> I doubt that connection reuse is necessary for NTS-KE. It may even be
> undesirable, if it results in the same session keys (which I don't know if it
> does). We may want to simply turn off that feature in both the client and
> server.
I think I've turned it off.
SSL_CTX_set_session_cache_
Thanks.
Gary said:
>> Unless somebody objects or has a better idea, I'll implement Richard
>> Laager suggestion to disable the NTS-KE server if it can't read the
>> certificate and key.
> I can't think of any other option. Is there?
Sure. Run without a certificate. That won't get very far if
> Just a word of caution: this AppArmor policy is geared towards an NTP client
> and you will need to do some (poorly documented) configuration changes when
> configuring a server so the daemon can get at the device files for the
> refclock.
I wouldn't use client vs server to distinguish betw
Any reason to allow or prohibit them?
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
Gary said:
>> Any reason to allow or prohibit them?
> Do you mean the option to reject certs where the cert name
> is: *.example.com?
> Do you mean for client or server cert checking?
I'm interested in the case where the client is checking the cert from the
server.
OpenSSL doesn't default to
>> I'm calling that "cert and other certs" a chain.
> Except that is not the definition of a cert full chain file.
> Please don't make up new terms for long standing, well settled, concepts.
I didn't call it a "full" chain file.
I pulled the term "chain file" from the API. If you have a URL fo
Gary said:
> Well, in that case, a MUST. Many large server farms are too lazy to get
> individual certs for the individual hosts. They come and go too quickly to
> be micro-managed. That just get a wildcard cert.
Thanks.
More info via man SSL_CTX_get_security_level
The default seems appropriate for now. Some people might want to tighten
things up.
We might need to set it per-client to allow a new system to use servers
running on old systems.
> Very easily done. Do you have a preference for the name?
Do we want to do something now, or put it on the back burner until we find a
good use case?
I assume your "easily done" refers to the parser. Setting the security level
is easy too. But then we have to test it and such.
> Because that would be silly. At best I could exercise only a tiny random
> sample of the potential execution paths. Any sense of security we got from
> this would be false.
With the exception of refclocks, I'll bet you could cover most of what we use.
We can easily get traffic to cover most
e...@thyrsus.com said:
> You're driving this piece of the development, and I don't see an
> *architectural* reason to call that one way or the other. You tell me.
Being able to tighten up the security might be good for bragging rights.
Sure, let's do it. That will probably be faster than disc
[105/124] Linking hgm/main/ntpd/ntsd
/usr/bin/ld: libntp/libntp.a(msyslog.c.1.o): in function `addto_syslog':
/home/murray/ntpsec/raw/hgm/main/../../libntp/msyslog.c:171: undefined reference to `progname'
/usr/bin/ld: libntp/libntp.a(msyslog.c.1.o): in function `init_logging':
/home/murray/ntpsec/
> [105/124] Linking hgm/main/ntpd/ntsd
It's linking ntsd which we aren't interested in so I commented it out.
I think what's going on is that I added a call to msyslog which probably
dragged in a previously unused library.
> I've added a mandatory waf check for the libaes_siv library.
Thanks.
Did you fix the CI checks?
Is anybody working on fixing libaes_siv to build on NetBSD? Until that is
fixed, we won't build on NetBSD.
How do I tell it that I don't want the doc?
(I don't have a2x on that system.)
How do I get it to use my compiler?
my compiler is at /usr/lib/ccache/gcc
(not lib64)
cmake says
The CMAKE_C_COMPILER:
/usr/lib64/ccache/cc
is not a full path to an existing compiler tool.
Tell CMake whe
dfoxfra...@gmail.com said:
> I think what you did will probably work if you delete your CMakeCache and try
> again
Thanks. That is the hint I needed. I was scp-ing stuff from my main system
to others giving them a bogus cache.
It doesn't build on NetBSD. Do you recognize the erro
Has anybody else tried the latest changes on FreeBSD?
$ find /usr/ -name libaes*
/usr/local/lib/libaes_siv.so.1.0.0
/usr/local/lib/libaes_siv.so.1
/usr/local/lib/libaes_siv.so
/usr/local/lib/libaes_siv.a
$
['/usr/bin/clang', 'test.c.1.o', '-o/home/murray/ntpsec/raw/build/.conf_check_4be1ba75
> and what does it buy us?
