Implementing NTS options

Eric S. Raymond esr at thyrsus.com
Sat Feb 2 22:21:55 UTC 2019


Gary E. Miller via devel <devel at ntpsec.org>:
> I assumed to start it would be just config files.

Every time you assume a config file something beautiful dies.

The right question to ask is not "how must we configure this", it's
"how do we query our environment to find out the right thing to do".
You should only think in terms of configuration when you are *certain*
you can't do better.

> Remember, the cipher sets are runtime dynamic.  They can change under
> you in an instant.  So replace startup time with runtime.

Agreed.

> To find the TLS 1.2 ciphers:
> 
> 	openssl ciphers -v | fgrep TLSv1.2
> 
> To find the TLS 1.3 ciphers:
> 
> 	openssl ciphers -v | fgrep TLSv1.3
> 
> I have no idea how to find possible AEAD algorithms.

I think we may have a dodge there. IIRC the NTS draft requires support for
a particular one of the AES variants, I forget which. If it's not
available we just error out of TLS.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
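An added illustration of the "query the environment at runtime" approach discussed above (example code, not NTPsec's or the author's): it asks the linked OpenSSL, through Python's ssl module, which TLS 1.2 and 1.3 suites are usable right now, which of them are AEAD suites, and fails closed when a required suite is missing. The required-suite name passed to require_suite is an assumed placeholder, not the one the NTS draft mandates.

```python
"""Runtime discovery of TLS cipher suites instead of a static config file.

ssl.SSLContext.get_ciphers() returns what the OpenSSL actually loaded into
this process reports, using the same suite and protocol names that
`openssl ciphers -v` prints ("TLSv1.2", "TLSv1.3").
"""
from __future__ import annotations

import ssl


def enabled_suites(protocol: str) -> list[dict]:
    """Suite descriptions OpenSSL reports for one protocol version.

    Each entry carries 'name', 'protocol', 'aead' and other fields; the
    list is computed fresh on every call, so it tracks the live library
    rather than a snapshot taken at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [s for s in ctx.get_ciphers() if s["protocol"] == protocol]


def aead_suite_names(protocol: str) -> list[str]:
    """Names of the suites OpenSSL flags as AEAD (cipher and MAC combined)."""
    return [s["name"] for s in enabled_suites(protocol) if s["aead"]]


def require_suite(name: str) -> bool:
    """Fail closed: True only if the named suite is usable right now.

    A caller that needs a mandatory suite treats False as 'do not start
    TLS at all' rather than silently downgrading.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return any(s["name"] == name for s in ctx.get_ciphers())


if __name__ == "__main__":
    for proto in ("TLSv1.2", "TLSv1.3"):
        print(proto, "AEAD suites:", aead_suite_names(proto))
    # Placeholder suite name (assumption): a real deployment substitutes
    # the suite its specification mandates.
    print("required suite present:", require_suite("EXAMPLE-REQUIRED-SUITE"))
```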

