Just for the sake of it (and if anybody else wants to dig deeper in it), I
went and tried to get it to work.  Enabled TLS 1.3 and it all started
working.  Warning, this does break FIPS compliance and might break stuff.
I'm not a security expert so I cannot estimate the real impact of this
change. Just putting it here for future reference.

update-crypto-policies --show
#FIPS:OSPP

#copy the default policy
sudo cp /usr/share/crypto-policies/policies/modules/OSPP.pmod \
 /etc/crypto-policies/policies/modules/OSPP-TLS13.pmod

# modify the copied policy to enable TLS 1.3 by commenting out "protocol@TLS = -TLS1.3"
sudo sed -i -r 's/^(protocol@TLS = -TLS1.3)$/#\0/' /etc/crypto-policies/policies/modules/OSPP-TLS13.pmod

# set the policy
# some warning that you might break FIPS
sudo update-crypto-policies --set FIPS:OSPP-TLS13

sudo systemctl restart chronyd
sudo systemctl status chronyd
# May 02 12:21:35 repo.x.local chronyd[10582]: Source 194.58.207.75 changed to 194.58.207.80 (nts.netnod.se)


On Mon, May 2, 2022 at 11:46 AM Miroslav Lichvar <mlich...@redhat.com>
wrote:

> On Mon, May 02, 2022 at 11:40:26AM +0200, Timothy D wrote:
> > But I see here -VERS-TLS1.3 so I guess it means TLS 1.3 is disabled by
> > this install. Thanks, I guess NTS as a protocol needs TLS1.3
>
> Right. The Key Establishment part of NTS uses TLS and it specifically
> needs the version 1.3. If the system crypto policy only allows 1.2,
> NTS-KE won't work.
>
> --
> Miroslav Lichvar
>
>

-- 
Kind regards,
Met vriendelijke groeten,

Timothy Dewin

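The procedure in the post above (copy the OSPP module, comment out the line that removes TLS 1.3, then activate the derived policy) can be rehearsed and checked without touching the live system. The script below is an added example, not code from the post or from the crypto-policies project: it works on a constructed sample module written to a temporary directory, and the helper names (`make_sample_module`, `derive_tls13_module`, `count_tls13_exclusions`) are this example's own. It uses GNU sed's `&` (equivalent to the `\0` in the post) and assumes a Linux host.

```shell
#!/bin/sh
# Added example (not from the original post): derive a crypto-policies
# module with the TLS 1.3 exclusion commented out, and verify the edit.
# The sample module body is constructed for illustration; a real OSPP.pmod
# lives under /usr/share/crypto-policies/policies/modules/ and differs.

# Write a constructed OSPP-like module to the path given as $1.
make_sample_module() {
    cat > "$1" <<'EOF'
# Constructed sample module (not the real OSPP.pmod)
protocol = -SSL3.0
protocol@TLS = -TLS1.3
EOF
}

# Return 0 if the module still carries the directive that removes TLS 1.3.
module_disables_tls13() {
    grep -q '^protocol@TLS = -TLS1.3$' "$1"
}

# Copy module $1 to $2 and comment out the TLS 1.3 exclusion in the copy.
# "&" is the whole match, the same as "\0" in the post's sed expression.
derive_tls13_module() {
    cp "$1" "$2"
    sed -i -r 's/^(protocol@TLS = -TLS1.3)$/#&/' "$2"
}

# Number of active (uncommented) TLS 1.3 exclusions left in module $1.
# grep -c exits 1 when the count is 0, so the "|| true" keeps the count.
count_tls13_exclusions() {
    grep -c '^protocol@TLS = -TLS1.3$' "$1" || true
}

# Demonstration on the constructed sample; nothing under /etc is changed.
demo_dir=$(mktemp -d)
make_sample_module "$demo_dir/OSPP.pmod"
derive_tls13_module "$demo_dir/OSPP.pmod" "$demo_dir/OSPP-TLS13.pmod"
echo "active TLS 1.3 exclusions after edit: $(count_tls13_exclusions "$demo_dir/OSPP-TLS13.pmod")"
rm -rf "$demo_dir"
```

On a real host the derived module is activated with `update-crypto-policies --set FIPS:OSPP-TLS13`, as in the post; `update-crypto-policies --show` then confirms the active policy name, and chronyd must be restarted for NTS-KE to pick up the change. The `-VERS-TLS1.3` string quoted earlier in the thread is GnuTLS priority syntax, which is why chronyd (built against GnuTLS) refused TLS 1.3 under the unmodified policy.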