Nice overview. There’s been research on secure versions but inertia from big players keeps it from going anywhere. That’s why ESR et al. are recoding the vanilla protocol to begin with. The cheat I used in the past was radio synchronization against atomic clocks connected to the computer. Well, at least one computer that NTP’d all the others.
You can find many with varying price ranges Googling for permutations of these terms: atomic clock, radio, USB, PC, sync. Maybe throw Linux in there as a few I saw only mentioned Windows.
One correction, if you are using the bash one-liner on a Mac, use -v, not -s:
date -v "$(curl -sI https://www.google.com/|grep -i 'date:'|sed -e 's/^.ate: //g')"
I’m sure the Linux ecosystem would be open to the changes necessary for openntpd to do its thing on that platform, wouldn’t it?
The interface in question is the use of libtls, but even that is just an API. libtls could be “ported” to OpenSSL trivially.
Since libtls is just a wrapper around the OpenSSL API anyway, this shouldn’t be a show stopper by any means. I suppose @hanno is just unfamiliar with libtls, and hence got a wrong impression.
Edit: See this talk for an intro to libtls and its intentions: https://www.youtube.com/watch?v=Wd_dyRbE4AA
I think I’m aware of the intention of libtls. But intentions are irrelevant.
I think my requirement was stated clearly: It should be available on common Linux distributions. Aka “I want to do [packagemanagement installcommand] openntpd and get the feature”. I don’t think that’s the case right now.
If that would give me a wrapper of libtls around OpenSSL I’d be happy to change my opinion.
Ok, I understand. I agree it would be great if somebody had already done the work to make that happen.
I’m sure it already works on Linux though? At least on Arch and Alpine, OpenNTPD is included in official packages. Some distro I’ve installed recently — IIRC it was Alpine — asked me right in the installer whether I wanted ntpd, chrony or openntpd.
You can install OpenNTPD on nearly all Linux distributions; however, nearly all of them lack constraints support because it depends on LibreSSL’s libtls. Thus, Hanno has a valid point here. I’d love to see a “usable” version of LibreSSL on Linux.