
Authenticated TLS “contraints” in ntpd(8) - protomyth
http://marc.info/?l=openbsd-tech&m=142356166731390&w=2
======
handsomeransoms
This is very similar to the functionality provided by tlsdate
([https://github.com/ioerror/tlsdate](https://github.com/ioerror/tlsdate)).
They appear to have eschewed tlsdate's default approach of using the timestamp
from the handshake in favor of using the `Date:` field, which tlsdate also
supports. It would be interesting to see whether the randomization of TLS
timestamps in modern implementations of TLS might mean that tlsdate's default
mode is no longer useful. Either way, it's really cool to see this sort of
functionality being included in ntpd by default!

~~~
apenwarr
openntpd has been nothing but trouble for me, but when I switched to djb
clockspeed instead, it made things better. Here's a script that runs on GFiber
devices, which uses tlsdate securely for the initial timewarp, and djb
clockspeed thereafter. Since switching to this we have had extremely accurate
timekeeping.

[https://gfiber.googlesource.com/buildroot/+/master/fs/skelet...](https://gfiber.googlesource.com/buildroot/+/master/fs/skeleton/bin/run-tlsdate)

~~~
stock_toaster
Which version were you using? If you were using the portable version, I heard
openntpd-portable wasn't updated for quite a while, and fell behind...missing
out on some really big improvements from more recent versions.

The portable tree has apparently recently been picked up again by a new
maintainer.

------
krakensden
That is a really wonderful extension to ntpd. Simple, robust, with the server
implementation for "free".

------
VMG
typo in submission title

~~~
clarry
typo in mail subject

