[ntp:questions] Problems with ntp and openssl self-signed certificates: "packet: flash header 1480"

Leitfaden at gmx.net Leitfaden at gmx.net
Thu Mar 29 10:16:24 UTC 2012


Hello together :)

I have a problem with the following: I want to build a self-signed CA with openssl and authenticate the traffic between ntp-server and ntp-client.

#Server Settings - Commands I used
> ifconfig eth0 192.168.0.100 up
> ntp-keygen -T -I -p server

#Server Settings - Configuration ntp.conf
crypto pw server
keysdir /etc/ntp-cert/
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile       /var/lib/ntp/ntp.drift
restrict default nomodify nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap

#Client Settings - Commands I used
> ifconfig eth0 192.168.0.1 up
> ntp-keygen -H -p client

#Client Settings - Configuration ntp.conf
keysdir /etc/ntp-cert/
crypto pw client
restrict default ignore
restrict 127.0.0.1
restrict 192.168.0.100 nomodify notrap noquery
server 192.168.0.100 autokey
driftfile /var/lib/ntp/ntp.drift

This works perfectly (incl. time synchronisation). But this configuration does not contain my own signed certificates and keys. So I did the following instead of the ntp-keygen commands (in fact, I just changed the keys and certificates):

# Server
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl ca -name myownca -in server.csr -out server.pem
additionally, I created the links ntpkey_host_servername and ntpkey_cert_servername pointing to the (encrypted) key and the certificate

#Client
> openssl genrsa -aes256 -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl ca -name myownca -in client.csr -out client.pem
additionally, I created the links ntpkey_host_clientname and ntpkey_cert_clientname pointing to the (encrypted) key and the certificate

After adding the filestamps in the first two comment lines, ntpd starts fine on the server and on the client, BUT on the client the following appears:
> ntpd -d -c /etc/ntp.conf
[...]
[Repeat many times]
make_keys: 0 f2ec5cf3 00000000 ts 0 fs 0 poll 6
crypto_xmit: flags 0x410001 offset 48 len 76 code 0x202 associd 63751
transmit: at 1311 192.168.0.1->192.168.0.100 mode 3 keyid 10c97382 len 144 index 0
receive: at 1311 192.168.0.1<-192.168.0.100 mode 4 keyid 10c97382 len 76 auth 1
crypto_recv: flags 0x415001 ext offset 48 len 8 code 0x8202 associd 63751
packet: flash header 1480
[/Repeat many times]

On the server appears the following messages:
[Repeat many times]
receive: at 1508 192.168.0.100<-192.168.0.1 mode 3 keyid 67c2c69f len 144 auth 1
crypto_xmit: flags 0x410001 offset 48 len 8 code 0x8202 associd 63751
transmit: at 1508 192.168.0.100->192.168.0.1 mode 4 keyid 67c2c69f len 76
[Repeat many times]

With this configuration, the time synchronisation does not work at all. I get many of these "packet: flash header 1480" errors. And these packets don't come just a few times until the synchronisation is working; the packet-flash-header messages come all the time (I tested it for up to 45 minutes...)
I also understand that this error code means "peer_unreach", "peer_dist", "pkt_autokey", but I really don't know how to solve my problem, so I need your help, please. Thank you many times.

Markus
-- 
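To make the "flash header 1480" value in the post readable, here is an added example (not part of the original message and not ntp project code) that decodes the flash word of ntpd debug lines into the TEST1..TEST13 names. The bit table is assumed to match the one in ntp.h of the ntp 4.2 series; the sample log lines are constructed from the excerpt above.

```python
import re

# Flash word bits (TEST1..TEST13) as listed in ntp.h of the ntp 4.2 series.
# Assumption: this mapping matches the ntpd build that produced the log.
FLASH_BITS = [
    (0x0001, "pkt_dup",      "duplicate packet"),
    (0x0002, "pkt_bogus",    "bogus packet"),
    (0x0004, "pkt_unsync",   "server not synchronized"),
    (0x0008, "pkt_denied",   "access denied"),
    (0x0010, "pkt_auth",     "authentication failure"),
    (0x0020, "pkt_stratum",  "invalid leap or stratum"),
    (0x0040, "pkt_header",   "header distance exceeded"),
    (0x0080, "pkt_autokey",  "autokey sequence error"),
    (0x0100, "pkt_crypto",   "autokey protocol error"),
    (0x0200, "peer_stratum", "invalid header or stratum"),
    (0x0400, "peer_dist",    "distance threshold exceeded"),
    (0x0800, "peer_loop",    "synchronization loop"),
    (0x1000, "peer_unreach", "unreachable or nonselect"),
]

# ntpd -d prints the flash word in hex without a 0x prefix.
FLASH_RE = re.compile(r"packet: flash header ([0-9a-fA-F]+)")


def decode_flash(flash):
    """Return the names of all flash bits set in the given word, low bit first."""
    return [name for bit, name, _ in FLASH_BITS if flash & bit]


def describe_flash(flash):
    """Map each set flash bit to its one-line meaning."""
    return {name: desc for bit, name, desc in FLASH_BITS if flash & bit}


def summarize_log(lines):
    """Count each distinct flash word found in ntpd -d output."""
    counts = {}
    for line in lines:
        m = FLASH_RE.search(line)
        if m:
            flash = int(m.group(1), 16)
            counts[flash] = counts.get(flash, 0) + 1
    return counts


# Constructed sample: two rounds of the client-side loop quoted in the post.
SAMPLE_LOG = """\
make_keys: 0 f2ec5cf3 00000000 ts 0 fs 0 poll 6
crypto_xmit: flags 0x410001 offset 48 len 76 code 0x202 associd 63751
transmit: at 1311 192.168.0.1->192.168.0.100 mode 3 keyid 10c97382 len 144 index 0
receive: at 1311 192.168.0.1<-192.168.0.100 mode 4 keyid 10c97382 len 76 auth 1
crypto_recv: flags 0x415001 ext offset 48 len 8 code 0x8202 associd 63751
packet: flash header 1480
crypto_xmit: flags 0x410001 offset 48 len 76 code 0x202 associd 63751
transmit: at 1375 192.168.0.1->192.168.0.100 mode 3 keyid 10c97382 len 144 index 0
receive: at 1375 192.168.0.1<-192.168.0.100 mode 4 keyid 10c97382 len 76 auth 1
crypto_recv: flags 0x415001 ext offset 48 len 8 code 0x8202 associd 63751
packet: flash header 1480
""".splitlines()


if __name__ == "__main__":
    for flash, n in summarize_log(SAMPLE_LOG).items():
        names = ", ".join(decode_flash(flash))
        print(f"flash 0x{flash:04x} seen {n}x: {names}")
        for name, desc in describe_flash(flash).items():
            print(f"  {name:13s} {desc}")
```

Running it over the constructed sample reports 0x1480 as pkt_autokey, peer_dist and peer_unreach, the same reading the post gives. Of those three, peer_dist and peer_unreach are consequences of never completing a successful exchange; pkt_autokey (autokey sequence error) is the bit to investigate, which points at the certificate/key material the client and server exchange rather than at the network path.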

