Yo Hal!

On Sun, 24 Mar 2019 21:38:53 -0700
Hal Murray <hmur...@megapathdsl.net> wrote:

> > My slower RasPi have random startup crashes. Goes away when I do
> > not make them NTS clients. Feels like another mysyslog() thing?
>
> I'd expect garbage in the log files rather than crashes.

Then we have a mystery...

> There is a known bug: nts doesn't work with IP Addresses. Gets a
> segfault. That case might make sense for testing with noval but
> anything with noval is insecure. Better to use old shared key
> authentication.

If you use noval and pinning it is no longer insecure. Potentially more
secure than just validating the certs against the CSs.

> > The waf install, or runtime, or both, need to make /var/lib/ntp if
> > missing. Not quite sure...
>
> What OS/distro? NetBSD uses /var/db/ rather than /var/lib/
> You can fix it in your ntp.conf
> nts cookie <filename>

I'm on Gentoo. Stable and Unstable. I'm not missing /var/lib, I'm missing
/var/lib/ntp, I would not expect any distro to add that.

I think Daniel Frank proposed that /var/lib/ntp was the best place.

> > When I set a server cert, is that used as the client cert too?
>
> There is no code for client certs.

Yes, and just reusing the server cert should make that easier to do.

> > As the hackathon showed, we'll need cert pinning sooner rather than
> > later.
>
> Please say more? (start a new thread)

The people from Univ. Ostfalia insisted on using their private CA. I
refuse to add random root certs to my cert store. That was partly solved
by my using noval, which as you say is insecure. Until I can pin their
server cert.

Nothing new here, just another real world example.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel