Re: ntpd -s + constraint + too old time = failure

2018-08-08 Thread Stuart Henderson
We only need a rough time to get clocks to within cert/OCSP boundaries here. If the clock is too broken to connect normally via TLS, can we just fetch a time from an openbsd.org host using a pinned key hash instead? (ignoring certificate date errors, and there's not any need to do CA checks).

Re: ntpd -s + constraint + too old time = failure

2018-08-07 Thread Reyk Floeter
Hi, it is an expected behavior and a proof that constraints are working correctly: the certificate check fails because it is not valid. I don't see a technical solution here because we'd either have to disable constraint checks and lose their security benefit or we keep them enabled and rely
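An added example, not code from this thread or from OpenBSD's ntpd, that shows both points above on a throwaway certificate: with the clock outside the certificate's validity window the TLS date check correctly fails, so the constraint is never obtained (Reyk's point), while a bootstrap fetch of the kind Stuart proposes could skip the date and CA checks and compare a pinned public-key (SPKI) hash instead. It assumes only the openssl(1) command-line tool; the certificate, the host name constraint.example and the helper function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from ntpd): model what a constraint
# TLS check sees when the system clock is far off, using a self-signed
# certificate generated here so that everything runs offline.
# Assumption: the openssl(1) CLI is installed.

set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/constraint-host.pem"
KEY="$WORK/constraint-host.key"

# Constructed certificate standing in for the constraint host's TLS cert,
# valid for one day from now (a real one would be valid for months).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$KEY" -out "$CERT" -subj /CN=constraint.example \
        >/dev/null 2>&1
}

# Validate the certificate as if the clock read $1 (seconds since the epoch).
# ntpd's constraint fetch does this implicitly with the real clock: a clock
# outside [notBefore, notAfter] makes the check fail, and that is the
# "too old time" failure from the subject line.
verify_at_epoch() {
    openssl verify -attime "$1" -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# Same certificate with the date checks disabled, as a bootstrap fetch
# that tolerates a broken clock would have to do.
verify_no_check_time() {
    openssl verify -no_check_time -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo: the
# "pinned key hash" that can replace CA and date checks for that one fetch.
spki_sha256() {
    openssl x509 -in "$CERT" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the presented certificate's key hash with the pinned value $1.
pin_matches() {
    [ "$(spki_sha256)" = "$1" ]
}

# Demonstration: today's clock, a clock in the year 2000, and the pin.
make_cert
NOW=$(date +%s)
Y2000=946684800
if verify_at_epoch "$NOW"; then
    echo "clock now:        constraint certificate validates"
fi
if ! verify_at_epoch "$Y2000"; then
    echo "clock 2000-01-01: certificate not yet valid, constraint cannot be fetched"
fi
if verify_no_check_time; then
    echo "dates ignored:    certificate validates"
fi
echo "pinned SPKI sha256: $(spki_sha256)"
```

The pin is computed over the public key rather than the whole certificate, so it survives the certificate being reissued with the same key; a real bootstrap fetch would still need a short list of such hashes and a rotation plan, which this example does not attempt.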

ntpd -s + constraint + too old time = failure

2018-08-07 Thread Solene Rapenne
Hi, I found a corner case about ntpd where ntpd -s can't set the date because of a constraint in ntpd.conf. Using default ntpd.conf:

    servers pool.ntp.org
    sensor *
    constraints from "https://www.google.com"

it's reproducible with the following commands:

    $ doas /etc/rc.d/ntpd
    $ doas date 0701