[chrony-dev] chrony-4.6.1 released
chrony-4.6.1 is now available.

This release is addressing an issue that was added in chrony-4.4 with support for AES-128-GCM-SIV keys in NTS. It causes chrony to not interoperate with implementations correctly following the RFC 8915. There are no other known NTS implementations with AES-128-GCM-SIV support yet. A new NTS-KE record is used to negotiate the use of RFC-8915-compliant keys to avoid breaking compatibility with older chrony servers and clients.

The source code is available here:
https://chrony-project.org/releases/chrony-4.6.1.tar.gz

SHA256 sum:
571ff73fbf0ae3097f0604eca2e00b1d8bb2e91affe1a3494785ff21d6199c5c

Notable changes since 4.6:

Enhancements
------------
* Add ntsaeads directive to enable only selected AEAD algorithms for NTS

Workarounds
-----------
* Negotiate use of compliant NTS keys with AES-128-GCM-SIV AEAD algorithm [1]
  (by default the keys are generated differently than in RFC 8915 for
  compatibility with chrony server and client versions 4.4, 4.5, and 4.6)
* Switch to compliant NTS keys if first response from server is NTS NAK

[1] https://chrony-project.org/doc/spec/nts-compliant-128gcm.html

--
Miroslav Lichvar