Re: [chrony-users] chrony with NTS: "Error in the pull function."

[ Thread Index | Date Index | More Archives ]

Dear Miroslav

In der Nachricht vom Friday, 17 December 2021 09:38:14 CET schrieb Miroslav 
> I think that means the connection was unexpectedly closed from the
> other end. One possibility is that the client is too slow. The server
The client is a i7 11th gen Laptop and the server is just behind the local 

> has a 2-second timeout for NTS-KE connections. Does it work from other
> computers?
> You can emulate an NTS-KE client with the following command:
> printf '\x80\x1\x0\x2\x0\x0\x80\x4\x0\x2\x0\xf\x80\x0\x0\x0' | \
> 	gnutls-cli -p 4460 --alpn=ntske/1 \
> 	--logfile=/dev/stderr | hexdump -C
> If you see about 50 lines of dumped data, it's working correctly.
It yealds the same result:

Processed 129 CA certificate(s).
Resolving ''...
Connecting to ''...
*** Fatal error: Error in the pull function.

The answer is immediate. If I watch chronyc serverstats after trying the 
above, I see 
	NTS-KE connections accepted: 1
	NTS-KE connections dropped : 0

The accepted connections have been increasing from 0 to 1.

> If you had chronyd compiled with debugging messages (+DEBUG), you
> could try running it in terminal as
> chronyd -d -d |& grep nts_ke
> and see if there are any error messages when the client connects.
Yes, that would most probably help. I'm using a precompiled version of Devuan 
(equal to Debian stable chrony 4.0-8 with a dependency on gnutls: libgnutls30 
On this server I can't test too much, because it's a public NTP Server.

If I install ntpsec locally and set it to use nts on, I see:
Dec 18 00:13:05 haiash ntpd[27277]: INIT: OpenSSL 1.1.1k  25 Mar 2021, 
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: DNS lookup of took 
0.007 sec
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: connecting to =>
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: set cert host:
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: SSL_connect failed
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: NTS-KE req to took 
0.012 sec, fail

So at least, the 2 seconds limit is not the problem. The request gets through 
and the server answers it without problems. It is not a problem of gnutls 
alone on the client, since also openssl doesn't understand the answer. Hmm.

Does anybody have Chrony running with Let's encrypt certs (rsa, using subj alt 
names) installed and NTS is working?

Thank you for any more help.

Regards, Adrian. 

Attachment: signature.asc
Description: This is a digitally signed message part.

Mail converted by MHonArc 2.6.19+