Yo Eric! On Sat, 2 Feb 2019 04:18:26 -0500 "Eric S. Raymond via devel" <[email protected]> wrote:
> Achim Gratz via devel <[email protected]>:
> > The RFC says the client needs to tell the NTS-KE all supported
> > ciphers. It doesn't say it must support different ciphers for
> > different servers.

Small correction: cipher sets. Multiple, incompatible. TLS1.2, TLS1.3 and AEAD. We keep confusing the three sets.

> Yeah, that second part *really* didn't make any sense to me.

Ditto. But the Proposed RFC says nothing about any other communication or configuration between the NTS-KE and NTPD server. It is up to us. I assumed to start it would be just config files.

> So tell me: can we conform by *discovering* the cipher set at startup
> time and shipping that list to NTS-KE?

Remember, the cipher sets are runtime dynamic. They can change under you in an instant. So replace startup time with runtime.

To find the TLS 1.2 ciphers:

    openssl ciphers -v | fgrep TLSv1.2

To find the TLS 1.3 ciphers:

    openssl ciphers -v | fgrep TLSv1.3

I have no idea how to find possible AEAD algorithms.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
[email protected]  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
_______________________________________________ devel mailing list [email protected] http://lists.ntpsec.org/mailman/listinfo/devel
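The runtime discovery Gary describes, as an added example (not code from the thread or from NTPsec): it parses the protocol-version column of `openssl ciphers -v` into separate TLS 1.2 and TLS 1.3 suite sets, and is meant to be called each time the list is needed rather than once at startup, since the sets can change under you. It covers only the two TLS sets the message's commands list, not the NTS AEAD algorithm set; the embedded sample output is constructed and `discover_ciphers` is a helper name assumed here.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `openssl ciphers -v` output (two TLS 1.3 and two TLS 1.2
# suites); on a real host the current list comes from discover_ciphers() below.
SAMPLE_OUTPUT = """\
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256  TLSv1.3 Kx=any  Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES128-SHA256       TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA256
"""


def parse_cipher_list(text):
    """Group suite names by the protocol-version column (TLSv1.2, TLSv1.3, ...).

    Each line of `openssl ciphers -v` starts with the suite name followed by the
    protocol version; everything after that is ignored here.  Blank or malformed
    lines are skipped so a partial or empty list does not raise.
    """
    sets = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        name, version = fields[0], fields[1]
        sets[version].append(name)
    return dict(sets)


def discover_ciphers():
    """Runtime discovery: ask the OpenSSL on this host right now, then parse."""
    out = subprocess.run(["openssl", "ciphers", "-v"],
                         capture_output=True, text=True, check=True).stdout
    return parse_cipher_list(out)


if __name__ == "__main__":
    try:
        sets = discover_ciphers()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No usable openssl binary; fall back to the constructed sample.
        sets = parse_cipher_list(SAMPLE_OUTPUT)
    for version in ("TLSv1.3", "TLSv1.2"):
        print(version, sets.get(version, []))
```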
