NTS client configuration support has landed

Eric S. Raymond esr at thyrsus.com
Sat Feb 2 04:13:53 UTC 2019


Gary E. Miller via devel <devel at ntpsec.org>:
> Well, it was in nts.adoc, after consensus had been reached, before Eric
> removed it.

Everything I removed I removed because I implemented it and described
the new options in docs/includes.assoc-options.adoc.

From now on, you can assume that if I remove stuff from that section
without discussion, another part of the commit has moved it to
docs/includes.assoc-options.adoc.

> I did just add some more of the required NTS-KE client options to
> the nts.adoc.  In the section: == NTP Configuration parameters ==.
> 
> Here are some, not all of the required new config options:
> 
> *ask [address]* Request a particular NTPD server, but do not require it.
> *address* may be a hostname, a FQDN, an IPv4 numeric address, or an IPv6
> numeric address (in square brackets).  Address may have the suffix
> *:port* to specify a UDP port.
> 
> *require [address]* Require a particular NTPD server, fail if it is not
> the NTPD server address returned.  Otherwise same as *ask*.

These are already implemented, but they currently stash the raw string rather
than parsing it for the address and port element.  I don't think it makes
a lot of difference whether this is done at parse time or at peer initialization
time.

I just copied the address-argument description to the official docs for
the NTS options.

> *noval* do not validate the server certificate

Trivial.  In fact, so trivial that I just implemented it.

> *cert [file]*  Present the certificate in *file* as our client certificate
> 
> *tls1.2* Allow TLS1.2 connection.
> 
> *tls1.3* Allow TLS1.3 connection.
> 
> *tls1.2ciphers [list]*  List of TLS 1.2 ciphers to negotiate, in preferred
> order.
> 
> *tls1.3ciphers [list]*  List of TLS 1.3 ciphers to negotiate, in preferred
> order.  TLS 1.2 and 1.3 ciphers are different and must be specified
> separately as OpenSSL needs them separately.
> 
> *ntpciphers [list]*  List of ciphers to negotiate, in preferred
> order for the NTPD connection.
> 
> *expire [seconds]*  How long to use an NTPD association before rekeying
> with the NTS-KE server.

expire is easy, I'll do that next.

I thought the minimum TLS level was supposed to be 1.3.  Why are we supporting
1.2 options?

Would somebody dig me up lists of the cipher names?

I'd prefer not to have option names with embedded punctuation - I think
that might force unpleasant complications in the scanner. Try again?
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
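The *ask*/*require* address argument quoted above (hostname, FQDN, IPv4 literal, or bracketed IPv6 literal, with an optional *:port* suffix) is the kind of thing that is better parsed once, at configuration time, than stashed as a raw string and re-split later, because the same colon character serves as the IPv6 separator and as the port delimiter. The following is an added example of such a parser; it is not ntpsec code and does not reflect how ntpd's scanner actually handles the option. The default port value, the `NtsServerAddress` record, the function names, and the sample inputs are assumptions constructed for the example; it goes slightly beyond the quoted text by also validating the hostname labels and rejecting an unbracketed IPv6 literal instead of silently misreading its last group as a port.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical default: the NTP service port used when no ":port" suffix is given.
DEFAULT_NTP_PORT = 123


@dataclass(frozen=True)
class NtsServerAddress:
    """Parsed form of an ask/require argument (constructed type for this example)."""
    host: str
    port: int
    family: str  # "ipv4", "ipv6" or "name"


def _parse_port(text: str) -> int:
    """Accept only a decimal port in 1..65535; anything else is a configuration error."""
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def _check_hostname(host: str) -> None:
    """Reject labels that could not be a DNS name (empty, too long, stray characters)."""
    if len(host) > 253:
        raise ValueError(f"hostname too long: {host!r}")
    for label in host.rstrip(".").split("."):
        ok = (
            0 < len(label) <= 63
            and not label.startswith("-")
            and not label.endswith("-")
            and all(c.isascii() and (c.isalnum() or c == "-") for c in label)
        )
        if not ok:
            raise ValueError(f"invalid hostname: {host!r}")


def parse_server_address(spec: str, default_port: int = DEFAULT_NTP_PORT) -> NtsServerAddress:
    """Split an address spec into host, port and family, raising ValueError on anything ambiguous."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty address")

    # Bracketed form: "[ipv6]" or "[ipv6]:port". The brackets remove the colon ambiguity.
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IPv6 address")
        host, rest = spec[1:end], spec[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError as exc:
            raise ValueError(f"not a valid IPv6 address: {host!r}") from exc
        if rest == "":
            port = default_port
        elif rest.startswith(":"):
            port = _parse_port(rest[1:])
        else:
            raise ValueError(f"unexpected text after ']': {rest!r}")
        return NtsServerAddress(host, port, "ipv6")

    # Unbracketed form: at most one ':' is allowed, and it separates host from port.
    # A bare IPv6 literal would contain several, so it is refused rather than guessed at.
    if spec.count(":") > 1:
        raise ValueError("IPv6 literal must be enclosed in square brackets")
    host, sep, port_text = spec.partition(":")
    if not host:
        raise ValueError("missing host")
    port = _parse_port(port_text) if sep else default_port

    try:
        ipaddress.IPv4Address(host)
        return NtsServerAddress(host, port, "ipv4")
    except ValueError:
        pass  # not a dotted quad; treat it as a name
    _check_hostname(host)
    return NtsServerAddress(host, port, "name")


def is_valid_server_address(spec: str) -> bool:
    """Convenience predicate: True when the spec parses, False on any ValueError."""
    try:
        parse_server_address(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs covering each accepted form and two rejected ones.
    for sample in ["ntp.example.com", "192.0.2.1:4460", "[2001:db8::1]:4460",
                   "[2001:db8::1]", "2001:db8::1", "host:70000"]:
        try:
            print(f"{sample!r:24} -> {parse_server_address(sample)}")
        except ValueError as err:
            print(f"{sample!r:24} -> rejected: {err}")
```

Doing the split at parse time means a malformed entry is reported with the configuration line that caused it, rather than surfacing later as a failed association whose cause has to be traced back to the raw string.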

