Testing NTPSec with NTS

Sanjeev Gupta ghane0 at gmail.com
Thu Mar 21 23:51:01 UTC 2019


Gary,

Adding this to /etc/services seems to fix the issue:
ntp             123/tcp                         # Network Time Protocol

I now see:
-pi3.rellim.com                          .PPS.            1 8    4   64 37 197.8958   0.5317   0.4966
-kong.rellim.com                         204.17.205.17    2 8    5   64 37 211.0267  -1.1571   0.7353
-104.131.155.175                         204.123.2.72     2 8    3   64 37 178.6108   4.1158   0.2288
-178.62.68.79                            17.253.34.253    2 8    -   64 37 185.7613  -2.6144   0.0452

And a snip from the log file says:
2019-03-22T07:43:48 ntpd[12580]: NTSc: nts_probe connecting to pi3.rellim.com:ntp => 204.17.205.23:123
2019-03-22T07:43:49 ntpd[12580]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-03-22T07:43:49 ntpd[12580]: NTSc: certificate subject name: /CN=pi3.rellim.com
2019-03-22T07:43:49 ntpd[12580]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-03-22T07:43:49 ntpd[12580]: NTSc: certificate is valid.
2019-03-22T07:43:49 ntpd[12580]: NTSc: read 880 bytes
2019-03-22T07:43:49 ntpd[12580]: NTSc: Got 8 cookies, length 104, aead=15.
2019-03-22T07:43:49 ntpd[12580]: NTSc: NTS-KE req to pi3.rellim.com took 0.863 sec, OK
2019-03-22T07:43:49 ntpd[12580]: DNS: dns_check: processing pi3.rellim.com, 1, 21801
2019-03-22T07:43:49 ntpd[12580]: DNS: Server taking: 204.17.205.23
2019-03-22T07:43:49 ntpd[12580]: DNS: Server poking hole in restrictions for: 204.17.205.23
2019-03-22T07:43:49 ntpd[12580]: DNS: dns_take_status: pi3.rellim.com=>good, 0

-- 
Sanjeev Gupta
+65 98551208     http://www.linkedin.com/in/ghane


On Fri, Mar 22, 2019 at 7:32 AM Sanjeev Gupta <ghane0 at gmail.com> wrote:

> On Fri, Mar 22, 2019 at 7:24 AM Gary E. Miller via devel <devel at ntpsec.org>
> wrote:
>
>> > I have been lurking and trying to set up NTS to talk to the rellim.com
>> > servers.  This is a recent git head.
>>
>> Cool.
>>
>
> I just did a git pull and rebuilt.
>
>
>> > My ntp.conf snippet:
>> >
>> > nts enable
>> > nts cert /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.pem
>> > nts key /etc/letsencrypt/live/ntpmon.dcs1.biz/privkey.pem
>> > server pi3.rellim.com nts
>> > server kong.rellim.com nts
>>
>> Looks good.  What is your server so I can try to connect back?
>>
>
> My server is ntpmon.dcs1.biz .  It is in the pool, BTW.
>
>> > Been running for a few hours now.  ntpq -pn output:
>> >  pi3.rellim.com  .NTS.   16 u   - 1024 0   0.0000   0.0000   0.0005
>> >  kong.rellim.com .NTS.   16 u    -1024 0   0.0000   0.0000   0.0005
>>
>> Odd, you are not even getting the cookies.
>>
>> > And the log is here:  https://pastebin.com/fM9uDwVi
>>
>> Weird:
>>
>>  2019-03-22T03:56:32 ntpd[21039]: NTSc: nts_probe: DNS error trying to contact pi3.rellim.com: -8, Servname not supported for ai_socktype
>>
>>
>> What version of OpenSSL do you have?  I'm finding that matters.
>>
>
> root@ntpmon:~/ntpsec# openssl version -a
> OpenSSL 1.1.1a  20 Nov 2018
> built on: Thu Nov 22 18:40:54 2018 UTC
> platform: debian-i386
> options:  bn(64,32) rc4(1x,char) des(long) blowfish(ptr)
> compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g
> -O2 -fdebug-prefix-map=/build/openssl-5z4Qxa/openssl-1.1.1a=.
> -fstack-protector-strong -Wformat -Werror=format-security
> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
> -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM
> -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time
> -D_FORTIFY_SOURCE=2
> OPENSSLDIR: "/usr/lib/ssl"
> ENGINESDIR: "/usr/lib/i386-linux-gnu/engines-1.1"
> Seeding source: os-specific
>
> This is debian/testing, up to date.
>
> Thanks,
> --
> Sanjeev
>
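
The failure and fix discussed in this thread, as an added example that is not part of the original messages or of NTPsec: it matches the quoted `nts_probe` error line and checks whether a services database has a TCP entry for the `ntp` service name the client looks up. The "before" services fragment and the function names are constructed for illustration; only the log line and the added `ntp 123/tcp` line come from the thread.

```python
import re

# Constructed sample: a services fragment that defines ntp for UDP only.
SERVICES_BEFORE = """\
# name          port/proto   aliases     # comment
ssh             22/tcp
ntp             123/udp                  # Network Time Protocol
"""
# The same fragment with the line from the message appended.
SERVICES_AFTER = SERVICES_BEFORE + (
    "ntp             123/tcp                         # Network Time Protocol\n")

# Error line quoted in the thread, joined onto one line.
LOG = ("2019-03-22T03:56:32 ntpd[21039]: NTSc: nts_probe: DNS error trying to "
       "contact pi3.rellim.com: -8, Servname not supported for ai_socktype")

ENTRY = re.compile(r"^(\S+)\s+(\d+)/(\w+)((?:\s+\S+)*)$")
FAIL = re.compile(
    r"NTSc: nts_probe: DNS error trying to contact (\S+): (-?\d+), (.*)$")


def parse_services(text):
    """Return {(name, proto): port} for every service name and alias."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        m = ENTRY.match(line)
        if not m:
            continue
        name, port, proto, aliases = m.groups()
        for n in [name, *aliases.split()]:
            table.setdefault((n, proto.lower()), int(port))
    return table


def diagnose(log_line, services_text, service="ntp"):
    """Pair an nts_probe lookup failure with the state of the services file."""
    m = FAIL.search(log_line)
    if not m:
        return None
    # NTS-KE runs over TLS, so the name-to-port lookup needs a tcp entry.
    has_tcp = (service, "tcp") in parse_services(services_text)
    return {"host": m.group(1), "code": int(m.group(2)),
            "reason": m.group(3), "tcp_entry": has_tcp}


if __name__ == "__main__":
    print(diagnose(LOG, SERVICES_BEFORE))
    print(diagnose(LOG, SERVICES_AFTER))
```

On glibc the `-8` in the log line is `EAI_SERVICE`; on a live host, `getent services ntp/tcp` performs the same check against the real database.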