On 4/27/15, Rian Hunter <r...@thelig.ht> wrote:
> Hi,
>
> This totally hosed all of my systems!!
>

Sorry to hear that this issue has caused you problems. :(

> I think relying on the internal "server_random" member of the ssl data
> structure is error prone and to me it's not unexpected that a server would
> randomize the timestamp part of their random ssl seed. The erroneous code
> is in "src/tlsdate-helper.c" line 1207.

That isn't a bug - code upstream in other projects has changed since
this was implemented. At the time of creating tlsdate, the TLS spec
specifically said that it must not be randomized but rather a time stamp.

>
> My suggestion is that instead of changing the default server, instead
> default to using the HTTP Date header. This header is intended to contain
> the current time.

That's a nice thing to do but realistically - you need to pick a
server that you trust.

>
> I achieved this by changing the DAEMON_OPTS in /etc/default/tlsdated
>
>     DAEMON_OPTS="-- /usr/bin/tlsdate -w"

That is a fine way to set it, yes.

>
> You also have to change how DAEMON_ARGS is set in /etc/init.d/tlsdated. Add
> this line after the line that sourced /etc/default/tlsdated:
>
>     [ -r /etc/default/$NAME ] && . /etc/default/$NAME
>     DAEMON_ARGS="-f /etc/tlsdate/tlsdated.conf $DAEMON_OPTS"
>

If you think there is a different bug, please open another bug?

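The disagreement above comes down to two time sources a client can read from a TLS connection: the 4-byte gmt_unix_time that RFC 5246 put at the front of the 32-byte ServerHello random (a field later implementations randomize and TLS 1.3 dropped), and the HTTP Date header carried inside the session. The following is an added example, not tlsdate's code or anything from this thread: it extracts both values from constructed inputs and falls back to the Date header when the random-derived timestamp is implausible, which is the failure mode the bug reporter hit. The sample ServerHello random bytes, the Date header value and the skew threshold are all constructed for illustration.

```python
import struct
from datetime import timezone
from email.utils import parsedate_to_datetime

# Largest gap we accept between the two sources before treating the
# ServerHello timestamp as randomized (assumption chosen for this example).
MAX_SKEW_SECONDS = 7 * 24 * 60 * 60

# Constructed inputs: a ServerHello random whose first four bytes carry an
# honest big-endian gmt_unix_time (27 Apr 2015 00:00:00 UTC), one whose
# first four bytes are arbitrary, and the matching HTTP Date header.
HONEST_RANDOM = struct.pack("!I", 1430092800) + b"\x11" * 28
RANDOMIZED_RANDOM = b"\xde\xad\xbe\xef" + b"\x22" * 28
DATE_HEADER = "Mon, 27 Apr 2015 00:00:00 GMT"


def server_random_time(server_random: bytes) -> int:
    """Return gmt_unix_time from the first 4 bytes of a 32-byte ServerHello random.

    RFC 5246 section 7.4.1.2 lays the field out as a network-order uint32.
    """
    if len(server_random) != 32:
        raise ValueError("TLS ServerHello random must be exactly 32 bytes")
    (gmt_unix_time,) = struct.unpack("!I", server_random[:4])
    return gmt_unix_time


def http_date_time(date_header: str) -> int:
    """Parse an HTTP Date header (RFC 7231 IMF-fixdate) into a Unix timestamp."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:  # "-0000" style zones parse as naive; treat them as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def pick_time_source(server_random: bytes, date_header: str,
                     max_skew: int = MAX_SKEW_SECONDS) -> tuple[str, int]:
    """Choose which of the two in-session time values to trust.

    The Date header is only as trustworthy as the server that sent it, so
    the ServerHello value is preferred when the two agree within max_skew;
    otherwise the random field is assumed to be just random and the Date
    header is used instead.  Returns (source_name, unix_time).
    """
    t_random = server_random_time(server_random)
    t_date = http_date_time(date_header)
    if abs(t_random - t_date) <= max_skew:
        return ("server_random", t_random)
    return ("http_date", t_date)


if __name__ == "__main__":
    for label, rnd in (("honest", HONEST_RANDOM), ("randomized", RANDOMIZED_RANDOM)):
        source, ts = pick_time_source(rnd, DATE_HEADER)
        print(f"{label:10s} -> trusting {source} = {ts}")
```

With the honest sample both sources agree and the ServerHello value is used; with the randomized sample the first four bytes decode to a date decades in the future, the skew check fails, and the Date header wins. Either way the value is only meaningful if the server is one you trust, which is the point the reply makes.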