secure parasitic rdate replacement
C Shell Ruby
Latest commit ae396da @ioerror bump to 0.0.13
ca-roots remove TÜRKTRUST from CA list post sub-ca mistakes
dbus CHROMIUM: Initial work eventizing tlsdated
etc Switch from which is sending a randomised time to
init continued merge issues: platform, debug, configs
m4 Fix from Paul Wouters to build
man Switch from which is sending a randomised time to
src Switch from which is sending a randomised time to
systemd Update systemd file
tests continued merge overhaul
.gitignore Update .gitignore to reflect ctags/vim usage
.travis.yml Add libtool to .travis.yml
CHANGELOG bump to 0.0.13 Lets integrate an image that shows build status
HARDENING Add note on current state of affairs for Windows in HARDENING
INSTALL add git-buildpackage to INSTALL
LICENSE first commit Switch from which is sending a randomised time to android build scripts and instructions
README Update README to make it timeless, so to speak
TLSDATEPOOL Idea for; eat your heart out
TODO remove TODO item
apparmor-profile allow the unprivileged helper to read the time Start MinGW support bump to 0.0.13 CHROMIUM: Initial work eventizing tlsdated
mkfile initial plan9 build of tlsdate-helper-plan9.c, doesn't quite build an…
run-tests continued merge overhaul
test.conf Add integration testing.
tlsdate-brew-formula.rb Update brew formula for tlsdate
tlsdate-seccomp-amd64.policy Add Seccomp-BPF policies to the repo.
tlsdate-seccomp-arm.policy Add Seccomp-BPF policies to the repo.
tlsdate-seccomp-x86.policy Add Seccomp-BPF policies to the repo.


tlsdate: secure parasitic rdate replacement

 tlsdate sets the local clock by securely connecting with TLS to remote
 servers and extracting the remote time out of the secure handshake. Unlike
 ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
 enabled service, and provides some protection against adversaries that try to
 feed you malicious time information.

On Debian GNU/Linux and related systems, we provide an init.d script that
controls the tlsdated daemon. It will notice network changes and regularly
invoke tlsdate to keep the clock in sync. Start it like so:

  /etc/init.d/tlsdate start

Here is an example of an unprivileged user fetching the remote time:

  % tlsdate -V -n -H
  Fri Apr 19 17:56:46 PDT 2013

This is an example run - starting as root and dropping to nobody, setting the
clock and printing it:

  % sudo tlsdate -V
  Fri Apr 19 17:57:49 PDT 2013

Here is an example with a custom host and custom port without verification:

  % sudo tlsdate --skip-verification -p 80 -H

Here is an example where a system may not have any kind of RTC at boot. Do the
time warp to restore sanity and do so with a leap of faith:

  % sudo tlsdate -V -l -t
  Fri Apr 19 18:08:03 PDT 2013

Some SSL/TLS services do not provide accurate time in their handshake process;
tlsdate may also be used to fetch time by processing the HTTP Date headers of
HTTP services:

  % sudo tlsdate -V -l -t -w
  Wed Oct 30 18:08:46 CET 2013
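
The time "extracted out of the secure handshake" is the 4-byte gmt_unix_time at the start of ServerHello.random. The following is an added example, not tlsdate's own code: it parses that field from a single-record ServerHello and rejects values outside a caller-chosen window. The function names, the window bounds and the sample bytes are assumptions of this example, and it does not cover the TLS connection or certificate verification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Extract gmt_unix_time (first 4 bytes of ServerHello.random, big-endian)
 * from one TLS record carrying a complete ServerHello.
 * Returns 0 on success, -1 on anything malformed or truncated. */
int server_hello_time(const uint8_t *buf, size_t len, uint32_t *out)
{
    /* record: type(1) version(2) length(2) | handshake: type(1) length(3)
     * | body: server_version(2) random(32) ... */
    if (len < 5 + 4 + 2 + 32 || buf[0] != 22)        /* 22 = handshake */
        return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 + 2 + 32 || rec_len > len - 5)
        return -1;
    if (buf[5] != 2)                                 /* 2 = server_hello */
        return -1;
    size_t hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (hs_len < 2 + 32 || hs_len > rec_len - 4)
        return -1;
    const uint8_t *r = buf + 11;                     /* start of random */
    *out = ((uint32_t)r[0] << 24) | ((uint32_t)r[1] << 16) |
           ((uint32_t)r[2] << 8) | (uint32_t)r[3];
    return 0;
}

/* Return the handshake time only if it parses and lies in [lo, hi], else -1.
 * The window is this example's assumption: a server that randomises the
 * field (or TLS 1.3, where random carries no time) will usually fall outside. */
int64_t checked_time(const uint8_t *buf, size_t len, uint32_t lo, uint32_t hi)
{
    uint32_t t;
    if (server_hello_time(buf, len, &t) != 0 || t < lo || t > hi)
        return -1;
    return (int64_t)t;
}

/* Constructed sample: minimal ServerHello, body cut after random,
 * gmt_unix_time = 0x5171E80D, remaining random bytes zero. */
static const uint8_t SAMPLE[43] = {
    0x16, 0x03, 0x03, 0x00, 0x26,  0x02, 0x00, 0x00, 0x22,
    0x03, 0x03,  0x51, 0x71, 0xE8, 0x0D };

int main(void)
{
    printf("in window: %lld\n", (long long)checked_time(SAMPLE, sizeof SAMPLE, 0x51000000u, 0x52000000u));
    printf("truncated: %lld\n", (long long)checked_time(SAMPLE, 20, 0x51000000u, 0x52000000u));
    printf("too old:   %lld\n", (long long)checked_time(SAMPLE, sizeof SAMPLE, 0x52000000u, 0x53000000u));
    return 0;
}
```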