Gary suggested it would allow a server to restrict its clients without having
to know their IP Address.
> How hard would it be to implement
Depends what "it" is.
If the spec is "signed by one of these (root) certs", that's probably only an
evening/weekend. Round
dfoxfra...@gmail.com said:
> Hal, try putting
> #define _ANSI_SOURCE 1
> #define _ISOC99_SOURCE 1
...
[100%] Linking C executable demo
[100%] Built target demo
-bash-4.4$ make test
Running tests...
Test project /home/murray/ntpsec/libaes_siv
Start 1: test
1/1 Test #1: test .
> Excellent. I just pushed the fix to HEAD.
Thanks.
I'm getting closer to actually using it.
Of course, it didn't work or you wouldn't be reading this message.
The symptom is that it links but doesn't run. At runtime, it can't find
libaes_siv
It was installed in /usr/local/lib/
It works after I add links from /usr/lib64/ over to /usr/local/l
This is the can't find library problem when run with Python 3.
[199/205] Processing fed/main/tests/pylib/test_agentx_packet.py
[200/205] Processing fed/main/tests/pylib/test_packet.py
[201/205] Processing fed/main/tests/pylib/test_statfiles.py
[202/205] Processing fed/main/tests/pylib/test_util.py
devel@ntpsec.org said:
> This is on Linux? Make sure /usr/local/lib is in your /etc/ld.so.conf and
> then run ldconfig.
Yes, Fedora. Worked. Thanks.
My /etc/ld.so.conf had only:
include ld.so.conf.d/*.conf
and that directory is empty.
It worked a few days ago. It works if I comment out the pair of new lines in
two files.
[ 11%] Building C object CMakeFiles/runtests.dir/aes_siv_test.c.o
In file included from /home/murray/ntpsec/libaes_siv/aes_siv_test.c:3:
In file included from /home/murray/ntpsec/libaes_siv/aes_siv.c:23:
In
> Let us know what work - it should be documented.
This is what I used on Linux:
echo "/usr/local/lib/" > /etc/ld.so.conf.d/libaes_siv.conf
ldconfig
This is what I used on NetBSD and FreeBSD. There is probably a better/cleaner
way, but I wasn't in the mood to go hunting for it.
cd /usr/lib/
> Can you isolate the commit where this got busted?
It was at the top of the message:
>> It worked a few days ago. It works if I comment out the pair
>> of new lines in two files.
That was the fix that made it work on NetBSD.
It actually uses Daniel's new code so you may have to fix your system so the
run-time loader finds libaes_siv.so.
Has anybody actually tried recent NTS code? Do your cookies work?
I added devel/TODO-NTS
An area that I hadn't thought about much before. We need a new mode in ntpq
and ntp_con
The normal newpeer path gets a zeroed block. But if a block gets freed,
it doesn't get zeroed when it is put on the free list.
How about we nuke that free list?
Google/gmail has been rejecting some of my mail recently.
Daniel said:
> I'm also waiting on Hal to run it through his build farm again to let me know
> if last-minute changes caused any breakage.
The ANSI fix for NetBSD broke FreeBSD.
-- Build files have been written to: /home/murray/ntpsec/lib
There is a rough edge that I don't fully understand.
The man page for AES_SIV_Decrypt says:
These functions return 1 on success and 0 on failure.
There are 2 types of errors: the CMAC check failed, or there was a problem in
some underlying machinery.
Is there any way to distinguish bet
> You also have to add a few lines on the NTP server to reject requests without
> certificates.
I expect that just that "simple" feature would eliminate most of the trash.
For a while.
The client adds the NTS extensions and the server decodes them.
I'm going to stretch my legs and try to catch up on email before starting on
the response side.
Eric: If you feel like hacking, the thing that I'm going to want real soon is
something similar to ntpq's authinfo. I think the ntpq
dfoxfra...@gmail.com said:
> The BSDs work the same way Linux does except on FreeBSD the configuration
> file is called /etc/ld-elf.so.conf and you run 'ldconfig -elf' after you've
> changed it.
Thanks.
