[Git][NTPsec/ntpsec][master] 3 commits: Doc tweaks, mostly NTS port 4460
Hal Murray
gitlab at mg.gitlab.com
Tue Aug 25 01:16:55 UTC 2020
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
a69085bb by Hal Murray at 2020-08-24T18:16:08-07:00
Doc tweaks, mostly NTS port 4460
- - - - -
6ee0210d by Hal Murray at 2020-08-24T18:16:08-07:00
Port 123 cleanups
- - - - -
4b8a0244 by Hal Murray at 2020-08-24T18:16:08-07:00
Remove unimplemented server nts options
ask, require, expire, and cert
nts cert <filename> is still needed at the top level
to specify the certificate an NTS-KE server will use.
- - - - -
9 changed files:
- HOWTO-OpenSSL
- docs/NTS-QuickStart.adoc
- docs/debug.adoc
- docs/includes/nts-commands.adoc
- include/nts.h
- libntp/decodenetnum.c
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_sandbox.c
Changes:
=====================================
HOWTO-OpenSSL
=====================================
@@ -6,9 +6,9 @@ This file contains notes on how to download, build, and install 1.1.1g
It also works for testing 3.0.0 alpha
It's rough. Don't be surprised by bugs/oversights.
-Corrections encouraged.
+Corrections, clarifications and feedback encouraged.
-OpenSSL source here:
+Download OpenSSL source from here:
https://www.openssl.org/source/
https://www.openssl.org/source/old/1.1.1/
@@ -21,14 +21,16 @@ for OpenSSL 1.1.1g
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -xzf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
-for OpenSSL 3.0.0 alpha3
- wget https://www.openssl.org/source/openssl-3.0.0-alpha3.tar.gz
- tar -xzf openssl-3.0.0-alpha3.tar.gz
- cd openssl-3.0.0-alpha3
+for OpenSSL 3.0.0 alpha6
+ wget https://www.openssl.org/source/openssl-3.0.0-alpha6.tar.gz
+ tar -xzf openssl-3.0.0-alpha6.tar.gz
+ cd openssl-3.0.0-alpha6
# Check NOTES.PERL
# for CentOS, you need
sudo yum install perl-core
+ Fedora needs
+ sudo dnf install perl-IPC-Cmd
For make test on Fedora
sudo dnf install perl-Test-Harness perl perl-Pod-Html
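Review bot: the added "Fedora needs" line is missing the leading "#" that the neighbouring "# for CentOS, you need" line uses, so the two package-prerequisite notes are now formatted inconsistently; prefix it with "#" (and indent it the same way) so it reads as the same kind of comment.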
@@ -50,5 +52,6 @@ ldconfig
# match where wscript looks for your OS.
# The above works for CentOS 7
-CentOS 7 needs this if you use real certificates:
+Fedora and CentOS 7 need this if you use real certificates:
nts ca /etc/pki/tls/certs/ca-bundle.trust.crt
+
=====================================
docs/NTS-QuickStart.adoc
=====================================
@@ -32,7 +32,7 @@ NTS is a method for using TLS/SSL to authenticate NTP traffic on the net.
That means that bad guys can't forge packets that will give your
system bogus time.
-The RFC hasn't been published yet (December 2019). Nothing has changed
+The RFC hasn't been published yet (August 2020). Nothing has changed
recently, but there may be minor adjustments when it is finalized.
Note: The NTP Pool does not currently support NTS.
@@ -45,8 +45,8 @@ spent debugging. See the link:quick.adoc[Client Quick Start Guide].
== NTS Client Configuration
Append the keyword `nts` to the end of your `server` lines. Do this only for
-servers that speak NTS. If the server uses a port other than 123 for NTS key
-exchange, you also need to specify the port number. As of December 2019, the
+servers that speak NTS. If the server uses a port other than 4460 for NTS key
+exchange, you also need to specify the port number. As of August 2020, the
following should work:
Public NTP servers supporting NTS:
@@ -56,10 +56,7 @@ server time.cloudflare.com:1234 nts # Global, anycast
server nts.ntp.se:4443 nts # Sweden
------------------------------------------------------------
-CloudFlare supports only TLS 1.3. To use TLS 1.3, you must have OpenSSL 1.1.1
-or higher.
-
-Development machines, so there may be gaps in availability:
+These are development machines, so there may be gaps in availability:
------------------------------------------------------------
server ntpmon.dcs1.biz nts # Singapore
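Review bot: dropping the "CloudFlare supports only TLS 1.3. To use TLS 1.3, you must have OpenSSL 1.1.1 or higher." paragraph removes the only statement in this file of the OpenSSL version a client needs to reach that server; if the requirement still holds, keep a one-line mention of it (or a pointer to where it is now documented) next to the server list rather than deleting it silently.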
@@ -150,30 +147,37 @@ similar to below.
As a client, you should see lines like this:
------------------------------------------------------------
-2019-03-22T08:06:33 ntpd[12915]: DNS: dns_probe: pi3.rellim.com, cast_flags:1, flags:21801
-2019-03-22T08:06:33 ntpd[12915]: NTSc: DNS lookup of pi3.rellim.com took 0.003 sec
-2019-03-22T08:06:33 ntpd[12915]: NTSc: nts_probe connecting to pi3.rellim.com:ntp => 204.17.205.23:123
-2019-03-22T08:06:34 ntpd[12915]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
-2019-03-22T08:06:34 ntpd[12915]: NTSc: certificate subject name: /CN=pi3.rellim.com
-2019-03-22T08:06:34 ntpd[12915]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-2019-03-22T08:06:34 ntpd[12915]: NTSc: certificate is valid.
-2019-03-22T08:06:34 ntpd[12915]: NTSc: read 880 bytes
-2019-03-22T08:06:34 ntpd[12915]: NTSc: Got 8 cookies, length 104, aead=15.
-2019-03-22T08:06:34 ntpd[12915]: NTSc: NTS-KE req to pi3.rellim.com took 0.882 sec, OK
+ 1 Aug 01:58:47 ntpd[43278]: DNS: dns_probe: time.cloudflare.com:1234, cast_flags:1, flags:21901
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: DNS lookup of time.cloudflare.com:1234 took 0.022 sec
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: connecting to time.cloudflare.com:1234 => 162.159.200.1:1234
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: set cert host: time.cloudflare.com
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: certificate subject name: /C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=time.cloudflare.com
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: certificate issuer name: /C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: certificate is valid.
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: Good ALPN from time.cloudflare.com:1234
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: read 750 bytes
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: Using port 123
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: Got 7 cookies, length 100, aead=15.
+ 1 Aug 01:58:47 ntpd[43278]: NTSc: NTS-KE req to time.cloudflare.com:1234 took 0.033 sec, OK
+ 1 Aug 01:58:47 ntpd[43278]: DNS: dns_check: processing time.cloudflare.com:1234, 1, 21901
+ 1 Aug 01:58:47 ntpd[43278]: DNS: Server taking: 162.159.200.1
+ 1 Aug 01:58:47 ntpd[43278]: DNS: dns_take_status: time.cloudflare.com:1234=>good, 0
------------------------------------------------------------
For initializing a server, you should see lines like this:
------------------------------------------------------------
-27 Dec 12:03:47 ntpd[962738]: INIT: OpenSSL 1.1.1d FIPS 10 Sep 2019, 1010104f
-27 Dec 12:03:47 ntpd[962738]: NTSs: starting NTS-KE server listening on port 123
-27 Dec 12:03:47 ntpd[962738]: NTSs: loaded certificate (chain) from /etc/ntp/fullchain.pem
-27 Dec 12:03:47 ntpd[962738]: NTSs: loaded private key from /etc/ntp/privkey.pem
-27 Dec 12:03:47 ntpd[962738]: NTSs: Private Key OK
-27 Dec 12:03:47 ntpd[962738]: NTSs: OpenSSL security level is 1
-27 Dec 12:03:47 ntpd[962738]: NTSs: listen4 worked
-27 Dec 12:03:47 ntpd[962738]: NTSs: listen6 worked
-27 Dec 12:03:47 ntpd[962738]: NTSc: Using system default root certificates.
+11 Aug 12:24:12 ntpd[789]: INIT: OpenSSL 1.1.1g FIPS 21 Apr 2020, 1010107f
+11 Aug 12:24:12 ntpd[789]: NTSs: starting NTS-KE server listening on port 4460
+11 Aug 12:24:12 ntpd[789]: NTSs: OpenSSL security level is 1
+11 Aug 12:24:12 ntpd[789]: NTSs: starting NTS-KE server listening on port 4460
+11 Aug 12:24:12 ntpd[789]: NTSs: listen4 worked
+11 Aug 12:24:12 ntpd[789]: NTSs: listen6 worked
+11 Aug 12:24:12 ntpd[789]: NTSc: Using system default root certificates.
+11 Aug 12:24:12 ntpd[789]: NTSs: loaded certificate (chain) from /etc/ntp/fullchain.pem
+11 Aug 12:24:12 ntpd[789]: NTSs: loaded private key from /etc/ntp/privkey.pem
+11 Aug 12:24:12 ntpd[789]: NTSs: Private Key OK
------------------------------------------------------------
On a server, each time a client uses TLS to setup cookies,
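Review bot: the replacement server-startup sample contains "NTSs: starting NTS-KE server listening on port 4460" twice (once before and once after the "OpenSSL security level" line). Either the sample was pasted with a duplicate, in which case drop one copy, or ntpd really logs it twice on startup, in which case the text should say so, since a reader comparing their log against this sample will otherwise wonder whether they have two listeners.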
@@ -181,8 +185,7 @@ you should see lines like these. If all goes well, there is a single
line for each connection.
------------------------------------------------------------
- 1 Dec 22:42:21 ntpd[237777]: NTSs: NTS-KE from 192.168.1.71:43560, Using TLSv1.3, TLS_CHACHA20_POLY1305_SHA256 (256), took 0.018 sec
- 1 Dec 22:42:56 ntpd[237777]: NTSs: NTS-KE from 192.168.1.61:33930, Using TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 (256), took 0.075 sec
+11 Aug 12:29:38 ntpd[789]: NTSs: NTS-KE from 64.139.1.69:49253, Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256), took 0.437 sec
------------------------------------------------------------
Servers on the big bad internet will get a lot of garbage connections.
@@ -198,7 +201,8 @@ The common cases produce a single line. Less common cases will have additional
reporting them back to the server.
The logging prefix *NTSs* is for the NTS server component. The *NTSc*
-component is for the NTS client part, where you are talking to NTS servers.
+component is for the NTS client part, where your +ntpd+ is talking
+to other NTS servers.
=== Check with ntpq
=====================================
docs/debug.adoc
=====================================
@@ -35,13 +35,12 @@ requires reference to the sources. However, a single +-d+ does produce
only mildly cryptic output and can be very useful in finding problems
with configuration and network troubles.
-Some problems are immediately apparent when the daemon first starts
-running. The most common of these are the lack of a UDP port for NTP
-(123) in the Unix +/etc/services+ file (or equivalent in some systems).
-*Note that NTP requires port 123 for both source and destination ports.*
-These facts should be pointed out to firewall administrators.
-If you are using link:authentic.html#nts[NTS], you also need to
-add an entry for TCP port 123.
+Any Firewall needs to allow NTP traffic.
+The server side of +ntpd+ listens on UDP port 123. The client side
+also sends from port 123 but not all implementations do that
+and +ntpq+ sends from system assigned ports.
+If you are running an link:authentic.html#nts[NTS] server, you also
+need to allow TCP port 4460.
Other problems are apparent in the system log, which ordinarily shows
the startup banner, some cryptic initialization data and the computed
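Review bot: the new firewall paragraph only says an NTS server must allow TCP port 4460, but the NTS-QuickStart hunk in this same push says a client uses port 4460 for key exchange by default, so an NTS client behind an outbound-filtering firewall also needs TCP 4460 (or the explicit port given on the server line) allowed outbound; add a sentence to that effect. Also "Any Firewall needs" should be lower-case "firewall", and "also sends from port 123 but not all implementations do that" wants a comma before "but".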
@@ -61,7 +60,7 @@ problems reported to the NTP newsgroup are not NTP problems, but
problems with the network or firewall configuration.
If you use GPS, and your time is off by 19 years, you may have been
-bitten by the GPS rollover bug.
+bitten by the GPS 1024 week number rollover bug - WNRO.
Please see link:rollover.html[Rollover issues in time sources]
== Verifying Correct Operation
@@ -227,14 +226,15 @@ If the +ntpq+ or program does not show that messages are being
received by the daemon or that received messages do not result in
correct synchronization, verify the following:
-1. Verify the +/etc/services+ file host machine has an entry for 123/udp.
-If you are using NTS, you must also have an entry for 123/tcp.
-
-2. Check the system log for +ntpd+ messages about configuration errors,
+1. Check the system log for +ntpd+ messages about configuration errors,
name-lookup failures or initialization problems. Common system log
messages are summarized on the link:msyslog.html[+ntpd+ System Log
-Messages] page. Check to be sure that only one copy of +ntpd+ is
-running.
+Messages] page. If you specify a log file, be sure to check in
+your main syslog file (and be sure it logs entries from ntpd) since
+some of the errors are logged before it switches to the specified
+log file.
+
+2. Check to be sure that only one copy of +ntpd+ is running.
3. Verify using +ping+ or other utility that packets actually do make
the round trip between the client and server. Verify using +dig+,
=====================================
docs/includes/nts-commands.adoc
=====================================
@@ -73,30 +73,9 @@ The following options of the +server+ command configure NTS (as a client).
Note that the +server+ hostname must match the name on the NTS-KE
server's certificate.
-+ask+ _address_:: (not implemented)
- Use Network Time Security for authentication. Ask
- for a specific NTP server, which may differ from the NTS server.
- Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
- a URI: that is, the _address_ may be a hostname, an FQDN, an IPv4
- numeric address, or an IPv6 numeric address (in square brackets).
- The address may have the suffix +:port+ to specify a UDP port.
-
-+require+ _address_:: (not implemented)
- Use Network Time Security for authentication and encryption.
- Require a specific NTP server, which may differ from the NTS server.
- Address syntax is as for +ask+.
-
+noval+::
Do not validate the server certificate.
-+expire+:: (not implemented)
- How long to use a secured NTP association before rekeying with the
- NTS-KE server.
-
-+cert+ _file_:: (not implemented)
- Present the certificate in _file_ as our client certificate,
- overriding the site default.
-
+ca+ _location_::
Use the file, or directory, specified by _location_ to validate the
NTS-KE server certificate, overriding the site default. Do not use
=====================================
include/nts.h
=====================================
@@ -100,11 +100,8 @@ uint16_t next_bytes(BufCtl* buf, uint8_t *data, int length);
* All are optional.
* part of peer struct */
struct ntscfg_t {
- char *server; /* desired server; default is same as NTS-KE server */
char *ca; /* root/trusted certificates */
- char *cert; /* client certificate */
char *aead; /* AEAD algorithms on wire */
- uint32_t expire;
};
/* Client-side state per connection to server */
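Review bot: removing the server, cert and expire members from struct ntscfg_t only touches the config-parsing uses shown in this diff; any other reader of nts_cfg.server, nts_cfg.cert or nts_cfg.expire (for example in the NTS client code that builds the NTS-KE request) is not in this patch and would now fail to compile, so please confirm a full build was done, and note in the commit message that the NTS-KE server name now always comes from the +server+ hostname since there is no longer a separate "desired server" field.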
=====================================
libntp/decodenetnum.c
=====================================
@@ -10,6 +10,7 @@
#include <netdb.h>
#include <netinet/in.h>
+#include "ntp.h"
#include "ntp_stdlib.h"
#include "ntp_assert.h"
@@ -131,7 +132,7 @@ decodenetnum(
either the IP address or the port is well-formed, but at
least they're unambiguously delimited from each other.
Let getaddrinfo() perform all further validation. */
- retcode = getaddrinfo(ip, port_start == NULL ? "123" : port_start,
+ retcode = getaddrinfo(ip, port_start == NULL ? NTP_PORTA : port_start,
&hints, &ai);
if(retcode) {
return retcode;
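Review bot: getaddrinfo() takes its service argument as a const char *, so NTP_PORTA has to be a string literal (like the "123" it replaces) rather than the numeric port macro; the new #include "ntp.h" is presumably where it comes from, so it would help to say in the commit message that NTP_PORTA is the string form and that ntp_stdlib.h does not already pull in ntp.h, to avoid a duplicate include.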
=====================================
ntpd/keyword-gen.c
=====================================
@@ -198,10 +198,7 @@ struct key_tok ntp_keywords[] = {
{ "drop", T_Drop, FOLLBY_TOKEN },
/* NTS */
{ "nts", T_Nts, FOLLBY_TOKEN },
-{ "ask", T_Ask, FOLLBY_STRING },
-{ "require", T_Require, FOLLBY_STRING },
{ "noval", T_Noval, FOLLBY_TOKEN },
-{ "expire", T_Expire, FOLLBY_TOKEN },
{ "cert", T_Cert, FOLLBY_TOKEN },
{ "ca", T_Ca, FOLLBY_TOKEN },
{ "mintls", T_Mintls, FOLLBY_TOKEN },
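Review bot: the "cert" keyword is kept here (it is still needed for the top-level "nts cert" form per the commit message) while the matching "case T_Cert:" in create_peer_node() is removed in ntp_config.c; that means "server ... nts cert <file>" will still lex as a valid token but fall through to whatever create_peer_node() does for an unrecognised option, so please check that this produces a clear "not a server option" error rather than being silently ignored.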
=====================================
ntpd/ntp_config.c
=====================================
@@ -627,10 +627,6 @@ create_peer_node(
}
break;
- case T_Expire:
- my_node->ctl.nts_cfg.expire = option->value.u;
- break;
-
case T_Aead:
my_node->ctl.nts_cfg.aead = option->value.s;
break;
@@ -639,10 +635,6 @@ create_peer_node(
my_node->ctl.nts_cfg.ca = option->value.s;
break;
- case T_Cert:
- my_node->ctl.nts_cfg.cert = option->value.s;
- break;
-
case T_Minpoll:
if (option->value.i < NTP_MINPOLL ) {
msyslog(LOG_INFO,
@@ -710,16 +702,6 @@ create_peer_node(
my_node->ctl.bias = option->value.d;
break;
- case T_Ask:
- my_node->ctl.flags |= FLAG_NTS_ASK;
- my_node->ctl.nts_cfg.server = estrdup(option->value.s);
- break;
-
- case T_Require:
- my_node->ctl.flags |= FLAG_NTS_REQ;
- my_node->ctl.nts_cfg.server = estrdup(option->value.s);
- break;
-
#ifdef REFCLOCK
case T_Path:
my_node->ctl.path = estrdup(option->value.s);
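Review bot: this hunk removes the only visible uses of FLAG_NTS_ASK and FLAG_NTS_REQ, but no hunk in this push removes their definitions, and the grammar rules that produced T_Ask, T_Require and T_Expire (ntp_parser.y) are not in the diff either; the flag macros should be deleted along with their uses, and the parser rules need the same cleanup as keyword-gen.c or the generated parser will reference tokens that no longer exist.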
=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -492,6 +492,7 @@ int scmp_sc[] = {
void CheckFreeBSDdroproot(uid_t uid) {
/* This checks that mac_ntpd.ko is loaded.
* It defaults to 123 and enabled, aka what we want.
+ * (That 123 is a user number, not a port number.)
* We could also check security.mac.ntpd.enabled.
*/
uid_t need;
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/3f7f795b9dae35bf11cf93a58eb487fb5ba77b49...4b8a024454390b94f8340a7edca4eeb298e0733e