ntp.conf changes for NTS
Gary E. Miller
gem at rellim.com
Wed Jan 30 21:38:19 UTC 2019
Yo Richard!
On Wed, 30 Jan 2019 15:25:47 -0600
Richard Laager via devel <devel at ntpsec.org> wrote:
> On 1/30/19 1:41 PM, Gary E. Miller via devel wrote:
> > On Wed, 30 Jan 2019 01:19:08 -0600
> > Richard Laager via devel <devel at ntpsec.org> wrote:
> >
> >> So in this example, you have ntp.example.com as the NTS-KE server,
> >> and 1.2.3.4 or bob.example.com as the NTP servers? I assume it has
> >> to be that way, as TLS doesn't work _in practice_ (yes, I know it
> >> is supported in theory) with IP addresses, so 1.2.3.4 can't be the
> >> NTS-KE server.
> >
> > Uh, no. I use TLS with IPs all the time.
>
> Do you have full certificate verification on?
Of course. Firefox asks me if it is OK, and I just say YES.
> It is possible to put an IP address into the subjectAltName, but most
> if not all public CAs these days will not issue a certificate that
> way.
I use LE, they do not allow IPs in certs.
> So you can do it if you have an internal CA, but otherwise
> you're either bypassing certificate validation or you're not doing it.
I'm bypassing. Pretty common in data centers to do that:
https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082/42
I find TLS to an IP useful for some odd edge cases. Others will avoid
host names due to security or connectivity concerns.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
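To make the certificate-validation point in this exchange concrete, here is an added Go example (not from the thread or from NTPsec) that builds constructed self-signed test certificates and shows that standard name verification against an IP literal succeeds only when the certificate carries that IP in its subjectAltName; a DNS-only certificate fails, which is why TLS to an IP otherwise means bypassing validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a constructed test certificate whose SAN holds the
// given DNS names and IP addresses. It stands in for a CA-issued cert here.
func selfSignedCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether a client connecting to target (a host name or
// an IP literal) would accept cert under normal TLS name verification.
func NameMatches(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

func main() {
	dnsOnly, _ := selfSignedCert([]string{"ntp.example.com"}, nil)
	withIP, _ := selfSignedCert([]string{"ntp.example.com"}, []net.IP{net.ParseIP("1.2.3.4")})
	fmt.Println(NameMatches(dnsOnly, "ntp.example.com")) // true
	fmt.Println(NameMatches(dnsOnly, "1.2.3.4"))         // false: no IP in the SAN
	fmt.Println(NameMatches(withIP, "1.2.3.4"))          // true: IP SAN present
}
```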