On Tue, Mar 10, 2026 at 04:00:01PM +0000, Polarian wrote:
> Hey,
>
> > I thought the main issue was that the TLS layer already requires good
> > time, otherwise certificates in the chain may not pass verification.
>
> That is valid too, however the reason is explained in ntpd.conf(5):
>
> > ntpd(8) can be configured to query the `Date' from trusted HTTPS
> > servers via TLS. This time information is not used for precision but
> > acts as an authenticated constraint, thereby reducing the impact of
> > unauthenticated NTP man-in-the-middle attacks. Received NTP packets
> > with time information falling outside of a range near the constraint
> > will be discarded and such NTP servers will be marked as invalid.
>
> Take care,
> --
> Polarian
> Jabber/XMPP: polarian@icebound.dev
>
The certificate is validated using the time in the received Date
header.
-Otto
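
The behaviour discussed in this thread, as an added Python sketch that is not part of the original messages and is not ntpd's code: the certificate window is checked against the time in the `Date` header rather than the local clock, and that time then bounds which NTP replies are accepted. The function names, the 120-second margin, the host names and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed tolerance around the constraint (illustrative, not ntpd's value).
MARGIN = timedelta(seconds=120)

def cert_valid_at(when, not_before, not_after):
    """True if `when` lies inside the certificate validity window."""
    return not_before <= when <= not_after

def constraint_from_https(date_header, not_before, not_after):
    """Return the server-reported time as the constraint, or None when the
    certificate is not valid at that reported time."""
    reported = parsedate_to_datetime(date_header)
    if reported.tzinfo is None:  # a "-0000" zone parses as naive; treat as UTC
        reported = reported.replace(tzinfo=timezone.utc)
    return reported if cert_valid_at(reported, not_before, not_after) else None

def split_ntp_replies(replies, constraint, margin=MARGIN):
    """Partition {server: time} into (accepted, invalid) by distance
    from the constraint."""
    accepted, invalid = {}, {}
    for server, t in replies.items():
        (accepted if abs(t - constraint) <= margin else invalid)[server] = t
    return accepted, invalid

UTC = timezone.utc
# Constructed sample data: a machine that booted with a reset hardware clock.
LOCAL_CLOCK = datetime(2000, 1, 1, tzinfo=UTC)
NOT_BEFORE = datetime(2026, 1, 1, tzinfo=UTC)
NOT_AFTER = datetime(2026, 6, 1, tzinfo=UTC)
DATE_HEADER = "Tue, 10 Mar 2026 16:00:05 GMT"
NTP_REPLIES = {
    "ntp-a.example": datetime(2026, 3, 10, 16, 0, 6, tzinfo=UTC),
    "ntp-b.example": datetime(2027, 3, 10, 16, 0, 6, tzinfo=UTC),  # far off
}

if __name__ == "__main__":
    # The local clock alone would reject the certificate as not yet valid.
    print("valid by local clock:",
          cert_valid_at(LOCAL_CLOCK, NOT_BEFORE, NOT_AFTER))
    constraint = constraint_from_https(DATE_HEADER, NOT_BEFORE, NOT_AFTER)
    print("constraint:", constraint)
    accepted, invalid = split_ntp_replies(NTP_REPLIES, constraint)
    print("accepted:", sorted(accepted), "invalid:", sorted(invalid))
```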