My NetBSD systems don't have a ldconfig.
My FreeBSD systems don't come with a /etc/ld-elf
dfoxfra...@gmail.com said:
> What version of OpenSSL are you building against on FreeBSD? I want to go
> through sources to figure out exactly why it fails.
Current release:
12.0-RELEASE
/usr/include/openssl/opensslv.h:# define OPENSSL_VERSION_NUMBER 0x1010101fL
Fails
An older system:
11.2-RE
dfoxfra...@gmail.com said:
> Try the new HEAD (3562205). I changed ANSI to POSIX.1-2001 which should
> hopefully make FreeBSD happy again while still suppressing the colliding
> symbols on NetBSD.
Works on both FreeBSD and NetBSD.
Thanks.
dfoxfra...@gmail.com said:
> You can assume it's a verification failure because "failure in underlying
> machinery" shouldn't be possible. The call doesn't allocate memory and
> doesn't make any system calls. There's nothing that can fail.
Thanks.
It would be nice to have that in the man page.
> I'll study authinfo and get back to you, probably tomorrow.
authinfo is a bad example. ntpq has its own copy of that list.
I thought there was at least one command that didn't need its own list, but I
can't find an example.
Beware, you may get sucked in. The swamp is pretty deep, but it's
e...@thyrsus.com said:
> What I will do, unless you tell me there's something really important about
> those three wired-in order tables in ntp_control.c, is move them to ntpq.
I think the 3 tables are in 3 different spaces. There is the main table of
global variables. There is the one for th
I'm getting close. I'm debugging by printf. I think I just processed the
first NTS round trip. Then I get this:
19 Feb 17:58:54 ntpd[23678]: DNS: dns_take_status: rp11.example.com=>good, 0
ECR: 10, 32, 180
ECR: 13, 144, 144
ECRa: 108, 16
ECRb: 1, 108
ECR: 11, 104, 104
ECRx: 1, 8
Segmentation
Found it. I was storing a cookie into slot 8 of an 8 element array.
Cleanup time.
The server side needs a cookie and private key.
The K and I used to encrypt cookies is a hack constant so old cookies work
over server reboots.
The client side defaults to using the system root certificates. You can
provide your own.
With the NTS flag, the client side tries NTS-KE, and drop
> Excellent. What's the next thing you need from me?
Testing. Get it up and running in your local environment. If you have a real
certificate and are willing to support some testing traffic, tell me/us the
host name and/or send us the root certificate.
If you want to write code, we need to s
The t column is a "u" for user/client. (Looks like "l" for refclocks. It
used to be interesting for broadcast and such, but I think you can figure that
out from the remote address.)
We can put 0-8 in that slot to indicate that we are talking to that server
with NTS and show the number of co
This is from an old ntpq -p
The new ntpq is similar.
remote refid st t when poll reach delay offset jitter
=====
0.0.0.0 .POOL. 16 p- 2560..
0.
> If I have a real certificate, I don't know it.
You have one on any web server that supports https. I don't know where it
lives. Probably someplace in apache land.
Gary says it's easy to get them via Lets Encrypt. Their web page says you
need to control the domain. Gary said you only need a
dfoxfra...@gmail.com said:
>> The K and I used to encrypt cookies is a hack constant so old
>> cookies work over server reboots.
> I assume this is temporary while you work on this code, right? Obviously if K
> is a hardcoded constant you have no security.
Right. Total hack to allow debugging
e...@thyrsus.com said:
> The peers display looks OK, so my test to see if a number should be inserted
> in the status field is probably busted. Should be trivial to fix once ntpd
> ships the right thing.
The peers display is often somewhat screwy. I suspect something in your
recent table cle
It's a lot better. I haven't seen digits replacing the u.
The hostname isn't getting printed out in a few cases:
remote refid st t when poll reach delay offset jitter
=====
0.0.0.0
[161/208] Compiling tests/ntpd/nts.c
In file included from ../../tests/unity/unity.h:16:0,
from ../../tests/ntpd/nts.c:3:
../../tests/ntpd/nts.c: In function ‘TEST_nts_nts_append_record_null_’:
../../tests/unity/unity_internals.h:658:121: warning: cast from pointer to integer
My bad - warnings, not errors.
