Implementing NTS options
Gary E. Miller
gem at rellim.com
Sat Feb 2 21:56:43 UTC 2019
Yo Eric!
On Sat, 2 Feb 2019 04:18:26 -0500
"Eric S. Raymond via devel" <devel at ntpsec.org> wrote:
> Achim Gratz via devel <devel at ntpsec.org>:
> > The RFC says the client needs to tell the NTS-KE all supported
> > ciphers. It doesn't say it must support different ciphers for
> > different servers.
Small correction: cipher sets. Multiple, incompatible. TLS1.2, TLS1.3
and AEAD. We keep confusing the three sets.
> Yeah, that second part *really* didn't make any sense to me.
Ditto. But the Proposed RFC says nothing about any other communication
or configuration between the NTS-KE and NTPD server. It is up to us.
I assumed to start it would be just config files.
> So tell me: can we conform by *discovering* the cipher set at startup
> time and shipping that list to NTS-KE?
Remember, the cipher sets are runtime dynamic. They can change under
you in an instant. So replace startup time with runtime.
To find the TLS 1.2 ciphers:
openssl ciphers -v | fgrep TLSv1.2
To find the TLS 1.3 ciphers:
openssl ciphers -v | fgrep TLSv1.3
I have no idea how to find possible AEAD algorithms.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
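As an added example (not code from this thread or from ntpsec), here is the runtime discovery Gary sketches above, written as a small POSIX shell script: it splits `openssl ciphers -v` output into the TLS 1.2 and TLS 1.3 suite lists by the version column, and can additionally keep only the suites whose MAC column is AEAD, which is the distinction the message says keeps getting confused. The sample `openssl ciphers -v` lines embedded in the script are constructed, so it runs without OpenSSL installed; when `openssl` is on the PATH it queries the live list instead, and it is meant to be called every time the list is needed rather than once at startup, because that list can change under you. All function names are my own. The third set Gary mentions, the NTS AEAD algorithms applied to the NTP packets themselves, comes from a separate registry that `openssl ciphers` does not report, so it is not covered here.

```shell
#!/bin/sh
# Added example, not part of the ntpsec devel thread. Builds the TLS 1.2 and
# TLS 1.3 cipher-suite lists a client would ship to an NTS-KE server, from
# the output of `openssl ciphers -v`.

# Constructed sample of `openssl ciphers -v` output so the script runs
# offline. Column layout: NAME VERSION Kx= Au= Enc= Mac=
SAMPLE_CIPHERS='TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# cipher_list PROTO [aead]: read `openssl ciphers -v` style lines on stdin
# and print the suite names whose version column equals PROTO (TLSv1.2 or
# TLSv1.3). With a second argument of "aead", keep only suites whose MAC
# column is AEAD (the suite-level AEAD, not the NTS packet AEAD).
cipher_list() {
    proto=$1
    want_aead=${2:-}
    awk -v proto="$proto" -v aead="$want_aead" '
        $2 == proto && (aead == "" || $NF == "Mac=AEAD") { print $1 }'
}

# live_ciphers: the runtime query. Falls back to the constructed sample when
# openssl is not installed. Call it each time the list is needed; the set of
# available suites is not fixed at startup.
live_ciphers() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers -v
    else
        printf '%s\n' "$SAMPLE_CIPHERS"
    fi
}

# Deterministic wrappers over the sample, used by the self-check below.
tls12_from_sample()      { printf '%s\n' "$SAMPLE_CIPHERS" | cipher_list TLSv1.2; }
tls13_from_sample()      { printf '%s\n' "$SAMPLE_CIPHERS" | cipher_list TLSv1.3; }
tls12_aead_from_sample() { printf '%s\n' "$SAMPLE_CIPHERS" | cipher_list TLSv1.2 aead; }

main() {
    echo "TLS 1.2 suites:";        live_ciphers | cipher_list TLSv1.2
    echo "TLS 1.2 AEAD suites:";   live_ciphers | cipher_list TLSv1.2 aead
    echo "TLS 1.3 suites:";        live_ciphers | cipher_list TLSv1.3
}

main "$@"
```

Note that the SSLv3-tagged suite in the sample is dropped by both lists: anything whose version column is not TLSv1.2 or TLSv1.3 never reaches the NTS-KE list, which is the behaviour you want from a filter built on the version column rather than on a `fgrep` of the whole line.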