[ipxe-devel] SSL certificate validation and NTP
Michael Brown
mbrown at fensystems.co.uk
Thu Mar 22 17:37:06 UTC 2012
On Thursday 22 Mar 2012 17:05:19 Phil Martin wrote:
> I've been experimenting with the HTTPS functions in iPXE over the last
> day or so. Since you've enabled the checking of the certificate
> validity period, will you be including some sort of NTP functionality
> to set the system clock before checking the certificate? Currently, if
> for some reason a machine has lost time (or doesn't have a CMOS clock
> at all), it will fail to boot over HTTPS as the certificate won't yet
> be valid, according to the machine's clock at least. Perhaps it could
> use the NTP servers at pool.ntp.org by default, but be overridden if
> option 42 was specified in DHCP?
Wouldn't that make the validity period check essentially worthless, since a
man-in-the-middle attacker could simply fake the current NTP time? How can we
do this securely?
Michael
More information about the ipxe-devel
mailing list