> 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from [2001:470:e815::%3=
> 589492224]:50860
> Wow, that is one wacky IPv6 address! Bad format string?
The % stuff is telling you which network interface it is associated with. At
the ping level, you can use things like xx%eth0 to tell
Yo James!
On Wed, 20 Mar 2019 20:19:01 -0700
James Browning wrote:
> > Something recently broke in NTPsec when using Python 3.6:
>
> I thought I got that bug with a4453ee5a4 "Fix polyglot library for
> Python3 on NetBSD".
I sorta remember that.
> Where did you see that? I tried to repro on
On Wed, 20 Mar 2019, James Browning via devel wrote:
On Wed, Mar 20, 2019 at 6:30 PM Gary E. Miller via devel
wrote:
Yo All!
Something recently broke in NTPsec when using Python 3.6:
I thought I got that bug with a4453ee5a4 "Fix polyglot library for Python3 on
NetBSD".
Wher
On Wed, Mar 20, 2019 at 6:30 PM Gary E. Miller via devel
wrote:
> Yo All!
>
> Something recently broke in NTPsec when using Python 3.6:
I thought I got that bug with a4453ee5a4 "Fix polyglot library for Python3
on NetBSD".
Where did you see that? I tried to repro on Gentoo and could not.
It st
Yo All!
Something recently broke in NTPsec when using Python 3.6:
[291/291] Processing build/main/tests/test_libparse
Waf: Leaving directory `/usr/local/src/NTP/ntpsec/build/main'
Traceback (most recent call last):
File
"/usr/local/src/NTP/ntpsec/.waf3-1.9.15-7481b2b5d90177d4bb747dbff06bef90/w
> I added nts-ke to: pi3.rellim.com, see how that works for you.
Works.
[-4, -6]
> Ah, there it is right on the man page. I can't try it until the crash bug is
> gone.
It doesn't work yet. That's why I needed testers. Thanks for finding it.
> Odd, I tried it yet again, and this time it wor
Yo Hal!
From my logs:
2019-03-20T18:10:39 ntpd[3117]: NTSs: TCP accept-ed from 64.139.1.69:53013
2019-03-20T18:10:39 ntpd[3117]: NTSs: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-03-20T18:10:39 ntpd[3117]: NTSs: Returned 880 bytes
2019-03-20T18:10:39 ntpd[3117]: NTSs: NTS-KE server took 0.188 sec
Yo Hal!
On Wed, 20 Mar 2019 17:30:11 -0700
Hal Murray via devel wrote:
> > Uh, no. You can get easily get the FQDN from the IP.
>
> That adds DNS to the security chain. Doesn't sound good to me. It
> might work if you are using DNSSEC. Complicated.
I am using DNSSEC.
> > Also, since the
> Uh, no. You can get easily get the FQDN from the IP.
That adds DNS to the security chain. Doesn't sound good to me. It might work
if you are using DNSSEC. Complicated.
> Also, since there is no way to specify IPv4 or IPv6, the only way I can make
> this work is by IP.
> You need to add a
Yo Hal!
On Wed, 20 Mar 2019 17:01:31 -0700
Hal Murray via devel wrote:
> > server 204.17.205.8 nts maxpoll 5 # spidey
> > Now the server starts as before, then, silently dies...
>
> Usually it logs a useful message before it exits.
First thing I tried.
> If you can't find
> one, please tr
> server 204.17.205.8 nts maxpoll 5 # spidey
> Now the server starts as before, then, silently dies...
Usually it logs a useful message before it exits. If you can't find one,
please try gdb.
It doesn't make sense to use "nts" with an IP Address if you expect to do
certificate checking. Fo
Yo Hal!
On Wed, 20 Mar 2019 16:53:05 -0700
Hal Murray via devel wrote:
> >> As long as the old cookies on the client are used in NTP packets
> >> soon enough and hence traded in for new cookies, there is no need
> >> for a NTS-KE type rekey.
>
> > Yeah, I had missed that. So I agree your con
>> As long as the old cookies on the client are used in NTP packets soon
>> enough and hence traded in for new cookies, there is no need for a
>> NTS-KE type rekey.
> Yeah, I had missed that. So I agree your concept looks good so far.
Not my concept. Straight out of the book. (draft?)
Yo Hal!
On Wed, 20 Mar 2019 16:28:36 -0700
Hal Murray via devel wrote:
> > I added this to my ntp.conf:
> > nts enable
> > cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
> > key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
> > Fail.
