Implementing NTS options

Richard Laager rlaager at wiktel.com
Sun Feb 3 00:07:27 UTC 2019


On 2/2/19 4:21 PM, Eric S. Raymond via devel wrote:
> Gary E. Miller via devel <devel at ntpsec.org>:
>> I assumed to start it would be just config files.
> 
> Every time you assume a config file something beautiful dies.
> 
> The right question to ask is not "how must we configure this", it's
> "how do we query our environment to find out the right thing to do".
> You should only think in terms of configuration when you are *certain*
> you can't do better.
> 
>> Remember, the cipher sets are runtime dynamic.  They can change under
>> you in an instant.  So replace startup time with runtime.
> 
> Agreed.
> 
>> To find the TLS 1.2 ciphers:
>>
>> 	openssl ciphers -v | fgrep TLSv1.2
>>
>> To find the TLS 1.3 ciphers:
>>
>> 	openssl ciphers -v | fgrep TLSv1.3
>>
>> I have no idea how to find possible AEAD algorithms.
> 
> I think we may have a dodge there. IIRC the NTS draft requires support for
> a particular one of the AES variants, I forget which. If it's not
> available we just error out of TLS.

No. That requirement is for the NTP crypto, not TLS!

-- 
Richard