It works. (on 32 bit systems)
gha...@gmail.com said:
> I have a server running ntpsec git head, in the pool. It has a valid SSL
> certificate. I would like to turn on NTS, etc, and see what happens.
Looks like you are debugging the documentation as well as the code.
Eric: Should we have a simple man page on how to setup t
Things seem to be mostly working. Some of my observed quirks may have
involved older versions of client or server. It's probably best to ignore
all my previous reports and start over.
elif srcadr.startswith("224."):
ptype = 'a' # manycastclient (compatibility
gha...@gmail.com said:
> I have a server running ntpsec git head, in the pool. It has a valid SSL
> certificate. I would like to turn on NTS, etc, and see what happens.
One thing that nobody has tried/checked yet...
If the secret key file for your certificate needs a password, ntpd may have
Try server where foo doesn't resolve via DNS. It may need a nts in
there.
remote refid st t when poll reach delay offset jitter
=====
0.0.0.0 .INIT. 16 u- 640 0
I was cleaning up a quirk and, while I was at it, I added the IPv6 listener.
That turned into an interesting adventure. By default, on most systems, it
also listens on IPv4. If you already have an IPv4 listener on that port, it
fails with an Address already in use error. There is a socket option
What do these mean?
ask address
Use Network Time Security for authentication and encryption. Ask
for a specific NTS server, which may differ from the NTP server.
Conforms to RFC 3896 section 3.2.2 prescription for the Host part
of a URI: that is,
Gary said:
> Yes, it is confusing, that is why there was a proposal for a different
> syntax that Eric vetoed. You are making the exact mistake we foresaw. This
> will continue with the current syntax.
Thanks. Now that I understand the ideas, I'll see if I can clean up the
wording.
> Uh
It now talks to Martin Langer's server.
I added another hack to ntpq. (The hack is actually in ntpd, but you see it
in ntpq -p.) Where it used to show INIT in the refid column to indicate that
it hasn't received any packets yet, it will now show NTS or DNS if it is
waiting for NTS/DNS lookup.
Argh. I forgot to mention that the bits on the wire have changed. If you are
testing NTS, you will have to update both ends.
Eric said:
> So this means ntpd is shipping these strings in the refid field?
Yes
> I want to document this. Not sure where it goes.
For things like that, I grep -r docs/
That misses the man pages that are in the directory with program sources.
INIT gets 2 hits. Neither looked like what you
Eric said:
> Good. I'm in favor of anything it can do to export more meaningful status
> information, and this definitely qualifies.
I assume that includes putting a digit in the t column to show the number of
cookies and hence indicate that a slot is using NTS.
There is currently a bug in th
[0 not showing up in ntpq -p t column for NTS clients.]
Eric said:
> I'd fix this, but I'm not sure whether you're talking server or client side.
The problem is in ntpq. Somebody returns 0 for slots that don't exist. The
check for >= 0 needs to do a preliminary check to see if the slot exists.
> What still needs to be done to fully land this feature? Key rotation?
> Anything else?
I've been collecting major items in devel/TODO-NTS
Mostly, it needs testing and probably an overview level documentation.
Something high level rather than the details of how to configure it. Maybe a
HOW
> I've tried defaulting ntscookies to -1 and testing for > that - change pushed.
Thanks. Looks good.
That now exposes a subtle detail. If you see NTS in the refid column, look at
the t column. If it is "u", then the NTS-KE level didn't work. If you see a
"0" there, then the NTS-KE worked bu
Eric said:
>> I've been collecting major items in devel/TODO-NTS
> Is there some reason this isn't just a section in nts.adoc? (Which may need
> some GC at this point.) The whole idea of that document was to be a planning
> whiteboard.
Only signal to noise. I was trying to capture the big ide
Gary said:
> It is missing key rotation. Also how to share keys between standalone NTS-KE
> and NTPD.
Why do we need a standalone NTS-KE server?
> Gary said:
> "noval" is not mostly for debugging. It is essential for off network
> operation.
I don't understand that use case. Without checkin
Gary said:
> Because that is the initial use case. If each ntpd had nts-ke in it then
> there would be no need for such a complicated protocol.
