[Git][NTPsec/ntpsec][master] Fix nts ask/require description
Hal Murray
gitlab at mg.gitlab.com
Wed Apr 3 07:08:19 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
91278329 by Richard Laager at 2019-04-03T07:08:12Z
Fix nts ask/require description
The negotiation determines the NTP server, not the NTS server. The
negotiation is already occurring with the NTS server.
- - - - -
1 changed file:
- docs/includes/auth-commands.adoc
Changes:
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -68,7 +68,7 @@ The options are as follows:
+mintls+ _string_::
Set the lowest allowable TLS version to negotiate. Will be useful in
the wake of a TLS compromise. Reasonable values are _TLS1.2_ and
- _TLS1.3_ if your system supports it. 1.3 was first supported in
+ _TLS1.3_ if your system supports it. TLS 1.3 was first supported in
OpenSSL version 1.1.1.
+maxtls+ _string_::
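Review bot: minor style point on the context lines just above the change: "Will be useful in the wake of a TLS compromise" has no subject; since the paragraph is being edited anyway, "This will be useful ..." reads better. The "TLS 1.3" expansion itself is fine and matches the _TLS1.2_ / _TLS1.3_ values named in the same entry.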
@@ -100,19 +100,18 @@ The following options of the +server+ command configure NTS.
+nts+::
Use Network Time Security (NTS) for authentication. Normally,
this is all you have to do to activate the client side of NTS.
-
+ +
The hostname following the +server+ command is used as the address
of the NTS key exchange server (NTS-KE) rather than the address
of a NTP server. The NTS-KE exchange defaults to using the same
- IP Address for the NTP server.
-
- Note that the server name must match the name on the certificate.
- That is probably a FQDN rather than a short alias that you would
- probably use to talk to an internal server.
+ IP address for the NTP server.
+ +
+ Note that the +server+ hostname must match the name on the NTS-KE
+ server's certificate.
+ask+ _address_:: (not implemented)
Use Network Time Security for authentication. Ask
- for a specific NTS server, which may differ from the NTP server.
+ for a specific NTP server, which may differ from the NTS server.
Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
a URI: that is, the _address_ may be a hostname, an FQDN, an IPv4
numeric address, or an IPv6 numeric address (in square brackets).
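Review bot: the reference "RFC 3896 section 3.2.2" in the unchanged context under +ask+ looks like a digit transposition of RFC 3986 (the generic URI syntax spec, whose section 3.2.2 defines the Host component); worth correcting in the same pass. Also, the rewritten certificate note drops the hint that the name on the certificate is usually an FQDN rather than the short alias used for an internal server; that was the actionable part for someone whose +server+ line fails validation, so consider keeping a sentence to that effect.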
@@ -120,7 +119,7 @@ The following options of the +server+ command configure NTS.
+require+ _address_:: (not implemented)
Use Network Time Security for authentication and encryption.
- Require a specific NTS server, which may differ from the NTP server.
+ Require a specific NTP server, which may differ from the NTS server.
Address syntax is as for +ask+.
+noval+::
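Review bot: the NTP/NTS swap is consistent with the +ask+ hunk, but +require+ still reads "authentication and encryption" while +ask+ says only "authentication"; if the only intended difference between the two options is ask versus require, the first sentences should match, otherwise the encryption claim deserves its own explanation.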
@@ -141,16 +140,15 @@ The following options of the +server+ command configure NTS.
with their hash, as created by +openssl rehash+.
+aead+ _string_::
- Specify the prefered crypto algorithm to be used on the wire.
- The only options supported are AES_SIV_CMAC_256, AES_SIV_CMAC_384, and
- AES_SIV_CMAC_512. The server may ignore the request. See the _aead_
- option above.
-
-
-The same _aead_ algorithms are also used to encrypt cookies.
+ Specify the prefered crypto algorithm to be used on the wire.
+ The only options supported are AES_SIV_CMAC_256, AES_SIV_CMAC_384, and
+ AES_SIV_CMAC_512. The server may ignore the request. See the _aead_
+ option above.
+ +
+ The same _aead_ algorithms are also used to encrypt cookies.
The default is AES_SIV_CMAC_256. There is no config file option to
change it, but you can change it by editing the saved cookie key
- file, probably /var/lib/ntp/nts-keys. Adjust the _L:_ slot to be
+ file, probably +/var/lib/ntp/nts-keys+. Adjust the _L:_ slot to be
48 or 64 and adjust the _I:_ slots to have the right number of bytes.
Then restart the server. (All old cookies held by clients will be
rejected so their next 8 NTP requests will be ignored. They should
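Review bot: "prefered" on the re-indented line should be "preferred"; since the line is being rewritten for the AsciiDoc continuation anyway, fix the spelling in the same commit. The "+ +" continuation correctly pulls "The same _aead_ algorithms are also used to encrypt cookies." back into the +aead+ list item, which the blank lines had detached.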
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/91278329f77036f4f23802a762f80b4efd418650