[Git][NTPsec/ntpsec][master] 8 commits: Fix a broken link

Matt Selsky gitlab at mg.gitlab.com
Tue Jun 25 04:12:06 UTC 2019



Matt Selsky pushed to branch master at NTPsec / ntpsec


Commits:
75a4733a by Sanjeev Gupta at 2019-06-24T04:30:58Z
Fix a broken link

- - - - -
f9638602 by Sanjeev Gupta at 2019-06-24T04:30:58Z
Some updates and syntax fixes to ntpspeak

- - - - -
b2a0c1f5 by Sanjeev Gupta at 2019-06-24T04:30:58Z
Add the include file for nts man page

- - - - -
26405f22 by Sanjeev Gupta at 2019-06-24T04:30:58Z
Update references to the GPSD project to point to new homepage

Should have done this before the 1.1.4 release :-(

- - - - -
cee3a9bd by Sanjeev Gupta at 2019-06-24T04:30:58Z
Apply suggestion to docs/includes/nts-commands.adoc
- - - - -
3f5d8949 by Sanjeev Gupta at 2019-06-24T04:30:58Z
Apply suggestion to docs/includes/nts-commands.adoc
- - - - -
7315d2a1 by Sanjeev Gupta at 2019-06-24T04:30:58Z
Apply suggestion to docs/includes/nts-commands.adoc
- - - - -
67fae2ff by Sanjeev Gupta at 2019-06-24T04:30:58Z
Apply suggestion to docs/includes/nts-commands.adoc
- - - - -


8 changed files:

- docs/asciidoc.include
- docs/driver_gpsd.adoc
- docs/driver_shm.adoc
- + docs/includes/nts-commands.adoc
- docs/index.adoc
- docs/ntpspeak.adoc
- docs/quick.adoc
- docs/rollover.adoc


Changes:

=====================================
docs/asciidoc.include
=====================================
@@ -8,7 +8,7 @@
 :project-security-list: security at ntpsec.org
 :project-bug-list: bugs at ntpsec.org
 :millshome: http://www.eecis.udel.edu/~mills/
-:GPSD: http://www.catb.org/gpsd/
+:GPSD: https://gpsd.io/
 :ntpconf: ntp.conf
 // Annoyingly, these have to be *manually* synchronized with the headers
 // on their manual pages - asciidoc doesn't expand attributes in header lines.
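Review bot: The `:GPSD:` attribute on the changed line holds the same URL that driver_gpsd.adoc, driver_shm.adoc, ntpspeak.adoc, quick.adoc and rollover.adoc spell out literally in this same push, so the next homepage move will again need a multi-file edit. Where a page already pulls in this include, consider `{GPSD}[the _GPSD_ project page]` in place of the literal URL. The literal forms are also inconsistent about the trailing slash: `https://gpsd.io/` here, `https://gpsd.io` in ntpspeak.adoc and quick.adoc.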


=====================================
docs/driver_gpsd.adoc
=====================================
@@ -16,7 +16,7 @@ become increasingly popular for UN*Xish platforms. _GPSD_ can manage
 several devices in parallel, aggregate information, and acts as a data
 hub for client applications. _GPSD_ can also auto-detect and handle PPS
 hardware signals on serial ports. Have a look at
-http://www.catb.org/gpsd/[the _GPSD_ project page].
+https://gpsd.io/[the _GPSD_ project page].
 
 *It is important to understand that this driver works best using a GPS
 device with PPS support.*


=====================================
docs/driver_shm.adoc
=====================================
@@ -82,7 +82,7 @@ discarded. This check is disabled when _flag1_ is set to 1.
 
 == GPSD
 
-http://www.catb.org/gpsd/[_GPSD_] knows how to talk to many GPS devices.
+https://gpsd.io/[_GPSD_] knows how to talk to many GPS devices.
 It can work with _ntpd_ through the SHM driver.
 
 The _GPSD_ man page suggests setting minpoll and maxpoll to 4. That was


=====================================
docs/includes/nts-commands.adoc
=====================================
@@ -0,0 +1,127 @@
+// NTS commands - included twice
+
+The following command controls NTS authentication. It overrides
+normal TLS protocol negotiation, which is not usually necessary.
+
+[[nts]]
++nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphers+ _name_] [+tlsciphersuites+ _name_]
+
+The options are as follows:
+
++cert+ _file_::
+  Present the certificate in _file_ as our certificate.
+
++key+ _file_::
+  Read the private key to our certificate from _file_.
+
++ca+ _location_::
+  Use the file, or directory, specified by _location_ to
+  validate NTS-KE server certificates instead of the system
+  default root certificates.  If a directory is specified, it
+  must have files named with their hash, as created by
+  +openssl rehash+.
+
++cookie+ _location_::
+  Use the file (or directory) specified by _location_ to
+  store the keys used to make and decode cookies.  The default
+  is _/var/lib/ntp/nts-keys_.
+
++enable+::
+  Enable NTS-KE server.
+  When enabled, +cert+ and +key+ are required.
+
++disable+::
+  Disable NTS-KE server.
+
++mintls+ _string_::
+  Set the lowest allowable TLS version to negotiate. Will be useful in
+  the wake of a TLS compromise.  Reasonable values are _TLS1.2_ and
+  _TLS1.3_ if your system supports it.  TLS 1.3 was first supported in
+  OpenSSL version 1.1.1.
+
++maxtls+ _string_::
+  Set the highest allowable TLS version to negotiate. By setting
+  +mintls+ and +maxtls+ equal, you can force the TLS version for
+  testing. Format is as for +mintls+.
+
+// https://crypto.stackexchange.com/questions/8964/sending-tls-messages-with-out-encryption-using-openssl-code
++tlsciphers+ _string_::
+   An OpenSSL cipher list to configure the allowed ciphers for TLS
+   versions up to and including TLS 1.2. A single NULL cipher disables
+   encryption and use of certificates.
+
++tlsciphersuites+ _string_::
+   An OpenSSL ciphersuite list to configure the allowed ciphersuites for
+   TLS 1.3.  A single NULL cipher disables encryption and use of certificates.
+
++aead+ _string_::
+   Specify the crypto algorithm to be used on the wire.  The choices
+   come from RFC 5297.  The only options supported are AES_SIV_CMAC_256,
+   AES_SIV_CMAC_384, and AES_SIV_CMAC_512.  This slot is dual use.
+   It is the server default if the remote client doesn't request a
+   valid choice and it is also the preference passed to the
+   remote client if the server command doesn't specify a preference.
+   The default is AES_SIV_CMAC_256.
+
+The following options of the +server+ command configure NTS (as a client).
+
++nts+::
+  Use Network Time Security (NTS) for authentication.  Normally,
+  this is all you have to do to activate the client side of NTS.
+  +
+  The hostname following the +server+ command is used as the address
+  of the NTS key exchange server (NTS-KE) rather than the address
+  of a NTP server.  The NTS-KE exchange defaults to using the same
+  IP address for the NTP server.
+  +
+  Note that the +server+ hostname must match the name on the NTS-KE
+  server's certificate.
+
++ask+ _address_:: (not implemented)
+  Use Network Time Security for authentication.  Ask
+  for a specific NTP server, which may differ from the NTS server.
+  Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
+  a URI: that is, the _address_ may be a hostname, an FQDN, an IPv4
+  numeric address, or an IPv6 numeric address (in square brackets).
+  The address may have the suffix +:port+ to specify a UDP port.
+
++require+ _address_:: (not implemented)
+  Use Network Time Security for authentication and encryption.
+  Require a specific NTP server, which may differ from the NTS server.
+  Address syntax is as for +ask+.
+
++noval+::
+  Do not validate the server certificate.
+
++expire+:: (not implemented)
+  How long to use a secured NTP association before rekeying with the
+  NTS-KE server.
+
++cert+ _file_:: (not implemented)
+  Present the certificate in _file_ as our client certificate,
+  overriding the site default.
+
++ca+ _location_::
+  Use the file, or directory, specified by _location_ to validate the
+  NTS-KE server certificate, overriding the site default.  Do not use
+  any other CA.  If a directory is specified, it must have files named
+  with their hash, as created by +openssl rehash+.
+
++aead+ _string_::
+  Specify the prefered crypto algorithm to be used on the wire.
+  The only options supported are AES_SIV_CMAC_256, AES_SIV_CMAC_384, and
+  AES_SIV_CMAC_512.  The server may ignore the request.  See the +aead+
+  option above.
+  +
+  The same +aead+ algorithms are also used to encrypt cookies.
+  The default is AES_SIV_CMAC_256.  There is no config file option to
+  change it, but you can change it by editing the saved cookie key
+  file, probably _/var/lib/ntp/nts-keys_.  Adjust the _L:_ slot to be
+  48 or 64 and adjust the _I:_ slots to have the right number of bytes.
+  Then restart the server.  (All old cookies held by clients will be
+  rejected so their next 8 NTP requests will be ignored.  They should
+  recover by retrying NTS-KE to get fresh cookies.)
+
+
+
+// end
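Review bot: The synopsis under `[[nts]]` lists only `enable|disable`, `mintls`, `maxtls`, `tlsciphers` and `tlsciphersuites`, while the option list that follows also documents `cert`, `key`, `ca`, `cookie` and `aead`; add those to the synopsis, and settle on one placeholder for the TLS version (`_version_` in the synopsis, `_string_` in the entries). In the `+ask+` entry, "RFC 3896 section 3.2.2" looks like a transposition of RFC 3986, the URI syntax RFC whose section 3.2.2 defines the Host part. "prefered" in the client-side `+aead+` entry should be "preferred". The `+noval+` entry and the two "single NULL cipher" sentences describe turning off certificate validation and encryption without saying when that is acceptable; `+maxtls+` already carries a "for testing" qualifier, and the same wording would fit those entries.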


=====================================
docs/index.adoc
=====================================
@@ -44,7 +44,7 @@ configurations utilize multiple redundant servers and diverse network
 paths in order to achieve high accuracy and reliability.
 
 For background on the problems NTP solves, see
-http://www.catb.org/gpsd/time-service-intro.html[Introduction to
+https://gpsd.io/time-service-intro.html[Introduction to
 Time Service].  This white paper discusses time source types, relative
 accuracy, relative cost, and how those figures of merit have changed
 in recent decades.


=====================================
docs/ntpspeak.adoc
=====================================
@@ -97,7 +97,8 @@ include::html.include[]
    term is used to refer not only to the original U.S. GPS system,
    but newer constellations that work on the same principles, such
    as ГЛОНАСС (the Russian GLONASS), 北斗 (the Chinese BeiDou-2),
-   and the EU's Galileo.
+   and the EU's Galileo.  Regional systems include QZSS (Japan) and
+   NavIC, earlier IRNSS (India).
 
 [[GPSDO]] GPSDO::
    GPS Disciplined Oscillator. A good crystal is synchronized to
@@ -109,7 +110,7 @@ include::html.include[]
    GPS antenna.
 
 [[GPSD]] GPSD::
-   The http://www.catb.org/gpsd[GPS Daemon], an open-source device
+   The https://gpsd.io[GPS Daemon], an open-source device
    manager for GPSes and other geodetic sensors. Frequently used as
    a clock source by Stratum 1 sites via the link:driver_shm.html[SHM]
    interface.
@@ -121,11 +122,9 @@ include::html.include[]
    incorrect time 512 weeks (9.8 years) or 1024 weeks (19.6 years) after
    it's pivot date.  There is generally no way to determine what a given
    GPS receiver's pivot date is, or to determine that it has failed in
-   this manner.
-
-   It is recommended that any critical Stratum 1 NTP server that uses
-   a GPS receiver as a refclock not use one that is more than 9 years
-   old, and to have a peer or nopeer relationship with other NTP
+   this manner.  It is recommended that any critical Stratum 1 NTP server
+   that uses a GPS receiver as a refclock not use one that is more than
+   9 years old, and to have a peer or nopeer relationship with other NTP
    servers, so as to detect when the GPS time is no longer sane.
 
 [[holdover]] holdover::
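Review bot: The rollover entry reflowed here still has two grammar problems: the context line above the change reads "it's pivot date" where the possessive "its" is meant, and the merged sentence is not parallel ("not use one that is more than 9 years old, and to have a peer or nopeer relationship"). Since the paragraph is being rewrapped anyway, suggest "its pivot date" and "... should not use one that is more than 9 years old and should have a peer or nopeer relationship with other NTP servers ...".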
@@ -176,7 +175,7 @@ include::html.include[]
    Mode 6 is a control protocol used to get various kinds of
    status information from a running ntpd and configure it on
    the fly.  So-called from the value 6 (0110) in the packet mode
-   field.  It is described in detail mode6.html[here].
+   field.  It is described in detail link:mode6.html[here].
 
 [[NIST]] NIST::
    https://www.nist.gov[National Institute of Standards and


=====================================
docs/quick.adoc
=====================================
@@ -228,7 +228,7 @@ accurate time, provided it has link:ntpspeak.html[PPS] capability.
 want check servers from the pool.)
 
 The easiest way to arrange this is by installing
-http://catb.org/gpsd[GPSD] to watch the GPS, and configuring your
+https://gpsd.io[GPSD] to watch the GPS, and configuring your
 +ntpd+ to accept time from it.  It is also possible to do this with
 native +ntpd+ drivers (nmea, trimble, oncore), though these are less
 flexible and a bit more difficult to configure.
@@ -246,7 +246,7 @@ to later.  Your PPS is likely to be more accurate than the
 in-band stream.
 
 For details on setting up the GPSD end, see the
-http://catb.org/gpsd/gpsd-time-service-howto.html[GPSD Time Service
+https://gpsd.io/gpsd-time-service-howto.html[GPSD Time Service
 HOWTO].
 
 If you are looking to set up a Stratum 1 timeserver, you may find


=====================================
docs/rollover.adoc
=====================================
@@ -186,7 +186,7 @@ inaccurate; consumer-grade hardware often has jitter of over a tenth
 of a second (100ms). On the other hand, carefully designed GPSes
 easily deliver 1ms accuracy, and some do 1000 times better than that. For
 a more detailed discussion of accuracy budgets see the
-http://www.catb.org/gpsd/time-service-intro.html[Introduction to Time
+https://gpsd.io/time-service-intro.html[Introduction to Time
 Service].
 
 Raw GPS time is not leap second corrected, but the satellite messages
@@ -246,7 +246,7 @@ reporting protocols are an awful mess.  The closest thing to a
 standard is NMEA0183, originally designed for a different purpose; it
 is poorly specified and has no standard device-control functions at
 all, let alone any for querying base and pivot dates.
-http://www.catb.org/gpsd/[GPSD], the ubiquitous open-source GPS
+https://gpsd.io/[GPSD], the ubiquitous open-source GPS
 manager daemon that shares some developers with NTPsec, works around a
 lot of the general messiness, but can't solve this problem
 because the device capabilities to address it are simply absent.



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/9570474a7b8ea255bb877bed18b9132bc0dff694...67fae2ff13a893bb5013f04643a20484af1c3bcd
