提交 2cc7acd2 编写于 作者: D Dr. Stephen Henson

Use better defaults for TSA.

Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141
Reviewed-by: NMatt Caswell <matt@openssl.org>
上级 e20b4727
......@@ -340,7 +340,7 @@ signer_digest = sha1 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
......
......@@ -335,11 +335,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha1 # Signing digest to use. (Optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
......
......@@ -28,7 +28,7 @@ B<-reply>
[B<-passin> password_src]
[B<-signer> tsa_cert.pem]
[B<-inkey> private.pem]
[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>]
[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
[B<-chain> certs_file.pem]
[B<-policy> object_id]
[B<-in> response.tsr]
......@@ -216,7 +216,7 @@ variable of the config file. (Optional)
The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional)
=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
=item B<-sha1|-sha224|-sha256|-sha384|-sha512>
Signing digest to use. Overrides the B<signer_digest> config file
option. (Optional)
......@@ -405,8 +405,7 @@ command line option. (Optional)
=item B<signer_digest>
Signing digest to use. The same as the
B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
command line option. (Optional)
B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
=item B<default_policy>
......
......@@ -35,7 +35,7 @@ private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_md = sha1 # which md to use.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
......@@ -132,11 +132,11 @@ signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
certs = $dir/tsaca.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
signer_digest = sha1 # Signing digest to use. (Optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
......@@ -156,8 +156,8 @@ signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
signer_digest = sha1 # Signing digest to use. (Optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册