Verifying an NTPSec server

How can I check that a client can securely connect to my NTPSec server?

Many thanks.

Does this meet your needs: NTP Server Online Test Tool (IPv4 & IPv6)

That link seems to just use the traditional, insecure NTP protocol: time.cloudflare.com. But thanks.

You asked about NTPsec, which supports both NTP and NTS. Did you mean NTS?
I am unaware of a similar public website for NTS.

If you don’t find other resources, I’d be glad to poll your NTS server.
Note: Since NTS packets are larger than the traditional 48 bytes, they are vulnerable to NTP filtering.

I did say that the client should be able to connect securely to the server.

I find it lacking that the utilities that are provided along with NTPSec do not provide an option to connect to a server securely.

Not sure if this is what you are looking for, but I sometimes do this:

openssl s_client -connect ntppool1.time.nl:4460 -tlsextdebug -alpn 'ntske/1' -status < /dev/null

Or, after replacing certs, I also do this:

https://whatsmychaincert.com/?ntppool1.time.nl:4460

If your client is Chrony, then perhaps this:

chronyc -N authdata

Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp.time.nl                    -     0    0    0    -    0    0    0    0
ntppool1.time.nl             NTS     3   15  256  25d    0    0    8  100
ntppool2.time.nl             NTS     4   15  256   9d    0    0    8  100

If the daemon is not running, this is also an option:

chronyd -q -t 1 'server ntppool1.time.nl iburst nts maxsamples 1'

And with ntpq you could do this (see the ‘auth’ column, but it’s worth noting that this column isn’t solely reserved for NTS authentication; it’s also used for traditional NTP authentication methods, if I’m not mistaken):

ntpq> associations

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 17767  b61a   yes   yes  none  sys.peer    sys_peer  1
  2 17768  f314   yes   yes   ok    outlier   reachable  1
  3 17769  f414   yes   yes   ok  candidate   reachable  1
ntpq>

Yes, I verified the TLS aspects using openssl.

However, short of adding one’s own server to a client, there’s no easy way to poke an NTPSec server.

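Added example (not code from any poster in this thread, nor from NTPsec or chrony): a small Python NTS-KE client that goes one step past the openssl check above, completing the RFC 8915 key exchange over TLS 1.3 with ALPN ntske/1 and parsing the records the server returns, so an NTS server can be poked without configuring it in a client. The host and port are whatever you pass to probe(); SAMPLE_RESPONSE is a constructed reply for offline checking, not a capture from any real server.

```python
"""Minimal NTS-KE (RFC 8915) client; SAMPLE_RESPONSE below is constructed, not captured."""
import socket, ssl, struct
CRITICAL = 0x8000                                  # critical bit in the 16-bit record type
REC_END, REC_NEXT_PROTO, REC_ERROR, REC_AEAD, REC_COOKIE = 0, 1, 2, 4, 5
NTPV4, AEAD_AES_SIV_CMAC_256 = 0, 15               # protocol id and the mandatory AEAD id

def record(rtype, body=b"", critical=False):       # type (+critical bit), body length, body
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body

def build_request():                               # ask for NTPv4 protected by AES-SIV-CMAC-256
    return (record(REC_NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
            + record(REC_AEAD, struct.pack("!H", AEAD_AES_SIV_CMAC_256)) + record(REC_END, critical=True))

def parse_response(data):   # -> dict of protocols/aeads/cookies; None if truncated; ValueError on Error record
    out, off = {"protocols": [], "aeads": [], "cookies": []}, 0
    while off + 4 <= len(data):                    # falls through (None) if no End of Message
        rtype, length = struct.unpack_from("!HH", data, off)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            return None                            # record body cut short
        off, rtype = off + 4 + length, rtype & ~CRITICAL
        if rtype == REC_ERROR:
            raise ValueError("NTS-KE error code %d" % struct.unpack("!H", body)[0])
        if rtype in (REC_NEXT_PROTO, REC_AEAD):    # body is a list of 16-bit ids
            key = "protocols" if rtype == REC_NEXT_PROTO else "aeads"
            out[key] += [v for (v,) in struct.iter_unpack("!H", body)]
        elif rtype == REC_COOKIE:
            out["cookies"].append(body)
        elif rtype == REC_END:
            return out

def nts_ke_ok(parsed):                             # server agreed to our choices and issued cookies
    return bool(parsed) and parsed["protocols"] == [NTPV4] and \
        parsed["aeads"] == [AEAD_AES_SIV_CMAC_256] and len(parsed["cookies"]) > 0

def probe(host, port=4460):                        # live exchange against a real NTS-KE server
    ctx = ssl.create_default_context()             # verifies certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # NTS-KE requires TLS 1.3 ...
    ctx.set_alpn_protocols(["ntske/1"])            # ... and the ntske/1 ALPN identifier
    with socket.create_connection((host, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        if tls.selected_alpn_protocol() != "ntske/1":
            raise RuntimeError("server did not negotiate ALPN ntske/1")
        tls.sendall(build_request())
        data = b"".join(iter(lambda: tls.recv(4096), b""))   # server closes after its reply
        return parse_response(data)

SAMPLE_RESPONSE = (record(REC_NEXT_PROTO, b"\x00\x00", critical=True) + record(REC_AEAD, b"\x00\x0f")
                   + record(REC_COOKIE, b"\xaa" * 32) + record(REC_COOKIE, b"\xbb" * 32)
                   + record(REC_END, critical=True))
```

Against a live server, `nts_ke_ok(probe("your.nts.server"))` is the check: True means the TLS handshake, ALPN, protocol and AEAD negotiation all succeeded and cookies were issued, which is what a client needs before it can send NTS-protected NTP packets.
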
Why would you even want to secure a time protocol at all?

It’s just giving time, and people that rely on time will use more than 1 source and use GPS to check the correct time.

I’m very sorry, but if time is important, you have your own GPS in use.

Even if you use the ‘secure’ protocol, how do you know the time they supply is correct?
As such it’s useless to put time in such; just use more than 1 server to verify and, if needed, use your own GPS module to make sure it’s correct.

It’s the same nonsense as forcing public websites to https when there is no sensitive information being transferred.

Sorry, I do not get this, not at all.

Obviously, you do not. And this is not the right thread to discuss it.

Out of curiosity, I determined that my ISP filters out packets through port 123 longer than 450 bytes.