Re: Getting ready for a release, wildcards

2022-04-20 Thread Matt Selsky via devel
Hi Hal,

I don't think we should have a knob for disabling wildcards. This is not the 
sort of knob that operators expect (what other software provides such a knob?) 
and we're just adding another code path to test.

Are there any other release blockers?  If not, I'll update the NEWS for the 
user-facing/high impact changes and cut a release candidate.

Thanks,
-Matt

___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel


Re: Release, wildcards, etc

2022-04-20 Thread Matt Selsky via devel
Hi Hal,

I'd like to get https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1264 merged 
and then do the release.

Is there anything else that we want in the release?

Thanks,
-Matt



Getting ready for a release, wildcards

2022-04-20 Thread Hal Murray via devel


I just pushed 2 tweaks.  One is to update the nts cert documentation to say 
that it doesn't do any checking on the certificate.

The other is a hack patch to aes_siv.c to suppress deprecated warnings from 
OpenSSL 3.

Is anybody (else) using OpenSSL 3?

It's trivial on FreeBSD.  Just install openssl-devel-3.0.2
(3.0.3 will be out soon)

For others, HOWTO-OpenSSL should be enough.
If not, please fix it, or tell me where you got into trouble or ...

--

I think I understand the wildcard tangle.  They are generally considered OK.

My plan is to fix up the code so that the default is to accept wildcards but 
it's easy to turn them off.  Details TBD.

Can anybody think of any other optional features that would make things 
slightly more secure?

We should start collecting ideas in this area.


-- 
These are my opinions.  I hate spam.





Release, wildcards, etc

2022-04-20 Thread Hal Murray via devel


> Sigh. I should get up to speed on crypto and certificates.  I doubt I can
> do it fast enough to be useful on this one, though. 

Service Names in TLS
  https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/
It's 24 pages with the usual amount of boilerplate so only half of that is 
serious reading.



To get in the right mindset, you should watch a few of Moxie Marlinspike's 
talks.
He's a good speaker.

DEF CON 17 - Moxie Marlinspike - More Tricks for Defeating SSL
  https://www.youtube.com/watch?v=5dhSN9aEljg
48 minutes -- hacking SSL

DEF CON 18 - Moxie Marlinspike - Changing Threats To Privacy: From TIA to 
Google
  https://www.youtube.com/watch?v=DoeNbZlxfUM
43 minutes -- Privacy

DEF CON 19 - Moxie Marlinspike - SSL And The Future Of Authenticity
  https://www.youtube.com/watch?v=UawS3_iuHoA
46 minutes -- trusting CAs


-- 
These are my opinions.  I hate spam.



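As an added illustration of the two threads above (Hal's "accept wildcards by default but easy to turn off" plan, and the draft-ietf-uta-rfc6125bis rules he points at), here is a small hostname matcher with that knob. It is example code, not NTPsec code and not the patch being discussed; requiring at least two labels after the wildcard (so "*.com" is rejected) is an assumed simplification of the draft's public-suffix guidance.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Count the labels of a DNS name ("a.b.c" -> 3); an empty label ("a..b") is malformed. */
static size_t label_count(const char *name)
{
    size_t n = 0;
    while (*name != '\0') {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0)
            return 0;
        n++;
        if (dot == NULL)
            break;
        name = dot + 1;
    }
    return n;
}

/* Match a presented identifier (a dNSName from the certificate) against the
 * reference identifier (the host the client meant to reach), case-insensitively.
 * allow_wildcards is the knob under discussion: when false, only an exact match
 * counts. Wildcard rules follow draft-ietf-uta-rfc6125bis: '*' must be the whole
 * left-most label and matches exactly one label. Requiring at least two labels
 * after the '*' (so "*.com" is rejected) is an assumed simplification of the
 * draft's public-suffix guidance. */
bool hostname_matches(const char *presented, const char *reference, bool allow_wildcards)
{
    if (presented == NULL || reference == NULL || *presented == '\0' || *reference == '\0')
        return false;
    if (strcasecmp(presented, reference) == 0)
        return true;
    if (!allow_wildcards)
        return false;
    if (strncmp(presented, "*.", 2) != 0 || strchr(presented + 2, '*') != NULL)
        return false;                     /* only "*.<rest>" is a valid wildcard form */
    const char *suffix = presented + 1;   /* e.g. ".example.com" */
    if (label_count(suffix + 1) < 2)
        return false;
    const char *dot = strchr(reference, '.');
    if (dot == NULL || dot == reference)  /* need one non-empty label in place of '*' */
        return false;
    return strcasecmp(dot, suffix) == 0;  /* '*' matched exactly one label */
}
```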