-----邮件原件-----
发件人: Miroslav Lichvar [mailto:mlichvar@xxxxxxxxxx]
发送时间: 2022年11月30日
17:26
收件人: chrony-users@xxxxxxxxxxxxxxxxxxxx
主题: Re: 答复:
答复: [chrony-users] ipV4 and ipV6
On Wed, Nov 30, 2022 at 08:44:35AM +0000, chengyechun wrote:
> Do the certificates contain a different name? If there are multiple certificates with the same name, the server will provide only one the clients.
> Different IP addresses
I'm not sure if that is supposed to work. The NTS-KE client doesn't provide the IP address to the server (at least the
gnutls_server_name_set() function doesn't allow that), and gnutls as a TLS server probably doesn't check the address of the socket in expectation that there will be a matching address in one of the certificates. Maybe
an RFE could be submitted for that.
> This is because one client uses IPv6 to communicate with the server, while the other uses IPv4. This is because ip_address is used to generate a certificate. The template is as follows:
>
> organization = "xiaoyu"
> country = CN
> ip_address = "11..11.7.120"
> serial = 001
> activation_date = "2022-01-01 00:00:00 UTC"
> expiration_date = "2022-12-31 23:59:59 UTC"
> signing_key
> encryption_key
>
>
> The IPv6 template is to modify ip_address. Can this be unified?--
Yes, you can specify multiple addresses in the certificate. Just add more lines with "ip_address = ...". No need to use separate certificates.
Specifying multiple ip_addresses is valid. I found that when I set ntsrefresh to 1, the TLS handshake fails every 24s after the TLS handshake fails. This seems to be regular. Where can I know this from the code?
--
Miroslav Lichvar
--
To unsubscribe email
chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email
chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email
listmaster@xxxxxxxxxxxxxxxxxxxx.