Re: [chrony-users] chrony with NTS: "Error in the pull function."


On Fri, Dec 17, 2021 at 03:36:21AM +0100, Adrian Zaugg wrote:
> Dear List
> Trying to set up NTS (RFC 8915) with chrony, an authenticated request fails.
> The failing client (another chronyd using: server iburst nts) 
> reports:
> "chronyd[5269]: TLS handshake with ( failed : 
> Error in the pull function."

I think that means the connection was unexpectedly closed from the
other end. One possibility is that the client is too slow. The server
has a 2-second timeout for NTS-KE connections. Does it work from other

You can emulate an NTS-KE client with the following command:

printf '\x80\x1\x0\x2\x0\x0\x80\x4\x0\x2\x0\xf\x80\x0\x0\x0' | \
	gnutls-cli -p 4460 --alpn=ntske/1 \
	--logfile=/dev/stderr | hexdump -C

If you see about 50 lines of dumped data, it's working correctly.

> The Server starts happily with:
> Dec 17 02:43:35 sirup chronyd[16831]: chronyd version 4.0 starting (+CMDMON 

If you had chronyd compiled with debugging messages (+DEBUG), you
could try running it in a terminal as

chronyd -d -d |& grep nts_ke

and see if there are any error messages when the client connects.

Miroslav Lichvar
