2

I have a Linux (4.9.171) machine running on ARM Cortex-A processor. The system has internet connection and talks to my server over SSL. At the first boot, I can configure the date and time to it. However, if my system restarts, it won't have a right time and SSL connection can fail in Certification Path Validation Algo. I need a way to keep my system time up-to date (few seconds precision will be fine).

My system doesn't have RTC and I don't want to use NTP as it is not secure and anyone can be MITM and give me compromised certificates to attack my system.

I also researched about NTPSec and NTS but they aren't mature now.

Is there any standard way for this problem statement?

abhiarora
  • 123
  • 4

1 Answers1

2

I can think of two reasonable ways to address this:

  1. Run a VPN, set your NTP client to sync to a server on the other side of the VPN
  2. Look at OpenBSD's implementation of ntpd, from the man page (https://man.openbsd.org/ntpd.conf) :

CONSTRAINTS

ntpd(8) can be configured to query the ‘Date’ from trusted HTTPS servers via TLS. This time information is not used for precision but acts as an authenticated constraint, thereby reducing the impact of unauthenticated NTP man-in-the-middle attacks. Received NTP packets with time information falling outside of a range near the constraint will be discarded and such NTP servers will be marked as invalid.

constraint from url

Specify the URL, IP address or the hostname of an HTTPS server to provide a constraint. If constraint from is used more than once, ntpd(8) will calculate a median constraint from all the servers specified.

The description in the man page seems to be exactly what you are asking.

There is a Linux version of OpenBSD ntpd in the form of portable OpenNTPD maintained by Brent Cook : http://www.openntpd.org/portable.html

Little Code
  • 375
  • 2
  • 11
  • The problem is without the valid date and time, I can't establish the `SSL` connection. Am I right? – abhiarora Nov 06 '19 at 04:32
  • I'm not sure how you intend to do anything without you (or the user) setting some sort of initial time ? "standard" NTP won't work without at least a basic time set to near the "real" time, and I guess the same with SSL. I think you seriously need to think about your design ! – Little Code Nov 06 '19 at 07:01
  • Even if I set some time at first boot, what will happen if system remains shutdown for few days? Just another question, do we need to have right time to establish just HTTP connection? – abhiarora Nov 06 '19 at 07:17
  • Why NTP requires some initial time? – abhiarora Nov 06 '19 at 07:17
  • 1
    It depends on the NTP client and your config. In some instances it might, in some instances it might not. I think you'll need to read the manual. – Little Code Nov 06 '19 at 09:07