Re: [chrony-users] NTS issue



Just for the sake of it (and if anybody else wants to dig deeper in it), I went and tried to get it to work.  Enabled TLS 1.3 and it all started working.  Warning, this does break FIPS compliance and might break stuff. I'm not a security expert so I cannot estimate the real impact of this change. Just putting it here for future reference.

# show the active crypto policy
update-crypto-policies --show
#FIPS:OSPP

# copy the default OSPP policy module under a new name
sudo cp /usr/share/crypto-policies/policies/modules/OSPP.pmod \
 /etc/crypto-policies/policies/modules/OSPP-TLS13.pmod

# enable TLS 1.3 in the copy by commenting out the line "protocol@TLS = -TLS1.3"
# ("\0" is the whole match in GNU sed; "&" is the portable equivalent)
sudo sed -i -r 's/^(protocol@TLS = -TLS1.3)$/#&/' /etc/crypto-policies/policies/modules/OSPP-TLS13.pmod

# set the new policy
# this prints a warning that you might break FIPS
sudo update-crypto-policies --set FIPS:OSPP-TLS13

# restart chronyd and check that the NTS source is now reachable
sudo systemctl restart chronyd
sudo systemctl status chronyd
#May 02 12:21:35 repo.x.local chronyd[10582]: Source 194.58.207.75 changed to 194.58.207.80 (nts.netnod.se)


On Mon, May 2, 2022 at 11:46 AM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Mon, May 02, 2022 at 11:40:26AM +0200, Timothy D wrote:
> But I see here -VERS-TLS1.3 so I guess it means TLS 1.3 is disabled by this
> install. Thanks, I guess NTS as a protocol needs TLS1.3

Right. The Key Establishment part of NTS uses TLS and it specifically
needs the version 1.3. If the system crypto policy only allows 1.2,
NTS-KE won't work.

--
Miroslav Lichvar





--
Kind regards,

Timothy Dewin
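As an added example, not from the thread or from chrony itself: a small POSIX shell script that turns the procedure above into checks you can run before and after the policy change. It tests whether a crypto-policies module disables TLS 1.3 (the condition that makes NTS-KE fail), produces the patched module copy with the same edit the post's sed does while refusing to ship an unchanged file, and parses `chronyc -N authdata` output to list NTS sources that hold no cookies, i.e. whose key establishment has not succeeded. The module contents and the authdata output are constructed stand-ins (only the `protocol@TLS = -TLS1.3` line and the `nts.netnod.se` name come from the post); the column layout assumed for authdata is the one chrony 4.x prints, with the cookie count in the ninth column.

```shell
#!/bin/sh
# Added example, not code from the chrony project or the thread.
# Preflight / postflight checks for enabling TLS 1.3 in a crypto-policies
# module so that NTS-KE can work. Sample data below is constructed.

# Return 0 if the module file $1 has an active (uncommented) line of the
# form "protocol@TLS = -TLS1.3", i.e. it disables TLS 1.3.
policy_disables_tls13() {
    grep -Eq '^[[:space:]]*protocol@TLS[[:space:]]*=.*-TLS1\.3' "$1"
}

# Write module $1 to $2 with the TLS 1.3 exclusion commented out.
# Same edit as the sed in the post; "&" is the portable form of GNU "\0".
# Fails if the result still disables TLS 1.3 (e.g. the line was not found),
# so a typo in the path or pattern cannot silently leave the policy as-is.
enable_tls13_in_module() {
    sed -E 's/^(protocol@TLS[[:space:]]*=[[:space:]]*-TLS1\.3)$/#&/' "$1" > "$2"
    if policy_disables_tls13 "$2"; then
        echo "error: $2 still disables TLS 1.3" >&2
        return 1
    fi
}

# Read `chronyc -N authdata` output on stdin and print the names of NTS
# sources with zero cookies (column 9, "Cook"), skipping the two header lines.
nts_sources_without_cookies() {
    awk 'NR > 2 && $2 == "NTS" && $9 == 0 { print $1 }'
}

# Constructed stand-in for /usr/share/crypto-policies/policies/modules/OSPP.pmod
SAMPLE_MODULE='# constructed sample module
mac = -*-64
protocol@TLS = -TLS1.3
hash = -SHA1
'

# Constructed stand-in for `chronyc -N authdata` output: one source whose
# NTS-KE failed (no key, no cookies) and one that is healthy.
SAMPLE_AUTHDATA='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
nts.netnod.se                NTS     0    0    0    -    3    0    0    0
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
'

demo() {
    tmp=$(mktemp -d)
    printf '%s' "$SAMPLE_MODULE" > "$tmp/OSPP.pmod"
    if policy_disables_tls13 "$tmp/OSPP.pmod"; then
        echo "OSPP.pmod disables TLS 1.3: NTS-KE will fail under this policy"
    fi
    enable_tls13_in_module "$tmp/OSPP.pmod" "$tmp/OSPP-TLS13.pmod"
    echo "patched module:"
    cat "$tmp/OSPP-TLS13.pmod"
    echo "NTS sources with no cookies (key establishment not yet successful):"
    printf '%s' "$SAMPLE_AUTHDATA" | nts_sources_without_cookies
    rm -rf "$tmp"
}

demo
```

On a real host the functions are run against the actual module path and against `chronyc -N authdata` piped in; an empty list from the last check after `systemctl restart chronyd` is the confirmation that the policy change took effect.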

