[lug] Understanding a SSL/TLS Certificate Issue

Stephen Kraus ub3ratl4sf00 at gmail.com
Fri Jun 19 11:17:54 MDT 2020


Most of them ask you to specify an NTP provider, at least the server
installs do.

On Fri, Jun 19, 2020 at 1:16 PM Bear Giles <bgiles at coyotesong.com> wrote:

> But hasn't everything had NTP turned on by default for years? I know
> Ubuntu does, and thought the most recent versions of Windows do. I'm pretty
> sure Comcast pushes NTP info to our routers.
>
> I know that some "no frills" Linux images on AWS don't turn it on but I
> think it's mostly because many sites will use an internal NTP server for
> security reasons. My startup scripts always configure it.
>
> On Fri, Jun 19, 2020 at 11:07 AM Stephen Kraus <ub3ratl4sf00 at gmail.com>
> wrote:
>
>> That's before you get into BIOS clocks with drift issues.
>>
>> On Fri, Jun 19, 2020 at 12:53 PM David Stearns <stearns at dhyw.com> wrote:
>>
>>> I used to regularly run across systems where ntp wasn't running, and
>>> someone had set the month/day/hour/minute by hand (if they set it at all),
>>> but the year was sitting at whatever the bios reset to, so sometimes you'd
>>> have a system that looked fine at first glance but was actually off by over
>>> a decade.
>>>
>>> -DS
>>>
>>> On Fri, Jun 19, 2020 at 10:26 AM Bear Giles <bgiles at coyotesong.com>
>>> wrote:
>>>
>>>> I was a bit confused by that. I use Kerberos and it's important to keep
>>>> the clocks synced with ntp. They don't have to be synced to within a
>>>> fraction of a second but tickets might only be valid for 5 minutes and
>>>> pre-ntp drifts that large or larger were common.
>>>>
>>>> Server certs are usually valid for several months. I think Let's Encrypt
>>>> defaults to 3 months now, although you can request a shorter lifespan if
>>>> desired. It's hard to imagine a system clock being off by months. CA
>>>> working certs are valid for longer periods and should be rotated. E.g.,
>>>> they might be valid for 12 months with a new cert created on 01/01 and
>>>> 07/01. Requests are always signed with the latest cert. That means that
>>>> existing certs will always be backed by a valid cert plus a little more
>>>> time for client software that's a bit more flexible in enforcing validity
>>>> checks.
>>>>
>>>> Bear
>>>> _______________________________________________
>>>> Web Page:  http://lug.boulder.co.us
>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
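The failure mode the thread describes (a certificate valid for months, a client clock that is off by a few minutes of drift or by a BIOS-reset decade, and clients that are "a bit more flexible" about the window) worked through as an added example. This is not code from any poster in the thread: the certificate dict and the clock readings are constructed, and the `skew` tolerance is an assumed knob for illustration, since strict TLS validation allows none.

```python
"""Evaluate an X.509 validity window against an arbitrary clock reading.

Added example for this thread, not code from any of the posters.  The
certificate dict mimics what ssl.SSLSocket.getpeercert() returns (the
'notBefore'/'notAfter' strings are in OpenSSL's text form), but the
values below are constructed, not captured from a real host.
"""
import ssl
from datetime import datetime, timezone

# Constructed sample: a 90-day leaf certificate, the lifetime the thread
# attributes to Let's Encrypt.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jun 19 16:00:00 2020 GMT",
    "notAfter": "Sep 17 16:00:00 2020 GMT",
}


def epoch_utc(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC wall-clock reading."""
    return int(datetime(year, month, day, hour, minute, second,
                        tzinfo=timezone.utc).timestamp())


def validity_window(cert):
    """(notBefore, notAfter) as epoch seconds, parsed with the stdlib
    helper that understands getpeercert()'s date strings."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def check_at(cert, now, skew=0):
    """Apply the RFC 5280 time check as a client would at clock reading
    `now`.  `skew` is an assumed tolerance a lenient client might grant
    (e.g. 300 s, the Kerberos default); strict TLS validation uses 0.
    Returns (ok, reason, seconds_outside_window)."""
    not_before, not_after = validity_window(cert)
    if now < not_before - skew:
        return False, "not yet valid", not_before - now
    if now > not_after + skew:
        return False, "expired", now - not_after
    return True, "valid", 0


def describe_offset(seconds):
    """Coarse magnitude, enough to tell a few minutes of drift from a
    BIOS-reset year."""
    seconds = abs(seconds)
    for unit, size in (("year", 365 * 86400), ("day", 86400),
                       ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            n = seconds // size
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} second{'s' if seconds != 1 else ''}"


def audit(cert, clocks, skew=0):
    """Run check_at over several named clock readings; returns a list of
    (label, ok, reason, offset_description)."""
    rows = []
    for label, now in clocks:
        ok, reason, off = check_at(cert, now, skew)
        rows.append((label, ok, reason, describe_offset(off) if off else "-"))
    return rows


if __name__ == "__main__":
    # Constructed clock readings: a synced host, a few minutes of drift,
    # and a hand-set month/day/time with the year left at a BIOS default.
    clocks = [
        ("ntp-synced",     epoch_utc(2020, 7, 1, 12, 0)),
        ("drift -4 min",   epoch_utc(2020, 6, 19, 15, 56)),
        ("bios year 2009", epoch_utc(2009, 6, 19, 16, 17)),
        ("bios year 2038", epoch_utc(2038, 6, 19, 16, 17)),
    ]
    for skew in (0, 300):
        print(f"-- skew tolerance {skew}s --")
        for label, ok, reason, off in audit(SAMPLE_CERT, clocks, skew):
            print(f"{label:16} {'PASS' if ok else 'FAIL':4} {reason:14} {off}")
```

Running it shows why the "looks fine at first glance" case is dangerous: the 4-minute drift flips from FAIL to PASS once a client tolerates Kerberos-style skew, but the BIOS-year host fails with or without tolerance, because the clock is off by years rather than minutes. The same `check_at` call can be pointed at a live `sock.getpeercert()` dict to see how far a given host's clock could wander before its peers start rejecting it.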