Hi all, I was investigating some 'unsupported date format' messages that ntpd was logging and found that one constraint server served a time that was quite a ways off from actual time.
Turns out that the website in question is fronted by some CDN that caches the page, including the date:-header. To account for this, they add an age:-header that reflects when the page was last updated from upstream. These stale date:-headers could be problematic when using them for ntpd constraints; the server I found was about 8 minutes behind the others, significantly more than CONSTRAINT_ERROR_MARGIN (set to 4). Of course, there are also CDNs that send a current date:-header *AND* an age:-header - so I don't think this can be fixed in code by just adding 'age:' seconds to the time learned from 'date:'. Perhaps comparing both 'date:' and 'date: + age:' with other constraints or NTP time and then picking one of the two could work, but that way lies madness, I fear.

For now, I've checked all constraints I have configured and removed those that send an age:-header. Of course any website may change to a CDN at any time, so periodic checking makes sense. Would it make sense to alert the user to this potential pitfall in the manpage? A first stab included below, although I'm not very happy with the wording myself.

While looking into this, I also found a typo in a comment in ntpd/client.c, a patch for that is also included.

Cheers,

Paul 'WEiRD' de Weerd

PS: In the end, the 'unsupported date format' was ANOTHER site that sends "UTC" instead of "GMT" in the date:-header - also removed that from my config.

[1]: http://man.openbsd.org/ntpd.conf#CONSTRAINTS

Index: ntpd.conf.5
===================================================================
RCS file: /home/OpenBSD/cvs/src/usr.sbin/ntpd/ntpd.conf.5,v
retrieving revision 1.47
diff -u -p -r1.47 ntpd.conf.5
--- ntpd.conf.5 6 Jan 2021 13:03:13 -0000 1.47
+++ ntpd.conf.5 4 Jun 2021 15:35:36 -0000
@@ -213,6 +213,8 @@ man-in-the-middle attacks. Received NTP packets with time information falling outside of a range near the constraint will be discarded and such NTP servers will be marked as invalid. +Care must be taken to use HTTPS websites that aren't cached by CDNs +or otherwise serve poor time. .Bl -tag -width Ds .It Ic constraint from Ar url [ip...] Specify the URL, IP address or the hostname of an HTTPS server to Index: client.c =================================================================== RCS file: /home/OpenBSD/cvs/src/usr.sbin/ntpd/client.c,v retrieving revision 1.116 diff -u -p -r1.116 client.c --- client.c 21 Apr 2021 09:38:11 -0000 1.116 +++ client.c 4 Jun 2021 15:59:04 -0000 @@ -267,7 +267,7 @@ handle_auto(uint8_t trusted, double offs /* * -1: Not processed, not an NTP message (e.g. icmp induced ECONNREFUSED) - * 0: Not prrocessed due to validation issues + * 0: Not processed due to validation issues * 1: NTP message validated and processed */ int -- >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+ +++++++++++>-]<.>++[<------------>-]<+.--------------.[-] http://www.weirdnet.nl/
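Review bot: The sentence added in the ntpd.conf.5 hunk ("Care must be taken to use HTTPS websites that aren't cached by CDNs or otherwise serve poor time.") tells the reader what to avoid but not how to recognise it, and "poor time" is vague; since the failure described in the mail is a stale Date: header accompanied by an Age: header, name that, for example: "Care must be taken to use HTTPS servers whose Date: header is current: sites cached by a CDN (often indicated by an Age: header) may serve a stale Date: and be rejected." Also prefer "are not" over "aren't" in manpage prose. The client.c hunk is a plain typo fix and needs no comment.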
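For the periodic check the mail suggests, here is an added Python example (not code from the original post or from OpenBSD's ntpd) that classifies a constraint server's response headers: it flags an Age: header, a Date: that is not in the strict "GMT" form (assumed here to mirror ntpd's 'unsupported date format' rejection of "UTC"), or a Date: further than CONSTRAINT_ERROR_MARGIN from a reference time. The fetch_headers helper, the sample responses and the reference time NOW are constructed for this example.

```python
import re
import socket
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CONSTRAINT_ERROR_MARGIN = 4  # seconds; the margin the email quotes from ntpd
# Only RFC 7231 IMF-fixdate ending in "GMT" passes (assumed to mirror ntpd's strictness).
IMF_FIXDATE = re.compile(r"^[A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT$")

def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response header block."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_constraint(raw, now):
    """Classify one constraint server's headers against the aware UTC reference time `now`."""
    h = parse_headers(raw)
    if "date" not in h:
        return "no-date"
    if not IMF_FIXDATE.match(h["date"]):
        return "unsupported-date-format"
    if "age" in h:
        return "cached"  # Age: present, so Date: may be a stale CDN copy, as in the email
    offset = (parsedate_to_datetime(h["date"]) - now).total_seconds()
    return "ok" if abs(offset) <= CONSTRAINT_ERROR_MARGIN else f"offset {offset:+.0f}s"

def fetch_headers(host, path="/", timeout=10):
    """HEAD request over TLS returning the raw header block, for a periodic check of hosts."""
    req = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(req)
            data = b""
            while b"\r\n\r\n" not in data and (chunk := tls.recv(4096)):
                data += chunk
    return data.decode("latin-1")

# Constructed responses mirroring the cases from the email; NOW is the reference time.
NOW = datetime(2021, 6, 4, 15, 35, 36, tzinfo=timezone.utc)
SAMPLES = {
    "fresh": "HTTP/1.1 200 OK\r\nDate: Fri, 04 Jun 2021 15:35:37 GMT\r\n\r\n",
    "cdn": "HTTP/1.1 200 OK\r\nDate: Fri, 04 Jun 2021 15:27:36 GMT\r\nAge: 480\r\n\r\n",
    "utc": "HTTP/1.1 200 OK\r\nDate: Fri, 04 Jun 2021 15:35:36 UTC\r\n\r\n",
}
```

Against live hosts, call `check_constraint(fetch_headers(host), datetime.now(timezone.utc))` for each hostname in your constraint lines; anything other than "ok" is a candidate for removal.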