NTS: removed "not implemented" on server ca

Gary E. Miller gem at rellim.com
Tue Apr 2 21:20:38 UTC 2019


Yo Hal!

> At least it is no longer silently failing to insecure, now it is just
> silently failing.

Following up on my last post.  2 minutes and 30 seconds later, I finally got
this in my ntp.log:

2019-04-02T14:11:19 ntpd[10524]: DNS: dns_probe: pi3.rellim.com, cast_flags:1, f
lags:21801
2019-04-02T14:11:19 ntpd[10524]: NTSc: DNS lookup of pi3.rellim.com took 0.000 s
ec
2019-04-02T14:11:19 ntpd[10524]: NTSc: nts_probe connecting to pi3.rellim.com:12
3 => 204.17.205.23:123
2019-04-02T14:11:19 ntpd[10524]: NTSc: Using dir /tmp for root certificates.
2019-04-02T14:11:19 ntpd[10524]: NTSc: set cert host: pi3.rellim.com
2019-04-02T14:11:19 ntpd[10524]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-04-02T14:11:19 ntpd[10524]: NTSc: certificate subject name: /CN=pi3.rellim.
com
2019-04-02T14:11:19 ntpd[10524]: NTSc: certificate issuer name: /C=US/O=Let's En
crypt/CN=Let's Encrypt Authority X3
2019-04-02T14:11:19 ntpd[10524]: NTSc: certificate invalid: 20=>unable to get lo
cal issuer certificate
2019-04-02T14:11:19 ntpd[10524]: NTSc: NTS-KE req to pi3.rellim.com took 0.023 s
ec, fail
2019-04-02T14:11:19 ntpd[10524]: DNS: dns_check: processing pi3.rellim.com, 1, 2
1801
2019-04-02T14:11:19 ntpd[10524]: DNS: dns_take_status: pi3.rellim.com=>error, 12

So it does report something, just not what it should.  "ca" should not need
a "root" or "issuer" cert to work.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190402/b451efb5/attachment.bin>


More information about the devel mailing list