yo Hal!
On Thu, 21 Mar 2019 21:49:31 -0700
Hal Murray via devel wrote:
> > What's your environment? I'm passing "ntp" to getaddrinfo.
> > Ah, that's the bug. Don't do that. There is no official tcp/ntp
> > port assigned. So trying to look it up is not going to work
> > well...
>
> For "n
> What's your environment? I'm passing "ntp" to getaddrinfo.
> Ah, that's the bug. Don't do that. There is no official tcp/ntp port
> assigned. So trying to look it up is not going to work well...
For "not going to work", it took a long time to fail.
Fix pushed.
Gary,
It works with a mix of NTS and NTP, I removed the NTP to force it to sync
with your servers.
All seems OK now.
On Fri, Mar 22, 2019, 12:20 PM Gary E. Miller wrote:
> Yo Sanjeev!
>
> On Fri, 22 Mar 2019 08:31:34 +0800
> Sanjeev Gupta wrote:
>
> > I removed all non-NTS servers from my co
Yo Sanjeev!
On Fri, 22 Mar 2019 08:31:34 +0800
Sanjeev Gupta wrote:
> I removed all non-NTS servers from my config, and I am now synced!!!
Weird. I can run with a mix of plain NTPD and NTS/NTPD.
> No rest for the helpful: How do I check if I am an NTS server?
I like Hal's suggestions. I also
Yo Hal!
On Thu, 21 Mar 2019 17:49:55 -0700
Hal Murray via devel wrote:
> > 2019-03-22T03:56:32 ntpd[21039]: NTSc: nts_probe: DNS error trying
> > to contact pi3.rellim.com: -8, Servname not supported for
> > ai_socktype
>
> What's your environment? I'm passing "ntp" to getaddrinfo.
Ah, tha
> No rest for the helpful: How do I check if I am an NTS server?
The real check is that somebody can connect to your server.
Other maybe helpful sources of info:
netstat -tl
Should show:
tcp 0 0 0.0.0.0:ntp 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ntp
> Been running for a few hours now. ntpq -pn output:
...
> And the log is here: https://pastebin.com/fM9uDwVi
Thanks.
> 2019-03-22T03:56:32 ntpd[21039]: NTSc: nts_probe: DNS error trying to contact
> pi3.rellim.com: -8, Servname not supported for ai_socktype
What's your environment? I'm passi
Gary,
I removed all non-NTS servers from my config, and I am now synced!!!
root@ntpmon:~/ntpsec# ntpq -p
remote refid st t when poll
reach delay offset jitter
==
N -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
> -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM
> -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> -DECP_NISTZ256_ASM -DPADLOCK
Yo Sanjeev!
> > Looks good. What is your server so I can try to connect back?
> My server is ntpmon.dcs1.biz . It is in the pool, BTW.
I can't connect to any NTS from kong now. Not getting any cookies.
Some of my other 3 still work in various combinations.
I'm not putting NTS on my one pool s
SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM
-DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time
-D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/i386-linux-gnu/engines-1.
Yo Sanjeev!
On Fri, 22 Mar 2019 07:14:29 +0800
Sanjeev Gupta via devel wrote:
> I have been lurking and trying to set up NTS to talk to the rellim.com
> servers. This is a recent git head.
Cool.
> My ntp.conf snippet:
>
> nts enable
> nts cert /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.
Hi,
I have been lurking and trying to set up NTS to talk to the rellim.com
servers. This is a recent git head.
My ntp.conf snippet:
nts enable
nts cert /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.pem
nts key /etc/letsencrypt/live/ntpmon.dcs1.biz/privkey.pem
server pi3.rellim.com nts
server
gha...@gmail.com said:
> I have a server running ntpsec git head, in the pool. It has a valid SSL
> certificate. I would like to turn on NTS, etc, and see what happens.
One thing that nobody has tried/checked yet...
If the secret key file for your certificate needs a password, ntpd may have
gha...@gmail.com said:
> I have a server running ntpsec git head, in the pool. It has a valid SSL
> certificate. I would like to turn on NTS, etc, and see what happens.
Looks like you are debugging the documentation as well as the code.
Eric: Should we have a simple man page on how to setup t
On Wed, Feb 20, 2019 at 2:04 PM Hal Murray via devel
wrote:
>
> Testing. Get it up and running in your local environment. If you have a
> real
> certificate and are willing to support some testing traffic, tell me/us
> the
> host name and/or send us the root certificate.
dfoxfra...@gmail.com said:
>> The K and I used to encrypt cookies is a hack constant so old
>> cookies work over server reboots.
> I assume this is temporary while you work on this code, right? Obviously if K
> is a hardcoded constant you have no security.
Right. Total hack to allow debugging
On 2/20/19 7:26 AM, Hal Murray via devel wrote:
> For non public IP Addresses (aka behind a NAT box) you can use self signed
> certificates.
In that scenario, you can still use Let's Encrypt. Use the DNS challenge
method. The Let's Encrypt client (on the NTS-KE server) uses nsupdate
(or similar)
On Wed, Feb 20, 2019 at 12:48 AM Hal Murray via devel wrote:
> The K and I used to encrypt cookies is a hack constant so old cookies work
> over server reboots.
I assume this is temporary while you work on this code, right?
Obviously if K is a hardcoded constant you have no security.
> With the
> If I have a real certificate, I don't know it.
You have one on any web server that supports https. I don't know where it
lives. Probably someplace in apache land.
Gary says it's easy to get them via Let's Encrypt. Their web page says you
need to control the domain. Gary said you only need a
Hal Murray :
> > Excellent. What's the bext thing you need from me?
>
> Testing. Get it up and running in your local environment. If you have a
> real
> certificate and are willing to support some testing traffic, tell me/us the
> host name and/or send us the root
> Excellent. What's the bext thing you need from me?
Testing. Get it up and running in your local environment. If you have a real
certificate and are willing to support some testing traffic, tell me/us the
host name and/or send us the root certificate.
If you want to write code, we
Hal Murray via devel :
>
> The server side needs a cookie and private key.
>
> The K and I used to encrypt cookies is a hack constant so old cookies work
> over server reboots.
>
> The client side defaults to using the system root certificates. You can
> provide your own.
>
> With the NTS fl
The server side needs a cookie and private key.
The K and I used to encrypt cookies is a hack constant so old cookies work
over server reboots.
The client side defaults to using the system root certificates. You can
provide your own.
With the NTS flag, the client side tries NTS-KE, and drop
Don't remove it just yet, I will email someone about it.
On Thu, Jan 31, 2019 at 11:42 AM Eric S. Raymond via devel
wrote:
> Hal Murray via devel :
> > Or does anybody know if that path has been tested? If so, when?
> >
> > In case you don't recognize the term, it's when you get with
> --enable
$TTL 86400
@ IN SOA thyrsus.com. root.thyrsus.com. (
8 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; ttl
)
;; Her
Mostly for Ian, who was trying to recall where he left off with ntpsnmpd.
I had a working ntpsnmpd instance running on a workstation which has, sadly,
been consumed by entropy along with the rest of the assay I was using. However,
I do recall that I had a Cacti instance collecting data from ntps
Hal Murray via devel :
> Or does anybody know if that path has been tested? If so, when?
>
> In case you don't recognize the term, it's when you get with --enable-mssntp
> ntpd calls out to a Microsoft server to authenticate a response packet.
I don't know that has ever been tested.
Having loo
Or does anybody know if that path has been tested? If so, when?
In case you don't recognize the term, it's when you get with --enable-mssntp
ntpd calls out to a Microsoft server to authenticate a response packet.