ntpsec not coming up in openssl fips mode in Debian bookworm release
Hi,
I use openssl 3.0.9 with fips-mode enabled. When I try to start the ntpsec service, it does not come up. I am new to this; can you please help me figure out what configuration changes I need to make so that ntpsec works with openssl in fips mode? Following the openssl docs, I generated the fips.so and loaded it in memory using the openssl fips API.
**ntpd --version**

```
ntpd ntpsec-1.2.2
```

**openssl version**

```
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
```

**cat /etc/os-release**

```
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```
The ntp.conf contents:

**cat /etc/ntpsec/ntp.conf**

```
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
# This should be maxclock 7, but the pool entries count towards maxclock.
tos maxclock 11
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3
# Specify one or more NTP servers.
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
```
Here are the logs from `systemctl status ntpsec`:

```
× ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabl>
     Active: failed (Result: exit-code) since Sat 2023-08-26 10:46:54 UTC; 1 da>
   Duration: 265ms
       Docs: man:ntpd(8)
   Main PID: 397 (code=exited, status=1/FAILURE)
        CPU: 53ms

Aug 26 10:46:54 localhost ntpd[397]: INIT: precision = 0.210 usec (-22)
Aug 26 10:46:54 localhost ntpd[397]: INIT: successfully locked into RAM
Aug 26 10:46:54 localhost ntpd[397]: CONFIG: readconfig: parsing file: /etc/ntp>
Aug 26 10:46:54 localhost ntpd[397]: CONFIG: restrict nopeer ignored
Aug 26 10:46:54 localhost ntpd[397]: CLOCK: leapsecond file ('/usr/share/zonein>
Aug 26 10:46:54 localhost ntpd[397]: CLOCK: leapsecond file ('/usr/share/zonein>
Aug 26 10:46:54 localhost ntpd[397]: INIT: Using SO_TIMESTAMPNS(ns)
Aug 26 10:46:54 localhost ntpd[397]: MAC: MD5 init failed
Aug 26 10:46:54 localhost systemd[1]: ntpsec.service: Main process exited, code>
Aug 26 10:46:54 localhost systemd[1]: ntpsec.service: Failed with result 'exit->
```
Edited by binayak mandal