NTS client configuration support has landed

Gary E. Miller gem at rellim.com
Sat Feb 2 22:10:42 UTC 2019


Yo Eric!

On Sat, 2 Feb 2019 03:06:23 -0500
"Eric S. Raymond" <esr at thyrsus.com> wrote:

> Gary E. Miller via devel <devel at ntpsec.org>:
> > > Would somebody dig me up lists of the cipher names?  
> > 
> >     openssl ciphers -v | fgrep TLS
> > 
> > Which is incomplete since Gentoo, like almost all distros, does not
> > implement TLS 1.3.  Also incomplete as I have not looked up the AEAD
> > ciphers which are also different.
> > 
> > These ciphers are very dynamic.  In time, by distro, by install
> > options, and by user configuration.  They should not be hard coded.
> > We can punt and just feed the lists to OpenSSL and have that tell
> > us which are valid at this exact moment and place.  
> 
> I think there is the germ of a really good idea in what you just said.
> 
> Remember my design rule for GPSD?  Never configure what you can
> discover.

For defaults, yes.  I thought that was already assumed.

> Can we toss out these cipher config options in favor of a mechanism
> that *discovers* what the available ciphers are and does the right
> thing?

No.  Required for testing.  Required for crypto emergencies.  The
history of Apache, nginx, postfix and sendmail shows these options
have been essential over the years.

Learn from history, do not repeat its mistakes.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
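The approach discussed in this message (discover the defaults from the local OpenSSL, keep an operator override, and let OpenSSL say which names are valid here) can be sketched as follows. This is an added example, not NTPsec code and not part of the original post; the function names are hypothetical and it uses Python's standard `ssl` module against whatever OpenSSL it is linked with.

```python
import ssl


def _fresh_context():
    # Client-side context; nothing connects, we only query the local OpenSSL.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def discover_ciphers():
    """Default path: the ciphers this OpenSSL build enables right now."""
    return [c["name"] for c in _fresh_context().get_ciphers()]


def partition_ciphers(names):
    """Split candidate cipher names into (accepted, rejected) on this host.

    Each name is tried alone: in a mixed list OpenSSL skips names it does
    not know, so a typo would otherwise go unnoticed.
    set_ciphers() governs TLS 1.2 and earlier; TLS 1.3 suites are not
    controlled by it, so TLS 1.3 suite names land in 'rejected'.
    """
    accepted, rejected = [], []
    for name in names:
        try:
            _fresh_context().set_ciphers(name)
        except ssl.SSLError:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


def effective_ciphers(configured=None):
    """Discovered default, unless the operator supplied an override string."""
    if configured is None:
        return discover_ciphers()
    ctx = _fresh_context()
    try:
        ctx.set_ciphers(configured)
    except ssl.SSLError as exc:
        # Override for testing or a crypto emergency selected nothing here.
        raise ValueError(f"cipher list {configured!r} selects nothing") from exc
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed sample input: one widely available name, one bogus name.
    print(partition_ciphers(["ECDHE-RSA-AES256-GCM-SHA384", "NOT-A-REAL-CIPHER"]))
    print(len(effective_ciphers()), "ciphers enabled by default")
```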