Re: [chrony-users] chrony with NTS: "Error in the pull function."



Dear Miroslav

In the message of Friday, 17 December 2021 09:38:14 CET, Miroslav Lichvar wrote:
> I think that means the connection was unexpectedly closed from the
> other end. One possibility is that the client is too slow. The server
The client is an i7 11th gen laptop and the server is just behind the local 
firewall.

> has a 2-second timeout for NTS-KE connections. Does it work from other
> computers?
No.
 
> You can emulate an NTS-KE client with the following command:
> 
> printf '\x80\x1\x0\x2\x0\x0\x80\x4\x0\x2\x0\xf\x80\x0\x0\x0' | \
> 	gnutls-cli -p 4460 --alpn=ntske/1 sirup.3eck.net \
> 	--logfile=/dev/stderr | hexdump -C
> 
> If you see about 50 lines of dumped data, it's working correctly.
It yields the same result:

Processed 129 CA certificate(s).
Resolving 'sirup.3eck.net:4460'...
Connecting to '62.12.167.109:4460'...
*** Fatal error: Error in the pull function.

The answer is immediate. If I watch chronyc serverstats after trying the 
above, I see 
	NTS-KE connections accepted: 1
	NTS-KE connections dropped : 0

The accepted connections have been increasing from 0 to 1.

> If you had chronyd compiled with debugging messages (+DEBUG), you
> could try running it in terminal as
> 
> chronyd -d -d |& grep nts_ke
> 
> and see if there are any error messages when the client connects.
Yes, that would most probably help. I'm using a precompiled version of Devuan 
(equal to Debian stable chrony 4.0-8 with a dependency on gnutls: libgnutls30 
3.7.1-5).
On this server I can't test too much, because it's a public NTP Server.

If I install ntpsec locally and set it to use nts on ntp.3eck.net, I see:
[...]
Dec 18 00:13:05 haiash ntpd[27277]: INIT: OpenSSL 1.1.1k  25 Mar 2021, 
101010bf
[...]
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: DNS lookup of ntp.3eck.net took 
0.007 sec
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: connecting to ntp.3eck.net:4460 => 
62.12.167.109:4460
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: set cert host: ntp.3eck.net
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: SSL_connect failed
Dec 18 00:14:41 haiash ntpd[27538]: NTSc: NTS-KE req to ntp.3eck.net took 
0.012 sec, fail
[...]

So at least the 2-second limit is not the problem. The request gets through 
and the server answers it without problems. It is not a problem of gnutls 
alone on the client, since OpenSSL doesn't understand the answer either. Hmm.

Does anybody have chrony running with Let's Encrypt certs (RSA, using subject alt 
names) installed, with NTS working?

Thank you for any more help.

Regards, Adrian. 
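As an added example (not code from this thread, from chrony or from ntpsec), the following Python encodes the same NTS-KE request that the quoted printf writes by hand and parses a server reply into its RFC 8915 records, so a truncated or malformed reply can be told apart from a rejected negotiation. The sample reply and its cookies are constructed here, not captured from the server in the thread.

```python
import struct
# NTS-KE record types (RFC 8915, section 4); bit 15 of the type field marks a critical record
END_OF_MESSAGE, NEXT_PROTOCOL, ERROR, AEAD_ALGORITHM, NEW_COOKIE = 0, 1, 2, 4, 5
CRITICAL = 0x8000

def build_record(rec_type, body=b"", critical=True):
    """Encode one record: 16-bit type (with critical bit), 16-bit body length, body."""
    return struct.pack("!HH", rec_type | (CRITICAL if critical else 0), len(body)) + body

def build_client_request():
    """The 16 bytes the printf in the thread sends: Next Protocol 0 (NTPv4), AEAD 15 (AES-SIV-CMAC-256), EOM."""
    return (build_record(NEXT_PROTOCOL, struct.pack("!H", 0))
            + build_record(AEAD_ALGORITHM, struct.pack("!H", 15))
            + build_record(END_OF_MESSAGE))

def parse_records(data):
    """Return [(type, critical, body)] up to End of Message; raise on a malformed stream."""
    records, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        t, length = struct.unpack_from("!HH", data, off)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % (off + 4))
        off += 4 + length
        records.append((t & 0x7FFF, bool(t & CRITICAL), body))
        if t & 0x7FFF == END_OF_MESSAGE:
            break
    if off != len(data):
        raise ValueError("%d trailing bytes after End of Message" % (len(data) - off))
    return records

def u16s(body):  # decode a body made of 16-bit big-endian values
    return list(struct.unpack("!%dH" % (len(body) // 2), body))

def summarize_response(data):
    """Return (next_protocols, aead_ids, cookie_count, error_codes) from a server reply."""
    protos, aeads, cookies, errors = [], [], 0, []
    for rec_type, _critical, body in parse_records(data):
        if rec_type == NEXT_PROTOCOL: protos += u16s(body)
        elif rec_type == AEAD_ALGORITHM: aeads += u16s(body)
        elif rec_type == ERROR: errors += u16s(body)
        elif rec_type == NEW_COOKIE: cookies += 1
    return protos, aeads, cookies, errors

# Constructed sample reply (not captured from the thread's server): both offers accepted, two dummy cookies
SAMPLE_RESPONSE = (build_record(NEXT_PROTOCOL, struct.pack("!H", 0))
                   + build_record(AEAD_ALGORITHM, struct.pack("!H", 15))
                   + build_record(NEW_COOKIE, b"\x00" * 8, critical=False) * 2
                   + build_record(END_OF_MESSAGE))
```

To inspect a real reply, pass the raw bytes gnutls-cli writes to stdout (before hexdump) to summarize_response: an accepted negotiation echoes Next Protocol 0 and AEAD 15 and carries cookies, a rejection shows up as an Error record, and a connection closed before End of Message raises ValueError, which matches the "pull function" failure in the thread rather than a protocol-level refusal.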
