Re: [chrony-users] NTS: Limiting



On Tue, Jan 19, 2021 at 06:45:35PM +0100, Karol Babioch wrote:
> Some examples I'm aware of:
> 
> - OpenVPN (via tls-verify option):
> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

That looks easier to implement. An issue is that it wouldn't work with
the seccomp filter (no exec allowed).

> - Apache (via SSLRequire):
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire (although
> it seems to be deprecated)

This looks more complicated.

I'll need to think about this more.

> > If you control the specific servers signed by Let's Encrypt, maybe you
> > could trust all their certificates individually and then trust all the
> > system certificates except Let's Encrypt?
> 
> No, that is rather inflexible. Let's Encrypt certificates change often
> (< 90 days). I don't think it's good practice to change / control the
> configuration of all the downstream clients just because a certificate
> was regularly rotated.

You could use certificates signed by your own CA on those servers and
trust its cert on clients.

I suspect an issue with removing trust for Let's Encrypt as their
certificates are still cross-signed by DST Root CA X3. If you remove
both ISRG Root X1 and DST Root CA X3 from trusted certs, won't that
break unrelated servers?

-- 
Miroslav Lichvar
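The cross-signing concern raised in the last paragraph, worked through as an added example (not part of the thread or of chrony): a constructed toy PKI in which an old root cross-signs a new root's key, checked with openssl under three different trust stores. The root names, the temp-dir layout and the `nts.example.test` hostname are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A constructed toy PKI modelling the
# cross-signing point in the reply: "oldroot" stands in for DST Root CA X3,
# "newroot" for ISRG Root X1, and oldroot issues a cross-certificate for
# newroot's key. Assumes openssl (1.1.1 or later) is installed; everything is
# generated in a temp dir and no real Let's Encrypt material is used.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
NEWROOT_CN='New Root (stands in for ISRG Root X1)'
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nts.example.test\n' > "$W/leaf.ext"

csr() {  # $1 name, $2 CN: fresh RSA key plus a CSR for it
  openssl genrsa -out "$W/$1.key" 2048 2>/dev/null
  openssl req -new -key "$W/$1.key" -subj "/CN=$2" -out "$W/$1.csr" 2>/dev/null
}
self_sign() {  # $1 name: turn the CSR into a self-signed root CA cert
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 30 \
    -extfile "$W/ca.ext" -out "$W/$1.crt" 2>/dev/null
}
issue() {  # $1 out name, $2 CSR name, $3 issuer name, $4 extension file
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$3.crt" -CAkey "$W/$3.key" \
    -CAcreateserial -days 30 -extfile "$W/$4" -out "$W/$1.crt" 2>/dev/null
}

csr oldroot 'Old Root (stands in for DST Root CA X3)'; self_sign oldroot
csr newroot "$NEWROOT_CN";                             self_sign newroot
csr unrelated 'Unrelated Root';                        self_sign unrelated
issue cross newroot oldroot ca.ext   # cross-cert: newroot's key, signed by oldroot
csr leaf nts.example.test
issue leaf leaf newroot leaf.ext     # server cert issued under newroot

# Validate the leaf against one trust anchor. The cross-certificate is passed
# as an untrusted intermediate, as a server would include it in its chain.
verify_with() {  # $1 trusted root name -> exit 0 if the chain validates
  openssl verify -CAfile "$W/$1.crt" -untrusted "$W/cross.crt" \
    "$W/leaf.crt" >/dev/null 2>&1
}
trust_new_root_only() { verify_with newroot; }
trust_old_root_only() { verify_with oldroot; }
trust_neither()       { verify_with unrelated; }

for c in trust_new_root_only trust_old_root_only trust_neither; do
  if "$c"; then echo "$c: chain valid"; else echo "$c: rejected"; fi
done
```

The leaf validates when either root is trusted, because the cross-certificate bridges to the old root; dropping both roots from the store rejects every certificate issued under the new root, which is the breakage the reply warns about.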



