Current status
Hal Murray
hmurray at megapathdsl.net
Wed Feb 13 07:14:47 UTC 2019
Gary said:
>> The server reads the certificate chain from /etc/ntp/cert-chain.pem
>> The server reads the private key from /etc/ntp/key.pem
> Which will, eventually, need to be configurable. Plus, when needed, the key
> to the kep.pem file, somewhere.
The code to configure file names is in there now.
Unless somebody objects or has a better idea, I'll implement Richard Laager
suggestion to disable the NTS-KE server if it can't read the certificate and
key.
I don't see how to implement your file for key to key file. There is no API
for that. Besides, that doesn't seem like the right approach. If you want to
startup without typing in something, make the key file without a password. Am
I missing something?
>> The client checks the certificate using the system root certs.
> Which also needs to be configuable, eventually.
I think that's implemented now.
>> Are we interested in client certificates? If so, why?
> Absolutely. But maybe last thing to do. A big user, like AWS, will want the
> options of allowing only some clients, with client certs, to access the
> Stratum 1.
Does that work and/or is there a simpler way? Why not filter on IP Address?
Is the existing restrict stuff good enough?
> Maybe, maybe not. A lot of people do not like to make their own chain files.
> Then you need a filename for the ca, the chain, and the cert. Plus the key
> file and the, optional, key to the key file.
The API is that you give it a chain rather than just a simple cert. The chain
TLS client gives the chain to the server. The chain has the cert and any
intermediate certs needed to get to the root. There may be no intermediate
certs. That would be a chain of one rather than what may be typical two.
--
These are my opinions. I hate spam.
More information about the devel
mailing list