NTS: removed "not implemented" on server ca

Gary E. Miller gem at rellim.com
Tue Apr 2 21:39:09 UTC 2019

Yo Hal!

On Tue, 02 Apr 2019 14:27:06 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> >> I think the "-4" is only valid between "server" and the
> >> filename.  The parser may have dropped the rest of the line.  
> filename => hostname  (my typo)
> Note that your "maxpoll 5" didn't make it either.


> > Ouch.  The parser bytes me again.  The lack of parser diagnostics
> > is a PITA...  
> The parser actually does complain.  But if you are like me and put
> the log file in the config file rather than the command line, the
> parser errors go to syslog.

Uh, no:

kong /usr/local/src/GPS/gpsd/gpsd # fgrep NTP /var/log/messages
kong /usr/local/src/GPS/gpsd/gpsd # 

> We could consider having ntpd crash if there are any problems parsing
> the config file.

At least for anything security related.

> The current NTS code will crash (exit) if it has problems with
> various files. I can't tell if that is a bug or feature.

I'll go with feature, if it logs well.

> > Silently failing open is really bad.   
> Not my problem.  Nobody told me to open anything.

We just agreed that my bad config file caused NTPD to connect insecurely
(open) instead of with NTS.  So, no one told you to open that connection,
but your NTS software did.  I thought NTS was your problem?  Unless you
want to have Eric fix the parser...

Another test.  So I put the pi3 fullchain.pem in /tmp.  I still cannot
connect with this config:

server -4 pi3.rellim.com nts maxpoll 5 ca /tmp  # pi3

BTW, will that maxpoll work?

Here is the log:

2019-04-02T14:37:08 ntpd[28498]: DNS: dns_probe: pi3.rellim.com, cast_flags:1, f
2019-04-02T14:37:08 ntpd[28498]: NTSc: DNS lookup of pi3.rellim.com took 0.000 s
2019-04-02T14:37:08 ntpd[28498]: NTSc: nts_probe connecting to pi3.rellim.com:123 =>
2019-04-02T14:37:08 ntpd[28498]: NTSc: Using dir /tmp for root certificates.
2019-04-02T14:37:08 ntpd[28498]: NTSc: set cert host: pi3.rellim.com
2019-04-02T14:37:08 ntpd[28498]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-04-02T14:37:08 ntpd[28498]: NTSc: certificate subject name: /CN=pi3.rellim.
2019-04-02T14:37:08 ntpd[28498]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-04-02T14:37:08 ntpd[28498]: NTSc: certificate invalid: 20=>unable to get local issuer certificate
2019-04-02T14:37:08 ntpd[28498]: NTSc: NTS-KE req to pi3.rellim.com took 0.023 sec, fail
2019-04-02T14:37:08 ntpd[28498]: DNS: dns_check: processing pi3.rellim.com, 1, 2
2019-04-02T14:37:08 ntpd[28498]: DNS: dns_take_status: pi3.rellim.com=>error, 12

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
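Added example (not part of this thread or of ntpsec's code): the "20=>unable to get local issuer certificate" line above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, and a CA *directory* handed to OpenSSL is searched by subject-hash filename (<hash>.0), not by reading every file in it. Dropping fullchain.pem into /tmp therefore leaves the verifier with nothing it can find, even before asking whether that file holds the root the chain ends in (a public CA's fullchain.pem usually carries the leaf and intermediates, not the root). The script below builds a throwaway CA and leaf in a temp directory, reproduces the lookup failure with an unhashed directory, then repairs it with `openssl rehash`. It assumes the `openssl` command-line tool (1.1.0 or newer, for `rehash`) is on PATH; the CA name and hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example: CApath lookups need hashed filenames, or verification fails
# with OpenSSL error 20. Everything here is a throwaway PKI in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test CA and one leaf certificate it signs.
# (Names are placeholders; nothing here touches a real host.)
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=ntp.example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify a certificate against a CA *directory*, the same kind of lookup a
# "ca <dir>" setting hands to OpenSSL. Prints "ok" or "fail".
verify_with_capath() {
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Step 1: copy the CA cert into the directory under an arbitrary name.
# OpenSSL looks for <subject_hash>.0, so it never opens fullchain.pem:
# "error 20 at 0 depth lookup: unable to get local issuer certificate".
demo_unhashed() {
  mkdir -p "$WORK/cadir"
  cp "$WORK/ca.pem" "$WORK/cadir/fullchain.pem"
  verify_with_capath "$WORK/cadir" "$WORK/leaf.pem"
}

# Step 2: create the hashed symlinks; now the same directory works.
demo_hashed() {
  openssl rehash "$WORK/cadir" >/dev/null 2>&1
  verify_with_capath "$WORK/cadir" "$WORK/leaf.pem"
}

make_test_pki
BEFORE=$(demo_unhashed)
AFTER=$(demo_hashed)
echo "unhashed CA dir: $BEFORE"
echo "rehashed CA dir: $AFTER"
```

Run it as-is; the first verification reports "fail" and the second "ok". The point for the config above is that a "ca <dir>" setting is only as good as the hashed links inside that directory, and the client log's error 20 is the signature of that lookup coming up empty rather than of a bad certificate.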
