mintls?

Rick Bollar newsletters at bollar.com
Thu Mar 12 13:09:04 UTC 2020


Thanks Hal,

It was an experiment that doesn't seem to have worked and I've since reverted to TLS 1.3. I can connect as a client to all of the NTS servers on my list, and usually have eight cookies. However, I have what seems like a high "wrong version number" failure rate when operating as a server:

2020-03-11T17:32:31 ntpd[5050]: NTSs: starting NTS-KE server listening on port 123
2020-03-11T17:32:31 ntpd[5050]: NTSs: loaded certificate (chain) from /etc/...
2020-03-11T17:32:31 ntpd[5050]: NTSs: loaded private key from /etc/...
2020-03-11T17:32:31 ntpd[5050]: NTSs: Private Key OK
2020-03-11T17:32:31 ntpd[5050]: NTSs: OpenSSL security level is 2
2020-03-11T17:32:31 ntpd[5050]: NTSs: listen4 worked
2020-03-11T17:32:31 ntpd[5050]: NTSs: listen6 worked
2020-03-11T17:36:40 ntpd[5050]: NTSs: SSL accept from 172.58.236.43:30410 failed: wrong version number, took 0.161 sec
2020-03-11T17:36:56 ntpd[5050]: NTSs: SSL accept from 172.58.236.43:45279 failed: wrong version number, took 0.105 sec
2020-03-11T17:37:39 ntpd[5050]: NTSs: SSL accept from 172.58.235.134:20923 failed: wrong version number, took 0.121 sec
2020-03-11T17:38:26 ntpd[5050]: NTSs: SSL accept from 172.58.235.134:49358 failed: wrong version number, took 0.116 sec
2020-03-11T22:53:25 ntpd[5050]: NTSs: SSL accept from 73.94.32.175:50275 failed: wrong version number, took 0.065 sec
2020-03-12T01:46:58 ntpd[5050]: NTSs: NTS-KE from 83.135.66.196:60104, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.526 sec
2020-03-12T05:29:53 ntpd[5050]: NTSs: SSL accept from 96.39.136.239:49153 failed: wrong version number, took 0.074 sec
2020-03-12T06:02:01 ntpd[5050]: NTSs: NTS-KE from 195.74.94.50:53622, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.518 sec
2020-03-12T06:02:16 ntpd[5050]: NTSs: NTS-KE from 188.210.44.50:60438, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.453 sec
2020-03-12T06:23:24 ntpd[5050]: NTSs: NTS-KE from 195.74.94.50:57434, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.501 sec
2020-03-12T06:23:46 ntpd[5050]: NTSs: NTS-KE from 188.210.44.50:45552, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.449 sec
2020-03-12T06:58:15 ntpd[5050]: NTSs: SSL accept from 107.11.213.209:34039 failed: wrong version number, took 0.132 sec
2020-03-12T07:13:18 ntpd[5050]: NTSs: SSL accept from 98.167.97.154:49156 failed: wrong version number, took 0.074 sec

     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
oPPS(0)                                  .PPS.            0 l    1    1  377   0.0000   0.0006   0.0007
*SHM(1)                                  .GPSD.           1 l   12   16  377   0.0000   0.0003   0.0003
+time.cloudflare.com                     10.15.8.88       3 8  272 1024  377  21.9685  -2.3802   3.3376
-ntsts.sth.ntp.se                        194.58.202.20    2 6  46m 1024  104 155.7774   5.4018   1.2719
-ntp1.glypnod.com                        64.142.1.20      2 8  422 1024  377  68.7917   0.0204   0.9546
-nts1.time.nl                            94.198.159.10    2 6  38m 1024  104 145.0095  -2.7184   2.2529
-ntpmon.dcs1.biz                         .PPS.            1 8   41 1024  377 237.7880  13.5593   8.2662
+c-67-164-22-151.hsd1.ca.comcast.net     .PPS.            1 8  286 1024  377  78.8399  -2.1489   1.5073
 102.133.170.121                         146.64.58.41     2 u  371 1024  377 301.2170  -1.6712   1.3562
 time-b-wwv.nist.gov                     .NIST.           1 u  197 1024  377  44.0145   3.1387   2.0530
 usdal2-ntp-001.aaplimg.com              .SHM.            1 u  511 1024  377  20.8681   3.4903   1.0935
 time2.google.com                        .GOOG.           1 u  338 1024  377  45.3608  -0.8476   1.7814

2020-03-11T17:32:44 ntpd[5050]: NTSc: DNS lookup of ntp1.glypnod.com took 0.061 sec
2020-03-11T17:32:44 ntpd[5050]: NTSc: nts_probe connecting to ntp1.glypnod.com:123 => 104.131.155.175:123
2020-03-11T17:32:44 ntpd[5050]: NTSc: set cert host: ntp1.glypnod.com
2020-03-11T17:32:44 ntpd[5050]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
2020-03-11T17:32:44 ntpd[5050]: NTSc: certificate subject name: /CN=ntp1.glypnod.com
2020-03-11T17:32:44 ntpd[5050]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2020-03-11T17:32:44 ntpd[5050]: NTSc: certificate is valid.
2020-03-11T17:32:44 ntpd[5050]: NTSc: Good ALPN from: ntp1.glypnod.com
2020-03-11T17:32:44 ntpd[5050]: NTSc: read 880 bytes
2020-03-11T17:32:44 ntpd[5050]: NTSc: Got 8 cookies, length 104, aead=15.
2020-03-11T17:32:44 ntpd[5050]: NTSc: NTS-KE req to ntp1.glypnod.com took 0.271 sec, OK

Rick
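The "wrong version number" rate Rick reports can be measured rather than eyeballed. The script below is an added example, not code from the post or from NTPsec: it parses the NTSs server lines quoted above (a copy is embedded as the sample input) and reports the failed-accept rate, the failure reasons, which peers never completed a handshake, and how long failed and completed accepts took. The regular expression is an assumption based only on the two line formats visible in this post.

```python
import re
import statistics
from collections import Counter

# Sample input: the NTS-KE server lines quoted from the ntpd log in the post above.
SAMPLE_LOG = """\
2020-03-11T17:32:31 ntpd[5050]: NTSs: starting NTS-KE server listening on port 123
2020-03-11T17:32:31 ntpd[5050]: NTSs: OpenSSL security level is 2
2020-03-11T17:36:40 ntpd[5050]: NTSs: SSL accept from 172.58.236.43:30410 failed: wrong version number, took 0.161 sec
2020-03-11T17:36:56 ntpd[5050]: NTSs: SSL accept from 172.58.236.43:45279 failed: wrong version number, took 0.105 sec
2020-03-11T17:37:39 ntpd[5050]: NTSs: SSL accept from 172.58.235.134:20923 failed: wrong version number, took 0.121 sec
2020-03-11T17:38:26 ntpd[5050]: NTSs: SSL accept from 172.58.235.134:49358 failed: wrong version number, took 0.116 sec
2020-03-11T22:53:25 ntpd[5050]: NTSs: SSL accept from 73.94.32.175:50275 failed: wrong version number, took 0.065 sec
2020-03-12T01:46:58 ntpd[5050]: NTSs: NTS-KE from 83.135.66.196:60104, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.526 sec
2020-03-12T05:29:53 ntpd[5050]: NTSs: SSL accept from 96.39.136.239:49153 failed: wrong version number, took 0.074 sec
2020-03-12T06:02:01 ntpd[5050]: NTSs: NTS-KE from 195.74.94.50:53622, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.518 sec
2020-03-12T06:02:16 ntpd[5050]: NTSs: NTS-KE from 188.210.44.50:60438, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.453 sec
2020-03-12T06:23:24 ntpd[5050]: NTSs: NTS-KE from 195.74.94.50:57434, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.501 sec
2020-03-12T06:23:46 ntpd[5050]: NTSs: NTS-KE from 188.210.44.50:45552, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.449 sec
2020-03-12T06:58:15 ntpd[5050]: NTSs: SSL accept from 107.11.213.209:34039 failed: wrong version number, took 0.132 sec
2020-03-12T07:13:18 ntpd[5050]: NTSs: SSL accept from 98.167.97.154:49156 failed: wrong version number, took 0.074 sec
"""

# Assumed line shapes, taken from the post: a failed SSL accept, or a completed NTS-KE exchange.
# The peer field is matched greedily so "[v6addr]:port" style peers would also split on the last colon.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ntpd\[\d+\]: NTSs: (?:"
    r"SSL accept from (?P<fail_peer>\S+):\d+ failed: (?P<reason>.+?), took (?P<fail_t>[\d.]+) sec"
    r"|NTS-KE from (?P<ok_peer>\S+):\d+, Using (?P<tls>[^,]+), (?P<cipher>\S+) \(\d+\), took (?P<ok_t>[\d.]+) sec"
    r")$"
)


def parse_ntss_log(text):
    """Return one event dict per accept/handshake line; startup and other NTSs lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("fail_peer"):
            events.append({"ts": m["ts"], "peer": m["fail_peer"], "ok": False,
                           "reason": m["reason"], "seconds": float(m["fail_t"]),
                           "tls": None, "cipher": None})
        else:
            events.append({"ts": m["ts"], "peer": m["ok_peer"], "ok": True,
                           "reason": None, "seconds": float(m["ok_t"]),
                           "tls": m["tls"], "cipher": m["cipher"]})
    return events


def summarize(events):
    """Aggregate parsed events into the numbers an operator would look at first."""
    ok = [e for e in events if e["ok"]]
    bad = [e for e in events if not e["ok"]]
    succeeded = {e["peer"] for e in ok}
    return {
        "successes": len(ok),
        "failures": len(bad),
        "failure_rate": len(bad) / len(events) if events else 0.0,
        "failures_by_reason": Counter(e["reason"] for e in bad),
        "failing_peers": Counter(e["peer"] for e in bad),
        # Peers that only ever failed: a version-negotiation problem would usually still
        # show the same peer succeeding on a later attempt, so this set is worth watching.
        "peers_never_succeeding": sorted({e["peer"] for e in bad} - succeeded),
        "tls_versions": Counter(e["tls"] for e in ok),
        "mean_ok_seconds": statistics.fmean([e["seconds"] for e in ok]) if ok else 0.0,
        "mean_fail_seconds": statistics.fmean([e["seconds"] for e in bad]) if bad else 0.0,
    }


if __name__ == "__main__":
    summary = summarize(parse_ntss_log(SAMPLE_LOG))
    print(f"accepts: {summary['successes']} ok, {summary['failures']} failed "
          f"({summary['failure_rate']:.0%} failure rate)")
    for reason, n in summary["failures_by_reason"].most_common():
        print(f"  reason {reason!r}: {n}")
    print("peers that never completed a handshake:", ", ".join(summary["peers_never_succeeding"]))
    print(f"mean accept time: ok {summary['mean_ok_seconds']:.3f} s, "
          f"failed {summary['mean_fail_seconds']:.3f} s")
```

On the lines from the post this reports 8 failed accepts out of 13, all "wrong version number", from six peers none of which ever completed an NTS-KE exchange, with failed accepts returning in about 0.1 s against roughly 0.5 s for completed handshakes. OpenSSL raises "wrong version number" when the first record it reads does not carry a recognised TLS record-layer version, so a sustained rate of such failures from peers that never succeed is better investigated by capturing what those clients actually send to port 123 than by lowering mintls.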

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, March 12, 2020 5:09 AM, Hal Murray <hmurray at megapathdsl.net> wrote:

> > I've resolved some firewall issues and reduced mintls to 1.2.
>
> One of the comments by reviewers was roughly "Why are you allowing TLS 1.2
> when there is nothing to be backward compatible with?"
>
> I assume you are trying to talk to a system that is still running an old
> version of OpenSSL. Do you know what distro/OS/version?
>
> --------------------
> These are my opinions. I hate spam.
