Implementing NTS options
Richard Laager
rlaager at wiktel.com
Sun Feb 3 00:07:27 UTC 2019
On 2/2/19 4:21 PM, Eric S. Raymond via devel wrote:
> Gary E. Miller via devel <devel at ntpsec.org>:
>> I assumed to start it would be just config files.
>
> Every time you assume a config file something beautiful dies.
>
> The right question to ask is not "how must we configure this", it's
> "how do we query our environment to find out the right thing to do".
> You should only think in terms of configuration when you are *certain*
> you can't do better.
>
>> Remember, the cipher sets are runtime dynamic. They can change under
>> you in an instant. So replace startup time with runtime.
>
> Agreed.
>
>> To find the TLS 1.2 ciphers:
>>
>> openssl ciphers -v | fgrep TLSv1.2
>>
>> To find the TLS 1.3 ciphers:
>>
>> openssl ciphers -v | fgrep TLSv1.3
>>
>> I have no idea how to find possible AEAD algorithms.
>
> I think we may have a dodge there. IIRC the NTS draft requires support for
> a particular one of the AES variants, I forget which. If it's not
> available we just error out of TLS.
No. That requirement is for the NTP crypto, not TLS!
--
Richard