Re: [chrony-users] NTS: Limiting
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] NTS: Limiting
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Wed, 20 Jan 2021 09:45:38 +0100
On Tue, Jan 19, 2021 at 06:45:35PM +0100, Karol Babioch wrote:
> Some examples I'm aware of:
>
> - OpenVPN (via tls-verify option):
> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
That looks easier to implement. An issue is that it wouldn't work with
the seccomp filter (no exec allowed).
> - Apache (via SSLRequire):
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire (although
> it seems to be deprecated)
This looks more complicated.
I'll need to think about this more.
> > If you control the specific servers signed by Let's Encrypt, maybe you
> > could trust all their certificates individually and then trust all the
> > system certificates except Let's Encrypt?
>
> No, that is rather inflexible. Let's Encrypt certificates change often
> (< 90 days). I don't think it's good practice to change / control the
> configuration of all the downstream clients just because a certificate
> was regularly rotated.
You could use certificates signed by your own CA on those servers and
trust its cert on clients.
I suspect an issue with removing trust for Let's Encrypt as their
certificates are still cross signed by DST Root CA X3. If you remove
both ISRG Root X1 and DST Root CA X3 from trusted certs, won't that
break unrelated servers?
--
Miroslav Lichvar
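Miroslav's private-CA suggestion above, written out as a chrony.conf fragment. This is an added illustration, not configuration from the thread or from the chrony project. The host names and the CA file path are placeholders, and the semantics assumed for `ntstrustedcerts` (present since chrony 4.0: when the directive is given, the listed CA file is used for NTS certificate validation instead of the system default store) should be checked against the documentation for the installed version.

```conf
# chrony.conf fragment (added example, not from the thread).
# Goal: the NTS-KE TLS handshake with our own servers validates only
# against our private CA. A Let's Encrypt (or any other public CA)
# certificate presented for these names is therefore rejected, and the
# system CA store, including the cross-signed ISRG Root X1 / DST Root
# CA X3 chain, is left untouched for unrelated software.

# Hypothetical NTS servers whose certificates are issued by our CA.
server ntp1.example.net iburst nts
server ntp2.example.net iburst nts

# Assumption: PEM file holding our CA certificate(s). With this
# directive present, chrony (>= 4.0) trusts this set for NTS instead
# of the system default store. Path is a placeholder.
ntstrustedcerts /etc/chrony/private-ca.pem

# Cache for keys and cookies obtained via NTS-KE (distribution default
# locations vary).
ntsdumpdir /var/lib/chrony
```

As written the restriction applies to every NTS server in the file; a per-server association of trusted certificate sets, where the installed chrony version supports one, is not used here. The approach sidesteps the cross-signing problem Miroslav raises only because the system store is never modified; it does not by itself limit which public certificates other TLS clients on the host will accept.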