Hi,

On a newly installed 6.1 machine, which has its system date set to 15 September, 
i.e. 30 days into the past, running "ntpd -d -s -v" (to not daemonize, to do a 
time sync directly, and to print verbose output), I am told this:

     /var/db/ntpd.drift is empty
     ntp engine ready
     constraint request to 2404:6800:4008:801::2004
     constraint request to 172.217.25.100
     tls constraint failed: 2404:6800:4008:801::2004 (www.google.com): connect: No route to host
     no constraint reply from 2404:6800:4008:801::2004 received in time, next query 900s
     tls write failed: 172.217.25.100 (www.google.com) certificate verification failed: certificate not yet valid
     no constraint reply from 172.217.25.100 received in time, next query 900s
     no reply received in time, skipping initial time setting

In other words, LibreSSL will not connect to the remote NTP protocol server, 
because the TLS certificate was issued after 15 Sept 
(https://www.sslshopper.com/ssl-checker.html#hostname=www.google.com says it's 
valid from October 3, 2017 to December 26, 2017), and the time sync therefore 
fails, which leaves me relying on updating the date manually first to make 
things work.


An effective fix here is to simply remove the "constraints" line in 
/etc/ntpd.conf. This way ntpd makes no attempt to make any TLS connection (to 
https://www.google.com/, which is used as the constraint in the default 
/etc/ntpd.conf) and instead just goes straight into time syncing with pool.ntp.org.

Maybe the best thing would be to make NTPD, either always or optionally, *not* 
dismiss a TLS certificate for the specific reason that the certificate is not 
valid.

If more constraint servers were added (right now there's only one, 
https://www.google.com) then certainty could be derived from them.

Also, I am not super happy about NTPD connecting by default to www.google.com 
in particular.

A random pool of 50-100 HTTPS servers that are known to generally be available 
would be a better pick. Maybe the best thing would be for me to simply choose 
some myself and not use the default ntpd.conf.


So to sum up, my best impression presently is that time validation should be 
disabled for TLS certificates within NTPD.

Tinker

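The interaction described in the post, as an added example (this is not ntpd's own code, and it talks to no network): a small Python model of what an HTTPS "constraint" does at initial time setting. The certificate validity window is the one the post quotes for www.google.com; the 15-minute tolerance, the HTTP Date header and the NTP reply times are constructed assumptions for illustration. It shows the three cases that matter here: the clock set into the past makes certificate verification fail before any Date header is seen, removing the constraints line makes the sync succeed, and with the constraint gone an NTP reply that is an hour off is accepted where the constraint would have rejected it.

```python
# Added example (not ntpd's own code): a model of how an HTTPS "constraint"
# interacts with a skewed local clock, built from the numbers in the post.
# The 15-minute margin, the Date header and the NTP reply are assumptions.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# NTP replies that deviate from the constraint time by more than this are
# rejected (assumed here to be 15 minutes, matching ntpd's CONSTRAINT_MARGIN).
CONSTRAINT_MARGIN = timedelta(minutes=15)

# Validity window of the constraint server's certificate, taken from the post.
CERT_NOT_BEFORE = datetime(2017, 10, 3, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2017, 12, 26, tzinfo=timezone.utc)


class ConstraintError(Exception):
    """Raised when the HTTPS constraint cannot be used."""


def verify_cert_time(not_before, not_after, local_now):
    """Mimic the X.509 validity-period check libtls does with the local clock."""
    if local_now < not_before:
        return "certificate not yet valid"
    if local_now > not_after:
        return "certificate has expired"
    return None


def query_constraint(local_now, server_date_header,
                     not_before=CERT_NOT_BEFORE, not_after=CERT_NOT_AFTER):
    """Return the time the constraint server reports in its HTTP Date header.

    The certificate is checked against local_now, so a clock set into the
    past fails here before any Date header is ever seen.
    """
    err = verify_cert_time(not_before, not_after, local_now)
    if err is not None:
        raise ConstraintError(f"certificate verification failed: {err}")
    return parsedate_to_datetime(server_date_header)


def initial_time_setting(local_now, ntp_time, server_date_header=None):
    """Model of 'ntpd -s' at startup.

    server_date_header=None means no 'constraints' line in ntpd.conf: the
    NTP reply is trusted as-is. Otherwise the reply must agree with the
    constraint time within CONSTRAINT_MARGIN. Returns (outcome, detail).
    """
    if server_date_header is None:
        return "set", ntp_time
    try:
        constraint_time = query_constraint(local_now, server_date_header)
    except ConstraintError as e:
        return "skipped", str(e)
    if abs(ntp_time - constraint_time) <= CONSTRAINT_MARGIN:
        return "set", ntp_time
    return "rejected", f"ntp reply {ntp_time.isoformat()} outside constraint margin"


# Constructed sample data: the post's clock 30 days in the past, a plausible
# Date header from the constraint server, an honest NTP reply, and one that
# is an hour off.
SKEWED_CLOCK = datetime(2017, 9, 15, 12, 0, tzinfo=timezone.utc)
TRUE_NOW = datetime(2017, 10, 15, 12, 0, tzinfo=timezone.utc)
DATE_HEADER = "Sun, 15 Oct 2017 12:00:05 GMT"
NTP_REPLY = datetime(2017, 10, 15, 12, 0, 2, tzinfo=timezone.utc)
BOGUS_REPLY = NTP_REPLY + timedelta(hours=1)
EXPIRED_CLOCK = datetime(2018, 1, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    # 1. Clock in the past, constraint configured: what the post saw.
    print(initial_time_setting(SKEWED_CLOCK, NTP_REPLY, DATE_HEADER))
    # 2. The post's workaround: constraints line removed, NTP trusted blindly.
    print(initial_time_setting(SKEWED_CLOCK, NTP_REPLY))
    # 3. What the workaround gives up: with a sane clock the constraint
    #    rejects a reply that is an hour off; without it the reply is taken.
    print(initial_time_setting(TRUE_NOW, BOGUS_REPLY, DATE_HEADER))
    print(initial_time_setting(TRUE_NOW, BOGUS_REPLY))
```

The third case is the caveat worth keeping in mind before dropping the constraints line for good: the constraint exists precisely so that ntpd does not set the clock from an NTP reply that disagrees badly with an authenticated HTTPS source. A less drastic way out of the chicken-and-egg situation in the post is to set the clock roughly right with date(1) once, so that the certificate's notBefore is in the past when ntpd first connects, and leave the constraint in place.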