Testing NTPSec with NTS
Sanjeev Gupta
ghane0 at gmail.com
Thu Mar 21 23:51:01 UTC 2019
Gary,
Adding this to /etc/services seems to fix the issue:
ntp 123/tcp # Network Time Protocol
I now see:
-pi3.rellim.com .PPS. 1 8 4 64 37 197.8958 0.5317 0.4966
-kong.rellim.com 204.17.205.17 2 8 5 64 37 211.0267 -1.1571 0.7353
-104.131.155.175 204.123.2.72 2 8 3 64 37 178.6108 4.1158 0.2288
-178.62.68.79 17.253.34.253 2 8 - 64 37 185.7613 -2.6144 0.0452
And a snip from the log file says:
2019-03-22T07:43:48 ntpd[12580]: NTSc: nts_probe connecting to pi3.rellim.com:ntp => 204.17.205.23:123
2019-03-22T07:43:49 ntpd[12580]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-03-22T07:43:49 ntpd[12580]: NTSc: certificate subject name: /CN=pi3.rellim.com
2019-03-22T07:43:49 ntpd[12580]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-03-22T07:43:49 ntpd[12580]: NTSc: certificate is valid.
2019-03-22T07:43:49 ntpd[12580]: NTSc: read 880 bytes
2019-03-22T07:43:49 ntpd[12580]: NTSc: Got 8 cookies, length 104, aead=15.
2019-03-22T07:43:49 ntpd[12580]: NTSc: NTS-KE req to pi3.rellim.com took 0.863 sec, OK
2019-03-22T07:43:49 ntpd[12580]: DNS: dns_check: processing pi3.rellim.com, 1, 21801
2019-03-22T07:43:49 ntpd[12580]: DNS: Server taking: 204.17.205.23
2019-03-22T07:43:49 ntpd[12580]: DNS: Server poking hole in restrictions for: 204.17.205.23
2019-03-22T07:43:49 ntpd[12580]: DNS: dns_take_status: pi3.rellim.com=>good, 0
--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
On Fri, Mar 22, 2019 at 7:32 AM Sanjeev Gupta <ghane0 at gmail.com> wrote:
> On Fri, Mar 22, 2019 at 7:24 AM Gary E. Miller via devel <devel at ntpsec.org>
> wrote:
>
>> > I have been lurking and trying to set up NTS to talk to the rellim.com
>> > servers. This is a recent git head.
>>
>> Cool.
>>
>
> I just did a git pull and rebuilt.
>
>
>> > My ntp.conf snippet:
>> >
>> > nts enable
>> > nts cert /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.pem
>> > nts key /etc/letsencrypt/live/ntpmon.dcs1.biz/privkey.pem
>> > server pi3.rellim.com nts
>> > server kong.rellim.com nts
>>
>> Looks good. What is your server so I can try to connect back?
>>
>
> My server is ntpmon.dcs1.biz . It is in the pool, BTW.
>
>> > Been running for a few hours now. ntpq -pn output:
>> > pi3.rellim.com .NTS. 16 u - 1024 0 0.0000 0.0000 0.0005
>> > kong.rellim.com .NTS. 16 u -1024 0 0.0000 0.0000 0.0005
>>
>> Odd, you are not even getting the cookies.
>>
>> > And the log is here: https://pastebin.com/fM9uDwVi
>>
>> Weird:
>>
>> 2019-03-22T03:56:32 ntpd[21039]: NTSc: nts_probe: DNS error trying to
>> contact pi3.rellim.com: -8, Servname not supported for ai_socktype
>>
>>
>> What version of OpenSSL do you have? I'm finding that matters.
>>
>
> root at ntpmon:~/ntpsec# openssl version -a
> OpenSSL 1.1.1a 20 Nov 2018
> built on: Thu Nov 22 18:40:54 2018 UTC
> platform: debian-i386
> options: bn(64,32) rc4(1x,char) des(long) blowfish(ptr)
> compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g
> -O2 -fdebug-prefix-map=/build/openssl-5z4Qxa/openssl-1.1.1a=.
> -fstack-protector-strong -Wformat -Werror=format-security
> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
> -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM
> -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time
> -D_FORTIFY_SOURCE=2
> OPENSSLDIR: "/usr/lib/ssl"
> ENGINESDIR: "/usr/lib/i386-linux-gnu/engines-1.1"
> Seeding source: os-specific
>
> This is debian/testing, up to date.
>
> Thanks,
> --
> Sanjeev
>
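
Added example, not part of the original message and not NTPsec code: a check for the condition behind the "Servname not supported for ai_socktype" error quoted above, where the service name ntp has no tcp entry in the services database that a TCP lookup consults. The sample file contents and all function names are constructed for illustration.

```python
import socket

# Constructed sample: a services file with the UDP entry for NTP but no TCP
# entry, the state that matches the DNS error quoted in the thread.
SERVICES_UDP_ONLY = """\
# constructed sample, not copied from any host
ssh             22/tcp
ntp             123/udp         # Network Time Protocol
https           443/tcp         # http protocol over TLS/SSL
"""

# The same file after adding the line given in the message.
SERVICES_FIXED = SERVICES_UDP_ONLY + "ntp 123/tcp # Network Time Protocol\n"


def parse_services(text):
    """Return {(name, proto): port} for every name and alias in the text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank, comment-only or malformed line
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:
            table.setdefault((name, proto.lower()), int(port))
    return table


def lookup(text, name, proto):
    """Port for name/proto, or None when the pair is missing from the file."""
    return parse_services(text).get((name, proto))


def host_resolves(name="ntp", proto="tcp"):
    """Ask the running host's services database the same question."""
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return None  # a by-name lookup for this protocol would fail here


if __name__ == "__main__":
    print("udp-only file, ntp/tcp:", lookup(SERVICES_UDP_ONLY, "ntp", "tcp"))
    print("fixed file,    ntp/tcp:", lookup(SERVICES_FIXED, "ntp", "tcp"))
    print("this host,     ntp/tcp:", host_resolves())
```

Running it on the machine in question shows in the last line whether ntp/tcp resolves there; None means the entry is still missing.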