Question about ntp build option

Question about ntp build option

[Fan, Xin]

Hello,

I wonder that why the ntp uses the without-openssl build option and disables the 
openssl by default.

In my opinion, the ntp needs openssl to support public key cryptography and it
should be enabled by default.

Does anyone know the reason?

Best regards
Fan

=====================================================
Fujitsu Computer Technology
Fan Xin
fan.xin@jp.fujitsu.com

Re: Question about ntp build option

[Paul Eggleton]

Hi Fan,

On Friday 28 November 2014 06:05:36 Fan, Xin wrote:
> I wonder that why the ntp uses the without-openssl build option and disables
> the openssl by default.
> 
> In my opinion, the ntp needs openssl to support public key cryptography and
> it should be enabled by default.

I set it up this way originally because I didn't figure SSL to be that 
important for a protocol like ntp for the common case. To my mind, it depends 
on what you are doing with time on the system which is being synchronised - if 
you are only using it to display a clock somewhere for the user, the security 
of the connection to the ntp server isn't really that important vs. avoiding 
the dependency on another library. If on the other hand you are writing logs 
or you are using a time-sensitive protocol such as Kerberos on the same system 
then you might want to consider enabling it.

There will always be differences in how people expect software to be configured 
for whatever target and application they are building for, hence why we make 
it fairly easy to adjust the configuration. In this case you only need to set 
your own PACKAGECONFIG value for ntp to include "openssl" and SSL support will 
be enabled.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: Question about ntp build option

[Paul Eggleton]

On Monday 05 January 2015 14:33:59 Paul Eggleton wrote:
> Hi Fan,
> 
> On Friday 28 November 2014 06:05:36 Fan, Xin wrote:
> > I wonder that why the ntp uses the without-openssl build option and
> > disables the openssl by default.
> > 
> > In my opinion, the ntp needs openssl to support public key cryptography
> > and
> > it should be enabled by default.
> 
> I set it up this way originally because I didn't figure SSL to be that
> important for a protocol like ntp for the common case. To my mind, it
> depends on what you are doing with time on the system which is being
> synchronised - if you are only using it to display a clock somewhere for
> the user, the security of the connection to the ntp server isn't really
> that important vs. avoiding the dependency on another library. If on the
> other hand you are writing logs or you are using a time-sensitive protocol
> such as Kerberos on the same system then you might want to consider
> enabling it.
> 
> There will always be differences in how people expect software to be
> configured for whatever target and application they are building for, hence
> why we make it fairly easy to adjust the configuration. In this case you
> only need to set your own PACKAGECONFIG value for ntp to include "openssl"
> and SSL support will be enabled.

(I should have added, my apologies for the very late reply).

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: Question about ntp build option

[Fan, Xin]

Hi Paul,

First of all, thanks for your reply.

> There will always be differences in how people expect software to be 
> configured for whatever target and application they are building for, 
> hence why we make it fairly easy to adjust the configuration.
Actually, I had the same opinion with you at the beginning.

But in last December, the ntp published 4 serious vulnerabilities(CVE-2014-9293,
CVE-2014-9294,CVE-2014-9295,CVE-2014-9296). So I think even the display a clock 
function, it should　also be protected by openssl for the safety connection.

And I find more packages in Yocto　which also use the openssl as the 
default option, so I think ntp also should set the openssl option as default setting.

What do you think about it?

Cheers,
Fan

-----Original Message-----
From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com] 
Sent: Monday, January 05, 2015 11:34 PM
To: Fan, Xin/樊 シン
Cc: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] Question about ntp build option

Hi Fan,

On Friday 28 November 2014 06:05:36 Fan, Xin wrote:
> I wonder that why the ntp uses the without-openssl build option and 
> disables the openssl by default.
> 
> In my opinion, the ntp needs openssl to support public key 
> cryptography and it should be enabled by default.

I set it up this way originally because I didn't figure SSL to be that important for a protocol like ntp for the common case. To my mind, it depends on what you are doing with time on the system which is being synchronised - if you are only using it to display a clock somewhere for the user, the security of the connection to the ntp server isn't really that important vs. avoiding the dependency on another library. If on the other hand you are writing logs or you are using a time-sensitive protocol such as Kerberos on the same system then you might want to consider enabling it.

There will always be differences in how people expect software to be configured for whatever target and application they are building for, hence why we make it fairly easy to adjust the configuration. In this case you only need to set your own PACKAGECONFIG value for ntp to include "openssl" and SSL support will be enabled.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: Question about ntp build option

[Paul Eggleton]

On Friday 16 January 2015 02:05:27 Fan, Xin wrote:
> > There will always be differences in how people expect software to be
> > configured for whatever target and application they are building for,
> > hence why we make it fairly easy to adjust the configuration.
> 
> Actually, I had the same opinion with you at the beginning.
> 
> But in last December, the ntp published 4 serious
> vulnerabilities(CVE-2014-9293, CVE-2014-9294,CVE-2014-9295,CVE-2014-9296).
> So I think even the display a clock function, it should　also be protected
> by openssl for the safety connection.