> The way Mark explained it to me, you want one NTS-KE per aisle, or per rack.
> That limits the number of servers, with keys, that need to be protecte
> And the NTS-KE and NTPD are NOT on the same host?
No. I misinterpreted your question.
>> I don't understand that use case. Without checking the certificate,
>> you have no real security.
> Not complete security, but at least encryption. And there are levels of
> validation. If you are off
> I'll take responsibility for the documentation.
Thanks.
Be sure to include a section that says that NTS doesn't guarantee good time,
just that you are talking to the system you expect to talk to. (modulo typos
and such)
e...@thyrsus.com said:
>> My big concern is that nobody else seems to be testing it. There may be
>> dragons that I haven't poked.
> Understood. Unfortunately I myself can't be much help here - my outside view
> of NTP is still weak, I have only limited ability to recognize what normal
> opera
Gary said:
>> Which ones do you intend to relax? And in any case you don't need a
>> whole CA, you can pin a self-signed cert and still do full validation
>> on it.
> Except we can't. The current NTPsec code does not support any cert
> fanciness.
For some value of "any" or "fancy".
You can pr
Achim Gratz said:
>> Why do we need a standalone NTS-KE server?
> Because you only want one NTS-KE per any number of ntpd on a large fleet of
> hardware (think a warehouse full of compute racks) and of course the NTP pool
> servers will not work with NTS any other way.
There is no security in t
devel@ntpsec.org said:
> Partial validation means you don't follow the cert chain to the root. In the
> off-net scenario, it means you stop following the chain when you'd have to go
> outside the network perimeter you're in. ...
> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinnin
> Let me take a different tack: can we move the auth computation off path?
Nope. The auth includes the whole packet. Can't do the auth until you know
the time that you are going to put in the packet.
We can measure how long it takes and advance the time to compensate.
k...@roeckx.be said:
> If this is something you're worried about, this can be solved with the
> interleave mode, which was removed.
How well does it work?
Is there an option to get a kernel timestamp on transmit packets?
Eric said:
> I meant to mention that there are actually *two* big benefits in prospect
> from a Go port. The obvious one is being able to junk a lot of fiddly,
> error-prone C memory-management stuff.
I'm actually surprised that you haven't simplified a lot of that yet.
There are several plac
My strawman for REFCLOCKD is something like the Turing test. You can't tell
the difference by poking around with ntpq. (Maybe you don't get to poke too
deep.)
There are two parts to the refclock code.
The first operates on the second time scale. The main thread calls the
refclock receive
I will be seriously disappointed if you drop that code.
You need it to verify that you don't need it.
Some of us are interested in that level of detail. If you start removing
things like that, I will probably spend less time here.
Your comments in the tour document are biased. (I'm probably
e...@thyrsus.com said:
>> My strawman for REFCLOCKD is something like the Turing test.
>> You can't tell the difference by poking around with ntpq. (Maybe
>> you don't get to poke too deep.)
> It'd need its own UDP port.
I don't understand. All I was trying to say is that splitting out the
> We've established not so long ago that a single NTP server can serve a lot of
> clients. The number of servers is driven by the network topology more
> likely, i.e. say you want one NTP server per network span or subnet, so the
> server has low latency to each of its clients and doesn't send p
>> There is no security in the pool anyway, so let's put that discussion
>> aside for a while.
> I'd take exception with that statement. If the pool was upgraded to use NTS
> one way or the other, it _would_ provide some extra security over the status
> quo. It's a different kind of security th
Gary said:
>> Otherwise, either do full validation or don't bother with NTS
>> at all. Pinning counts as full validation.
> I'd be happy if we had per host pinning instead of "noval".
How is per-host pinning normally implemented?
We have the option to use a local file of trusted/root certific
Eric said:
> Trying to change that by breaking out a separate NTS-KE server would
> introduce a lot of complexity when we could achieve the same result by
> pointing the ntpd instances at a common key on a fileshare.
That adds the fileshare to the security tangle and probably complicates the
sta
Gary said:
> Think data center. The data center controls the LAN, but the customers
> control what is in the containers. Or the hacker that used the latest
> Wordpress bug to take over the container. And breaking out of a container
> to infect the motherboard is not that hard.
