[ntp:questions] Problems with ntp and openssl self-signed certificates: "packet: flash header 1480"

Leitfaden at gmx.net Leitfaden at gmx.net
Thu Mar 29 10:16:24 UTC 2012

Hello together :)

I have a problem with the following: I want to build a self-signed CA with openssl and authenticate the traffic between ntp-server and ntp-client.

#Server Settings - Commands I used
> ifconfig eth0 up
> ntp-keygen -T -I -p server

#Server Settings - Configuration ntp.conf
crypto pw server
keysdir /etc/ntp-cert/
fudge stratum 10
driftfile       /var/lib/ntp/ntp.drift
restrict default nomodify nopeer noquery
restrict mask nomodify nopeer notrap

#Client Settings - Commands I used
> ifconfig eth0 up
> ntp-keygen -H -p client

#Client Settings - Configuration ntp.conf
keysdir /etc/ntp-cert/
crypto pw client
restrict default ignore
restrict nomodify notrap noquery
server autokey
driftfile /var/lib/ntp/ntp.drift

This works perfectly (incl. time synchronisation). But this configuration does not contain my own signed certificates and keys. So I did the following instead of the ntp-keygen commands (in fact, I just changed the keys and certificates):

# Server
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl ca -name myownca server.csr -out server.pem
Additionally, I created the links ntpkey_host_servername and ntpkey_cert_servername pointing to the (encrypted) key and the certificate.

> openssl genrsa -aes256 -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl ca -name myownca client.csr -out client.pem
Additionally, I created the links ntpkey_host_clientname and ntpkey_cert_clientname pointing to the (encrypted) key and the certificate.

After adding the filestamps in the first two comment lines, ntpd starts fine on the server and on the client, BUT on the client the following appears:
> ntpd -d -c /etc/ntp.conf
[Repeat many times]
make_keys: 0 f2ec5cf3 00000000 ts 0 fs 0 poll 6
crypto_xmit: flags 0x410001 offset 48 len 76 code 0x202 associd 63751
transmit: at 1311> mode 3 keyid 10c97382 len 144 index 0
receive: at 1311<- mode 4 keyid 10c97382 len 76 auth 1
crypto_recv: flags 0x415001 ext offset 48 len 8 code 0x8202 associd 63751
packet: flash header 1480
[/Repeat many times]

On the server, the following messages appear:
[Repeat many times]
receive: at 1508<- mode 3 keyid 67c2c69f len 144 auth 1
crypto_xmit: flags 0x410001 offset 48 len 8 code 0x8202 associd 63751
transmit: at 1508> mode 4 keyid 67c2c69f len 76
[Repeat many times]

With this configuration, the time synchronisation does not work at all. I get many of these "packet: flash header 1480" errors. And these packets don't come just a few times until the synchronisation is working; these packet-flash-header messages come all the time (I tested it for up to 45 minutes...).
I also understand that this error code means "peer_unreach", "peer_dist", "pkt_autokey", but I really don't know how to solve my problem, so I need your help, please. Thank you many times.
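
Added example, not part of the original post: a small Python decoder for the `ntpd -d` lines quoted above, which expands the hexadecimal flash word and the Autokey extension-field code. The flash bit names follow the flash status word table in the ntpd documentation and the code layout follows RFC 5906; the function names are hypothetical.

```python
import re
from collections import Counter

# Flash status word bits TEST1..TEST13, lowest bit first (ntpd documentation).
FLASH_BITS = ["pkt_dup", "pkt_bogus", "pkt_unsync", "pkt_denied", "pkt_auth",
              "pkt_stratum", "pkt_header", "pkt_autokey", "pkt_crypto",
              "peer_stratum", "peer_dist", "peer_loop", "peer_unreach"]

# Autokey extension field types (RFC 5906).
EXT_TYPES = {0: "NULL", 1: "ASSOC", 2: "CERT", 3: "COOKIE", 4: "AUTOKEY",
             5: "LEAPSECONDS", 6: "SIGN", 7: "IFF", 8: "GQ", 9: "MV"}

FLASH_RE = re.compile(r"flash header ([0-9a-fA-F]+)")
CRYPTO_RE = re.compile(r"crypto_(xmit|recv): .*?len (\d+) code 0x([0-9a-fA-F]+)")

def decode_flash(word):
    """Return the names of all failed sanity tests set in a flash word."""
    return [name for bit, name in enumerate(FLASH_BITS) if word & (1 << bit)]

def decode_ext_code(code, length):
    """Split the 16-bit code: R bit, E bit, 6-bit version, 8-bit field type."""
    direction = "response" if code & 0x8000 else "request"
    is_error = bool(code & 0x4000)
    version = (code >> 8) & 0x3F
    ftype = EXT_TYPES.get(code & 0xFF, "UNKNOWN")
    # 8 bytes cover only type, length and association ID: no value follows.
    has_payload = length > 8
    return (direction, is_error, version, ftype, has_payload)

def summarize(lines):
    """Count decoded flash words and extension fields in ntpd debug output."""
    flashes, exts = Counter(), Counter()
    for line in lines:
        if m := FLASH_RE.search(line):
            flashes[tuple(decode_flash(int(m.group(1), 16)))] += 1
        elif m := CRYPTO_RE.search(line):
            decoded = decode_ext_code(int(m.group(3), 16), int(m.group(2)))
            exts[(m.group(1),) + decoded] += 1
    return flashes, exts

# Client-side lines copied from the post above.
SAMPLE = [
    "crypto_xmit: flags 0x410001 offset 48 len 76 code 0x202 associd 63751",
    "crypto_recv: flags 0x415001 ext offset 48 len 8 code 0x8202 associd 63751",
    "packet: flash header 1480",
]

if __name__ == "__main__":
    for counter in summarize(SAMPLE):
        for key, count in counter.items():
            print(count, key)
```

On the client lines from the post this reports a version 2 CERT request of 76 bytes answered by a CERT response whose extension field is only 8 bytes long, followed by the flash word with pkt_autokey, peer_dist and peer_unreach set.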
