Re: 答复: 答复: [chrony-users] ipV4 and ipV6

[Miroslav Lichvar <mlichvar@xxxxxxxxxx>]

On Wed, Nov 30, 2022 at 08:44:35AM +0000, chengyechun wrote:
> Do the certificates contain a different name? If there are multiple certificates with the same name, the server will provide only one the clients.
> Different IP addresses

I'm not sure if that is supposed to work. The NTS-KE client
doesn't provide the IP address to the server (at least the
gnutls_server_name_set() function doesn't allow that), and gnutls as a
TLS server probably doesn't check the address of the socket in
expectation that there will be a matching address in one of the
certificates. Maybe an RFE could be submitted for that.

> This is because one client uses IPv6 to communicate with the server, while the other uses IPv4. This is because ip_address is used to generate a certificate. The template is as follows:
> 
> organization = "xiaoyu"
> country = CN
> ip_address = "11.11.7.120"
> serial = 001
> activation_date = "2022-01-01 00:00:00 UTC"
> expiration_date = "2022-12-31 23:59:59 UTC"
> signing_key
> encryption_key
> 
> 
> The IPv6 template is to modify ip_address. Can this be unified?--

Yes, you can specify multiple addresses in the certificate. Just add
more lines with "ip_address = ...". No need to use separate
certificates.

-- 
Miroslav Lichvar


-- 
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.