Re: [chrony-users] NTS issue



Thanks.

It seems that this must be the problem. RHEL has been installed with the NIST security profile for the most "secure install":
[root@repo ~]# gnutls-cli -p 4460 --alpn=ntske/1 --logfile /dev/stderr \
>         ptbtime1.ptb.de < /dev/null > /dev/null
Processed 143 CA certificate(s).
Resolving 'ptbtime1.ptb.de:4460'...
Connecting to '192.53.103.108:4460'...
*** Fatal error: The TLS connection was non-properly terminated.
[root@repo ~]# grep AVC.*chrony /var/log/audit/audit.log
[root@repo ~]# cat /etc/crypto-policies/back-ends/gnutls.config
SYSTEM=NONE:+MAC-ALL:-SHA1:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-ECDSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-AES-256-CCM:-AES-128-CCM:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.3:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

But I see here -VERS-TLS1.3, so I guess it means TLS 1.3 is disabled by this install. Thanks, I guess NTS as a protocol needs TLS 1.3.

On Mon, May 2, 2022 at 9:36 AM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Fri, Apr 29, 2022 at 07:00:13PM +0200, Timothy D wrote:
> server nts.netnod.se iburst nts
> server ptbtime1.ptb.de iburst nts
> ntsdumpdir /var/lib/chrony

> Apr 29 18:56:15 repo.x.local systemd[1]: Started NTP client/server.
> Apr 29 18:56:16 repo.x.local chronyd[5507]: Fatal error : Could not
> initialise priority cache : No or insufficient priorities were set.

That looks like chronyd cannot select TLS1.3 or maybe a cipher.

Do you see the same error when you run the following command?

  gnutls-cli -p 4460 --alpn=ntske/1 --logfile /dev/stderr \
        ptbtime1.ptb.de < /dev/null > /dev/null

Do you see any SELinux errors for chrony, e.g. printed by this
command?

  grep AVC.*chrony /var/log/audit/audit.log

Do you have a custom crypto policy configured in
/etc/crypto-policies/?

  cat /etc/crypto-policies/back-ends/gnutls.config

should show the current gnutls configuration.

--
Miroslav Lichvar





--
Kind regards,
Met vriendelijke groeten,

Timothy Dewin
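As an added example (not part of this thread, and not chrony or GnuTLS code), here is a small POSIX shell helper that applies the GnuTLS priority-string rules to the SYSTEM= line that crypto-policies writes into /etc/crypto-policies/back-ends/gnutls.config and reports whether TLS 1.3, which NTS-KE (RFC 8915) requires, can still be negotiated. The sample string is a shortened, constructed version of the one posted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the chrony thread or the chrony project.
# Evaluates a GnuTLS priority string (the SYSTEM= line that crypto-policies
# writes to /etc/crypto-policies/back-ends/gnutls.config) and reports whether
# TLS 1.3 can still be negotiated. NTS-KE (RFC 8915) runs only over TLS 1.3,
# so a policy that ends up with TLS 1.3 removed breaks chronyd's "nts" servers
# with the "No or insufficient priorities were set" error seen in the thread.
#
# Priority keywords are applied left to right: NONE clears everything,
# the NORMAL/SECURE*/PFS/LEGACY presets enable the current TLS versions, and a
# later -VERS-TLS1.3 (or -VERS-ALL / -VERS-TLS-ALL) removes what an earlier
# +VERS-ALL added. Only the version keywords matter for this check.

# Constructed, shortened version of the priority string posted in the thread.
SAMPLE_PRIO='SYSTEM=NONE:+MAC-ALL:-SHA1:-MD5:+GROUP-ALL:+SIGN-ALL:+CIPHER-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.3:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:+COMP-NULL:%PROFILE_MEDIUM'

# tls13_state PRIORITY_STRING -> prints "enabled" or "disabled"
tls13_state() {
    prio=${1#SYSTEM=}          # crypto-policies prefixes the string with SYSTEM=
    state=disabled             # GnuTLS enables nothing until a keyword says so
    old_ifs=$IFS
    IFS=:
    set -f                     # no pathname globbing while splitting on ':'
    for kw in $prio; do
        case $kw in
            NONE)                                             state=disabled ;;
            NORMAL|PFS|SECURE128|SECURE192|SECURE256|LEGACY)  state=enabled ;;
            +VERS-ALL|+VERS-TLS-ALL|+VERS-TLS1.3)             state=enabled ;;
            -VERS-ALL|-VERS-TLS-ALL|-VERS-TLS1.3)             state=disabled ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$state"
}

# tls13_state_from_file FILE -> same, reading the SYSTEM= line from a
# gnutls.config-style file (a missing or empty line counts as disabled)
tls13_state_from_file() {
    line=$(grep '^SYSTEM=' "$1" 2>/dev/null | head -n 1)
    tls13_state "${line:-NONE}"
}

# Stand-alone run: check the live policy if present, then the sample.
if [ -r /etc/crypto-policies/back-ends/gnutls.config ]; then
    echo "system gnutls policy: TLS 1.3 $(tls13_state_from_file /etc/crypto-policies/back-ends/gnutls.config)"
fi
echo "sample policy from the thread: TLS 1.3 $(tls13_state "$SAMPLE_PRIO")"
```

The back-end files under /etc/crypto-policies/back-ends/ are generated by update-crypto-policies, so if this check reports "disabled" the durable fix is to select or customise a system policy that keeps TLS 1.3 with that tool rather than editing gnutls.config by hand; the gnutls-cli command from the thread remains the live confirmation that NTS-KE on port 4460 then completes.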

