答复: 答复: 答复: [chrony-users] ipV4 and ipV6

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]


 

 

-----邮件原件-----
发件人: Miroslav Lichvar [mailto:mlichvar@xxxxxxxxxx]
发送时间: 20221130 17:26
收件人: chrony-users@xxxxxxxxxxxxxxxxxxxx
主题: Re: 答复: 答复: [chrony-users] ipV4 and ipV6

 

On Wed, Nov 30, 2022 at 08:44:35AM +0000, chengyechun wrote:

> Do the certificates contain a different name? If there are multiple certificates with the same name, the server will provide only one the clients.

> Different IP addresses

 

I'm not sure if that is supposed to work. The NTS-KE client doesn't provide the IP address to the server (at least the

gnutls_server_name_set() function doesn't allow that), and gnutls as a TLS server probably doesn't check the address of the socket in expectation that there will be a matching address in one of the certificates. Maybe an RFE could be submitted for that.

 

> This is because one client uses IPv6 to communicate with the server, while the other uses IPv4. This is because ip_address is used to generate a certificate. The template is as follows:

>

> organization = "xiaoyu"

> country = CN

> ip_address = "11..11.7.120"

> serial = 001

> activation_date = "2022-01-01 00:00:00 UTC"

> expiration_date = "2022-12-31 23:59:59 UTC"

> signing_key

> encryption_key

>

>

> The IPv6 template is to modify ip_address. Can this be unified?--

 

Yes, you can specify multiple addresses in the certificate. Just add more lines with "ip_address = ...". No need to use separate certificates.

Specifying multiple ip_addresses is valid. I found that when I set ntsrefresh to 1, the TLS handshake fails every 24s after the TLS handshake fails. This seems to be regular. Where can I know this from the code?

--

Miroslav Lichvar

 

 

--

To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx

with "unsubscribe" in the subject.

For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx

with "help" in the subject.

Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

 

 



Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/