On Fri, Dec 17, 2021 at 03:36:21AM +0100, Adrian Zaugg wrote:
> Dear List
>
> Trying to set up NTS (RFC 8915) with chrony an authenticated request fails.
> The failing client (another chronyd using: server sirup.3eck.net iburst nts)
> reports:
>
> "chronyd[5269]: TLS handshake with 62.12.167.109:4460 (ntp.3eck.net) failed :
> Error in the pull function."

I think that means the connection was unexpectedly closed from the
other end. One possibility is that the client is too slow. The server
has a 2-second timeout for NTS-KE connections. Does it work from other
computers?

You can emulate an NTS-KE client with the following command:

printf '\x80\x1\x0\x2\x0\x0\x80\x4\x0\x2\x0\xf\x80\x0\x0\x0' | \
	gnutls-cli -p 4460 --alpn=ntske/1 sirup.3eck.net \
	--logfile=/dev/stderr | hexdump -C

If you see about 50 lines of dumped data, it's working correctly.

> The Server starts happily with:
> Dec 17 02:43:35 sirup chronyd[16831]: chronyd version 4.0 starting (+CMDMON
> +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -
> DEBUG

If you had chronyd compiled with debugging messages (+DEBUG), you
could try running it in terminal as

chronyd -d -d |& grep nts_ke

and see if there are any error messages when the client connects.

-- 
Miroslav Lichvar
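
The 16 bytes sent by the printf command in the reply above are three NTS-KE records in the RFC 8915 framing (critical bit, 15-bit type, 16-bit length, body). The decoder below is an added example, not part of the original message or of chrony. The function names are hypothetical, the sample response uses constructed dummy cookies, and it assumes the hexdump bytes are the raw NTS-KE response.

```python
import struct

# Record type numbers from RFC 8915 (NTS-KE record types).
RECORD_TYPES = {0: "End of Message", 1: "NTS Next Protocol Negotiation",
                2: "Error", 3: "Warning", 4: "AEAD Algorithm Negotiation",
                5: "New Cookie for NTPv4", 6: "NTPv4 Server Negotiation",
                7: "NTPv4 Port Negotiation"}

# The 16 bytes that the printf command in the message writes to gnutls-cli.
REQUEST = bytes.fromhex("800100020000" "80040002000f" "80000000")

def parse_records(data):
    """Split an NTS-KE message into (critical, type, body) tuples."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError(f"truncated record header at offset {off}")
        head, length = struct.unpack_from("!HH", data, off)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        records.append((bool(head & 0x8000), head & 0x7FFF, body))
        off += 4 + length
        if head & 0x7FFF == 0:      # End of Message closes the exchange
            break
    return records

def summarize(data):
    """Reduce a message to what matters when debugging a failed NTS-KE."""
    out = {"types": [], "cookies": 0, "error": None, "complete": False}
    for _critical, rtype, body in parse_records(data):
        out["types"].append(RECORD_TYPES.get(rtype, f"unknown({rtype})"))
        if rtype == 5:
            out["cookies"] += 1
        elif rtype == 2 and len(body) == 2:
            out["error"] = struct.unpack("!H", body)[0]
        elif rtype == 0:
            out["complete"] = True
    return out

def build_record(rtype, body, critical=False):
    """Encode one record (used here only to construct sample responses)."""
    return struct.pack("!HH", (0x8000 if critical else 0) | rtype, len(body)) + body

# Constructed sample response: negotiated values, 8 dummy cookies, end marker.
SAMPLE_OK = (build_record(1, b"\x00\x00", True) + build_record(4, b"\x00\x0f")
             + b"".join(build_record(5, bytes(100)) for _ in range(8))
             + build_record(0, b"", True))

if __name__ == "__main__":
    print(summarize(REQUEST))
    print(summarize(SAMPLE_OK))
```

A response that carries an Error record or never reaches End of Message shows up as `error` set or `complete` False, which separates a protocol-level refusal from a connection closed mid-exchange.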