ntp.conf changes for NTS

Richard Laager rlaager at wiktel.com
Wed Jan 30 21:25:47 UTC 2019


On 1/30/19 1:41 PM, Gary E. Miller via devel wrote:
> On Wed, 30 Jan 2019 01:19:08 -0600
> Richard Laager via devel <devel at ntpsec.org> wrote:
> 
>> So in this example, you have ntp.example.com as the NTS-KE server, and
>> 1.2.3.4 or bob.example.com as the NTP servers? I assume it has to be
>> that way, as TLS doesn't work _in practice_ (yes, I know it is
>> supported in theory) with IP addresses, so 1.2.3.4 can't be the
>> NTS-KE server.
> 
> Uh, no.  I use TLS with IPs all the time.

Do you have full certificate verification on?

It is possible to put an IP address into the subjectAltName, but most if
not all public CAs these days will not issue a certificate that way. So
you can do it if you have an internal CA, but otherwise you're either
bypassing certificate validation or you're not doing it.

-- 
Richard
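As an added illustration of the certificate-validation point made above (this is not code from the thread or from NTPsec), the following Python check decides whether an NTS-KE server written as a hostname or as an IP literal would pass subjectAltName matching. The certificate dicts are constructed samples in the format returned by `ssl.SSLSocket.getpeercert()`; `ntp.example.com` and `1.2.3.4` are the thread's own placeholders.

```python
import ipaddress

# Constructed sample: what a typical public-CA certificate carries (DNS SAN only).
PUBLIC_CA_CERT = {"subjectAltName": (("DNS", "ntp.example.com"),)}

# Constructed sample: what an internal CA can issue (DNS plus iPAddress SAN).
INTERNAL_CA_CERT = {"subjectAltName": (("DNS", "ntp.example.com"),
                                        ("IP Address", "1.2.3.4"))}


def san_matches_server(cert, server):
    """Return True if `server` (hostname or IP literal, as it would appear in
    ntp.conf) matches the certificate's subjectAltName under the usual
    RFC 6125 / RFC 5280 rules. `cert` uses the getpeercert() dict layout."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only an iPAddress SAN entry, compared as
        # addresses; a dNSName entry or the CN never satisfies an IP.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    # A DNS name matches a dNSName entry case-insensitively; a single
    # leftmost-label wildcard ("*.example.com") is allowed.
    host = server.rstrip(".").lower()
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.rstrip(".").lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            if host.endswith(pattern[1:]) and host.count(".") == pattern.count("."):
                return True
    return False


def verification_outcomes():
    """Summarise which server spellings verify against which sample cert."""
    return {
        ("public", "ntp.example.com"): san_matches_server(PUBLIC_CA_CERT, "ntp.example.com"),
        ("public", "1.2.3.4"): san_matches_server(PUBLIC_CA_CERT, "1.2.3.4"),
        ("internal", "1.2.3.4"): san_matches_server(INTERNAL_CA_CERT, "1.2.3.4"),
    }
```

With the public-CA sample only the hostname verifies; `1.2.3.4` verifies only against the internal-CA sample that carries an iPAddress SAN, which is the situation the reply describes.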
