Update

Hal Murray hmurray at megapathdsl.net
Sat Feb 9 14:20:01 UTC 2019


I've got the start of the NTS-KE server working.  All it does after the TLS 
setup is read some data and echo it back.

Logging is verbose for debugging.  I'm using  NTSc: and NTSs: as the tag for 
client and server and NTS: for subroutines that might get called from either 
side.

It reads certificates from /etc/ntp/cert-chain.pem and the private key from 
/etc/ntp/key.pem.

The cert-chain is probably your cert and the issuer's intermediate cert cat-ed 
together.

The client side expects the root certificate to be available via the system 
defaults.

I'm starting to pay attention to some of the configuration options.

It seems strange to use "crypto" for the keyword when we are talking about NTS 
or NTS-KE.

The documentation for crypto enable says:
  Enable NTS service. The default.

The comment on the struct says:
    bool ntsenable;             /* enable NTS on this ntpd instance */


The first says "service" rather than "server".
The latter could mean client side too.

Currently, what it does is enable starting the NTS KE server.  You can use 
client side NTS without a server (on your system).

The current code defaults to false to minimize near term surprises.

-----------

Are we ever going to want to use anything older than TLS1.2?  Spec says no, 
but it might be interesting for testing.  New OpenSSL has routines to set the 
min/max allowed protocol versions.  With older versions, the API only allows 
you to disable versions, so I disabled everything but TLS1.2.

----------

Client side:
 9 Feb 03:36:14 ntpd[16029]: NTSc: nts_probe connecting to 
hgm.example.com=192.168.1.2
 9 Feb 03:36:14 ntpd[16029]: NTSc: Using TLS1.3
 9 Feb 03:36:14 ntpd[16029]: NTSc: Using TLS_AES_256_GCM_SHA384 with 256 
secret bits
 9 Feb 03:36:14 ntpd[16029]: NTSc: certificate subject name: 
/C=US/ST=CA/L=Menlo Park/O=Glypnod/CN=hgm.example.com
 9 Feb 03:36:14 ntpd[16029]: NTSc: certificate issuer name: 
/C=US/ST=CA/O=Glypnod/CN=Glypnod-Int
 9 Feb 03:36:14 ntpd[16029]: NTSc: certificate is valid.
 9 Feb 03:36:14 ntpd[16029]: NTS: C2S c8 14 a2 53 77
 9 Feb 03:36:14 ntpd[16029]: NTS: S2C 45 85 8d 65 fc
 9 Feb 03:36:14 ntpd[16029]: NTSc: read 16 bytes

Server side:
 9 Feb 03:36:13 ntpd[16029]: NTSs: Private Key OK
...
 9 Feb 03:36:47 ntpd[16029]: NTSs: TCP accept-ed from 192.168.1.2
 9 Feb 03:36:47 ntpd[16029]: NTSs: SSL accept-ed from 192.168.1.2
 9 Feb 03:36:47 ntpd[16029]: NTSs: Using TLS version TLSv1.3, cipher 
TLS_AES_256_GCM_SHA384 with 256 secret bits
 9 Feb 03:36:47 ntpd[16029]: NTS: C2S be 97 43 38 ee
 9 Feb 03:36:47 ntpd[16029]: NTS: S2C 20 1a 61 3c 4f


-- 
These are my opinions.  I hate spam.