I'm not sure this follows. Correct me if I'm wrong, but SSL doesn't actually 
prevent me as an unauthorised user from making a connection - it just ensures 
that when I connect to a server that firstly the data sent over the connection 
is encrypted, and furthermore that the connection is directly to the server I 
think it is and not someone else masquerading as that server. This would mean 
that for example any buffer overflows such as the ones in the vulnerabilities 
you point to would still be accessible and potentially exploitable even if the 
connection were only available as encrypted using SSL, at least as far as I 
can tell.

> And I find more packages in Yocto　which also use the openssl as the
> default option, so I think ntp also should set the openssl option as default
> setting.

In a lot of other cases SSL is on by default because it really makes sense; 
for example it's common to want to fetch files from https servers so in the 
general case you would want curl to be built with SSL support by default. I'm 
not sure the same can be said of ntp. Again, I'm happy to be corrected though.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: Question about ntp build option

[Peter A. Bigot]

On 01/16/2015 05:54 AM, Paul Eggleton wrote:
> On Friday 16 January 2015 02:05:27 Fan, Xin wrote:
>>> There will always be differences in how people expect software to be
>>> configured for whatever target and application they are building for,
>>> hence why we make it fairly easy to adjust the configuration.
>> Actually, I had the same opinion with you at the beginning.
>>
>> But in last December, the ntp published 4 serious
>> vulnerabilities(CVE-2014-9293, CVE-2014-9294,CVE-2014-9295,CVE-2014-9296).
>> So I think even the display a clock function, it should　also be protected
>> by openssl for the safety connection.
> I'm not sure this follows. Correct me if I'm wrong, but SSL doesn't actually
> prevent me as an unauthorised user from making a connection - it just ensures
> that when I connect to a server that firstly the data sent over the connection
> is encrypted, and furthermore that the connection is directly to the server I
> think it is and not someone else masquerading as that server.

Though this is the common mode of operation, ssl also permits client 
authentication through certificates, so the server knows that the client 
is who it says it is.  I generally run public-facing restricted access 
web servers this way, in addition to using HTTP authentication.  I don't 
know but would assume ntp would support the same capability through 
configuration files if ssl is enabled in the build.

I doubt the number of people in the world that would configure ntp that 
way is very large, though. As long as it's available through 
PACKAGECONFIG (and it is) I'm not convinced changing the default is 
critical, but it's probably not a big deal either unless the added 
dependencies are a burden for somebody's small-footprint installation. 
(In which case they could override PACKAGECONFIG. That's what I love 
about Yocto.)

Peter

>   This would mean
> that for example any buffer overflows such as the ones in the vulnerabilities
> you point to would still be accessible and potentially exploitable even if the
> connection were only available as encrypted using SSL, at least as far as I
> can tell.
>
>> And I find more packages in Yocto　which also use the openssl as the
>> default option, so I think ntp also should set the openssl option as default
>> setting.
> In a lot of other cases SSL is on by default because it really makes sense;
> for example it's common to want to fetch files from https servers so in the
> general case you would want curl to be built with SSL support by default. I'm
> not sure the same can be said of ntp. Again, I'm happy to be corrected though.
>
> Cheers,
> Paul
>

Re: Question about ntp build option

[Fan, Xin]

OK, I understand. Thanks for your kindly reply.

I have learned a lot from this discussion. Thank you again.

Cheers,
Fan

-----Original Message-----
From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com] 
Sent: Friday, January 16, 2015 8:55 PM
To: Fan, Xin/樊 シン
Cc: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] Question about ntp build option

On Friday 16 January 2015 02:05:27 Fan, Xin wrote:
> > There will always be differences in how people expect software to be 
> > configured for whatever target and application they are building 
> > for, hence why we make it fairly easy to adjust the configuration.
> 
> Actually, I had the same opinion with you at the beginning.
> 
> But in last December, the ntp published 4 serious 
> vulnerabilities(CVE-2014-9293, CVE-2014-9294,CVE-2014-9295,CVE-2014-9296).
> So I think even the display a clock function, it should　also be 
> protected by openssl for the safety connection.

I'm not sure this follows. Correct me if I'm wrong, but SSL doesn't actually prevent me as an unauthorised user from making a connection - it just ensures that when I connect to a server that firstly the data sent over the connection is encrypted, and furthermore that the connection is directly to the server I think it is and not someone else masquerading as that server. This would mean that for example any buffer overflows such as the ones in the vulnerabilities you point to would still be accessible and potentially exploitable even if the connection were only available as encrypted using SSL, at least as far as I can tell.

> And I find more packages in Yocto　which also use the openssl as the 
> default option, so I think ntp also should set the openssl option as 
> default setting.

In a lot of other cases SSL is on by default because it really makes sense; for example it's common to want to fetch files from https servers so in the general case you would want curl to be built with SSL support by default. I'm not sure the same can be said of ntp. Again, I'm happy to be corrected though.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre