NTS client configuration support has landed

Gary E. Miller gem at rellim.com
Sat Feb 2 05:46:12 UTC 2019


Yo Eric!

On Fri, 1 Feb 2019 23:13:53 -0500
"Eric S. Raymond" <esr at thyrsus.com> wrote:

> Gary E. Miller via devel <devel at ntpsec.org>:
> > Well, it was in nts.adoc, after consensus had been reached, before
> > Eric removed it.  
> 
> Everything I removed I removed because I implemented it and described
> the new options in docs/includes.assoc-options.adoc

Sorry, don't agree.

> From now on, you can assume that if I remove stuff from that section
> without discussion, another part of the commit has moved it to
> docs/includes.assoc-options.adoc

OK.  But can we hold off until we are all agreed?

> > *require [address]* Require a particular NTPD server, fail if it is
> > not the NTPD server address returned.  Otherwise same as *ask*.  
> 
> These are already implemented, but they currently stash the raw
> string rather than parsing it for the address and port element.  I
> don't think it makes a lot of difference whether this is done at
> parse time or at peer initialization time.

Has to be before peer initialization.  One: for good error messages.
Two: we need to do the NTS-KE dance before peering.

> I just copied the address-argument description to the official docs
> for the NTS options.

Which were not done yet.

> I thought the minimum TLS level was supposed to be 1.3.  Why are we
> supporting 1.2 options?

Not according to the Proposed RFC.  And, as a practical matter, TLS 1.3
does not exist yet in practice.  Yeah, I know about all the PR, but
it does not really work yet.

> Would somebody dig me up lists of the cipher names?

    openssl ciphers -v | fgrep TLS

Which is incomplete since Gentoo, like almost all distros, does not
implement TLS 1.3.  Also incomplete as I have not looked up the AEAD
ciphers which are also different.

These ciphers are very dynamic.  In time, by distro, by install options,
and by user configuration.  They should not be hard-coded.  We can punt
and just feed the lists to OpenSSL and have that tell us which are valid
at this exact moment and place.

> I'd prefer not to have option names with embedded punctuation - I
> think that might force unpleasant complications in the scanner.  Try
> again? 

Roger and I have already gone around on this.  These are WIP.  Not
remotely close to final.  Suggestions welcome.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
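The "feed the list to OpenSSL and let it say what is valid" approach from the message above, as an added example that is not NTPsec code and not part of the original post. It uses Python's standard-library ssl module, which wraps whatever OpenSSL the interpreter was built against, so the answers vary by distro, build options and OpenSSL version, which is the point. It also shows the split the message alludes to: in OpenSSL, TLS 1.3 suites (TLS_AES_128_GCM_SHA256 and friends) are configured through a separate ciphersuites list, not the classic cipher-list string, so a TLS 1.3 name handed to the 1.2-style list is rejected. The function names and the sample names in the usage block are this example's own.

```python
"""Ask the linked OpenSSL which cipher names are valid right now.

Added example, not NTPsec code: ssl.SSLContext.set_ciphers() calls
SSL_CTX_set_cipher_list(), and SSLContext.get_ciphers() reports what the
library actually resolved, so the library, not a hard-coded table, decides
what is valid on this host at this moment.  No network I/O is performed.
"""
import ssl
from typing import Dict, Iterable, List


def _fresh_ctx() -> ssl.SSLContext:
    # A client context with library defaults; never connected anywhere.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def tls13_suites() -> List[str]:
    """TLS 1.3 suites this OpenSSL enables by default.

    Empty on builds older than OpenSSL 1.1.1.  These live in a separate
    list (SSL_CTX_set_ciphersuites) from the TLS 1.2 cipher list, which is
    why they are filtered by protocol here rather than by name pattern.
    """
    return [c["name"] for c in _fresh_ctx().get_ciphers()
            if c["protocol"] == "TLSv1.3"]


def expand_cipher_spec(spec: str) -> List[str]:
    """Resolve an OpenSSL cipher-list string (e.g. 'HIGH:!aNULL') to the
    TLS 1.2-and-below cipher names it selects, in preference order.

    Raises ssl.SSLError if the library can select nothing from it, which is
    the error a config parser wants to report before peering starts.
    """
    ctx = _fresh_ctx()
    ctx.set_ciphers(spec)  # SSL_CTX_set_cipher_list() under the hood
    # get_ciphers() also lists the TLS 1.3 suites regardless of spec;
    # drop them so the result reflects only what the spec controlled.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def check_cipher_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Classify explicit cipher names at parse time.

    Each name ends up in exactly one bucket: accepted as a TLS 1.3 suite,
    accepted for the TLS 1.2 cipher list, or rejected by this build.
    """
    result: Dict[str, List[str]] = {"tls13": [], "tls12": [], "rejected": []}
    v13 = set(tls13_suites())
    for name in names:
        if name in v13:
            result["tls13"].append(name)
            continue
        try:
            selected = expand_cipher_spec(name)
        except ssl.SSLError:
            selected = []
        # A real cipher name resolves to itself; a bogus name, a disabled
        # cipher, or a TLS 1.3 name in the 1.2 list resolves to nothing.
        if name in selected:
            result["tls12"].append(name)
        else:
            result["rejected"].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample input: two real names, one TLS 1.3 suite, one bogus.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA",
              "TLS_AES_128_GCM_SHA256", "NOT-A-CIPHER"]
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("TLS 1.3 suites:", tls13_suites())
    print("HIGH expands to", len(expand_cipher_spec("HIGH")), "TLS<=1.2 ciphers")
    for bucket, found in check_cipher_names(sample).items():
        print(f"{bucket:9s} {found}")
```

Run it on two different machines and the "HIGH expands to" count and the TLS 1.3 list will differ; that difference is exactly what a hard-coded table in the daemon would get wrong.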