[Git][NTPsec/ntpsec][master] Document mintls/maxtls.

Eric S. Raymond gitlab at mg.gitlab.com
Sun Feb 3 10:07:52 UTC 2019


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
4de4d2cd by Eric S. Raymond at 2019-02-03T10:07:20Z
Document mintls/maxtls.

- - - - -


2 changed files:

- docs/includes/assoc-options.adoc
- docs/includes/auth-commands.adoc


Changes:

=====================================
docs/includes/assoc-options.adoc
=====================================
@@ -72,38 +72,4 @@
   Specifies the version number to be used for outgoing NTP packets.
   Versions 1-4 are the choices, with version 4 the default.
 
-+nts+::
-  Use Network Time Security for authentication and encryption.
-  Request key exchange from the NTP server.  Following options
-  are revelevant only for nts peers, and are thus tagged with 'nts'.
-  that can be omitted when the option is given.
-
-+nts ask+ 'address'::
-  Use Network Time Security for authentication and encryption.  Ask
-  for a specific NTS server, which may differ from the NTP server.
-  Conforms to RFC3896 section 3.2.2 prescription for the Host part of
-  a URI: that is, the +address_ may be a hostname, a FQDN, an IPv4
-  numeric address, an IPv6 numeric addresa (in square brackets).
-  Address may have the suffix +:port+ to specify a UDP port.
-
-+nts require+ 'address'::
-  Use Network Time Security for authentication and encryption.
-  Require a specific NTS server, which may differ from the NTP server.
-  Address syntax is as for +ask+.
-
-+nts noval::
-  Do not validate the server certificate.
-
-+nts expire::
-  How long to use a secured NTP association before rekeying with the
-  NTS-KE server.
-
-+nts cert +file+::
-  Present the certificate in +file+ as our client certificate
-
-+nts ca+ +location+::
-  Use the file, or directory, specified by +location+ to
-  validate the NTS-KE server certificate.  Do not use any other CA.
-
-
 // end
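Review bot: removing the whole +nts+ block from assoc-options.adoc leaves this page with no pointer to where the per-association NTS options now live; add a one-line cross-reference to the NTS section of auth-commands.adoc (the `[[crypto]]` anchor added in this same commit) so readers of the association options still find +nts+, +ask+, +require+, +noval+, +expire+, +cert+ and +ca+. Note also that the removed text is moved verbatim rather than rewritten, so its defects travel with it: the "revelevant" and "addresa" typos, the mismatched `+address_` markup, and "RFC3896" where the URI host syntax reference is RFC 3986 (section 3.2.2, Host).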


=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -1,5 +1,7 @@
 // Authentication commands - included twice
 
+The following declarations control MAC authentication:
+
 [[controlkey]]
 +controlkey+ _key_::
   Specifies the key identifier to use with the
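Review bot: the new lead sentence "The following declarations control MAC authentication:" is a sensible framing now that NTS is documented in the same file, but the comment on the first line says this include is pulled in twice; check that the sentence and the NTS section it now precedes read correctly in both including documents, and that the new `[[crypto]]` anchor does not end up defined twice in one rendered page.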
@@ -24,10 +26,60 @@
   the ... are necessary.  Multiple +trustedkey+ lines are supported
   and trusted keys can also be specified on the command line.
 
-The authentication procedures require that both the local and remote
+The MAC authentication procedures require that both the local and remote
 servers share the same key and key identifier for this purpose,
 although different keys can be used with different servers.
 The _key_ arguments are 32-bit unsigned integers with values from 1 to
 65,535.
 
+The following command controls NTS authentication. It overrides
+normal TLS protocol negotiation, which is not usually necessary.
+
+[[crypto]]
++crypto+ [+mintls+ _version_] [+maxtls+ _version_]
+
+The options are as follows:
+
++mintls+ _number_::
+  Set the lowest allowable TLS version to negotiate. Will be useful in
+  the wake of a TLS compromise.
+
++maxtls+ _number_::
+  Set the highest allowable TLS version to negotiate. By setting
+  mintls and maxtls equal you can force the TLS version for testing.
+
+The following options of the +server+ command configure NTS.
+
++nts+::
+  Use Network Time Security for authentication and encryption.
+  Request key exchange from the NTP server.  if there is an NTS
+  key service running in the same host as the NTP server adding this
+  option is normally all you need to do.
+
++ask+ 'address'::
+  Use Network Time Security for authentication and encryption.  Ask
+  for a specific NTS server, which may differ from the NTP server.
+  Conforms to RFC3896 section 3.2.2 prescription for the Host part of
+  a URI: that is, the +address_ may be a hostname, a FQDN, an IPv4
+  numeric address, an IPv6 numeric addresa (in square brackets).
+  Address may have the suffix +:port+ to specify a UDP port.
+
++require+ 'address'::
+  Use Network Time Security for authentication and encryption.
+  Require a specific NTS server, which may differ from the NTP server.
+  Address syntax is as for +ask+.
+
++noval::
+  Do not validate the server certificate.
+
++expire::
+  How long to use a secured NTP association before rekeying with the
+  NTS-KE server.
+
++cert +file+::
+  Present the certificate in +file+ as our client certificate
+
++ca+ +location+::
+  Use the file, or directory, specified by +location+ to
+  validate the NTS-KE server certificate.  Do not use any other CA.
 // end
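Review bot: the +noval+ entry ("Do not validate the server certificate.") should state what is given up: without certificate validation the client has no way to authenticate the NTS-KE server it rekeys with, so the option is for testing only, and the text should say so next to the +ca+ entry, which otherwise assumes validation is on. Further points in the same hunk: the synopsis reads `+crypto+ [+mintls+ _version_] [+maxtls+ _version_]` while the entries below use `_number_`; pick one placeholder and document the accepted values, since "Set the lowest allowable TLS version" does not say what a version looks like here. Markup is unbalanced in `+noval::`, `+expire::` and `+cert +file+::` (compare `+ca+ +location+::`), and `+address_` mixes delimiters. "RFC3896" should read RFC 3986, "addresa" is a typo, and "if there is an NTS key service" should begin with a capital after the full stop. Finally, "Address may have the suffix +:port+ to specify a UDP port" describes the address of the NTS-KE server named by +ask+/+require+; please confirm UDP is really intended for the key-exchange endpoint rather than the NTP server.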



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/4de4d2cd6e4d1f4c17c37eecfe6b7c4ea2dfdbe8
