NTS client configuration support has landed

Gary E. Miller gem at rellim.com
Sun Feb 3 00:32:48 UTC 2019


Yo Richard!

On Sat, 2 Feb 2019 17:55:22 -0600
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 2/2/19 3:06 PM, Gary E. Miller via devel wrote:
> >>
> >> We have a min option.  
> > As previously discussed here.  A min option was tried by others in
> > the past, and failed.  When SSL 2 gave way to TLS 1, the min
> > broke.  
> 
> Huh? What's the problem here?

The problem is SSL version 2 is not a number.  So we can't encode the
minimum as a number.  It has to be a token.

Or, to look another way, the OpenSSL function we call takes a token, not
a number, to allow for name changes.  Since we have to get to that, why
not start there?

> The epoch in renumbering from SSL 2 & 3
> to TLS 1.0?

Yup.  We got bit by that last time.  Don't get bit by it next name
change.  OpenSSL knows this, that is why they specify min with a token,
not a number.  We have to turn the number into a token, why not start
with a token?

> At this point, a minimum TLS version seems perfectly
> reasonable.

Yes, but soon, when TLS 1.2 is replaced with XXX 1.0, it is no longer
reasonable.  The same mess that happened from SSL to TLS, all over
again.

> So is a list of versions, but a minimum is simpler.

Yes, IFF the minimum is a token, not a number.  But, we then need a
maximum, so we can both do testing, and have a way to talk to servers
with broken TLS 1.3.

So, flip a coin: min/max, or list.  Similar results, but the latter is
what Apache and others do, so is more familiar to the admin.

You just can't use a number.

These are all lessons from the past, let us not repeat those mistakes.


RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
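Added example (not code from the NTPsec project or from this thread): a small config parser that takes protocol versions as name tokens, in either the min/max form or the Apache-like list form discussed above, maps them onto Python's ssl.TLSVersion enum, rejects bare numbers, and applies the resulting floor and ceiling to a client context. The token spellings and the two spec syntaxes are assumptions made here for illustration.

```python
import ssl

# Accepted protocol names, in protocol order.  Ordering comes from the table,
# not from anything the user types: "SSLv2" never had a number and the
# SSL -> TLS rename restarted the count, so a bare integer is not a stable
# way to express a floor.  The token spellings are assumed for this example.
VERSION_TOKENS = {
    "tlsv1":   ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}
ORDER = list(VERSION_TOKENS.values())


def _token(word):
    try:
        return VERSION_TOKENS[word]
    except KeyError:
        raise ValueError(f"unknown TLS version token {word!r}: use a name, not a number")


def parse_version_spec(spec):
    """Return (low, high) ssl.TLSVersion bounds from either config style:
    'min tlsv1.2 max tlsv1.3' or the list form 'tlsv1.2 tlsv1.3'."""
    words = spec.lower().split()
    if not words:
        raise ValueError("empty TLS version spec")
    if words[0] == "min":
        if len(words) != 4 or words[2] != "max":
            raise ValueError("expected 'min <version> max <version>'")
        low, high = _token(words[1]), _token(words[3])
        if low > high:
            raise ValueError("min is above max")
        return low, high
    chosen = sorted({_token(w) for w in words})
    low, high = chosen[0], chosen[-1]
    # A list must be a contiguous run, otherwise min/max cannot express it.
    if chosen != ORDER[ORDER.index(low):ORDER.index(high) + 1]:
        raise ValueError("version list has gaps; use a contiguous range")
    return low, high


def client_context(spec):
    """Client SSLContext with the configured floor and ceiling applied."""
    low, high = parse_version_spec(spec)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert + hostname checks on
    ctx.minimum_version = low
    ctx.maximum_version = high
    return ctx
```

Both spec styles normalise to the same (floor, ceiling) pair, which is what the context actually enforces; a future rename only requires adding a row to the table.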