How can I check that a client can securely connect to my NTPSec server?
Many thanks.
Does this meet your needs: NTP Server Online Test Tool (IPv4 & IPv6)
That link seems to just use the traditional, insecure NTP protocol: time.cloudflare.com. But thanks.
You asked about NTPsec, which supports both NTP and NTS. Did you mean NTS?
I am unaware of a similar public website for NTS.
If you don’t find other resources, I’d be glad to poll your NTS server.
Note: Since NTS packets are larger than the traditional 48 bytes, they are vulnerable to NTP filtering.
I did say that the client should be able to connect securely to the server.
I find it lacking that the utilities that are provided along with NTPSec do not provide an option to connect to a server securely.
Not sure if this is what you are looking for, but I sometimes do this:
openssl s_client -connect ntppool1.time.nl:4460 -tlsextdebug -alpn 'ntske/1' -status < /dev/null
Or, after replacing certs, I also do this:
https://whatsmychaincert.com/?ntppool1.time.nl:4460
If your client is Chrony, then perhaps this:
chronyc -N authdata
Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen
=========================================================================
ntp.time.nl - 0 0 0 - 0 0 0 0
ntppool1.time.nl NTS 3 15 256 25d 0 0 8 100
ntppool2.time.nl NTS 4 15 256 9d 0 0 8 100
If the daemon is not running, this is also an option:
chronyd -q -t 1 'server ntppool1.time.nl iburst nts maxsamples 1'
And with ntpq you could do this (see the ‘auth’ column, but it’s worth noting that this column isn’t solely reserved for NTS authentication; it’s also used for traditional NTP authentication methods, if I’m not mistaken.):
ntpq> associations
ind assid status conf reach auth condition last_event cnt
===========================================================
1 17767 b61a yes yes none sys.peer sys_peer 1
2 17768 f314 yes yes ok outlier reachable 1
3 17769 f414 yes yes ok candidate reachable 1
ntpq>
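The openssl command above confirms the TLS session and the ntske/1 ALPN. As an added example (not from any poster, and not NTPsec or chrony code), this Python performs the NTS-KE request/response of RFC 8915 and reports whether the server negotiated NTPv4, accepted AEAD_AES_SIV_CMAC_256 and issued cookies. The function names are this example's own, `probe` assumes the server closes the connection after its response, and the NTS-protected NTP exchange on UDP port 123 is not tested.

```python
import socket, ssl, struct

# NTS-KE (RFC 8915, section 4): critical bit + 15-bit type, 16-bit length, body
END, NEXT_PROTO, ERROR, WARNING, AEAD, COOKIE, SERVER, PORT = range(8)
NTPV4, AES_SIV_CMAC_256 = 0, 15   # 15 is the "Type" column of chronyc authdata

def record(rtype, body=b"", critical=False):
    return struct.pack("!HH", rtype | (critical << 15), len(body)) + body

def build_request():
    return (record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
            + record(AEAD, struct.pack("!H", AES_SIV_CMAC_256))
            + record(END, critical=True))

def parse_response(data):      # ValueError if malformed or not terminated
    r, pos = {t: [] for t in range(1, 8)}, 0
    while pos + 4 <= len(data):
        word, length = struct.unpack_from("!HH", data, pos)
        rtype, body = word & 0x7FFF, data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if pos > len(data):
            break                                  # body cut short
        if rtype == END:
            return r
        if rtype in (COOKIE, SERVER):
            r[rtype].append(body)                  # opaque bytes
        elif rtype in r and length % 2 == 0:
            r[rtype] += struct.unpack("!%dH" % (length // 2), body)  # 16-bit values
        elif word & 0x8000:
            raise ValueError("unusable critical record, type %d" % rtype)
    raise ValueError("truncated or missing End of Message")

def problems(r):
    """Reasons a client could not use this response; empty list means usable."""
    checks = [(NTPV4 in r[NEXT_PROTO], "NTPv4 not negotiated"),
              (AES_SIV_CMAC_256 in r[AEAD], "AEAD algorithm not accepted"),
              (bool(r[COOKIE]), "no cookies issued")]
    return ["server error %d" % e for e in r[ERROR]] + [m for ok, m in checks if not ok]

def probe(host, port=4460, timeout=5):             # live check, needs network
    ctx = ssl.create_default_context()             # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # RFC 8915 requires TLS 1.3
    ctx.set_alpn_protocols(["ntske/1"])
    with socket.create_connection((host, port), timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        if tls.selected_alpn_protocol() != "ntske/1":
            raise ValueError("server did not select ALPN ntske/1")
        tls.sendall(build_request())
        buf = b"".join(iter(lambda: tls.recv(4096), b""))
    return problems(parse_response(buf))
```

`probe("your.server.example")` returns an empty list when the key exchange succeeds; a certificate or TLS failure surfaces as an `ssl.SSLError` before any NTS-KE record is sent.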
Yes, I verified the TLS aspects using openssl.
However, short of adding one’s own server to a client, there’s no easy way to poke an NTPSec server.
Why would you even want to secure a time protocol at all?
It’s just giving time and people that rely on time will use more than 1 source and use GPS to check the correct time.
I’m very sorry, but if time is important, you have your own GPS in use.
Even if you use the ‘secure’ protocol, how do you know the time they supply is correct?
As such it’s useless to put time in such, just use more than 1 server to verify and if needed use your own GPS module to make sure it’s correct.
It’s the same nonsense as forcing public websites to https when there is no sensitive information being transferred.
Sorry, I do not get this, not at all.
Obviously, you do not. And this is not the right thread to discuss it.
Out of curiosity, I determined that my ISP filters out packets through port 123 longer than 450 bytes.