Raspberry Pi startup: certificate is not yet valid

Gary E. Miller gem at rellim.com
Wed May 11 18:33:31 UTC 2022


Yo Hal!

On Wed, 11 May 2022 01:53:30 -0700
Hal Murray <halmurray at sonic.net> wrote:

> > I like you suggestion of ntpd using "-g" to get the system time
> > close, before checking any certificates.   
> 
> It was Richard's suggestion, not mine.  The idea was to only skip the
> date checks and do the rest of the certificate checking.

You can see how well I'm paying attention....

> The main reason is that it's a hole in securty.  I don't want to
> clutter up security discussions and documentation with that very
> unlikely case.

It could be a non-default option, coupled with serious warnings.

> The second reason is that OpenSSL isn't setup to skip only the date
> check.  We could easily implement your version of no-check, but that
> would make the tiny security hole a big hole.

I find that convincing.  If OpenSSL does not have the knob, game over.

> I think the alternative is to get the clock reasonably close before
> running ntpd.

And the traditional solution(s).

> What is swclock?  What distros does it run on?

swlock is part of OpenRC. Which is in any OS that runs OpenRC, like Gentoo.

On startup it resets the system time to the time of the last shutdown
(usually).

https://github.com/openrc/openrc/

> I think the Linux kernel sets the clock to the build time or
> something similar.

Nope.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20220511/4c918e0b/attachment.bin>


More information about the devel mailing list