NTS: removed "not implemented" on server ca

Gary E. Miller gem at rellim.com
Tue Apr 2 23:26:04 UTC 2019


Yo Hal!

On Tue, 02 Apr 2019 16:10:35 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> > If nts is on the server line, any failure should be fatal.
> 
> If the "nts" is after the error, the parser won't see it.

Yup, that's the bug.  Bad.

> >> You can switch the log file from the command line.  
> > I'd prefer a sane default.   
> 
> The default is syslog.
> 
> I think most distros have some way to split the syslog stuff into
> various piles (files).

I already split off ntpd into /var/log/ntp.log, except at startup.
I'd like it always there.  But not essential, just confounding...


> > On that note, when NTS returns "pi3.rellim.com", how do I tell NTPD
> > to use the IPv4 or IPv6?   
> 
> That's what the -4 or -6 after "server" does.  Works for NTS the same
> way it does for DNS.

Except when it just errors out the entire line...

That is not in ntp.conf man page.

> > Also, still broken for me when the fullchain.pem is in /tmp:  
> 
> No (easy/reasonable) way that I know of to fix that.  The API I'm
> using works with root certs.

And yet, other programs make it work.  I'd be happy with pinning
instead.  Which is what I wanted before "ca".


> > Well, I don't have one.  Remember, LE has no "the root cert".   
> 
> Sure it does.  It's already installed on your system so the normal
> case works.

No.  LE has FIVE root certs.  Maybe you can call it a split root.  And
you have no way of knowing which one they use for any particular cert.

Check out the ugly diagram at the bottom:

    https://letsencrypt.org/certificates/

And note they specifically say: "Our roots are kept safely offline."

So you can't even get the root to check it!

> > Well, that is wrong.  I want a cert in the chain of the server I'm
> > trying to NTS to.  Specifically NOT a system root cert.   
> 
> Sorry.  I don't see how to provide that.

Then better document that in "ca", it is not what people expect.

And if you think you are testing against an LE cert, you can't be.
As above they keep their roots offline.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin