[Git][NTPsec/ntpsec][master] 5 commits: Move NTS command documentation to its own section
Gary E. Miller
gitlab at mg.gitlab.com
Wed Jun 26 16:48:33 UTC 2019
Gary E. Miller pushed to branch master at NTPsec / ntpsec
Commits:
0a43ddaa by Sanjeev Gupta at 2019-06-18T06:16:05Z
Move NTS command documentation to its own section
Was appended to Authentication commands, which are
about MAC
- - - - -
b8914b05 by Sanjeev Gupta at 2019-06-20T06:04:16Z
Move NTS command documentation to its own section
Was appended to Authentication commands, which are
about MAC
- - - - -
98394279 by Sanjeev Gupta at 2019-06-20T06:05:12Z
Merge branch 'NTSDOC' of gitlab.com:ghane/ntpsec into NTSDOC
- - - - -
af30ee89 by Sanjeev Gupta at 2019-06-26T08:04:41Z
Move NTS command documentation to its own section
Was appended to Authentication commands, which are
about MAC
- - - - -
45596db7 by Sanjeev Gupta at 2019-06-26T08:05:26Z
Merge branch 'NTSDOC' of gitlab.com:ghane/ntpsec into NTSDOC
- - - - -
4 changed files:
- docs/includes/assoc-commands.adoc
- docs/includes/auth-commands.adoc
- docs/includes/ntp-conf-body.adoc
- docs/ntp_conf.adoc
Changes:
=====================================
docs/includes/assoc-commands.adoc
=====================================
@@ -14,7 +14,7 @@ link-local IPV6 address with an interface specified in
+peer+ _address_ [+key+ _key_] [+version+ _version_] [+prefer+] [+minpoll+ _minpoll_] [+maxpoll+ _maxpoll_]
+unpeer+ ['address' | 'associd' | +clock+ 'clocktype' [ +unit+ 'unitnum']]::
- These six commands specify the time server name or address to be
+ These four commands specify the time server name or address to be
used and the mode in which to operate. The _address_ can be either a
DNS name or an IP address in dotted-quad notation. If it is a
refclock, it can be +clock+ followed by a type-unit pair as in the
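Review bot: the `-These six commands` / `+These four commands` change at the top of this hunk is a recount of the association commands in assoc-commands.adoc, which is unrelated to the stated purpose of the commit (moving the NTS documentation out of the authentication section); either mention the recount in the commit message or split it into its own commit so the history stays searchable. The visible context shows only `+peer+` and `+unpeer+`, so a reader of this diff cannot confirm that four is now the correct number; a couple more lines of context, or naming the four commands in the message, would make the change verifiable.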
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -32,128 +32,4 @@ although different keys can be used with different servers.
The _key_ arguments are 32-bit unsigned integers with values from 1 to
65,535.
-The following command controls NTS authentication. It overrides
-normal TLS protocol negotiation, which is not usually necessary.
-
-[[nts]]
-+nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphers+ _name_] [+tlsciphersuites+ _name_]
-
-The options are as follows:
-
-+cert+ _file_::
- Present the certificate in _file_ as our certificate.
-
-+key+ _file_::
- Read the private key to our certificate from _file_.
-
-+ca+ _location_::
- Use the file, or directory, specified by _location_ to
- validate NTS-KE server certificates instead of the system
- default root certificates. If a directory is specified, it
- must have files named with their hash, as created by
- +openssl rehash+.
-
-+cookie+ _location_::
- Use the file (or directory) specified by _location_ to
- store the keys used to make and decode cookies. The default
- is _/var/lib/ntp/nts-keys_.
-
-+enable+::
- Enable NTS-KE server.
- When enabled, _cert_ and _key_ are required.
-
-+disable+::
- Disable NTS-KE server.
-
-+mintls+ _string_::
- Set the lowest allowable TLS version to negotiate. Will be useful in
- the wake of a TLS compromise. Reasonable values are _TLS1.2_ and
- _TLS1.3_ if your system supports it. TLS 1.3 was first supported in
- OpenSSL version 1.1.1.
-
-+maxtls+ _string_::
- Set the highest allowable TLS version to negotiate. By setting
- +mintls+ and +maxtls+ equal, you can force the TLS version for
- testing. Format is as for +mintls+.
-
-// https://crypto.stackexchange.com/questions/8964/sending-tls-messages-with-out-encryption-using-openssl-code
-+tlsciphers+ _string_::
- An OpenSSL cipher list to configure the allowed ciphers for TLS
- versions up to and including TLS 1.2. A single NULL cipher disables
- encryption and use of certificates.
-
-+tlsciphersuites+ _string_::
- An OpenSSL ciphersuite list to configure the allowed ciphersuites for
- TLS 1.3. A single NULL cipher disables encryption and use of certificates.
-
-+aead+ _string_::
- Specify the crypto algorithm to be used on the wire. The choices
- come from RFC 5297. The only options supported are AES_SIV_CMAC_256,
- AES_SIV_CMAC_384, and AES_SIV_CMAC_512. This slot is dual use.
- It is the server default if the remote client doesn't request a
- valid choice and it is also the preference passed to the
- remote client if the server command doesn't specify a preference.
- The default is AES_SIV_CMAC_256.
-
-The following options of the +server+ command configure NTS.
-
-+nts+::
- Use Network Time Security (NTS) for authentication. Normally,
- this is all you have to do to activate the client side of NTS.
- +
- The hostname following the +server+ command is used as the address
- of the NTS key exchange server (NTS-KE) rather than the address
- of a NTP server. The NTS-KE exchange defaults to using the same
- IP address for the NTP server.
- +
- Note that the +server+ hostname must match the name on the NTS-KE
- server's certificate.
-
-+ask+ _address_:: (not implemented)
- Use Network Time Security for authentication. Ask
- for a specific NTP server, which may differ from the NTS server.
- Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
- a URI: that is, the _address_ may be a hostname, an FQDN, an IPv4
- numeric address, or an IPv6 numeric address (in square brackets).
- The address may have the suffix +:port+ to specify a UDP port.
-
-+require+ _address_:: (not implemented)
- Use Network Time Security for authentication and encryption.
- Require a specific NTP server, which may differ from the NTS server.
- Address syntax is as for +ask+.
-
-+noval+::
- Do not validate the server certificate.
-
-+expire+:: (not implemented)
- How long to use a secured NTP association before rekeying with the
- NTS-KE server.
-
-+cert+ _file_:: (not implemented)
- Present the certificate in _file_ as our client certificate,
- overriding the site default.
-
-+ca+ _location_::
- Use the file, or directory, specified by _location_ to validate the
- NTS-KE server certificate, overriding the site default. Do not use
- any other CA. If a directory is specified, it must have files named
- with their hash, as created by +openssl rehash+.
-
-+aead+ _string_::
- Specify the prefered crypto algorithm to be used on the wire.
- The only options supported are AES_SIV_CMAC_256, AES_SIV_CMAC_384, and
- AES_SIV_CMAC_512. The server may ignore the request. See the _aead_
- option above.
- +
- The same _aead_ algorithms are also used to encrypt cookies.
- The default is AES_SIV_CMAC_256. There is no config file option to
- change it, but you can change it by editing the saved cookie key
- file, probably +/var/lib/ntp/nts-keys+. Adjust the _L:_ slot to be
- 48 or 64 and adjust the _I:_ slots to have the right number of bytes.
- Then restart the server. (All old cookies held by clients will be
- rejected so their next 8 NTP requests will be ignored. They should
- recover by retrying NTS-KE to get fresh cookies.)
-
-
-
// end
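Review bot: this block is being relocated rather than deleted, so the defects it carries will survive unless they are fixed in the destination file. The `+nts+` synopsis line lists only `enable|disable`, `mintls`, `maxtls`, `tlsciphers` and `tlsciphersuites`, while the option list that follows also documents `cert`, `key`, `ca`, `cookie` and `aead`, so synopsis and option list disagree; `mintls`/`maxtls` take `_version_` in the synopsis but `_string_` in their entries; `prefered` is misspelled in the client-side `+aead+` entry; and `RFC 3896 section 3.2.2` cited for URI host syntax looks like a digit transposition of RFC 3986, the URI generic-syntax RFC. Wherever this text lands, the `+noval+` entry ("Do not validate the server certificate") should say plainly that it disables authentication of the NTS-KE server, since that certificate check is what the rest of the NTS association rests on, and the four entries marked `(not implemented)` should either be kept clearly labelled or dropped from user-facing documentation so that nobody configures them expecting an effect.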
=====================================
docs/includes/ntp-conf-body.adoc
=====================================
@@ -38,6 +38,7 @@ there are sections describing the following supported functionality and
the options used to control it:
* Authentication Support
+* NTS Support
* Monitoring Support
* Access Control Support
* Automatic NTP Configuration Options
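Review bot: the new list entry reads `* NTS Support`, but the section this push adds is headed `=== NTS Commands` and the table of contents in docs/ntp_conf.adoc links it as `NTS Commands`; the neighbouring entries (Authentication Support, Monitoring Support) each name a section whose heading matches the list text, so either title the new section `NTS Support` or make this entry match the heading, so readers can find the section by the name the overview promises.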
@@ -82,6 +83,10 @@ include::../includes/assoc-auxcommands.adoc[]
include::../includes/auth-commands.adoc[]
+=== NTS Commands
+
+include::../includes/nts-commands.adoc[]
+
[[monit]]
== Monitoring Support
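Review bot: `include::../includes/nts-commands.adoc[]` references a file that does not appear in the `4 changed files` list of this push, and the auth-commands.adoc hunk only deletes the NTS text, so as far as this push shows nothing creates docs/includes/nts-commands.adoc; either the new file was left out of the commit or it was added separately, and the asciidoc build should be checked for an unresolved include before merging. Separately, `=== NTS Commands` is a level-3 heading inserted just before the level-2 `== Monitoring Support`, so it will render as a subsection of the authentication section rather than as the peer section the overview list suggests; if the intent is a top-level section, use `==` and add an explicit anchor as `[[monit]]` does.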
=====================================
docs/ntp_conf.adoc
=====================================
@@ -20,6 +20,7 @@ include::includes/manual.adoc[]
* link:#_description[DESCRIPTION]
* link:#_configuration_support[Configuration Support]
* link:#_authentication_commands[Authentication Commands]
+* link:#_nts_commands[NTS Commands]
* link:#monit[Monitoring Support]
* link:#_access_control_support[Access Control Support]
* link:#_access_control_commands[Access Control Commands]
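Review bot: `link:#_nts_commands` relies on the id asciidoc auto-generates from the `=== NTS Commands` heading, whereas the adjacent `link:#monit` points at the explicit `[[monit]]` anchor; an auto-generated id silently changes whenever the heading text is edited (for example to `NTS Support` to match the overview list), which would leave this link dangling. Giving the new section an explicit anchor, such as the `[[nts]]` id that the removed auth-commands.adoc text already used, and linking to that keeps the table of contents stable.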
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/3b23756a75cd8d5889220947bb5605a271926b47...45596db716ebbb0a8d5587b45547d95b20776292