Thanks. It seems that this must be the problem. RHEL has been installed with NIST sec profile for the most "secure install".

[root@repo ~]# gnutls-cli -p 4460 --alpn=ntske/1 --logfile /dev/stderr \
> ptbtime1.ptb.de < /dev/null > /dev/null
Processed 143 CA certificate(s).
Resolving 'ptbtime1.ptb.de:4460'...
Connecting to '192.53.103.108:4460'...
*** Fatal error: The TLS connection was non-properly terminated.

[root@repo ~]# grep AVC.*chrony /var/log/audit/audit.log

[root@repo ~]# cat /etc/crypto-policies/back-ends/gnutls.config
SYSTEM=NONE:+MAC-ALL:-SHA1:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-ECDSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-AES-256-CCM:-AES-128-CCM:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.3:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

But I see here -VERS-TLS1.3, so I guess it means TLS 1.3 is disabled by this install.

Thanks, I guess NTS as a protocol needs TLS1.3.

On Mon, May 2, 2022 at 9:36 AM Miroslav Lichvar <mlich...@redhat.com> wrote:

> On Fri, Apr 29, 2022 at 07:00:13PM +0200, Timothy D wrote:
> > server nts.netnod.se iburst nts
> > server ptbtime1.ptb.de iburst nts
> > ntsdumpdir /var/lib/chrony
>
> > Apr 29 18:56:15 repo.x.local systemd[1]: Started NTP client/server.
> > Apr 29 18:56:16 repo.x.local chronyd[5507]: Fatal error : Could not
> > initialise priority cache : No or insufficient priorities were set.
>
> That looks like chronyd cannot select TLS1.3 or maybe a cipher.
>
> Do you see the same error when you run the following command?
>
> gnutls-cli -p 4460 --alpn=ntske/1 --logfile /dev/stderr \
>     ptbtime1.ptb.de < /dev/null > /dev/null
>
> Do you see any SELinux errors for chrony, e.g. printed by this
> command?
>
> grep AVC.*chrony /var/log/audit/audit.log
>
> Do you have a custom crypto policy configured in
> /etc/crypto-policies/?
>
> cat /etc/crypto-policies/back-ends/gnutls.config
>
> should show the current gnutls configuration.
>
> --
> Miroslav Lichvar

--
Kind regards,
Timothy Dewin
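
An added example, not part of the thread and not chrony or GnuTLS code: a small shell check that walks a GnuTLS priority string like the one posted above and reports whether TLS 1.3, which NTS-KE requires, is still enabled. The function name tls13_status, the shortened sample string and the left-to-right token model are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether a GnuTLS priority string leaves TLS 1.3 enabled.
# Simplified model (assumption): tokens are applied left to right, "+" adds,
# "-" or "!" removes. Only the NONE base keyword and VERS-* tokens are
# interpreted; any other base keyword yields "unknown" unless a later token
# decides the matter explicitly.

# Constructed sample: the version-related part of the policy from the thread.
SAMPLE='SYSTEM=NONE:+MAC-ALL:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.3:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM'

tls13_status() {
    prio=${1#*=}              # drop a leading "SYSTEM=" style key, if present
    state=unknown
    old_ifs=$IFS
    IFS=:
    set -f                    # no filename globbing while splitting tokens
    for tok in $prio; do
        case $tok in
            NONE)
                state=disabled ;;   # start from an empty set of versions
            +VERS-ALL|+VERS-TLS-ALL|+VERS-TLS1.3)
                state=enabled ;;
            -VERS-ALL|-VERS-TLS-ALL|-VERS-TLS1.3)
                state=disabled ;;
            !VERS-ALL|!VERS-TLS-ALL|!VERS-TLS1.3)
                state=disabled ;;
        esac
    done
    set +f
    IFS=$old_ifs
    echo "$state"
}

# Usage: sh check.sh [file]; with no readable file argument the constructed
# sample is checked instead.
if [ -r "${1:-}" ]; then
    tls13_status "$(cat "$1")"
else
    tls13_status "$SAMPLE"
fi
```

A result of "disabled" on /etc/crypto-policies/back-ends/gnutls.config matches the situation in the thread, where the policy removes VERS-TLS1.3 after adding VERS-ALL.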