From owner-freebsd-questions@FreeBSD.ORG Sun Apr 12 05:25:37 2015
Message-ID: <1428816325.33049.17.camel@pki2.com>
Subject: Re: NTP peering broken since recent security update?
From: Dennis Glatting
To: Kent Kuriyama
Cc: Arthur Chance, FreeBSD-Questions
Date: Sat, 11 Apr 2015 22:25:25 -0700
In-Reply-To:
References: <5526A2F1.5030609@qeng-ho.org>

On Thu, 2015-04-09 at 08:14 -1000, Kent Kuriyama wrote:
> Are you doing any NTP authentication between peers?
>

ntp_proto.c appears to be the problem.

* If you restore the prior ntp_proto.c, peering works (at least for me).

* If you make the diffs from the enclosed patch against the updated ntp_proto.c (i.e., the updated version from svn), peering works.

* Peering works for net/ntp and net/ntp-devel.

For a while I suspected it was an optimizer problem because it isn't obvious to me why the patch works. I had resorted to backing chunks of the updated ntp_proto.c and ntp_crypto.c out. I'm still testing.

I found my leap seconds file was way out of date. The installed ntpd didn't report the problem but net/ntp complained.

Marvin# diff -c ntp_proto.c.orig ntp_proto.c *** ntp_proto.c.orig Sat Apr 11 23:51:43 2015 --- ntp_proto.c Sat Apr 11 23:54:54 2015 *************** *** 948,957 **** peer->flash |= TEST2; /* bogus packet */ } ! /* ! * If unsynchronized or bogus abandon ship. If the crypto machine ! * breaks, light the crypto bit and plaint the log. ! */ if (peer->flash & PKT_TEST_MASK) { #ifdef OPENSSL if (crypto_flags && (peer->flags & FLAG_SKEY)) { --- 948,960 ---- peer->flash |= TEST2; /* bogus packet */ } ! /* ! 
* Update the origin and destination timestamps. If ! * unsynchronized or bogus abandon ship. If the crypto machine ! * breaks, light the crypto bit and plaint the log. ! */ ! peer->org = p_xmt; ! peer->rec = rbufp->recv_time; if (peer->flash & PKT_TEST_MASK) { #ifdef OPENSSL if (crypto_flags && (peer->flags & FLAG_SKEY)) { *************** *** 994,1005 **** /* * That was hard and I am sweaty, but the packet is squeaky * clean. Get on with real work. - * - * Update the origin and destination timestamps. */ - peer->org = p_xmt; - peer->rec = rbufp->recv_time; - peer->received++; peer->timereceived = current_time; if (is_authentic == AUTH_OK) --- 997,1003 ----

> On Thu, Apr 9, 2015 at 6:04 AM, Arthur Chance wrote:
>
> > I have three NTP servers on my internal networks. Each of them uses
> > various external machines as servers but they also peer with the other two
> > internal ones to give some resilience in case the outside world goes away.
> > Since the update and restart associated with FreeBSD-SA-15:07.ntp the ntpd
> > processes appear to be unable to see peers (reach = 0) although they're
> > locking onto the servers quite happily.
> >
> > Anyone else seeing this?
> >
> > --
> > Those who do not learn from computing history are doomed to
> > GOTO 1
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
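Review bot: in the 948,957 hunk, hoisting `peer->org = p_xmt;` and `peer->rec = rbufp->recv_time;` above `if (peer->flash & PKT_TEST_MASK)` means the association's origin and receive timestamps are overwritten even when the packet has just been flagged TEST2 ("bogus packet") or failed any other PKT_TEST_MASK check, which is exactly what the updated ntp_proto.c avoids by touching them only after the packet is "squeaky clean". That makes peering work by removing the guard rather than by explaining why peers trip it; before adopting this, log which peer->flash bit is set on the dropped peer packets (and whether the peers are authenticated, as asked upthread) so the actual failing test can be fixed.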
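Review bot: the 994,1005 hunk deletes the "Update the origin and destination timestamps" comment and both assignments from the validated-packet path, so after this patch the only place peer->org and peer->rec are set is the new unconditional assignment in the first hunk; the net behaviour change (timestamps accepted from unvalidated packets) should be stated in the patch description, and the now-orphaned comment block in the first hunk should say why the early update is needed rather than keeping the old "abandon ship" wording.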
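To make the symptom Arthur describes (servers locked on, symmetric peers stuck at reach = 0) checkable from a script, here is an added example that is not code from this thread or from ntp: it parses a constructed `ntpq -pn` billboard and reports associations whose reach register is zero, split by association type. It assumes the billboard's `t` column shows `u` for unicast servers and `s` for symmetric peers, and that the reach column is printed in octal.

```python
import collections

# Constructed sample of `ntpq -pn` output (not from the thread): two external
# servers are answering, while the two internal symmetric peers sit at reach 0.
SAMPLE_BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   23   64  377    0.221   -0.012   0.031
+192.0.2.11      192.0.2.10       2 u   40   64  376    0.310    0.020   0.044
 10.0.0.2        .INIT.          16 s    -   64    0    0.000    0.000   0.000
 10.0.0.3        .INIT.          16 s    -   64    0    0.000    0.000   0.000
"""

Assoc = collections.namedtuple("Assoc", "tally remote refid stratum atype reach")

def parse_billboard(text):
    """Parse the ntpq peers billboard into Assoc records (header rows skipped)."""
    assocs = []
    for line in text.splitlines():
        if not line or line.lstrip().startswith(("remote", "=")):
            continue
        # Column 0 is the tally code (' ', '*', '+', '-', 'x', '.', '#', 'o');
        # the rest is whitespace separated: remote refid st t when poll reach ...
        fields = line[1:].split()
        if len(fields) < 7:
            continue
        remote, refid, st, atype, _when, _poll, reach = fields[:7]
        assocs.append(Assoc(line[0], remote, refid, int(st), atype, int(reach, 8)))
    return assocs

def polls_answered(reach):
    """reach is an 8-bit shift register, one bit per poll; count the replies."""
    return bin(reach & 0xFF).count("1")

def unreached(assocs, atype=None):
    """Associations with reach 0 (no reply in the last eight polls), optionally by type."""
    return [a for a in assocs if a.reach == 0 and (atype is None or a.atype == atype)]

def peers_dead_servers_alive(assocs):
    """True when every symmetric peer ('s', assumed code) is unreached while some
    unicast server ('u') is answering: the signature reported in the thread."""
    peers = [a for a in assocs if a.atype == "s"]
    servers = [a for a in assocs if a.atype == "u"]
    return bool(peers) and all(a.reach == 0 for a in peers) and any(a.reach for a in servers)

if __name__ == "__main__":
    assocs = parse_billboard(SAMPLE_BILLBOARD)
    for a in assocs:
        print(f"{a.remote:16} type={a.atype} reach={a.reach:03o} answered={polls_answered(a.reach)}/8")
    if peers_dead_servers_alive(assocs):
        print("symmetric peers unreachable while servers sync: inspect the peer associations")
```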