Yo Hal!

On Wed, 27 Mar 2019 22:08:14 -0700
Hal Murray via devel <devel@ntpsec.org> wrote:

> > Only if the cert is not pinned.  Pretty much everything else I do with
> > certs eventually requires pinning.  NTPsec will be no different.
> 
> Could somebody please give me a lesson on this area?

Google and Wikipedia are good places to start:

https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

etc.

> What is pinning?  Why have I not encountered it before?

You have.  Just did not grok it happening.

All the browsers do it.  Ever noticed when a cert fails with https you
are given the option to accept the cert?  That is pinning.

Browsers also use HPKP, HTTP Public Key Pinning (RFC 7469):

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Many chat clients do it.  Ever notice in pidgin how every time Google
changes their cert you are asked to approve the new one?  That is
pinning.

Ever notice how when a email to an email list is directed to another
email list and it bounces with a DANE error?  That is pinning.

DANE uses TLSA records in DNS that contain the cert pin hashes.  There
are many online tools to generate the hash per RFC 6698:

https://ssl-tools.net/tlsa-generator

> If ntpsec supported it, what would it look like and what would you do
> to use it?

Right now ostfalia uses a private CA.  So to connect I do this:

server nts3-e.ostfalia.de:443 nts noval

I happen to know the root CA for LE has this pin hash:

    60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

Since I use LE certs, I have pinning records in my DNS so end users
have another way to validate the certs I use:

# dig _443._tcp.www.rellim.com ANY

; <<>> DiG 9.12.3-P4 <<>> _443._tcp.www.rellim.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39525
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0b91fbce1dcc17f0b1a287195c9d25e1690aeb81b3edcb63 (good)
;; QUESTION SECTION:
;_443._tcp.www.rellim.com.      IN      ANY

;; ANSWER SECTION:
_443._tcp.www.rellim.com. 86400 IN      RRSIG   TLSA 8 5 86400 20211216234627 
20190322234627 6366 rellim.com. 
UEtz0oHRGpezsZSHox8NAj2GwZQFeW+MWnf9ioe1nSEn2OBaNnFx7WFB 
93UcYdVx9i0XH/oR5FM49MsaJP/9Qb9qLfXSsZAp6KSEgwEOwAOO2uq3 
svDjA3Rml3XLXugw49J7WJYNNvbleHb2msv4UakrQeWm53Pj6UVqNYvR D2E=
_443._tcp.www.rellim.com. 86400 IN      RRSIG   TLSA 8 5 86400 20211216234627 
20190322234627 9234 rellim.com. 
lWQN0pFrXwwuyG3ksCou9LVa1WmDWF/eGN0Ypz/+HGoFe7sZYyy58yS4 
xP+ruMbjHxM5IxxxeYNcMGnZqm8rNYLxho/4QUXqV9JjYYkGphULivj1 
DnV/Bi5u8jmYYPtg6OJq4b0/h35fSI/hDtaAmwEOC9pZ16fhhOh8UDJC OZw=
_443._tcp.www.rellim.com. 86400 IN      RRSIG   TLSA 8 5 86400 20211216234627 
20190322234627 14625 rellim.com. 
F8NQNAIFrv1AEr+Vy817LAAFcLbqpueBPX9VLzlWiOC0kecHcro1SQl9 
zdvD6D1x0z5qbfkUBoLQ0e6nfnYrli/Vl8nTzEH9f/4LCjy/lFkcou1c 
HSiPfqEGq8HvDdxzcPsZF8bbwHAfxPw8AlUGzapb92VK0f43EWjwRTXo Poc=
_443._tcp.www.rellim.com. 86400 IN      RRSIG   TLSA 13 5 86400 20211216234627 
20190322234627 10167 rellim.com. 
wc+u0lQE3nTPLkoK11J9urVamjQbGeSDkR+wvtzYYLnIjPe9Ph5ujSSw 
eys0uf6iSJ1ZGKi5qfR1SRQ69un5Yw==
_443._tcp.www.rellim.com. 86400 IN      TLSA    2 1 1 
60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18


So, if I was going to pin the ostfalia server, I could check to see if they
pin in DNS.  They do not.   So I would generate their pin hash, and
attach it to their server record:

server nts3-e.ostfalia.de:443 nts noval pin 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

To make it easy, NTSs could always generate the hash and put it in the
logs.

On that note, I'd also like the logs to show the NTPD server and port from
the NTS-KE exchange.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        g...@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
