Re: [chrony-users] chrony with NTS: "Error in the pull function."
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] chrony with NTS: "Error in the pull function."
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Fri, 17 Dec 2021 09:38:14 +0100
On Fri, Dec 17, 2021 at 03:36:21AM +0100, Adrian Zaugg wrote:
> Dear List
>
> Trying to set up NTS (RFC 8915) with chrony an authenticated request fails.
> The failing client (another chronyd using: server sirup.3eck.net iburst nts)
> reports:
>
> "chronyd[5269]: TLS handshake with 62.12.167.109:4460 (ntp.3eck.net) failed :
> Error in the pull function."

I think that means the connection was unexpectedly closed from the
other end. One possibility is that the client is too slow. The server
has a 2-second timeout for NTS-KE connections. Does it work from other
computers?

You can emulate an NTS-KE client with the following command:

    printf '\x80\x1\x0\x2\x0\x0\x80\x4\x0\x2\x0\xf\x80\x0\x0\x0' | \
      gnutls-cli -p 4460 --alpn=ntske/1 sirup.3eck.net \
      --logfile=/dev/stderr | hexdump -C

If you see about 50 lines of dumped data, it's working correctly.

> The Server starts happily with:
> Dec 17 02:43:35 sirup chronyd[16831]: chronyd version 4.0 starting (+CMDMON
> +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -
> DEBUG

If you had chronyd compiled with debugging messages (+DEBUG), you
could try running it in terminal as

    chronyd -d -d |& grep nts_ke

and see if there are any error messages when the client connects.

--
Miroslav Lichvar
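
Added example, not part of the original message and not chrony code: a decoder for the 16 bytes that the printf command above sends, using the NTS-KE record layout from RFC 8915 (critical bit plus 15-bit type, 16-bit length, body). The function names `parse_records` and `describe` are illustrative assumptions.

```python
import struct

# Request bytes from the printf command in the message above.
REQUEST = bytes.fromhex("800100020000" "80040002000f" "80000000")

# Record types defined in RFC 8915.
RECORD_TYPES = {
    0: "End of Message", 1: "NTS Next Protocol Negotiation", 2: "Error",
    3: "Warning", 4: "AEAD Algorithm Negotiation", 5: "New Cookie for NTPv4",
    6: "NTPv4 Server Negotiation", 7: "NTPv4 Port Negotiation",
}
# Bodies of these record types are lists of 16-bit identifiers.
ID_NAMES = {1: {0: "NTPv4"}, 4: {15: "AEAD_AES_SIV_CMAC_256"}}


def parse_records(data):
    """Split an NTS-KE message into (critical, type, body) tuples."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError(f"truncated record header at offset {pos}")
        head, length = struct.unpack_from(">HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {pos}")
        records.append((bool(head & 0x8000), head & 0x7FFF, body))
        pos += 4 + length
        if head & 0x7FFF == 0:  # End of Message must be the last record
            if pos != len(data):
                raise ValueError("data after End of Message")
            return records
    raise ValueError("no End of Message record")


def describe(records):
    """Render each record as one readable line."""
    lines = []
    for critical, rtype, body in records:
        name = RECORD_TYPES.get(rtype, f"unknown type {rtype}")
        if rtype in ID_NAMES and len(body) % 2 == 0:
            ids = [v for (v,) in struct.iter_unpack(">H", body)]
            detail = ", ".join(ID_NAMES[rtype].get(v, str(v)) for v in ids)
        else:
            detail = body.hex() or "-"
        lines.append(f"{'critical' if critical else 'optional'} {name}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(parse_records(REQUEST))))
```

The same parser can be pointed at the bytes the server returns to check whether the reply holds an Error record (type 2) or the expected New Cookie records (type 5).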