[chrony-dev] chrony-4.6.1 released

chrony-4.6.1 is now available. This release addresses an issue
that was introduced in chrony-4.4 with support for AES-128-GCM-SIV keys
in NTS. It causes chrony to not interoperate with implementations
that correctly follow RFC 8915. There are no other known NTS
implementations with AES-128-GCM-SIV support yet. A new NTS-KE record
is used to negotiate the use of RFC-8915-compliant keys to avoid
breaking compatibility with older chrony servers and clients.

The source code is available here:
https://chrony-project.org/releases/chrony-4.6.1.tar.gz

SHA256 sum:
571ff73fbf0ae3097f0604eca2e00b1d8bb2e91affe1a3494785ff21d6199c5c

Notable changes since 4.6:

Enhancements
------------
* Add ntsaeads directive to enable only selected AEAD algorithms for NTS

Workarounds
-----------
* Negotiate use of compliant NTS keys with AES-128-GCM-SIV AEAD algorithm [1]
  (by default the keys are generated differently than in RFC 8915 for
  compatibility with chrony server and client versions 4.4, 4.5, and 4.6)
* Switch to compliant NTS keys if first response from server is NTS NAK

[1] https://chrony-project.org/doc/spec/nts-compliant-128gcm.html

-- 
Miroslav Lichvar