>
> You need "nts" in front of t
> I added this to my ntp.conf:
> nts enable
> cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
> key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
> Fail.
You need "nts" in front of the cert and key. Or else one loong line. There
is no "cert" top level command.
If yo
Yo Hal!
The ntp.conf man page needs a bit of work...
I added this to my ntp.conf:
nts enable
cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
Fail.
2019-03-20T16:15:23 ntpd[21595]: NTSs: starting NTS-KE server listening
I recently switched from namecheap to Gandi, because Gandi has better
DNSSec support.
Namecheap will offer you a .xyz or .vip domain for under $2 for the first
year, $10 renewal.
Basic DNS is included by all. But if you want something better, please have
a look at https://dns.he.net. HE has serv
Yo Hal!
On Wed, 20 Mar 2019 16:00:55 -0700
Hal Murray via devel wrote:
> Gary said:
> >>> Only if you figure out how to not have a huge daily rush to
> >>> rekey.
> >> Under normal conditions, there is never any need to rekey.
> > We've gone around on that many times before. We disagree.
>
Gary said:
>>> Only if you figure out how to not have a huge daily rush to rekey.
>> Under normal conditions, there is never any need to rekey.
> We've gone around on that many times before. We disagree.
> Using the same master key (with a ratchet) will eventually give the attacker
> enough dat
Yo Hal!
On Wed, 20 Mar 2019 15:22:33 -0700
Hal Murray via devel wrote:
> Gary said:
> > Only if you figure out how to not have a huge daily rush to rekey.
>
> Under normal conditions, there is never any need to rekey.
We've gone around on that many times before. We disagree.
Using the same
Gary said:
> Only if you figure out how to not have a huge daily rush to rekey.
Under normal conditions, there is never any need to rekey.
The server holds 2 cookie keys. When it makes a new key, the current key gets
moved to the old key and the previous old key is lost.
Cookies using either t
Yo Hal!
On Wed, 20 Mar 2019 12:10:25 -0700
Hal Murray via devel wrote:
> Gary said:
> > I'm waiting for Gentoo to have the required openssl version.
>
> It should work -- unless Gentoo is using something really
> pre-historic.
Ah, Gentoo unstable updated to openssl 1.1.0j on March 6th.
Do I
I've been testing with self-signed certificates. It's time to shift to real
certificates. They need a FQDN which I don't have, so it's time to get a
domain. (I want one for other reasons anyway.) Anybody have suggestions for
vendors? Low cost is obviously good, but so is low hassle and I
Everything about init scripts should be assumed distro-specific and
'make install' should not be attempting to touch them. Leave that up
to distro packagers.
On Wed, Mar 20, 2019 at 2:57 PM Gary E. Miller via devel
wrote:
>
> Yo Hal!
>
> On Tue, 19 Mar 2019 22:07:26 -0700
> Hal Murray via devel
Gary said:
> I'm waiting for Gentoo to have the required openssl version.
It should work -- unless Gentoo is using something really pre-historic. There
are a handful of #ifdef-s to handle old versions. NetBSD 8 ships with 1.0.2k.
I test that. It builds on 1.0.1, but I'd have to check to see
Yo Hal!
On Tue, 19 Mar 2019 22:07:26 -0700
Hal Murray via devel wrote:
> If we are going to install it, can we bypass the install if the
> currently installed file is identical to the to-be-installed
> version?
More interesting to me, what do you do if it is NOT identical?
Many people dual ins
Yo Richard!
On Wed, 20 Mar 2019 00:54:50 -0500
Richard Laager via devel wrote:
> On 3/20/19 12:07 AM, Hal Murray via devel wrote:
> > Is that the right thing to do? Most of our stuff gets installed in
> > /usr/local/ and similar where it doesn't overwrite any system
> > files. ntpd.service is
Yo Hal!
On Wed, 20 Mar 2019 03:45:21 -0700
Hal Murray via devel wrote:
> Is anybody else testing things?
I'm waiting for Gentoo to have the required openssl version.
> I just fixed the cookie-key timer so that it actually rotates
> cookies. You need to delete your current cookie file
> at /var
Is anybody else testing things?
I just fixed the cookie-key timer so that it actually rotates cookies. You
need to delete your current cookie file at /var/lib/ntp/nts-keys
The timer is set to an hour rather than a day. So if your clients poll
interval gets up to 1024, it will use some old c