tlsdate: secure parasitic rdate replacement

tlsdate sets the local clock by securely connecting with TLS to remote
servers and extracting the remote time out of the secure handshake. Unlike
ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
enabled service, and provides some protection against adversaries that try to
feed you malicious time information.

On Debian GNU/Linux and related systems, we provide an init.d script that
controls the tlsdated daemon. It will notice network changes and regularly
invoke tlsdate to keep the clock in sync. Start it like so:

  /etc/init.d/tlsdate start

Here is an example of an unprivileged user fetching the remote time:

  % tlsdate -V -n -H encrypted.google.com
  Fri Apr 19 17:56:46 PDT 2013

This is an example run - starting as root and dropping to nobody, setting the
clock and printing it:

  % sudo tlsdate -V
  Fri Apr 19 17:57:49 PDT 2013

Here is an example with a custom host and custom port without verification:

  % sudo tlsdate -v --skip-verification -p 80 -H rgnx.net
  V: tlsdate version 0.0.6
  V: We were called with the following arguments:
  V: disable SSL certificate check host = rgnx.net:80
  WARNING: Skipping certificate verification!
  V: time is currently 1366419507.456647065
  V: time is greater than RECENT_COMPILE_DATE
  V: using TLSv1_client_method()
  V: Using OpenSSL for SSL
  V: opening socket to rgnx.net:80
  V: Certificate verification skipped!
  V: public key is ready for inspection
  V: key type: EVP_PKEY_RSA
  V: keybits: 1024
  V: key length appears safe
  V: server time 1366419508 (difference is about -1 s) was fetched in 338 ms
  V: setting time succeeded
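
The verbose run above reflects how tlsdate works the handshake: TLS 1.0 to 1.2 servers put a 32-bit gmt_unix_time at the start of the ServerHello Random (RFC 5246 section 7.4.1.2), tlsdate reads it, rejects values that predate the build's RECENT_COMPILE_DATE, and reports the offset from the local clock. The Python below is an added illustration of that logic and is not tlsdate's own code; the ServerHello bytes, the RECENT_COMPILE_DATE placeholder value and the function names are constructed for this example.

```python
import struct
import time

# Constructed sample record (not captured from a real server): a TLS 1.2
# handshake record carrying a ServerHello whose Random starts with
# gmt_unix_time = 1366419508, the server time seen in the verbose run above.
GMT_UNIX_TIME = 1366419508
RANDOM = struct.pack("!I", GMT_UNIX_TIME) + bytes(range(28))
SERVER_HELLO_BODY = (
    b"\x03\x03"    # server_version = TLS 1.2
    + RANDOM       # Random = gmt_unix_time (4 bytes) || 28 random bytes
    + b"\x00"      # session_id length 0
    + b"\xc0\x2f"  # cipher_suite (value irrelevant here)
    + b"\x00"      # compression_method = null
)
HANDSHAKE = b"\x02" + len(SERVER_HELLO_BODY).to_bytes(3, "big") + SERVER_HELLO_BODY
RECORD = b"\x16\x03\x03" + struct.pack("!H", len(HANDSHAKE)) + HANDSHAKE

# Placeholder standing in for the floor tlsdate fixes at compile time.
RECENT_COMPILE_DATE = 1365000000

def server_hello_time(record: bytes) -> int:
    """Return the gmt_unix_time field of the ServerHello inside one TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) < 5 + rec_len:
        raise ValueError("truncated record")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 2 + 32:
        raise ValueError("ServerHello too short to hold Random")
    return struct.unpack("!I", body[2:6])[0]  # skip 2-byte version, read time

def clock_offset(server_time: int, local_time: int, floor: int = RECENT_COMPILE_DATE):
    """Mimic tlsdate's sanity check: None if server_time predates the floor,
    otherwise local minus server in seconds (negative means the server is ahead)."""
    if server_time <= floor:
        return None
    return local_time - server_time

if __name__ == "__main__":
    remote = server_hello_time(RECORD)
    offset = clock_offset(remote, int(time.time()))
    print("server time", remote, "difference is", offset, "s")
```

Many TLS 1.2 servers now fill that field with random bytes and TLS 1.3 dropped it entirely, so a value that merely passes the floor check is not evidence of a trustworthy clock. Certificate verification, which the run above deliberately disables with --skip-verification, is what ties the retrieved time to the server you intended to ask.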

Here is an example where a system may not have any kind of RTC at boot. Do the
time warp to restore sanity and do so with a leap of faith:

  % sudo tlsdate -V -l -t
  Fri Apr 19 18:08:03 PDT 2013
