Occasionally we have devices which can’t sync with NTP, so we have a container update system time by sending an http request to api.balena-cloud.com/ping and manually updating the time.
Recently there have been a few instances where the request fails because of an SSL certificate error. I have found a workaround of disabling SSL verification but I don’t want to do that by default. Once I use the workaround, the request succeeds and time is updated. After this point, the device does not need to ignore SSL to complete future requests.
Is there some sort of dependence on the correct time for SSL? If so I guess a better implementation would be to attempt with SSL and if that fails then attempt without?
Hi Eric. Yes, TLS requires an accurate(ish) system clock so it can validate the certificates. Falling back to HTTP if HTTPS fails would make MITM attacks trivial so this is unlikely something we would consider.
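To make the clock dependence concrete, here is a small added example (not code from the thread or from balena) that applies the same validity-window check a TLS client performs, using the date format Python's `ssl.getpeercert()` returns. The certificate dictionary below is constructed for illustration; on a real device you would obtain it from the verified connection. The point is that a device booting with its clock at the epoch sits before the certificate's `notBefore`, so verification fails, and the correct response is to fix the clock rather than skip verification or fall back to plain HTTP.

```python
import ssl
import time

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
# The dates are illustrative, not taken from any real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def diagnose(cert: dict, now: float) -> str:
    """Classify a certificate against the given clock value (epoch seconds).

    Returns one of:
      "ok"                      - clock lies inside the validity window
      "clock_behind"            - clock is earlier than notBefore (typical for a
                                  device with no RTC that boots at 1970-01-01)
      "clock_ahead_or_expired"  - clock is later than notAfter; either the clock
                                  is wrong or the certificate really has expired
    """
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" strings
    # found in getpeercert() output into UTC epoch seconds.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "clock_behind"
    if now > not_after:
        return "clock_ahead_or_expired"
    return "ok"


def should_disable_verification(verdict: str) -> bool:
    """Policy helper: no verdict ever justifies turning verification off.

    A wrong clock is a reason to correct the clock (e.g. from a trusted time
    source, or by refusing to proceed until it is set), never to accept an
    unverified peer or retry over plain HTTP.
    """
    return False


if __name__ == "__main__":
    # A device that lost its clock and thinks it is 1970-01-01.
    print("clock at epoch:", diagnose(SAMPLE_CERT, 0))
    # The same certificate checked with a clock inside its validity window.
    print("clock in window:", diagnose(SAMPLE_CERT, 1720000000))
    # Whatever the verdict, verification stays on.
    print("disable verification?", should_disable_verification("clock_behind"))
    # Real system clock, for comparison with the sample window.
    print("system clock now:", diagnose(SAMPLE_CERT, time.time()))
```

Running the first case shows why a single device at one site can fail while its neighbour succeeds: the check depends on each device's own clock, not on the network path, so a device that kept its time across reboots passes and one that did not fails until its clock is corrected.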
Yeah, definitely understand the exposure a workaround would create. Also thank you for correcting me, I did mean TLS. Thanks for the explanation for the behavior I’m seeing.
I’m not sure, it’s only happened on two devices and they’ve been in different locations. The stranger part is that one location has two devices and only 1 of them has encountered this problem. I’ll do some research on the networking environments the devices are in and work from there. Thanks!