Current status

Hal Murray hmurray at megapathdsl.net
Wed Feb 13 07:14:47 UTC 2019


Gary said:
>> The server reads the certificate chain from /etc/ntp/cert-chain.pem
>> The server reads the private key from /etc/ntp/key.pem
> Which will, eventually, need to be configurable.  Plus, when needed, the key
> to the key.pem file, somewhere.

The code to configure file names is in there now.

Unless somebody objects or has a better idea, I'll implement Richard Laager's 
suggestion to disable the NTS-KE server if it can't read the certificate and 
key.

I don't see how to implement your file for the key to the key file.  There is no 
API for that.  Besides, that doesn't seem like the right approach.  If you want 
to start up without typing in something, make the key file without a password.  
Am I missing something?


>> The client checks the certificate using the system root certs.
> Which also needs to be configurable, eventually.

I think that's implemented now.


>> Are we interested in client certificates?  If so, why?
> Absolutely.  But maybe last thing to do.  A big user, like AWS, will want the
> options of allowing only some clients, with client certs, to access the
> Stratum 1. 

Does that work and/or is there a simpler way?  Why not filter on IP Address?  
Is the existing restrict stuff good enough?


> Maybe, maybe not.  A lot of people do not like to make their own chain files.
>  Then you need a filename for the ca, the chain, and the cert.  Plus the key
> file and the, optional, key to the key file. 

The API is that you give it a chain rather than just a simple cert.  The TLS 
client gives the chain to the server.  The chain has the cert and any 
intermediate certs needed to get to the root.  There may be no intermediate 
certs.  That would be a chain of one rather than what may be the typical two.




-- 
These are my opinions.  I hate spam.
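Added example (not NTPsec code, not from this thread): startup handling for the NTS-KE server and client as discussed above, with the chain and key file names assumed to default to /etc/ntp/cert-chain.pem and /etc/ntp/key.pem and to be configurable. It shows the chain-of-one versus chain-of-two point, disables NTS-KE instead of aborting when the chain or key cannot be read, and refuses to prompt for a key password at startup.

```python
"""NTS-KE server/client TLS setup.  Added example, not NTPsec code.
Assumed defaults: chain in /etc/ntp/cert-chain.pem, key in
/etc/ntp/key.pem, both configurable.
"""
import re
import ssl

# Constructed sample chain: leaf + one intermediate.  The bodies are
# placeholders, not real certificates; only the block structure matters.
SAMPLE_CHAIN_PEM = """-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
"""

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the certificate blocks of a chain file, leaf first.

    One block means no intermediates; two (leaf + intermediate) is the
    typical case.  The TLS client receives this whole chain from the server.
    """
    return _PEM_CERT.findall(pem_text)


def nts_ke_server_context(certfile="/etc/ntp/cert-chain.pem",
                          keyfile="/etc/ntp/key.pem"):
    """Build the server's TLS context, or return None to disable NTS-KE.

    An unreadable chain or key disables the NTS-KE server instead of
    killing the daemon (Richard Laager's suggestion).  An empty password
    is passed so that an encrypted key fails here rather than prompting
    on the terminal at startup: make the key file without a password.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile, password=b"")
    except OSError as exc:  # missing/unreadable file, or ssl.SSLError
        print(f"NTS-KE server disabled: {exc}")
        return None
    return ctx


def nts_client_context(cafile=None):
    """Client context: system root certs by default, or a configured CA file."""
    return ssl.create_default_context(cafile=cafile)
```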
