Re: [chrony-users] chrony with NTS: "Error in the pull function." |
[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]
Dear Miroslav In der Nachricht vom Friday, 17 December 2021 09:38:14 CET schrieb Miroslav Lichvar: > I think that means the connection was unexpectedly closed from the > other end. One possibility is that the client is too slow. The server The client is a i7 11th gen Laptop and the server is just behind the local firewall. > has a 2-second timeout for NTS-KE connections. Does it work from other > computers? No. > You can emulate an NTS-KE client with the following command: > > printf '\x80\x1\x0\x2\x0\x0\x80\x4\x0\x2\x0\xf\x80\x0\x0\x0' | \ > gnutls-cli -p 4460 --alpn=ntske/1 sirup.3eck.net \ > --logfile=/dev/stderr | hexdump -C > > If you see about 50 lines of dumped data, it's working correctly. It yealds the same result: Processed 129 CA certificate(s). Resolving 'sirup.3eck.net:4460'... Connecting to '62.12.167.109:4460'... *** Fatal error: Error in the pull function. The answer is immediate. If I watch chronyc serverstats after trying the above, I see NTS-KE connections accepted: 1 NTS-KE connections dropped : 0 The accepted connections have been increasing from 0 to 1. > If you had chronyd compiled with debugging messages (+DEBUG), you > could try running it in terminal as > > chronyd -d -d |& grep nts_ke > > and see if there are any error messages when the client connects. Yes, that would most probably help. I'm using a precompiled version of Devuan (equal to Debian stable chrony 4.0-8 with a dependency on gnutls: libgnutls30 3.7.1-5). On this server I can't test too much, because it's a public NTP Server. If I install ntpsec locally and set it to use nts on ntp.3eck.net, I see: [...] Dec 18 00:13:05 haiash ntpd[27277]: INIT: OpenSSL 1.1.1k 25 Mar 2021, 101010bf [...] Dec 18 00:14:41 haiash ntpd[27538]: NTSc: DNS lookup of ntp.3eck.net took 0.007 sec Dec 18 00:14:41 haiash ntpd[27538]: NTSc: connecting to ntp.3eck.net:4460 => 62.12.167.109:4460 Dec 18 00:14:41 haiash ntpd[27538]: NTSc: set cert host: ntp.3eck.net Dec 18 00:14:41 haiash ntpd[27538]: NTSc: SSL_connect failed Dec 18 00:14:41 haiash ntpd[27538]: NTSc: NTS-KE req to ntp.3eck.net took 0.012 sec, fail [...] So at least, the 2 seconds limit is not the problem. The request gets through and the server answers it without problems. It is not a problem of gnutls alone on the client, since also openssl doesn't understand the answer. Hmm. Does anybody have Chrony running with Let's encrypt certs (rsa, using subj alt names) installed and NTS is working? Thank you for any more help. Regards, Adrian.
Attachment:
signature.asc
Description: This is a digitally signed message part.
Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/ |