TLS Versions

Hal Murray hmurray at megapathdsl.net
Wed Feb 6 22:05:27 UTC 2019


float mintls = 1.2;             /* minimum TLS version allowed */
float maxtls;                   /* maximum TLS version allowed */

Floats?  The API to OpenSSL doesn't work in floats.  We'll have to translate 
those to something useful.  I'd like to push that back to ntp_config.

From /usr/include/openssl/tls1.h
# define TLS1_VERSION                    0x0301
# define TLS1_1_VERSION                  0x0302
# define TLS1_2_VERSION                  0x0303
# define TLS1_3_VERSION                  0x0304
# define TLS_MAX_VERSION                 TLS1_3_VERSION

We should initialize those slots to TLS1_2_VERSION and TLS_MAX_VERSION.

Assuming the NTS-KE server is packaged with ntpd, it will also use those 
version limits.

We can also test by running on recent Fedora which supports 1.3 and Debian or 
older Fedora which only support 1.2.


-- 
These are my opinions.  I hate spam.