I would assum
Eric said:
>> I don't understand. All I was trying to say is that splitting
>> out the refclock drivers to another process shouldn't make
>> any difference that is easily visible.
> Maybe. The devil is in the details.
> I expect some issues around Mode 6. We'd still need to exchange control
>
e...@thyrsus.com said:
>> You need it to verify that you don't need it.
> Interesting point. How do you account for the fact that nobody noticed when
> it was accidentally disabled for six months, though? Definitely the kind of
> thing I'd expect either you or Gary to pick up on, if it made an
Gary said:
>> I would assume that critical infrastructure would be run in a less
>> insecure environment.
> Bad assumption. Just look at any data center. There is no way to secure
> customer machines. Unless you get rid of the customers.
Right. But why would you run your NTS-KE server on a
rlaa...@wiktel.com said:
> CNAMEs don't really help. Certificate validation uses the original name
> anyway.
I was assuming we could intercept the CNAME and use that for certificate
validation. Maybe I should have said SRV or TXT or ???
The normal getaddrinfo and friends automatically follow
dfoxfra...@gmail.com said:
> One thing to keep in mind is that if the client is using SO_TIMESTAMP but the
> server isn't, or vice versa, you're going to introduce a persistent
> inaccuracy on the order of a microsecond, due to the resulting asymmetry in
> the point at which the timestamp is capt
dfoxfra...@gmail.com said:
> If you try to measure the cost of the authentication code using log messages
> you're going to get total noise, because the cost of logging a message is
> higher than the cost of doing the authentication. Each invocation of AES-SIV
> should take, in round numbers, 250
e...@thyrsus.com said:
> The two most obvious pain points here are the fudgetime variables. Some
> refclocks set their own custom clock variables, as well; the generic driver
> in particular, I think one other as well.
The fudgetime variables can remain in ntpd.
If the problem is the driver se
e...@thyrsus.com said:
>> Do you have an example of where we need to change a
>> driver variable on the fly?
> No, I'm bothered because I'm (a) not sure we'll never need to do it, and (b)
> pretty sure what the Dread God Finagle will arrange if I assume we won't. :-)
I just looked at the code.
> The intended design for running NTS with pool servers is that only the pool
> operator runs an NTS-KE server. The NTS-KE server then picks an NTS-enabled
> NTP server out of the pool and serves you an appropriate NTPv4 Server
> Negotiation Record. Individual server operators, on a one-time basi
> There is one interesting area that it doesn't cover. The kernel (on most
> OSes) has an optional PLL that locks on to a PPS source. ntpd acts as a
> sanity check and turns that on and off. If we want to use that mode, we need
> a back channel, or an ugly wart in ntpd. We can probably get t
Eric said:
> You yourself advocated that Mode 6 ought to be replaced by an HTTP service on
> TCP port 123. I think that's a good idea, if we can do it. The problem is
> that NTS-KE *also* wants to have TCP 123.
I don't want the UI side of HTTP in ntpd.
> What that says to me is that whatever
> The spec already mandates that ALPN always be used and allocates a tag with
> IANA.
My call to
SSL_CTX_set_alpn_protos(client_ctx, alpn, sizeof(alpn));
is inside
#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
> tcp/123 is already a new firewall hole. If you want to work around
> unchangeabl
Gary said:
> But I would like something like SIGHUP to get ntpd to re-read the config file
> and yet keep state.
I think something like that is possible. It's not simple, but not horrible.
The HUP logic is there. It works for a new leap file and new log file when it
gets rotated.
The confi
wscript says MacOS doesn't have it.
timer_create seems pretty basic. Is that still accurate? Or perhaps leftover
from an old version that is no longer supported?
> Maybe this isn't a good path to go down after all.
This has been requested for a long time. I think it's worth the effort. We
just have to find the right person (team?) and the right time.
It may involve cleaning up that area, but that's not bad. Or maybe just
rearranging, or maybe just a
dfoxfra...@gmail.com said:
[using ALPN]
> I've never tried it myself, but I think Nginx can handle this. Use
> ngx_stream_ssl_preread_module to check ALPN, then based on what's there
> either terminate TLS locally or forward traffic at the TCP layer to some
> other port on ::1. AFAIK Apache users