Current status

Hal Murray hmurray at megapathdsl.net
Tue Feb 12 05:49:46 UTC 2019


There is the start of the NTS-KE client and server.  The client does the TLS 
handshake, saves the cookies, sets up C2S and S2C, then ignores them.  The 
server returns fake cookies.

They are using TCP port 123.

It's the minimal I could get away with and get this far.  It doesn't pay 
attention to any of the configuration parameters.  (other than nts enable and 
server foo nts)

The server reads the certificate chain from /etc/ntp/cert-chain.pem
The server reads the private key from /etc/ntp/key.pem

There is lots of logging.  As much as possible, it blunders on after errors.

The server runs in a separate thread.  It doesn't spawn a thread for each new 
connection so a DoS would be trivial.  I don't have timeouts working yet.  ...

The client doesn't run in a separate thread.  (We can copy what DNS does.)

The client checks the certificate using the system root certs.

----------

Are we interested in client certificates?  If so, why?

struct ntsconfig_t has:
/* Configuration data for an NTS server or client instance */
    char *ca;                   /* site default */
    char *cert;                 /* site default */

I assume that cert is the filename for the server's certificate chain.  If so, 
the second "site default" is bogus.

We need a slot in there for the private key.

doc for ca says:
  Use the file (or directory) specified by _location_ to
  validate NTS-KE server certificates. This is a default
  for all client and server connections.

OpenSSL has separate slots for root-cert dir and file.  How should I tell 
which?  Should we have separate config options?

I think Fedora and Debian cat all the certs in a directory into a file and 
then use that for the default.  Sounds like a speedup.

There is a similar ca slot per server.
    char *ca;           /* if NULL, use the site default (normal case) */
Why?  Are we really interested in per server root certs for certificate 
checking?  If so, example please?

------------

I think it's ready for people to see if their certificates work.

Let me know if you find problems and/or need an option processed.


-- 
These are my opinions.  I hate spam.
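One way to answer the "how should I tell which?" question for the ca slot is to stat() the configured path and feed it to the file or directory slot accordingly. This is an added example, not Hal's code and not ntpd's: it uses Python's ssl module, which exposes the same cafile/capath split as OpenSSL's SSL_CTX_load_verify_locations(), and it includes the check a practitioner wants, namely that a directory only works if its entries carry c_rehash-style hashed names. The function names and the ValueError handling are my own.

```python
import os
import re
import ssl
import stat

# OpenSSL's directory lookup only finds files named <subject-hash>.<n>
# (<hash>.r<n> for CRLs), i.e. what c_rehash / openssl rehash produce.
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def classify_ca_location(location):
    """Map a configured ca location onto the cafile/capath slots."""
    mode = os.stat(location).st_mode
    if stat.S_ISDIR(mode):
        return "capath"
    if stat.S_ISREG(mode):
        return "cafile"
    raise ValueError("ca location is neither file nor directory: %s" % location)


def looks_rehashed(capath):
    """True if the directory has at least one hash-named entry.

    A directory of plainly named .pem files loads without error but
    validates nothing, because lookups are by hashed file name.
    """
    return any(_HASHED_NAME.match(name) for name in os.listdir(capath))


def build_verify_context(location=None):
    """Build a verifying TLS client context from the ca setting.

    location=None is the site default: the system root certs, which is
    what the NTS-KE client described above already checks against.
    Returns (context, kind), kind in {"default", "cafile", "capath"}.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never talk to an unverified server
    ctx.check_hostname = True
    if location is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        return ctx, "default"
    kind = classify_ca_location(location)
    if kind == "capath":
        if not looks_rehashed(location):
            raise ValueError("ca dir %s has no hashed entries; run c_rehash" % location)
        ctx.load_verify_locations(capath=location)
    else:
        ctx.load_verify_locations(cafile=location)
    return ctx, kind
```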
