Re: [chrony-users] Chronyd does not use non-nts servers

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]



On Thu, Oct 29, 2020 at 11:43 AM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Thu, Oct 29, 2020 at 04:09:32AM -0400, William Holmes wrote:
> [root@hostname /tmp]# date +%Y%m%d -s '19900101'

> Jan  1 00:00:21 hostname chronyd[44348]: TLS handshake with
> 194.58.202.218:4460 (nts.sth2.ntp.se) failed : Error in the certificate
> verification. The certificate is NOT trusted. The certificate chain uses
> not yet valid certificate.

Unfortunately, this is a chicken-and-egg problem with NTS. It needs
the clock to be reasonably close to the true time (say within days or
weeks) to be able to verify the certificates. The whole point of NTS
is to synchronize the clock securely, so it cannot just fall back to
unauthenticated NTP.

Most computers have an RTC backed up by a battery. Once corrected
manually, it should be good enough to keep NTS working even if the
machine is turned off for years at a time.

With no RTC or battery, you can use the -s option to restore the time
from the previous shutdown/reboot. That should work well for machines
that are not turned off for too long.

As a last resort, you can disable the certificate time checks with the
nocerttimecheck directive in chrony.conf, but it has an impact on
security.

I actually like to consider if "nts nocerttimecheck 1" would be a reasonable default config for what we ship in distros.
People that can rely on their environment could further opt-in by dropping the nocerttimecheck.
People with bad systems/clocks are not totally broken as the initial sync would be ok at least. And once the time is good after the first run it would be ok and use NTS.

To me it seems that "nts" is more safe than "nts nocerttimecheck 1".
But "nts nocerttimecheck 1" is much better than "".

The question to me is if there are general drawbacks that I'd overlook when we generally would enable this.
E.g. much higher cpu consumptions which if you scale plenty of cloud guests would be a problem.

Are there opinions or experiences from trying "nts nocerttimecheck 1"?
 
--
Miroslav Lichvar


--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.



--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/