[lug] Understanding a SSL/TLS Certificate Issue

Bear Giles bgiles at coyotesong.com
Fri Jun 19 11:16:05 MDT 2020


But hasn't everything had NTP turned on by default for years? I know Ubuntu
does, and thought the most recent versions of Windows do. I'm pretty sure
Comcast pushes NTP info to our routers.

I know that some "no frills" Linux images on AWS don't turn it on but I
think it's mostly because many sites will use an internal NTP server for
security reasons. My startup scripts always configure it.

On Fri, Jun 19, 2020 at 11:07 AM Stephen Kraus <ub3ratl4sf00 at gmail.com>
wrote:

> That's before you get into BIOS clocks with drift issues.
>
> On Fri, Jun 19, 2020 at 12:53 PM David Stearns <stearns at dhyw.com> wrote:
>
>> I used to regularly run across systems where ntp wasn't running, and
>> someone had set the month/day/hour/minute by hand (if they set it at all),
>> but the year was sitting at whatever the BIOS reset to, so sometimes you'd
>> have a system that looked fine at first glance but was actually off by over
>> a decade.
>>
>> -DS
>>
>> On Fri, Jun 19, 2020 at 10:26 AM Bear Giles <bgiles at coyotesong.com>
>> wrote:
>>
>>> I was a bit confused by that. I use Kerberos and it's important to keep
>>> the clocks synced with ntp. They don't have to be synced to within a
>>> fraction of a second but tickets might only be valid for 5 minutes and
>>> pre-ntp drifts that large or larger were common.
>>>
>>> Server certs are usually valid for several months. I think Let's Encrypt
>>> defaults to 3 months now, although you can request a shorter lifespan if
>>> desired. It's hard to imagine a system clock being off by months. CA
>>> working certs are valid for longer periods and should be rotated. E.g.,
>>> they might be valid for 12 months with a new cert created on 01/01 and
>>> 07/01. Requests are always signed with the latest cert. That means that
>>> existing certs will always be backed by a valid cert plus a little more
>>> time for client software that's a bit more flexible in enforcing validity
>>> checks.
>>>
>>> Bear
>>> _______________________________________________
>>> Web Page:  http://lug.boulder.co.us
>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
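The rotation scheme Bear describes above (12-month CA signing certs renewed on 01/01 and 07/01, roughly 3-month leaf certs always signed with the newest CA cert), modeled as an added example that is not part of the thread. The 90-day leaf lifetime, the cert names and the status strings returned by verify() are constructed; the example also shows what a client whose clock is a decade behind, as in David's message, reports, and computes how much the signing CA outlives any leaf it signs.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of the scheme described in the thread: CA signing certs
# valid 12 months, a new one issued on 01/01 and 07/01, leaf certs valid
# 90 days (assumed) and always signed by the newest CA cert valid that day.
LEAF_DAYS = 90

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: date
    not_after: date            # exclusive end of validity
    issuer: Cert | None = None

    def valid_at(self, when: date) -> bool:
        return self.not_before <= when < self.not_after

def ca_certs(first_year: int, last_year: int) -> list[Cert]:
    """One CA signing cert per half-year, each valid for twelve months."""
    return [Cert(f"ca-{date(y, m, 1)}", date(y, m, 1), date(y + 1, m, 1))
            for y in range(first_year, last_year + 1) for m in (1, 7)]

def newest_ca(cas: list[Cert], when: date) -> Cert:
    """Requests are always signed with the latest CA cert valid at `when`."""
    return max((c for c in cas if c.valid_at(when)), key=lambda c: c.not_before)

def issue_leaf(cas: list[Cert], issued: date) -> Cert:
    return Cert("leaf", issued, issued + timedelta(days=LEAF_DAYS), newest_ca(cas, issued))

def verify(leaf: Cert, clock: date) -> str:
    """Validity check as seen by a client whose clock reads `clock`."""
    if clock < leaf.not_before:
        return "leaf not yet valid"    # what a clock set years back produces
    if clock >= leaf.not_after:
        return "leaf expired"
    if not leaf.issuer.valid_at(clock):
        return "issuer expired"        # would mean the rotation left a gap
    return "ok"

def min_issuer_margin_days(cas: list[Cert], year: int) -> int:
    """Fewest days the signing CA outlives a leaf issued on any day of `year`."""
    day, margins = date(year, 1, 1), []
    while day.year == year:
        leaf = issue_leaf(cas, day)
        margins.append((leaf.issuer.not_after - leaf.not_after).days)
        day += timedelta(days=1)
    return min(margins)
```

With these parameters the signing CA always outlives the leaf by at least about three months, which is the "plus a little more time" Bear mentions.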

