NTS client configuration support has landed

Richard Laager rlaager at wiktel.com
Sat Feb 2 00:35:49 UTC 2019


FWIW, I think you've sold me on why we need "nts" separate from
"server". There are a LOT of extra options for NTS.

On 2/1/19 4:51 PM, Gary E. Miller via devel wrote:
> *require [address]* Require a particular NTPD server, fail if it is not
> the NTPD server address returned.  Otherwise same as *ask*.

If I specify "require 1.2.3.4" and get back 1.2.3.4:1123, does that fail
because the port doesn't match (because the port, if not specified, is
123)? I'd say yes.

> *cert [file]*  Present the certificate in *file* as our client certificate.

Good call! I don't use client certificates, but they're a stock part of TLS.

You probably also need a parameter to specify a root certificate list.
This might be for all of ntpd, rather than per association.

> *tls1.2* Allow TLS1.2 connection.
> 
> *tls1.3* Allow TLS1.3 connection.

This does not feel scalable as new versions of TLS get created. I'd
suggest something like tlsminver, which specifies the minimum version of
TLS to accept. The default is 1.2 per the draft. The allowed values are
currently 1.2 and 1.3. For an example of this, see Dovecot 2.3 which
introduced ssl_min_protocol.

> *tls1.2ciphers [list]*  List of TLS 1.2 ciphers to negotiate, in preferred
> order.

Please call this "ciphers" to match OpenSSL and other applications.

> *tls1.3ciphers [list]*  List of TLS 1.3 ciphers to negotiate, in preferred
> order.  TLS 1.2 and 1.3 ciphers are different and must be specified
> separately as OpenSSL needs them separately.

Please call this "ciphersuites" to match OpenSSL and other applications.
Also, if a future TLS 1.4 uses the same list, it will be weird if this
has TLS 1.3 embedded in the name forever.

> *ntpciphers [list]*  List of ciphers to negotiate, in preferred
> order for the NTPD connection.

All three of these take a "list", which is really a single string which
happens to be colon-separated.

-- 
Richard
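The following is an added example, not code from NTPsec or from either poster. It sketches how the option names argued for in this message ("require" with a defaulted port of 123, "tlsminver" instead of per-version flags, "ciphers" and "ciphersuites" as single colon-separated strings) might be parsed and applied to an OpenSSL-backed TLS context. The line format, the option-to-context mapping and the sample config lines are all assumptions made for illustration; NTPsec's actual ntp.conf grammar may differ.

```python
"""Hypothetical parser for the "nts" options proposed in this thread.
Constructed example: not NTPsec code, and the line grammar is assumed."""
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_NTP_PORT = 123      # port assumed when "require" omits one
DEFAULT_TLS_MIN = "1.2"     # the NTS draft's default, as stated in the thread
TLS_MIN_VERSIONS = {        # the values tlsminver accepts today -> ssl enum
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass
class NtsOptions:
    require: Optional[Tuple[str, int]] = None
    tlsminver: str = DEFAULT_TLS_MIN
    ciphers: List[str] = field(default_factory=list)       # TLS 1.2 cipher list
    ciphersuites: List[str] = field(default_factory=list)  # TLS 1.3 ciphersuites
    ntpciphers: List[str] = field(default_factory=list)    # NTP-side cipher list


def parse_hostport(text: str, default_port: int = DEFAULT_NTP_PORT) -> Tuple[str, int]:
    """Split "host", "host:port", "[v6]" or "[v6]:port" into (host, port).
    A missing port becomes the default so that "1.2.3.4" means "1.2.3.4:123"."""
    if text.startswith("["):
        host, sep, rest = text[1:].partition("]")
        if not sep:
            raise ValueError(f"unterminated IPv6 literal: {text}")
        port_text = rest[1:] if rest.startswith(":") else ""
    elif text.count(":") == 1:
        host, _, port_text = text.partition(":")
    else:
        # bare IPv4, hostname or unbracketed IPv6: host only, default port
        host, port_text = text, ""
    port = int(port_text) if port_text else default_port
    if not host or not 0 < port < 65536:
        raise ValueError(f"bad address: {text}")
    return host, port


def require_matches(required: Tuple[str, int], returned: Tuple[str, int]) -> bool:
    """The reading argued for above: host and port must both match, and an
    unspecified port is compared as 123, so a 1123 answer fails."""
    return required == returned


def split_list(text: str) -> List[str]:
    """OpenSSL-style "list": one colon-separated string, not several words."""
    return [item for item in text.split(":") if item]


def parse_nts_line(line: str) -> NtsOptions:
    """Parse an assumed 'nts KEY VALUE KEY VALUE ...' line into NtsOptions."""
    words = line.split()
    if not words or words[0] != "nts":
        raise ValueError("not an nts line")
    opts = NtsOptions()
    for i in range(1, len(words), 2):
        key = words[i]
        if i + 1 >= len(words):
            raise ValueError(f"option {key} needs a value")
        val = words[i + 1]
        if key == "require":
            opts.require = parse_hostport(val)
        elif key == "tlsminver":
            if val not in TLS_MIN_VERSIONS:
                raise ValueError(f"tlsminver must be one of {sorted(TLS_MIN_VERSIONS)}")
            opts.tlsminver = val
        elif key == "ciphers":
            opts.ciphers = split_list(val)
        elif key == "ciphersuites":
            opts.ciphersuites = split_list(val)
        elif key == "ntpciphers":
            opts.ntpciphers = split_list(val)
        else:
            raise ValueError(f"unknown nts option: {key}")
    return opts


def build_ssl_context(opts: NtsOptions) -> ssl.SSLContext:
    """Apply the parsed options to an OpenSSL-backed client context."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_MIN_VERSIONS[opts.tlsminver]
    if opts.ciphers:
        # TLS 1.2 list, same semantics as OpenSSL's SSL_CTX_set_cipher_list
        ctx.set_ciphers(":".join(opts.ciphers))
    # Python's ssl module exposes no setter for TLS 1.3 ciphersuites
    # (OpenSSL's SSL_CTX_set_ciphersuites), so opts.ciphersuites is parsed
    # but not applied here; a C implementation would pass it to that call.
    return ctx


if __name__ == "__main__":
    # Constructed sample line in the assumed grammar.
    sample = "nts require 1.2.3.4 tlsminver 1.3 ciphers ECDHE-RSA-AES128-GCM-SHA256"
    print(parse_nts_line(sample))
    print(require_matches(parse_hostport("1.2.3.4"), parse_hostport("1.2.3.4:1123")))
```

A real implementation would also need the root-certificate list mentioned above and would pass "ciphersuites" through to OpenSSL's TLS 1.3 setter, which this sketch only records.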
