NTS dropping TLS 1.2
Richard Laager
rlaager at wiktel.com
Mon Mar 23 18:27:40 UTC 2020
On 3/23/20 5:43 AM, Eric S. Raymond via devel wrote:
> Hal Murray <hmurray at megapathdsl.net>:
>> We can do several things:
>> 1) clean out the ifdefs that make things work with older versions of OpenSSL.
>> That is drop support for systems that haven't upgraded their OpenSSL to a
>> supported version.
>> 2) leave things alone, ignore the RFC.
>> Or maybe add some nasty warning messages
>> How long?
>> 3) make a configure option to disable NTS so that NTPsec builds on older
>> OSes but doesn't support NTS.
>>
>> I propose option 1. Simple and clean. I don't think we will drop many
>> systems.
>
> I concur.
+1. In the Debian package, I was recommending a minimum of TLS 1.3
anyway, since NTS was by definition greenfield (and CloudFlare was doing
the same thing).
The export string change is annoying, but that's a risk we all take when
running a draft protocol. I guess we'll just eat that in a flag day. It
would be nice if that would be the same flag day for switching to the
IANA-allocated port (whenever that happens, assuming it isn't 123/tcp),
but we probably won't be that lucky.
--
Richard
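As an added example (not code from this thread and not NTPsec's own), the policy Richard describes, TLS 1.3 as the floor for NTS-KE and NTS simply unavailable on an OpenSSL too old to provide it, expressed with Python's standard-library `ssl` module, which wraps the linked OpenSSL. The ALPN token `ntske/1` and the OpenSSL 1.1.1 floor come from the published NTS specification (RFC 8915) and OpenSSL's release history rather than from the thread, and the server port is left as a parameter because the thread predates the IANA allocation.

```python
"""Added example: an NTS-KE client TLS context with TLS 1.3 as the minimum.

Mirrors the thread's "option 1": instead of #ifdefs that keep older OpenSSL
working, refuse to offer NTS at all when the library cannot do TLS 1.3.
"""
import ssl

# Assumption: these constants are taken from RFC 8915 and OpenSSL release
# notes, not from the mailing-list thread.
NTSKE_ALPN = "ntske/1"     # ALPN token negotiated for NTS-KE
MIN_OPENSSL = (1, 1, 1)    # first OpenSSL release that implements TLS 1.3


def openssl_supports_tls13(version_info=ssl.OPENSSL_VERSION_INFO,
                           has_tls13=ssl.HAS_TLSv1_3):
    """Runtime equivalent of dropping the old-OpenSSL ifdefs.

    Parameters default to the interpreter's real OpenSSL so a caller can
    also pass a hypothetical version tuple to see how the check behaves.
    """
    return bool(has_tls13) and tuple(version_info[:3]) >= MIN_OPENSSL


def make_ntske_client_context(require_tls13=True):
    """Build the SSLContext an NTS-KE client would use.

    require_tls13=True is the recommended policy from the thread.
    require_tls13=False reproduces the weaker "leave things alone" option:
    whatever minimum the linked OpenSSL / Python default allows (TLS 1.2).
    """
    if require_tls13 and not openssl_supports_tls13():
        raise RuntimeError(
            "%s cannot negotiate TLS 1.3; NTS is unavailable" % ssl.OPENSSL_VERSION)
    # create_default_context() turns on certificate verification and
    # hostname checking, both of which NTS-KE relies on.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if require_tls13:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_alpn_protocols([NTSKE_ALPN])
    return ctx


def allows_tls12(ctx):
    """Audit helper: would this context still accept a TLS 1.2 handshake?"""
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:  # "no upper bound" sentinel
        hi = ssl.TLSVersion.TLSv1_3
    return lo <= ssl.TLSVersion.TLSv1_2 <= hi


def connect_ntske(host, port, ctx=None):
    """Open the NTS-KE TLS session; `port` is a parameter because the IANA
    port had not been allocated when this thread was written."""
    import socket
    ctx = ctx or make_ntske_client_context()
    sock = socket.create_connection((host, port))
    tls = ctx.wrap_socket(sock, server_hostname=host)
    if tls.selected_alpn_protocol() != NTSKE_ALPN:
        tls.close()
        raise RuntimeError("server did not negotiate %s" % NTSKE_ALPN)
    return tls


if __name__ == "__main__":
    strict = make_ntske_client_context()
    loose = make_ntske_client_context(require_tls13=False)
    print("strict context allows TLS 1.2:", allows_tls12(strict))
    print("loose context allows TLS 1.2:", allows_tls12(loose))
```

`connect_ntske` is included only to show where the context is used; the checks worth running offline are `openssl_supports_tls13` and `allows_tls12`, which is a quick way to confirm that a build really has closed the TLS 1.2 door rather than merely preferring TLS 1.3.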