Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Gary E. Miller via devel
Yo Hal! On Wed, 03 Apr 2019 14:52:14 -0700 Hal Murray via devel wrote: > > That is zero for ten... > > I can't say why the results differ from previous tests. > > Check the log file. There should be a message telling you the file > or directory it is using. If you don't find that, you

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Hal Murray via devel
> That is zero for ten... > I can't say why the results differ from previous tests. Check the log file. There should be a message telling you the file or directory it is using. If you don't find that, you probably typo-ed the server line. -- These are my opinions. I hate spam.

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Gary E. Miller via devel
Yo Richard! On Wed, 3 Apr 2019 16:39:19 -0500 Richard Laager via devel wrote: > On 4/3/19 4:33 PM, Gary E. Miller via devel wrote: > > So, more methodically, using this prefix: > > > > server -4 pi3.rellim.com nts maxpoll 5 > > > > Fail - ca /tmp/cert.pem > > Fail - ca /tmp/chain.pem > > Fail

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Richard Laager via devel
On 4/3/19 4:33 PM, Gary E. Miller via devel wrote: > So, more methodically, using this prefix: > > server -4 pi3.rellim.com nts maxpoll 5 > > Fail - ca /tmp/cert.pem > Fail - ca /tmp/chain.pem > Fail - ca /tmp/fullchain.pem > Fail - ca /tmp - with hash for cert.pem > Fail - ca /tmp

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Gary E. Miller via devel
Yo Richard! On Wed, 3 Apr 2019 15:54:39 -0500 Richard Laager via devel wrote: > On 4/3/19 3:20 PM, Gary E. Miller via devel wrote: > >> Does it work with "ca chain.pem" (specifying a file, as opposed to > >> a directory)? If you already tested this earlier in the thread and > >> I missed it,

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Gary E. Miller via devel
Yo Hal! On Wed, 03 Apr 2019 13:42:41 -0700 Hal Murray via devel wrote: > > 3. I see big differences in jitter and latency between IPv4 and > > IPv6. I want to characterize the difference, then select the best. > > For testing jitter and latency, you can specify -4 and -6 to get NTP > using

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Richard Laager via devel
On 4/3/19 3:12 PM, Hal Murray via devel wrote: > The parser sets things up with IF_UNSPEC, IF_INET, or IF_INET6 and a name. > Those get passed to getaddrinfo (the name gets checked for :port, default is > 123). It uses the first answer for KE, ignoring any others. This sounds correct.

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Richard Laager via devel
On 4/3/19 3:20 PM, Gary E. Miller via devel wrote: >> Does it work with "ca chain.pem" (specifying a file, as opposed to a >> directory)? If you already tested this earlier in the thread and I >> missed it, ignore me. > I just tried it, no joy. The cert.pem that worked when I hashed it > and "ca

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Richard Laager via devel
On 4/3/19 3:24 PM, Gary E. Miller via devel wrote: >> Just curious. What sort of setup are you using where IPv6 is >> significantly better than IPv4? > Beats me. All I can see is different paths using traceroute, mtr, etc. > > Not unusual for ISPs and backbones to route IPv4 and IPv6 over

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Hal Murray via devel
> 3. I see big differences in jitter and latency between IPv4 and IPv6. > I want to characterize the difference, then select the best. For testing jitter and latency, you can specify -4 and -6 to get NTP using the desired protocol. Is there a reason you need to do KE using the other

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Hal Murray via devel
> But this brings up another related issue. We're preferring IPv6 by default, > right? That should be the default, but I just wanted to ask. It uses the first answer it gets back from getaddrinfo. I just scanned the man page. I didn't see anything about the order of returned answers. ntpd

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Gary E. Miller via devel
Yo Hal! On Wed, 03 Apr 2019 13:12:58 -0700 Hal Murray via devel wrote: > > Why? Well, my IPv6 connections have much less latency and jitter > > than my IPv4 ones. Without -4 and -6 on the NTP part of NTS I > > can't make those comparisons easily. > > If you put the -4 after the "server",

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Gary E. Miller via devel
Yo Richard! On Wed, 3 Apr 2019 00:35:07 -0500 Richard Laager via devel wrote: > > If I delete the hash to chain.pem then it fails again. So the hash > > to cert.pem does not help. > > Perfect. That's exactly how it should work. The "ca" option specifies > CAs, not end certificates. Fine,

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Hal Murray via devel
> Why? Well, my IPv6 connections have much less latency and jitter than my > IPv4 ones. Without -4 and -6 on the NTP part of NTS I can't make those > comparisons easily. If you put the -4 after the "server", it does both the KE and NTP using -4. Is there a reason you need to do KE over one

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Richard Laager via devel
On 4/3/19 2:44 PM, Gary E. Miller via devel wrote: > Why? Well, my IPv6 connections have much less latency and jitter than > my IPv4 ones. Without -4 and -6 on the NTP part of NTS I can't make > those comparisons easily. You're interested for testing, which is one thing. But this brings up

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Gary E. Miller via devel
Yo Hal! On Wed, 03 Apr 2019 04:19:08 -0700 Hal Murray via devel wrote: > > Most of the thread was about trying all the possible IPv4 and IPv6 > > addresses returned for the NTPD server until one worked. So > > assuming IPv4 for the NTPD when the NTS-KE is IPv4 is not what the > > WG expects.

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Gary E. Miller via devel
Yo Achim! On Wed, 03 Apr 2019 20:52:36 +0200 Achim Gratz via devel wrote: > Gary E. Miller via devel writes: > >> If you can't get the root cert, you cannot validate anything that > >> has this root as the trust anchor. > > > > And yet, yesterday I was able to use git head to validate using

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Achim Gratz via devel
Gary E. Miller via devel writes: >> If you can't get the root cert, you cannot validate anything that has >> this root as the trust anchor. > > And yet, yesterday I was able to use git head to validate using just > a Let's Encrypt chain file. So, yes, you need a root file to validate > against a

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Gary E. Miller via devel
Yo Achim! On Wed, 03 Apr 2019 20:23:37 +0200 Achim Gratz via devel wrote: > Gary E. Miller via devel writes: > >> I think openssl is expecting the root cert. > > OpenSSL expects a PKI directory (in which each cert has to have a > certain filename so it doesn't have to read all files each

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Achim Gratz via devel
Gary E. Miller via devel writes: >> I think openssl is expecting the root cert. OpenSSL expects a PKI directory (in which each cert has to have a certain filename so it doesn't have to read all files each time) or a bundle file with all the certs concatenated. > And in the case of ostfalia, I

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Richard Laager via devel
On 4/3/19 6:51 AM, Hal Murray via devel wrote: > Most of the time when we say "root cert" we are talking about > an intermediate cert that is contained in the collection of trusted certs > distributed by distros. The trusted certs in your distro definitely contain roots, not intermediates, at

Re: NTS: removed "not implemented" on server ca

2019-04-03 Thread Hal Murray via devel
> No. LE has FIVE root certs. Maybe you can call it a split root. And you > have no way of knowing which one they use for any particular cert. > And note they specifically say: "Our roots are kept safely offline." > So you can't even get the root to check it! "root" is ambiguous without
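The posts above (Achim on OpenSSL wanting either a hashed PKI directory or a concatenated bundle, Richard on "ca" naming CAs rather than end certificates, Hal and Richard on roots versus intermediates) describe behaviour that is easy to reproduce with the openssl command-line tool. The script below is an added example, not NTPsec code and not something posted in the thread. It builds a throwaway root -> intermediate -> leaf hierarchy in a temporary directory, writes chain.pem and fullchain.pem in the layout Let's Encrypt uses, and then runs `openssl verify` against each candidate trust store. Assumptions: the openssl CLI (1.1.1 or newer) is on PATH, and that NTPsec's `ca <file>` / `ca <dir>` forms correspond to OpenSSL's `-CAfile` / `-CApath` lookups; the hostnames and file names are constructed for the example.

```shell
#!/bin/sh
# Added example; not NTPsec code and not from the thread. Shows what the
# OpenSSL CLI does with a trust store given as a bundle file versus a hashed
# directory, and why a chain file that lacks the self-signed root does not
# anchor verification. Assumes openssl 1.1.1+ on PATH. Every key and cert is
# constructed here in a scratch directory. That NTPsec's "ca <file|dir>" maps
# onto -CAfile/-CApath is an assumption, not something stated in the thread.
set -eu

PKI=$(mktemp -d)
cleanup() {
    rc=$?
    if [ "$rc" -eq 0 ]; then rm -rf "$PKI"; else echo "left $PKI in place; see openssl.log" >&2; fi
    exit "$rc"
}
trap cleanup EXIT

# Build root -> intermediate -> leaf. CA certs carry basicConstraints so
# OpenSSL accepts them as issuers; the leaf is deliberately CA:FALSE.
build_pki() (
    cd "$PKI"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' >> req.cnf
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:nts.example.test\n' > leaf.ext

    openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj '/CN=Example Root' -days 3650 -keyout root.key -out root.pem 2>>openssl.log
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=Example Intermediate' -keyout int.key -out int.csr 2>>openssl.log
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out int.pem 2>>openssl.log
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=nts.example.test' -keyout leaf.key -out leaf.csr 2>>openssl.log
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 90 -extfile leaf.ext -out leaf.pem 2>>openssl.log

    # Same layout Let's Encrypt hands out: chain.pem is the issuing intermediate,
    # fullchain.pem is leaf + intermediate. Neither file contains the root.
    cp int.pem chain.pem
    cat leaf.pem int.pem > fullchain.pem

    # Directory form: OpenSSL opens <subject_hash>.<n>; it does not scan the dir.
    mkdir hashed plain
    cp root.pem "hashed/$(openssl x509 -in root.pem -noout -subject_hash).0"
    cp root.pem plain/root.pem
)

# Exit 0 iff LEAF chains to a self-signed anchor found in BUNDLE, with UNTRUSTED
# offered as extra intermediates (the bundle-file form of a CA store).
verify_file() {  # verify_file LEAF BUNDLE UNTRUSTED
    openssl verify -no-CAfile -no-CApath -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Same, but the store is a directory searched by <subject_hash>.<n> file name.
verify_dir() {   # verify_dir LEAF DIR UNTRUSTED
    openssl verify -no-CAfile -no-CApath -CApath "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Same as verify_file, but accept a chain ending at a trusted intermediate
# instead of insisting on a self-signed root (X509_V_FLAG_PARTIAL_CHAIN).
verify_file_partial() {
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

show() {  # show LABEL CMD ARGS...
    label=$1; shift
    if "$@"; then printf 'OK   %s\n' "$label"; else printf 'FAIL %s\n' "$label"; fi
}

build_pki
LEAF=$PKI/leaf.pem; INT=$PKI/int.pem
show 'ca root.pem      (self-signed anchor present)' verify_file "$LEAF" "$PKI/root.pem" "$INT"
show 'ca chain.pem     (intermediate only)'          verify_file "$LEAF" "$PKI/chain.pem" "$INT"
show 'ca fullchain.pem (leaf + intermediate)'        verify_file "$LEAF" "$PKI/fullchain.pem" "$INT"
show 'ca chain.pem     with -partial_chain'          verify_file_partial "$LEAF" "$PKI/chain.pem" "$INT"
show 'ca <dir>/        root stored as <hash>.0'      verify_dir "$LEAF" "$PKI/hashed" "$INT"
show 'ca <dir>/        root stored as root.pem'      verify_dir "$LEAF" "$PKI/plain" "$INT"
```

Only the two stores that actually contain the self-signed root (the root bundle and the directory whose file is named by subject hash) verify with OpenSSL's default policy; chain.pem and fullchain.pem fail because the chain never reaches a self-signed anchor, and the same root under the name root.pem in a directory is never opened. The `-partial_chain` line shows that accepting an intermediate as the anchor is a deliberate verifier flag, not something a chain file grants by itself. When a "ca" setting is rejected in practice, `openssl x509 -noout -subject -issuer -in <file>` on each candidate, and `openssl rehash <dir>` (or `c_rehash`) for the directory form, settle which of these cases applies.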

Re: "server -4 hostname -6" does not IPv6

2019-04-03 Thread Hal Murray via devel
> Most of the thread was about trying all the possible IPv4 and IPv6 addresses > returned for the NTPD server until one worked. So assuming IPv4 for the NTPD > when the NTS-KE is IPv4 is not what the WG expects. I didn't see any consensus that we have to implement all possible combinations,