secure parasitic rdate replacement

Merge pull request #126 from BrianAker/master

Check return state of write(), otherwise this fails for compilers for un...
latest commit e654bbc92b
Jacob Appelbaum authored
ca-roots remove TÜRKTRUST from CA list post sub-ca mistakes January 07, 2013
etc Fix subprocess watching. June 21, 2013
m4 Fix from Paul Wouters to build May 07, 2013
man Update manpage with http option October 10, 2013
src Check return state of write(), otherwise this fails for compilers for… January 12, 2014
tests Refactor event loop. July 17, 2013
.gitignore Update .gitignore to reflect ctags/vim usage October 30, 2013
.travis.yml Add libtool to .travis.yml April 19, 2013
AUTHORS Add Elly as an author May 11, 2013
CHANGELOG Mention the recent FreeBSD-specific changes in the CHANGELOG November 21, 2013
HACKING.md Lets integrate an image that shows build status April 19, 2013
HARDENING Add note on current state of affairs for Windows in HARDENING April 23, 2013
INSTALL Mention in INSTALL that tlsdate is expected to work on FreeBSD 9.2 an… November 21, 2013
LICENSE first commit January 18, 2012
Makefile.am Add tlsdated.service to Makefile October 31, 2013
Makefile.android android build scripts and instructions April 12, 2013
README Update README to make it timeless, so to speak November 02, 2013
TLSDATEPOOL Idea for genepool.tlsdate.net; pool.ntp.org eat your heart out August 01, 2012
TODO Add note about servers with weak DH group parameters November 07, 2013
apparmor-profile Add /usr/lib/x86_64-linux-gnu/ to AppArmor profile\ October 31, 2013
autogen.sh Start MinGW support April 24, 2013
configure.ac Use the strchrnul() replacement on FreeBSD versions that need it November 21, 2013
mkfile initial plan9 build of tlsdate-helper-plan9.c, doesn't quite build an… April 15, 2013
run-tests Refactor event loop. July 17, 2013
test.conf Add integration testing. July 08, 2013
tlsdate-brew-formula.rb Update brew forumla for tlsdate February 14, 2013
tlsdate-seccomp-amd64.policy Add Seccomp-BPF policies to the repo. January 04, 2013
tlsdate-seccomp-arm.policy Add Seccomp-BPF policies to the repo. January 04, 2013
tlsdate-seccomp-x86.policy Add Seccomp-BPF policies to the repo. January 04, 2013
tlsdated.service Add tlsdated.service to Makefile October 31, 2013
README
tlsdate: secure parasitic rdate replacement

 tlsdate sets the local clock by securely connecting with TLS to remote
 servers and extracting the remote time out of the secure handshake. Unlike
 ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
 enabled service, and provides some protection against adversaries that try to
 feed you malicious time information.

On Debian GNU/Linux and related systems, we provide an init.d script that
controls the tlsdated daemon. It will notice network changes and regularly
invoke tlsdate to keep the clock in sync. Start it like so:

  /etc/init.d/tlsdate start


Here is an example of an unprivileged user fetching the remote time:

  % tlsdate -V -n -H encrypted.google.com
  Fri Apr 19 17:56:46 PDT 2013


This is an example run - starting as root and dropping to nobody, setting the
clock and printing it:

  % sudo tlsdate -V
  Fri Apr 19 17:57:49 PDT 2013


Here is an example with a custom host and custom port without verification:

  % sudo tlsdate --skip-verification -p 80 -H rgnx.net

Here is an example where a system may not have any kind of RTC at boot. Do the
time warp to restore sanity and do so with a leap of faith:

  % sudo tlsdate -V -l -t
  Fri Apr 19 18:08:03 PDT 2013


Some SSL/TLS services do not provide accurate time in their handshake process;
tlsdate may also be used to fetch time by processing the HTTP Date headers of
HTTP services:

  % sudo tlsdate -V -l -t -w
  Wed Oct 30 18:08:46 CET 2013
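
The sketch below is an added example, not code from tlsdate. It shows where the
handshake time lives: in TLS up to 1.2 (RFC 5246) the first four bytes of the
ServerHello random are gmt_unix_time. The function names, the sample bytes and
the plausibility window are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a minimal TLS 1.2 ServerHello in a single record.
 * Bytes 15..42 (the remaining 28 random bytes) are left as zero. */
static const uint8_t sample_hello[47] = {
    0x16, 0x03, 0x03, 0x00, 0x2A,   /* record: handshake, TLS 1.2, 42 bytes */
    0x02, 0x00, 0x00, 0x26,         /* ServerHello, 38-byte body */
    0x03, 0x03,                     /* server_version */
    0x51, 0x71, 0xE7, 0xCE,         /* random.gmt_unix_time = 1366419406 */
    [45] = 0x2F                     /* cipher suite 0x002F; session id empty */
};

/* Hypothetical helper: returns 0 and stores gmt_unix_time, -1 if malformed. */
int server_hello_time(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len < 5 + 4 + 2 + 32) return -1;      /* must reach end of random */
    if (buf[0] != 0x16) return -1;            /* not a handshake record */
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len > len - 5) return -1;         /* record longer than buffer */
    if (buf[5] != 0x02) return -1;            /* not a ServerHello */
    size_t body = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (body < 34 || body + 4 > rec_len) return -1;
    *out = ((uint32_t)buf[11] << 24) | ((uint32_t)buf[12] << 16) |
           ((uint32_t)buf[13] << 8) | (uint32_t)buf[14];
    return 0;
}

/* Hypothetical check: a server may put random bytes in this field, so only
 * accept values inside a window the caller considers sane. */
int time_plausible(uint32_t t, uint32_t not_before, uint32_t not_after)
{
    return t >= not_before && t <= not_after;
}

int main(void)
{
    uint32_t t;
    if (server_hello_time(sample_hello, sizeof sample_hello, &t) != 0)
        return 1;
    /* Window bounds (2013-01-01 .. 2020-01-01 UTC) are constructed values. */
    printf("%lu plausible=%d\n", (unsigned long)t,
           time_plausible(t, 1356998400u, 1577836800u));
    return 0;
}
```

A value that fails the window check is the case the README describes next to
the -w option: the handshake carried no usable time.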

