NTS: removed "not implemented" on server ca

Gary E. Miller gem at rellim.com
Tue Apr 2 21:12:13 UTC 2019


Yo Hal!

On Tue, 02 Apr 2019 13:25:11 -0700
Hal Murray <hmurray at megapathdsl.net> wrote:

> My quick try didn't reproduce your problem.  What's in your log
> file.  There should be something like this:
>  2 Apr 13:11:21 ntpd[4313]: NTSc: Using dir /tmp/ for root
> certificates.

Nope.  And it should just be for the one cert, not always a
root cert.  So if that message says what it means it is not doing
what we want.

> I notice 2 "nts" in your server line, but that shouldn't break
> things.

Ooops. fixed.

> I think the "-4" is only valid between "server" and the
> filename.  The parser may have dropped the rest of the line.

Ouch.  The parser bytes me again.  The lack of parser
diagnostics is a PITA...

Silently failing open is really bad.

Also, the ntp.conf synopsis for "server" fails to mention that and
other limitations.

Here is the log:

2019-04-02T11:31:11 ntpd[10911]: DNS: dns_probe: pi3.rellim.com, cast_flags:1, flags:21801
2019-04-02T11:31:11 ntpd[10911]: NTSc: DNS lookup of pi3.rellim.com took 0.000 sec
2019-04-02T11:31:11 ntpd[10911]: NTSc: nts_probe connecting to pi3.rellim.com:123 => [2001:470:e815::23]:123
2019-04-02T11:31:11 ntpd[10911]: NTSc: set cert host: pi3.rellim.com
2019-04-02T11:31:11 ntpd[10911]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-04-02T11:31:11 ntpd[10911]: NTSc: certificate subject name: /CN=pi3.rellim.com
2019-04-02T11:31:11 ntpd[10911]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-04-02T11:31:11 ntpd[10911]: NTSc: certificate is valid.
2019-04-02T11:31:11 ntpd[10911]: NTSc: matched cert host: pi3.rellim.com
2019-04-02T11:31:11 ntpd[10911]: NTSc: read 880 bytes
2019-04-02T11:31:11 ntpd[10911]: NTSc: Got 8 cookies, length 104, aead=15.
2019-04-02T11:31:11 ntpd[10911]: NTSc: NTS-KE req to pi3.rellim.com took 0.024 sec, OK
2019-04-02T11:31:11 ntpd[10911]: DNS: dns_check: processing pi3.rellim.com, 1, 21801
2019-04-02T11:31:11 ntpd[10911]: DNS: Server taking: 2001:470:e815::23
2019-04-02T11:31:11 ntpd[10911]: DNS: Server poking hole in restrictions for: 2001:470:e815::23
2019-04-02T11:31:11 ntpd[10911]: DNS: dns_take_status: pi3.rellim.com=>good, 0
2019-04-02T11:31:11 ntpd[10911]: PROTO: 2001:470:e815::23 a014 84 reachable

I changed to:

server -4 pi3.rellim.com nts maxpoll 5 ca /tmp  # pi3

Now it gets weird.  I see this in ntpmon:

 pi3.rellim.com  .NTS.           16 u    -   32    0   0.0000   0.0000   0.0001

But NOTHING about pi3 in the logs!

At least it is no longer silently failing to insecure, now it is just
silently failing.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
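The security-relevant point in this exchange is a config parser that silently drops the rest of a line, so a server meant to use NTS can quietly fall back to plain NTP. The following is an added example, not code from ntpd or from this thread: a strict parser for a simplified `server` line that reports a misplaced `-4`/`-6` or an unknown word instead of ignoring it. The grammar (`server [-4|-6] HOST [nts] [maxpoll N] [ca PATH]`) is an assumption for illustration, not ntpd's real grammar.

```python
"""Strict parser for a simplified ntp.conf ``server`` line (constructed example).

Assumed grammar, not ntpd's real parser:
    server [-4|-6] HOST [nts] [maxpoll N] [ca PATH]
The goal is fail-closed behaviour: anything the parser does not understand
raises an error rather than being silently dropped.
"""

ADDRESS_FLAGS = {"-4", "-6"}


def parse_server_line(line):
    """Return a dict describing the server line, or raise ValueError."""
    # Strip a trailing comment (e.g. "# pi3") before tokenizing.
    words = line.split("#", 1)[0].split()
    if not words or words[0] != "server":
        raise ValueError("not a server line: %r" % line)
    cfg = {"family": None, "host": None, "nts": False, "maxpoll": None, "ca": None}
    i = 1
    # Address-family flags are only accepted directly after "server".
    if i < len(words) and words[i] in ADDRESS_FLAGS:
        cfg["family"] = words[i]
        i += 1
    if i >= len(words):
        raise ValueError("missing hostname: %r" % line)
    cfg["host"] = words[i]
    i += 1
    while i < len(words):
        tok = words[i]
        if tok in ADDRESS_FLAGS:
            # A flag after the hostname is exactly the case the thread hit.
            raise ValueError("%s must appear between 'server' and the hostname" % tok)
        if tok == "nts":
            cfg["nts"] = True
            i += 1
        elif tok in ("maxpoll", "ca"):
            if i + 1 >= len(words):
                raise ValueError("%s requires an argument" % tok)
            cfg[tok] = int(words[i + 1]) if tok == "maxpoll" else words[i + 1]
            i += 2
        else:
            raise ValueError("unknown option %r on server line" % tok)
    return cfg
```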