-----Original Message-----
From: Miroslav Lichvar [mailto:mlich...@redhat.com]
Sent: November 30, 2022 17:26
To: chrony-users@chrony.tuxfamily.org
Subject: Re: Reply: Reply: [chrony-users] ipV4 and ipV6
On Wed, Nov 30, 2022 at 08:44:35AM +0000, chengyechun wrote:
> Do the certificates contain a different name? If there are multiple
> certificates with the same name, the server will provide only one to the clients.
> Different IP addresses
I'm not sure if that is supposed to work. The NTS-KE client doesn't provide the
IP address to the server (at least the gnutls_server_name_set() function
doesn't allow that), and gnutls as a TLS server probably doesn't check the
address of the socket in expectation that there will be a matching address in
one of the certificates. Maybe an RFE could be submitted for that.
> This is because one client uses IPv6 to communicate with the server, while
> the other uses IPv4. This is because ip_address is used to generate a
> certificate. The template is as follows:
>
> organization = "xiaoyu"
> country = CN
> ip_address = "11.11.7.120"
> serial = 001
> activation_date = "2022-01-01 00:00:00 UTC"
> expiration_date = "2022-12-31 23:59:59 UTC"
> signing_key
> encryption_key
>
>
> The IPv6 template is to modify ip_address. Can this be unified?
Yes, you can specify multiple addresses in the certificate. Just add more lines
with "ip_address = ...". No need to use separate certificates.

Specifying multiple ip_addresses is valid. I found that when I set ntsrefresh
to 1, the TLS handshake fails every 24s after the TLS handshake fails. This
seems to be regular. Where can I know this from the code?
--
Miroslav Lichvar
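
Added example, not part of the original thread or of chrony: a pre-issuance check that the `ip_address` lines of a certtool template account for every address the clients connect to, IPv4 and IPv6 alike. It assumes the client compares the address it connects to against the certificate's IP entries by exact address equality; the IPv6 address (documentation range) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the template from the thread plus one extra ip_address
# line. 2001:db8::120 is a documentation-range placeholder, not a real address.
UNIFIED_TEMPLATE = """\
organization = "xiaoyu"
country = CN
ip_address = "11.11.7.120"
ip_address = "2001:db8::120"
serial = 001
activation_date = "2022-01-01 00:00:00 UTC"
expiration_date = "2022-12-31 23:59:59 UTC"
signing_key
encryption_key
"""

# The single-address template as posted in the thread.
V4_ONLY_TEMPLATE = UNIFIED_TEMPLATE.replace('ip_address = "2001:db8::120"\n', "")


def template_ip_sans(template_text):
    """Return every ip_address entry of a certtool template as an address object."""
    sans = []
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comments and value-less flags such as signing_key
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ip_address":
            # ip_address() raises ValueError on a malformed entry
            sans.append(ipaddress.ip_address(value.strip('"')))
    return sans


def covers(template_text, server_address):
    """True if the address a client connects to equals one of the IP entries."""
    target = ipaddress.ip_address(server_address)
    return any(san == target for san in template_ip_sans(template_text))


def uncovered(template_text, server_addresses):
    """List the server addresses that no ip_address line accounts for."""
    return [a for a in server_addresses if not covers(template_text, a)]


if __name__ == "__main__":
    listen = ["11.11.7.120", "2001:0db8:0000:0000:0000:0000:0000:0120"]
    print("v4-only template misses:", uncovered(V4_ONLY_TEMPLATE, listen))
    print("unified template misses:", uncovered(UNIFIED_TEMPLATE, listen))
```

Addresses are compared as parsed values, so an expanded IPv6 spelling still matches the compressed form written in the template.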