Re: [Ntp] RFC 5297 Questions

Miroslav Lichvar <mlichvar@redhat.com> Mon, 30 October 2023 09:00 UTC

Date: Mon, 30 Oct 2023 10:00:04 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Hal Murray <halmurray@sonic.net>
Cc: Daniel Havey <dahavey=40microsoft.com@dmarc.ietf.org>, "ntp@ietf.org" <ntp@ietf.org>
Message-ID: <ZT9wlJg4jY6tzU9U@localhost>
References: <mlichvar@redhat.com> <ZTjBJz4CkgD0LQU6@localhost> <20231028073606.08CDF28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20231028073606.08CDF28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/3ZFReYo-rASUcoNNIrI_sRODyJY>
Subject: Re: [Ntp] RFC 5297 Questions
List-Id: Network Time Protocol <ntp.ietf.org>

On Sat, Oct 28, 2023 at 12:36:06AM -0700, Hal Murray wrote:
> 
> mlichvar@redhat.com said:
> > NTS requires TLSv1.3, which is not FIPS-compliant (yet?). At least that's
> > what I heard when I asked why gnutls blocks TLSv1.3 in FIPS mode. 
> 
> To confirm Daniel's comments, NTS works in NTPsec using OpenSSL in FIPS mode.

Looking at the old discussion again, it seems the issue actually is
with the OS Protection Profile (OSPP), which is somehow tied to the
FIPS mode, at least in our system crypto policy. I don't know
much about these things. I'm sorry for the confusion.

-- 
Miroslav Lichvar