NTS client configuration support has landed

Gary E. Miller gem at rellim.com
Fri Feb 1 22:51:31 UTC 2019


Yo Hal!

On Fri, 01 Feb 2019 14:21:25 -0800
Hal Murray <hmurray at megapathdsl.net> wrote:

> Gary said:
> > No.  There are at least 5 new options for the nts.
> > Worse, some of the options mean different things for server and
> > nts.   
> 
> Would you please write up a summary in a new thread.  There has been
> a lot of discussion in this area and I haven't seen anything that
> makes it obvious that there is anything better than "server foo nts".

Well, it was in nts.adoc, after consensus had been reached, before Eric
removed it.  Discussing this in the live NTPD man page does not seem
like a good place.

I did just add some more of the required NTS-KE client options to
the nts.adoc.  In the section: == NTP Configuration parameters ==.

Here are some, not all of the required new config options:

*ask [address]* Request a particular NTPD server, but do not require it.
*address* may be a hostname, a FQDN, an IPv4 numeric address, an IPv6
numeric address (in square brackets).  Address may have the suffix
*:port* to specify a UDP port.

*require [address]* Require a particular NTPD server, fail if it is not
the NTPD server address returned.  Otherwise same as *ask*.

*noval* do not validate the server certificate

*cert [file]*  Present the certificate in *file* as our client certificate

*tls1.2* Allow TLS1.2 connection.

*tls1.3* Allow TLS1.3 connection.

*tls1.2ciphers [list]*  List of TLS 1.2 ciphers to negotiate, in preferred
order.

*tls1.3ciphers [list]*  List of TLS 1.3 ciphers to negotiate, in preferred
order.  TLS 1.2 and 1.3 ciphers are different and must be specified
separately as OpenSSL needs them separately.

*ntpciphers [list]*  List of ciphers to negotiate, in preferred
order for the NTPD connection.

*expire [seconds]*  How long to use an NTPD association before rekeying
with the NTS-KE server.

More to come, but I'd rather not get too far ahead, as what I had thought
was consensus has disappeared.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
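
An added example, not part of the original message and not NTPsec code: a Python sketch of how the *address* forms described for *ask*/*require* (hostname, FQDN, IPv4, bracketed IPv6, optional *:port*) can be parsed unambiguously, with *noval* reported as a warning. The whitespace-separated option string and the function names `parse_address` and `parse_nts_options` are assumptions made for illustration; only *ask*, *require*, *noval* and *expire* are handled.

```python
import ipaddress

def parse_address(text):
    """Return (kind, host, port) for an ask/require address; port may be None."""
    port = None
    if text.startswith("["):                      # bracketed IPv6 literal
        host, sep, rest = text[1:].partition("]")
        if not sep:
            raise ValueError("missing ']' in %r" % text)
        ipaddress.IPv6Address(host)               # ValueError if not valid IPv6
        kind = "ipv6"
        if rest:
            if not rest.startswith(":"):
                raise ValueError("junk after ']' in %r" % text)
            port = rest[1:]
    else:
        if text.count(":") > 1:                   # bare IPv6 is ambiguous with :port
            raise ValueError("IPv6 address needs square brackets: %r" % text)
        host, sep, rest = text.partition(":")
        if sep:
            port = rest
        try:
            ipaddress.IPv4Address(host)
            kind = "ipv4"
        except ValueError:
            kind = "name"                         # hostname or FQDN, resolved later
    if not host:
        raise ValueError("empty host in %r" % text)
    if port is not None:
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError("bad port in %r" % text)
        port = int(port)
    return kind, host, port

def parse_nts_options(line):
    """Parse an assumed whitespace-separated option string; return (options, warnings)."""
    opts, warnings, tokens = {}, [], line.split()
    while tokens:
        key = tokens.pop(0)
        if key in ("ask", "require", "expire"):
            if not tokens:
                raise ValueError("%s needs an argument" % key)
            arg = tokens.pop(0)
            opts[key] = int(arg) if key == "expire" else parse_address(arg)
        elif key == "noval":
            opts[key] = True
            warnings.append("noval: server certificate will not be validated")
        else:
            raise ValueError("unknown option %r" % key)
    return opts, warnings
```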