[Git][NTPsec/ntpsec][master] 4 commits: Tweak certificate printout to include SAN:DNS
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Mon Aug 1 09:42:33 UTC 2022
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
c0c6ac09 by Hal Murray at 2022-07-17T07:03:44-07:00
Tweak certificate printout to include SAN:DNS
- - - - -
26ba857f by Hal Murray at 2022-07-24T15:01:11-07:00
Change refid from DNS to DNS4/DNS6 when DNS works.
You will see them in ntpq -p after DNS works until NTP works.
Same for NTS4 and NTS6.
- - - - -
a5f6bf40 by Hal Murray at 2022-07-24T17:12:10-07:00
Partial fix for #707
Needs more work. There are 3 types of NTPv1 requests.
mode == 0 (unspecified) This is what the RFC calls for.
mode == Client Nonstandard, but works.
mode == sym-active I don't understand this case.
- - - - -
d0915e05 by Hal Murray at 2022-07-30T20:59:53-07:00
rawstats cleanup, fix #733
It now logs packets that are not used, with their BOGON code.
This lets you see packets that take too long.
- - - - -
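The rawstats change above (commit d0915e05) logs one dropped response per request together with its BOGON code, and, per the comment added to record_raw_stats() further down, the t1 field is the local send time rather than the packet's origin field, which makes the round trip recoverable from the log line. The following parser is an added example, not part of this push or of NTPsec: it reads the new 20-field line using the sample from the updated mon-commands.adoc, decodes the trailing flag with the bit values visible in include/ntp.h and docs/decode.adoc, and shows why that sample tripped BOGON14. Assumptions are labelled in the code: the BOGON1..BOGON3 bit values (0x0001..0x0004, following the ntp.h one-bit-per-test pattern; their meanings are taken from handle_procpkt()), and the 1.5 s maxdist default used only for the illustrative verdict.

```python
"""Parse the extended rawstats line from this push and decode its BOGON flag.

Added example, not NTPsec code.  Flag values for BOGON5..BOGON7 and
BOGON10..BOGON14 are those in include/ntp.h in this diff; BOGON1..BOGON3
values are ASSUMED to follow the same pattern (0x0001, 0x0002, 0x0004).
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

BOGON_BITS = {
    0x0001: ("BOGON1", "duplicate or unsolicited reply"),        # assumed value
    0x0002: ("BOGON2", "origin timestamp does not match ours"),  # assumed value
    0x0004: ("BOGON3", "origin timestamp is zero"),              # assumed value
    0x0010: ("BOGON5", "bad authentication"),
    0x0020: ("BOGON6", "bad synch or stratum"),
    0x0040: ("BOGON7", "bad header"),
    0x0200: ("BOGON10", "peer bad synch or stratum"),
    0x0400: ("BOGON11", "peer distance exceeded"),
    0x0800: ("BOGON12", "peer synchronization loop"),
    0x1000: ("BOGON13", "peer unreachable"),
    0x2000: ("BOGON14", "response took too long"),
}


@dataclass(frozen=True)
class RawStat:
    mjd: int
    seconds: Decimal
    src: str
    dst: str
    t1: Decimal   # originate: the local send time (see record_raw_stats comment)
    t2: Decimal   # server receive
    t3: Decimal   # server transmit
    t4: Decimal   # local receive
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    rootdelay: Decimal
    rootdisp: Decimal
    refid: str
    outcount: int  # packets sent without reply
    bogons: int    # rejected responses since last request (this one included)
    flag: int      # 0 if accepted, otherwise the BOGON bit that rejected it

    @property
    def accepted(self) -> bool:
        return self.flag == 0

    @property
    def round_trip(self) -> Decimal:
        """Wire delay with the server's own processing time removed."""
        return (self.t4 - self.t1) - (self.t3 - self.t2)

    def bogon_names(self) -> list[str]:
        """Names of every bit set in flag; unknown bits are reported raw."""
        names, remaining, bit = [], self.flag, 1
        while remaining:
            if remaining & bit:
                names.append(BOGON_BITS.get(bit, (f"bit 0x{bit:04x}",))[0])
                remaining &= ~bit
            bit <<= 1
        return names


def parse_rawstats_line(line: str) -> RawStat:
    """Parse one line in the 20-field format introduced by this push."""
    f = line.split()
    if len(f) != 20:
        raise ValueError(f"expected 20 fields (new rawstats format), got {len(f)}")
    return RawStat(
        mjd=int(f[0]), seconds=Decimal(f[1]), src=f[2], dst=f[3],
        t1=Decimal(f[4]), t2=Decimal(f[5]), t3=Decimal(f[6]), t4=Decimal(f[7]),
        leap=int(f[8]), version=int(f[9]), mode=int(f[10]), stratum=int(f[11]),
        poll=int(f[12]), precision=int(f[13]),
        rootdelay=Decimal(f[14]), rootdisp=Decimal(f[15]), refid=f[16],
        outcount=int(f[17]), bogons=int(f[18]), flag=int(f[19], 16),
    )


# The sample line from the updated docs/includes/mon-commands.adoc in this push.
SAMPLE = ("59786 36302.768 2610:20:6f15:15::27 2604:a880:1:20::17:5001 "
          "3867818701.119346355 3867818701.152009264 3867818701.152010426 "
          "3867818702.768490825 0 3 4 1 13 -29 0.000244 0.000488 .NIST. 0 1 2000")


def explain(line: str, maxdist: Decimal = Decimal("1.5")) -> str:
    """One-line verdict.  The 1.5 s default for maxdist is an ASSUMPTION
    (classic ntpd default for sys_maxdist); pass the configured value."""
    r = parse_rawstats_line(line)
    verdict = "accepted" if r.accepted else "dropped: " + ",".join(r.bogon_names())
    slow = "" if r.round_trip <= maxdist else (
        f" (round trip {r.round_trip}s > maxdist {maxdist}s)")
    return f"{r.src} refid={r.refid} rtt={r.round_trip}s {verdict}{slow}"


if __name__ == "__main__":
    print(explain(SAMPLE))
```

Run as a script it prints the verdict for the sample line, whose 2000 flag decodes to BOGON14 and whose recovered round trip is about 1.65 s; for real logs pass the configured maxdist and remember that on a dropped-packet line the bogons column is always 1, because only the first rejection per request is written.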
8 changed files:
- NEWS.adoc
- docs/decode.adoc
- docs/includes/mon-commands.adoc
- include/ntp.h
- include/ntpd.h
- ntpd/ntp_proto.c
- ntpd/ntp_util.c
- ntpd/nts_client.c
Changes:
=====================================
NEWS.adoc
=====================================
@@ -12,6 +12,13 @@ on user-visible changes.
== Reposatory Head ==
+rawstats now logs dropped packets and their BOGON code
+ Only one per request to avoid DoSing the log file
+ This lets you see packets that take too long.
+
+Add 4 or 6 to DNS/NTS RefID tags to indicate that the
+DNS or NTS-KE has succeeded but NTP has not worked yet.
+
Add --enable-attic (default off)
Works with OpenSSL 3.0
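Review bot: the NEWS entry omits two user-visible changes that are in this same push. include/ntp.h lowers NTP_OLDVERSION from 2 to 1 (the partial fix for #707), so ntpd now answers NTPv1 requests, and record_raw_stats() appends two fields to every rawstats line (dropped-packet count and BOGON flag), which breaks any consumer that checks the column count. Both belong here under the head section. "Reposatory" in the context line is also misspelled; fix it in a follow-up.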
=====================================
docs/decode.adoc
=====================================
@@ -244,6 +244,7 @@ It consists of a number of bits coded in hexadecimal as follows:
| +0400+ | BOGON11 | +peer_dist+ | distance threshold exceeded
| +0800+ | BOGON12 | +peer_loop+ | synchronization loop
| +1000+ | BOGON13 | +peer_unreach+ | unreachable or nonselect
+| +2000+ | BOGON14 | +pkt_oldpkt+ | response took too long
|==============================================================================
The "Tag" field is the name the source code uses for the status bit.
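Review bot: this table needs to match the ntp.h hunk in the same push, which renames BOGON8/BOGON9 to BOGON8x/BOGON9x and removes them from PKT_BOGON_MASK: the 0080 and 0100 rows (outside this hunk's context) should say those bits are no longer set, otherwise readers will decode stale values. The new BOGON14 row reuses the tag pkt_oldpkt, and in ntp_proto.c the BOGON14 path still does `peer->oldpkt++` exactly as the BOGON1 path does; if "took too long" is meant to be distinguishable from "duplicate", give it its own tag and counter.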
@@ -266,8 +267,13 @@ and implementation. Following is the current list:
| +RATE+ | rate exceeded
| +TIME+ | association timeout
| +STEP+ | step time change
-| +DNS+ | DNS lookup in progress
-| +NTS+ | NTS key exchange in progress
+| +DNS+ | Waiting for DNS lookup
+| +DNS4+, +DNS6+ | DNS lookup succeeded, no NTP response yet
+| +NTS+ | Waiting for NTS key exchange
+| +NTS4+, +NTS6+ | NTS-KE succeeded, no NTP response yet
|==================================================================
+The +4+ or +6+ in the 4th position indicates that the +DNS+ or +NTS-KE+
+resulted in an +IPv4+ or +IPv6+ address.
+
include::includes/footer.adoc[]
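Review bot: the table should also cover the fallback in dns_take_server() from this push: when the resolved address is neither AF_INET nor AF_INET6 the default case leaves the tag as "DNS?" or "NTS?", which is not listed here. Either document the "?" form or drop the default case so the only possible tags are DNS4/DNS6/NTS4/NTS6.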
=====================================
docs/includes/mon-commands.adoc
=====================================
@@ -119,42 +119,48 @@ show the offset, delay, dispersion and RMS jitter, all in seconds.
form to the file generation set named _rawstats_:
+
---------------------------------------------------------------------------------
-56285 54575.160 128.4.1.1 192.168.1.5 3565350574.400229473
- 3565350574.442385200 3565350574.442436000
- 3565350575.154505763 0 4 4 1 8 -21 0.000000 0.000320
- PPS 0
+59786 36302.768 2610:20:6f15:15::27 2604:a880:1:20::17:5001 3867818701.119346355 3867818701.152009264 3867818701.152010426 3867818702.768490825 0 3 4 1 13 -29 0.000244 0.000488 .NIST. 0 1 2000
---------------------------------------------------------------------------------
+
[width="100%"]
|==============================================================================
|Item |Units |Description
-|56285 |MJD |date
-|54575.160 |s |time past midnight
-|128.4.1.1 |IP |source address
-|192.168.1.5 |IP |destination address
-|3565350574.400229473|NTP s |origin timestamp
-|3565350574.442385200|NTP s |receive timestamp
-|3565350574.442436000|NTP s |transmit timestamp
-|3565350575.154505763|NTP s |destination timestamp
+|59786 |MJD |date
+|36302.768 |s |time past midnight
+|2610:20:6f15:15::27 |IP |source address
+|2604:a880:1:20::17:5001 |IP |destination address
+|3867818701.119346355|NTP s |origin timestamp
+|3867818701.152009264|NTP s |receive timestamp
+|3867818701.152010426|NTP s |transmit timestamp
+|3867818702.768490825|NTP s |destination timestamp
|0 |0: OK, 1: insert pending, 2: delete pending, 3: not synced |leap warning indicator
-|4 |4 was current in 2012 |NTP version
+|3 |4 was current in 2012 |NTP version
|4 |3: client, 4: server, 6: ntpq |mode
|1 |1-15, 16: not synced |stratum
-|8 |log~2~ seconds |poll
-|-21 |log~2~ seconds |precision
-|0.000000 |seconds |total roundtrip delay from the remote server to the primary reference clock
-|0.000320 |seconds |total dispersion from the remote server to the primary reference clock
-|.PPS. |IP or text |refid, association ID
+|13 |log~2~ seconds |poll
+|-29 |log~2~ seconds |precision
+|0.000244 |seconds |total roundtrip delay from the remote server to the primary reference clock
+|0.000488 |seconds |total dispersion from the remote server to the primary reference clock
+|.NIST. |IP or text |refid, association ID
| 0 |integer |lost packets since last response
+| 1 |integer |dropped packets since last request
+| 2000 |hex integer |0 if packet accecpted, BOGON flag if packet is discarded
|==============================================================================
+
The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight). The next two fields show
-the remote peer or clock identification followed by the local address in
-dotted-quad notation. The final four fields show the originate,
+the remote IP Address followed by the local address.
+The next four fields show the originate,
receive, transmit and final NTP timestamps in order. The timestamp
values are as received and before processing by the various data
smoothing and mitigation algorithms.
++
+A packet that is accecpted is logged.
+At most the first dropped packet per request is logged.
+That avoids DDoSing the log file.
++
+The BOGON flags are decoded link:decode.html#flash[here].
+
+
+sysstats+;;
Enables recording of ntpd statistics counters on a periodic basis.
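Review bot: "accecpted" is misspelled twice in this hunk (the last table row and the paragraph after the table), and "DDoSing the log file" should be "DoSing"; nothing distributed is involved. The NTP version row now shows the sample value 3 next to the old note "4 was current in 2012", which reads as a contradiction; drop the note or say "3 or 4". The description "dropped packets since last request" needs sharpening to match rawstats_filter(): only the first rejected response per request is logged, so on a dropped-packet line the value is always 1, while on an accepted-packet line it is the number of rejected responses received since the last transmit (peer->bogons is zeroed in peer_xmit()). It would also help to say that the sample line, flag 2000, is itself a discarded packet (BOGON14, response took too long), and to warn that existing rawstats consumers must be updated for the two extra trailing fields.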
=====================================
include/ntp.h
=====================================
@@ -60,7 +60,7 @@ void ntp_RAND_priv_bytes(unsigned char *buf, int num);
* NTP protocol parameters. See section 3.2.6 of the specification.
*/
#define NTP_VERSION 4 /* current version number */
-#define NTP_OLDVERSION 2 /* oldest credible version */
+#define NTP_OLDVERSION 1 /* oldest credible version: see #707 */
#define NTP_PORT 123 /* included for non-unix machines */
#define NTP_PORTA "123" /* or unix without /etc/services */
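Review bot: lowering NTP_OLDVERSION to 1 changes what the daemon answers on the wire, and the commit message calls it a partial fix with a mode == sym-active case the author does not understand; that deserves a NEWS line and a test that sends a v1 request with mode 0 and checks the reply, so the remaining #707 work has a baseline. Issue numbers age badly in header comments; state the reason (real NTPv1 client traffic, per the fast_xmit() comment in this push) alongside the reference.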
@@ -210,15 +210,16 @@ struct peer_ctl {
#define BOGON5 0x0010 /* bad authentication */
#define BOGON6 0x0020 /* bad synch or stratum */
#define BOGON7 0x0040 /* bad header */
-#define BOGON8 0x0080 /* bad autokey */
-#define BOGON9 0x0100 /* bad crypto */
+#define BOGON8x 0x0080 /* bad autokey -- not used */
+#define BOGON9x 0x0100 /* bad crypto -- not used */
+#define BOGON14 0x2000 /* response took too long */
#define PKT_BOGON_MASK (BOGON1 | BOGON2 | BOGON3 | BOGON4 | BOGON5 |\
- BOGON6 | BOGON7 | BOGON8 | BOGON9)
+ BOGON6 | BOGON7 | BOGON14)
/*
* Peer errors
*/
#define BOGON10 0x0200 /* peer bad synch or stratum */
-#define BOGON11 0x0400 /* peer distance exceeded */
+#define BOGON11 0x0400 /* peer distance exceeded */
#define BOGON12 0x0800 /* peer synchronization loop */
#define BOGON13 0x1000 /* peer unreacable */
#define PEER_BOGON_MASK (BOGON10 | BOGON11 | BOGON12 | BOGON13)
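Review bot: BOGON8x and BOGON9x are dead definitions after this change; if nothing references them, delete them and leave a one-line comment that 0x0080 and 0x0100 are retired, so the numbering in decode.adoc stays explicable without keeping macros nobody can use. The BOGON11 line is a whitespace-only change that does not belong in a functional commit, and "peer unreacable" in the context is a typo for a follow-up.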
@@ -310,12 +311,15 @@ struct peer {
double jitter; /* peer jitter (squares) */
double disp; /* peer dispersion */
+ unsigned int outcount; /* packets sent without reply */
+ unsigned int bogons; /* bogus packets recvd since last xmit */
+
+ unsigned long update; /* receive epoch */
/*
* End of clear-to-zero area
*/
- unsigned int outcount; /* packets sent without reply */
- unsigned long update; /* receive epoch */
#define end_clear_to_zero update
+
int unreach; /* watchdog counter */
int throttle; /* rate control */
uptime_t outdate; /* send time last packet */
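Review bot: moving outcount above the "End of clear-to-zero area" comment changes the behaviour of peer_clear(): outcount was previously the first field after the cleared region (end_clear_to_zero is update, and update still marks the end), so it survived a clear, whereas now it is zeroed together with the new bogons counter. If that is intended (a cleared peer arguably has no outstanding request), say so in the commit message; if not, put outcount back below the comment and keep only bogons in the cleared region. The added blank lines are noise either way.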
=====================================
include/ntpd.h
=====================================
@@ -223,11 +223,12 @@ extern void record_loop_stats (double, double, double, double, int);
extern void record_clock_stats (struct peer *, const char *);
extern int mprintf_clock_stats(struct peer *, const char *, ...)
NTP_PRINTF(2, 3);
-extern void record_raw_stats (struct peer *,
- int leap, int version, int mode, int stratum,
- int ppoll, int precision, double root_delay,
- double root_dispersion, refid_t refid,
- unsigned int outcount);
+extern void record_raw_stats (
+ struct peer *peer,
+ struct recvbuf *rbufp,
+ unsigned int flag,
+ unsigned int outcount);
+
extern void record_ref_stats(
const struct peer *peer,
int n, /* Number of samples */
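Review bot: record_raw_stats() only reads from the receive buffer, so declare the parameter `const struct recvbuf *rbufp` here and in the definition in ntp_util.c, to document that the logging path cannot modify the packet. The extra blank line after the prototype is unneeded.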
=====================================
ntpd/ntp_proto.c
=====================================
@@ -315,10 +315,10 @@ parse_packet(
rbufp->extens_present = false;
rbufp->ntspacket.valid = false;
- if(PKT_VERSION(pkt->li_vn_mode) > 4) {
+ if(PKT_VERSION(pkt->li_vn_mode) > NTP_VERSION) {
/* Unsupported version */
return false;
- } else if(PKT_VERSION(pkt->li_vn_mode) == 4) {
+ } else if(PKT_VERSION(pkt->li_vn_mode) == MODE_SERVER) {
/* Only version 4 packets support extensions. */
/* But they also support shared key authentication. */
if (recv_length > (LEN_PKT_NOMAC+MAX_MAC_LEN)) {
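Review bot: `PKT_VERSION(pkt->li_vn_mode) == MODE_SERVER` compares a version number with a mode constant; it only works because MODE_SERVER and NTP_VERSION both happen to be 4. The line above correctly switched to NTP_VERSION, so this one should read `} else if(PKT_VERSION(pkt->li_vn_mode) == NTP_VERSION) {`. As written, anyone changing either constant silently changes which packets get extension-field parsing.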
@@ -458,43 +458,73 @@ static bool check_early_restrictions(
PKT_VERSION(rbufp->recv_buffer[0]) != NTP_VERSION));
}
+/* rawstats_filter
+ * Don't print all rejectioned packets or we could get DoSed.
+ * Print the packet we use.
+ * Print the first rejection.
+ * In particular, we get to see why a response is rejected.
+ * Took-too-long, BOGON14 is common.
+ * This lets us see how long it did take.
+ */
+static void rawstats_filter(
+ struct peer *peer,
+ struct recvbuf *rbufp,
+ unsigned int flag,
+ unsigned int outcount) {
+ peer->flash |= flag;
+ peer->bogons += 1;
+ if (peer->bogons > 1) {
+ /* only print one bogon */
+ return;
+ }
+ record_raw_stats(peer, rbufp, flag, outcount);
+#if 0
+ record_raw_stats(peer,
+ PKT_LEAP(rbufp->pkt.li_vn_mode),
+ PKT_VERSION(rbufp->pkt.li_vn_mode),
+ PKT_MODE(rbufp->pkt.li_vn_mode),
+ PKT_TO_STRATUM(rbufp->pkt.stratum),
+ rbufp->pkt.ppoll, rbufp->pkt.precision,
+ rbufp->pkt.rootdelay, rbufp->pkt.rootdisp,
+ /* FIXME: this cast is disgusting */
+ *(const uint32_t*)rbufp->pkt.refid,
+ outcount);
+#endif
+}
+/* Handle MODE_SERVER, replies to our requests.
+ * Authentication done upstream.
+ */
static void
handle_procpkt(
struct recvbuf *rbufp,
struct peer *peer
)
{
- int outcount = peer->outcount;
+ unsigned int outcount = peer->outcount;
peer->flash &= ~PKT_BOGON_MASK;
/* Duplicate detection */
if(rbufp->pkt.xmt == peer->xmt) {
- peer->flash |= BOGON1;
+ rawstats_filter(peer, rbufp, BOGON1, outcount);
+ peer->oldpkt++;
+ return;
+ }
+ if(outcount == 0) {
+ rawstats_filter(peer, rbufp, BOGON1, outcount);
peer->oldpkt++;
return;
}
/* Origin timestamp validation */
- if(PKT_MODE(rbufp->pkt.li_vn_mode) == MODE_SERVER) {
- if(outcount == 0) {
- peer->flash |= BOGON1;
- peer->oldpkt++;
- return;
- }
- if(rbufp->pkt.org == 0) {
- peer->flash |= BOGON3;
- peer->bogusorg++;
- return;
- } else if(rbufp->pkt.org != peer->org_rand) {
- peer->flash |= BOGON2;
- peer->bogusorg++;
- return;
- }
- } else {
- /* This case should be unreachable. */
- stat_proto_total.sys_declined++;
+ if(rbufp->pkt.org == 0) {
+ rawstats_filter(peer, rbufp, BOGON3, outcount);
+ peer->bogusorg++;
+ return;
+ } else if(rbufp->pkt.org != peer->org_rand) {
+ rawstats_filter(peer, rbufp, BOGON2, outcount);
+ peer->bogusorg++;
return;
}
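Review bot: delete the `#if 0` block in rawstats_filter(); the old call is in version control and the dead copy only keeps the "disgusting cast" alive. In the header comment "rejectioned" should be "rejected". The unsolicited-reply check (`outcount == 0`) still reports BOGON1, the same code the duplicate check just above it uses, so the new per-rejection logging cannot tell the two apart; with BOGON8/9 retired there is a free bit for it. Removing the MODE_SERVER branch also drops the `sys_declined++` accounting for the "should be unreachable" case; if handle_procpkt() is now only reached for MODE_SERVER, as the new function comment says, an assert or DPRINT keeps that invariant visible.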
@@ -523,13 +553,13 @@ handle_procpkt(
if (PKT_LEAP(rbufp->pkt.li_vn_mode) == LEAP_NOTINSYNC ||
PKT_TO_STRATUM(rbufp->pkt.stratum) < sys_floor ||
PKT_TO_STRATUM(rbufp->pkt.stratum) >= sys_ceiling) {
- peer->flash |= BOGON6;
+ rawstats_filter(peer, rbufp, BOGON6, outcount);
return;
}
if(scalbn((double)rbufp->pkt.rootdelay/2.0 + (double)rbufp->pkt.rootdisp, -16) >=
sys_maxdisp) {
- peer->flash |= BOGON7;
+ rawstats_filter(peer, rbufp, BOGON7, outcount);
return;
}
@@ -565,9 +595,7 @@ handle_procpkt(
makes the desired security invariant easier to verify.
*/
if(delta > sys_maxdist) {
- peer->flash |= BOGON1; /*XXX we should probably allocate a
- new bogon bit here rather than
- recycling BOGON1. */
+ rawstats_filter(peer, rbufp, BOGON14, outcount);
peer->oldpkt++;
return;
}
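Review bot: BOGON14 now has its own flag but still does `peer->oldpkt++`, so the oldpkt counter keeps lumping slow responses together with duplicates; a dedicated counter would make the statistics match the new flag.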
@@ -584,23 +612,8 @@ handle_procpkt(
peer->xmt = rbufp->pkt.xmt;
peer->dst = rbufp->recv_time;
- record_raw_stats(peer,
- /* What we want to be reporting is values in
- the packet, not the values in the peer
- structure, but when we reach here they're
- the same thing. Passing the values in the
- peer structure is a convenience, because
- they're already in the l_fp format that
- record_raw_stats() expects. */
- PKT_LEAP(rbufp->pkt.li_vn_mode),
- PKT_VERSION(rbufp->pkt.li_vn_mode),
- PKT_MODE(rbufp->pkt.li_vn_mode),
- PKT_TO_STRATUM(rbufp->pkt.stratum),
- rbufp->pkt.ppoll, rbufp->pkt.precision,
- rbufp->pkt.rootdelay, rbufp->pkt.rootdisp,
- /* FIXME: this cast is disgusting */
- *(const uint32_t*)rbufp->pkt.refid,
- outcount);
+ /* Record good packet */
+ record_raw_stats(peer, rbufp, 0, outcount);
/* If either burst mode is armed, enable the burst.
* Compute the headway for the next packet and delay if
@@ -757,6 +770,7 @@ receive(
stat_proto_total.sys_processed++;
break;
case MODE_SERVER: /* Reply to our request to a server. */
+/* FIXME: Where is the shared key case tested? */
if ((peer->cfg.flags & FLAG_NTS)
&& (!rbufp->extens_present
#ifndef DISABLE_NTS
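Review bot: a FIXME phrased as a question ("Where is the shared key case tested?") does not belong in the MODE_SERVER dispatch. If the concern is that a reply on a shared-key association can reach handle_procpkt() without its MAC having been checked (the new comment there says "Authentication done upstream"), open an issue with the test case and reference it here, or point the comment at the code that performs the check.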
@@ -2159,6 +2173,7 @@ peer_xmit(
peer->sent++;
peer->outcount++;
+ peer->bogons = 0;
peer->throttle += (1 << peer->cfg.minpoll) - 2;
DPRINT(1, ("transmit: at %u %s->%s mode %d keyid %08x len %u\n",
current_time, peer->dstadr ?
@@ -2247,6 +2262,13 @@ fast_xmit(
* reftime to make sure the reftime isn't later than
* the transmit/receive times.
*/
+ /* Note: This returns the same data for all versions.
+ * Currently, the mode is always Server.
+ * The version is copied from the request.
+ * There are minor differences between v3 and v4.
+ * So far, nobody cares.
+ * Note: There is significant v1 traffic. See #707
+ */
xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_vars.sys_leap,
PKT_VERSION(rbufp->pkt.li_vn_mode), MODE_SERVER);
xpkt.stratum = STRATUM_TO_PKT(sys_vars.sys_stratum);
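Review bot: the new comment says the reply is identical for all versions and the mode is always MODE_SERVER, yet the commit message for #707 says an RFC-conformant NTPv1 request carries mode 0 and the sym-active case is not understood. State in the comment whether a v1 client is expected to accept a reply carrying mode 4 in those bits, since that is exactly the behaviour NTP_OLDVERSION = 1 now exposes to real traffic.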
@@ -2366,6 +2388,25 @@ dns_take_server(
server->cfg.flags &= (unsigned)~FLAG_LOOKUP;
server->srcadr = *rmtadr;
+ { /* HACK: fixup refid to show progress */
+ char tag[REFIDLEN];
+ if (server->cfg.flags & FLAG_NTS) {
+ memcpy(tag, "NTS?", REFIDLEN);
+ } else {
+ memcpy(tag, "DNS?", REFIDLEN);
+ }
+ switch(AF(rmtadr)) {
+ case AF_INET:
+ tag[REFIDLEN-1] = '4';
+ break;
+ case AF_INET6:
+ tag[REFIDLEN-1] = '6';
+ break;
+ default:
+ break;
+ }
+ memcpy(&server->refid, tag, REFIDLEN);
+ }
peer_add_hash(server);
restrict_source(server);
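Review bot: the refid fixup assumes REFIDLEN is 4 and that tag[REFIDLEN-1] is the "?" being overwritten; if REFIDLEN ever differs from the literal length, `memcpy(tag, "NTS?", REFIDLEN)` over-reads the string literal. Either derive the tag from the literal or add a static assertion that REFIDLEN == 4. The default branch leaves "DNS?"/"NTS?" in place, which docs/decode.adoc in this push does not list. And because this overwrites server->refid before any response arrives, check that nothing reads refid as an address for a stratum > 1 peer in the meantime; refid_str() in record_raw_stats() formats it by stratum.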
=====================================
ntpd/ntp_util.c
=====================================
@@ -518,46 +518,60 @@ mprintf_clock_stats(
* source IP address (old format) or drivername(unit) (new format)
* destination peer address
* t1 t2 t3 t4 timestamps
- * various other local statistics
+ * various other chunks of the packet
*/
void
record_raw_stats(
- struct peer *peer,
- int leap,
- int version,
- int mode,
- int stratum,
- int ppoll,
- int precision,
- double root_delay, /* seconds */
- double root_dispersion,/* seconds */
- refid_t refid,
- unsigned int outcount
- )
+ struct peer *peer,
+ struct recvbuf *rbufp,
+ unsigned int flag,
+ unsigned int outcount)
{
struct timespec now;
const sockaddr_u *dstaddr = peer->dstadr ? &peer->dstadr->sin : NULL;
+ /* This lies. It shows the time we sent it rather than the
+ * data from the packet which was probably random.
+ * See data minimization in peer_xmit()
+ * That's what code processing rawstats expects.
+ */
l_fp t1 = peer->org_ts; /* originate timestamp */
- l_fp t2 = peer->rec; /* receive timestamp */
- l_fp t3 = peer->xmt; /* transmit timestamp */
- l_fp t4 = peer->dst; /* destination timestamp */
+ l_fp t2 = rbufp->pkt.rec; /* receive timestamp */
+ l_fp t3 = rbufp->pkt.xmt; /* transmit timestamp */
+ l_fp t4 = rbufp->recv_time; /* destination timestamp */
+ int stratum;
+ refid_t refid = *(const uint32_t*)rbufp->pkt.refid;
+ double rootdelay, rootdisp;
if (!stats_control)
return;
clock_gettime(CLOCK_REALTIME, &now);
filegen_setup(&rawstats, now.tv_sec);
- if (rawstats.fp != NULL) {
- fprintf(rawstats.fp, "%s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s %u\n",
- timespec_to_MJDtime(&now),
- peerlabel(peer), dstaddr ? socktoa(dstaddr) : "-",
- ulfptoa(t1, 9), ulfptoa(t2, 9),
- ulfptoa(t3, 9), ulfptoa(t4, 9),
- leap, version, mode, stratum, ppoll, precision,
- root_delay, root_dispersion, refid_str(refid, stratum),
- outcount);
- fflush(rawstats.fp);
- }
+ if (rawstats.fp == NULL) return;
+
+ /* copy of PKT_TO_STRATUM from ntp_proto.c */
+ stratum = rbufp->pkt.stratum;
+ if (stratum == STRATUM_PKT_UNSPEC) stratum = STRATUM_UNSPEC;
+
+ rootdelay = scalbn((double)rbufp->pkt.rootdelay, -16);
+ rootdisp = scalbn((double)rbufp->pkt.rootdisp, -16);
+
+ fprintf(rawstats.fp, "%s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s %u %u %x\n",
+ timespec_to_MJDtime(&now),
+ peerlabel(peer), dstaddr ? socktoa(dstaddr) : "-",
+ ulfptoa(t1, 9), ulfptoa(t2, 9),
+ ulfptoa(t3, 9), ulfptoa(t4, 9),
+ PKT_LEAP(rbufp->pkt.li_vn_mode),
+ PKT_VERSION(rbufp->pkt.li_vn_mode),
+ PKT_MODE(rbufp->pkt.li_vn_mode),
+ stratum,
+ rbufp->pkt.ppoll,
+ rbufp->pkt.precision,
+ rootdelay,
+ rootdisp,
+ refid_str(refid, stratum),
+ outcount, peer->bogons, flag);
+ fflush(rawstats.fp);
}
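Review bot: `refid_t refid = *(const uint32_t*)rbufp->pkt.refid;` moves the cast the old code called "disgusting" rather than fixing it; refid is a byte array in the packet and reading it through a uint32_t pointer is an aliasing and alignment problem on strict targets. Use `memcpy(&refid, rbufp->pkt.refid, sizeof refid);`. The local recomputation of PKT_TO_STRATUM ("copy of ... from ntp_proto.c") should become a shared macro in a header rather than a second definition. The "This lies" comment is accurate and important: t1 is the time we sent, not the origin field from the packet, so on a BOGON2 or BOGON3 line the log hides the very value that was rejected; consider logging rbufp->pkt.org when flag is nonzero, or at least state in mon-commands.adoc that t1 is always the local send time. Finally, flag is printed with %x and documented only as "hex integer"; say explicitly that it has no 0x prefix so parsers do not have to guess.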
/*
=====================================
ntpd/nts_client.c
=====================================
@@ -316,7 +316,7 @@ int open_TCP_socket(struct peer *peer, const char *hostname) {
struct addrinfo *find_best_addr(struct addrinfo *answer) {
/* default to first one */
- return(answer);
+ return(answer);
}
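Review bot: this hunk and the two that follow in nts_client.c are whitespace-only realignments and should go in a separate commit, so that `git blame` on the NTS-KE client does not attribute them to the SAN logging change.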
@@ -327,7 +327,7 @@ struct addrinfo *find_best_addr(struct addrinfo *answer) {
*/
bool connect_TCP_socket(int sockfd, struct addrinfo *addr) {
char errbuf[100];
- int err;
+ int err;
fd_set fdset;
struct timeval timeout;
int so_error;
@@ -369,7 +369,7 @@ bool connect_TCP_socket(int sockfd, struct addrinfo *addr) {
return false;
}
- if (0 != so_error) {
+ if (0 != so_error) {
ntp_strerror_r(so_error, errbuf, sizeof(errbuf));
msyslog(LOG_INFO, "NTSc: connect_TCP_socket: connect failed: %s", errbuf);
return false;
@@ -413,35 +413,69 @@ void set_hostname(SSL *ssl, const char *hostname) {
bool check_certificate(SSL *ssl, struct peer* peer) {
X509 *cert = SSL_get_peer_certificate(ssl);
+ X509_NAME *certname;
+ GENERAL_NAMES *gens;
+ char name[200];
+ int certok;
+ int numgens = 0;
if (NULL == cert) {
msyslog(LOG_INFO, "NTSc: No certificate");
if (!(FLAG_NTS_NOVAL & peer->cfg.flags))
return false;
return true;
+ }
+
+ certname = X509_get_subject_name(cert);
+ X509_NAME_oneline(certname, name, sizeof(name));
+ msyslog(LOG_INFO, "NTSc: certificate subject name: %s", name);
+ certname = X509_get_issuer_name(cert);
+ X509_NAME_oneline(certname, name, sizeof(name));
+ msyslog(LOG_INFO, "NTSc: certificate issuer name: %s", name);
+ /* print SAN:DNS strings */
+ gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
+ if (gens) {
+ char buff[150];
+ numgens = sk_GENERAL_NAME_num(gens);
+ buff[0] = 0;
+ for (int i = 0; i<numgens; i++) {
+ const GENERAL_NAME *gen;
+ const char *dnsname;
+ unsigned int len;
+ gen = sk_GENERAL_NAME_value(gens, i);
+ if (gen->type != GEN_DNS)
+ continue;
+ // string is NUL terminated but may have internal NULs
+ len = (unsigned int)ASN1_STRING_length(gen->d.ia5);
+ dnsname = (const char *)ASN1_STRING_get0_data(gen->d.ia5);
+ if (0 != buff[0])
+ strlcat(buff, ", ", sizeof(buff));
+ strlcat(buff, dnsname, sizeof(buff));
+ if (len != strlen(dnsname))
+ strlcat(buff, "??", sizeof(buff));
+ }
+ msyslog(LOG_INFO, "NTSc: SAN:DNS %s", buff);
+ GENERAL_NAMES_free(gens);
+ }
+ if (0 == numgens) {
+ const char *peername = SSL_get0_peername(ssl);
+ msyslog(LOG_INFO, "NTSc: matching with subject:CN %s", peername);
+ } else if (1 > numgens) {
+ const char *peername = SSL_get0_peername(ssl);
+ msyslog(LOG_INFO, "NTSc: matching with SAN:DNS: %s", peername);
+ }
+ X509_free(cert);
+ certok = SSL_get_verify_result(ssl);
+ if (X509_V_OK == certok) {
+ msyslog(LOG_INFO, "NTSc: certificate is valid.");
} else {
- X509_NAME *certname;
- char name[200];
- int certok;
- certname = X509_get_subject_name(cert);
- X509_NAME_oneline(certname, name, sizeof(name));
- msyslog(LOG_INFO, "NTSc: certificate subject name: %s", name);
- certname = X509_get_issuer_name(cert);
- X509_NAME_oneline(certname, name, sizeof(name));
- msyslog(LOG_INFO, "NTSc: certificate issuer name: %s", name);
- X509_free(cert);
- certok = SSL_get_verify_result(ssl);
- if (X509_V_OK == certok) {
- msyslog(LOG_INFO, "NTSc: certificate is valid.");
- } else {
- msyslog(LOG_ERR, "NTSc: certificate invalid: %d=>%s",
- certok, X509_verify_cert_error_string(certok));
- if (FLAG_NTS_NOVAL & peer->cfg.flags) {
- msyslog(LOG_INFO, "NTSc: noval - accepting invalid cert.");
- return true;
- }
- return false;
+ msyslog(LOG_ERR, "NTSc: certificate invalid: %d=>%s",
+ certok, X509_verify_cert_error_string(certok));
+ if (FLAG_NTS_NOVAL & peer->cfg.flags) {
+ msyslog(LOG_INFO, "NTSc: noval - accepting invalid cert.");
+ return true;
}
+ return false;
}
return true;
}
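Review bot: several problems in the new SAN logging. First, `} else if (1 > numgens) {` can never be true once numgens is nonzero (it is never negative), so the "matching with SAN:DNS" message is dead code; make it a plain `else`. Second, numgens counts every GENERAL_NAME, not only GEN_DNS entries, so a certificate carrying only IP or email SANs logs "matching with SAN:DNS" with an empty list; count the GEN_DNS entries actually appended to buff instead. Third, SSL_get0_peername() returns NULL when no name matched, which is exactly the case on the failed-verification path a few lines below, and passing NULL to %s is undefined behaviour; guard it, e.g. `peername ? peername : "(none)"`. Fourth, buff[150] with strlcat truncates long SAN lists silently; check the return value and append a marker, or size the buffer from the total length. Fifth, SSL_get_peer_certificate() is deprecated in OpenSSL 3.0 in favour of SSL_get1_peer_certificate(), worth changing here since NEWS claims 3.0 support. The internal-NUL check on the IA5 string is a good addition and should stay.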
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/64e2c355ac601b57eebec75a13da40e7d47fbf54...d0915e05f5b6f950c8a6ad7bd69b5333465e2fe4