Thank you for the clarification. I read both man pages :) When it says “it is not used for precision” I did not make the desired interpretation. I just thought that it could fix the time but not in such a precise way.
On Wed, 13 May 2026 at 22:49, Nick Holland <[email protected]> wrote:

> On 5/13/26 16:27, Daniel wrote:
> > Hello!
> > Thank you for your comments.
> >
> > I took a while to read the man pages and also to make some searches...
> > Man page says:
> > "Time can also be fetched from TLS HTTPS servers to reduce the impact of
> > unauthenticated NTP man-in-the-middle attacks."
>
> you need to read the entire man page.  You also need to read
> the ntpd.conf man page.
>
> > So it seems that we can assume that the clock is still corrected having
> > only "constraints" in ntpd.conf. Maybe that is not enough to have "ntpctl -s
> > status" saying "clock synced".
>
> no.
>
> > This is an interesting subject and it would be great to have it really
> > clear
> > I respect your opinion. And I know I am just an openbsd rookie, but I
> > believe that there can be some contradiction between what the man page says
> > and your response.
> > Much more an interpretation issue...
>
> NTP is not a secured protocol -- there's no real proof
> that you are talking to the server you think you are.  So if I
> can slip my server in between your server and what you are hoping
> is an authoritative source, I can change your clocks.  If I can
> change your clock, perhaps I can convince you to accept an
> expired certificate I stole, or any of a number of other forms
> of mischief.
>
> OpenNTPD tries to make that more difficult by getting a *rough*
> time estimate by making an HTTPS connection to a trusted source.
> So...if (for example) an HTTPS connection to www.google.com says
> the time is a particular time, and the upstream NTP server says it
> is within a few seconds of that time -- we can probably trust the
> NTP server's time report.  If it comes back with a radically
> different time, then no, we won't trust the NTP time.
>
> from man ntpd.conf:
>
> CONSTRAINTS
>      ntpd(8) can be configured to query the `Date' from trusted HTTPS servers
>      via TLS.  This time information is not used for precision but acts as an
>      authenticated constraint, thereby reducing the impact of unauthenticated
>      NTP man-in-the-middle attacks.  Received NTP packets with time
>      information falling outside of a range near the constraint will be
>      discarded and such NTP servers will be marked as invalid.
>
> ntpd MUST use the NTP protocol via the NTP ports.  "Constraints"
> are just a verification through secured channels that the NTP data
> you are getting is plausible -- it isn't used as the answer, ever.
>
>
> Nick.
>
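To make the distinction in the thread concrete, here is an added ntpd.conf example (not posted by either participant) showing the two configurations side by side: a file with only a constraint, which gives ntpd a plausibility check but no time source to synchronise against, and a file with NTP servers plus constraints, which is what the man page excerpt describes. The `servers` and `constraint`/`constraints` keywords are real ntpd.conf(5) directives; the particular hosts used are assumptions, chosen because they appear in OpenBSD's default ntpd.conf and in the quoted discussion.

```conf
# --- Configuration 1: constraint only (does NOT sync the clock) ---
# A constraint is an authenticated sanity check on NTP replies; it is
# never used as the time answer itself, so with no NTP peers listed
# ntpd has nothing to validate and nothing to steer the clock with.
constraints from "https://www.google.com"

# --- Configuration 2: NTP servers plus constraints (the intended setup) ---
# Time is fetched over NTP from the pool; each reply is compared with the
# TLS-authenticated Date header and discarded if it falls outside the
# allowed range, which is how the MITM impact is reduced.
servers pool.ntp.org

# TLS constraint from a hostname (certificate validated against the name)
constraints from "https://www.google.com"

# TLS constraint from a bare IP address, also from the default config
constraint from "9.9.9.9"
```

After editing the file, restart ntpd and use `ntpctl -s status` and `ntpctl -s constraints` to confirm that peers are valid and that the constraint has been fetched; a peer that disagrees with the constraint shows up as invalid rather than silently adjusting the clock.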

