提交 2cc7acd2 编写于 作者: D Dr. Stephen Henson

Use better defaults for TSA.

Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141
Reviewed-by: NMatt Caswell <matt@openssl.org>
上级 e20b4727
...@@ -340,7 +340,7 @@ signer_digest = sha1 # Signing digest to use. (Optional) ...@@ -340,7 +340,7 @@ signer_digest = sha1 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it default_policy = tsa_policy1 # Policy if request did not specify it
# (optional) # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory) digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional) accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional) clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps? ordering = yes # Is ordering defined for timestamps?
......
...@@ -335,11 +335,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate ...@@ -335,11 +335,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs = $dir/cacert.pem # Certificate chain to include in reply certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional) # (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha1 # Signing digest to use. (Optional) signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it default_policy = tsa_policy1 # Policy if request did not specify it
# (optional) # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory) digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional) accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional) clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps? ordering = yes # Is ordering defined for timestamps?
......
...@@ -28,7 +28,7 @@ B<-reply> ...@@ -28,7 +28,7 @@ B<-reply>
[B<-passin> password_src] [B<-passin> password_src]
[B<-signer> tsa_cert.pem] [B<-signer> tsa_cert.pem]
[B<-inkey> private.pem] [B<-inkey> private.pem]
[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>] [B<-sha1|-sha224|-sha256|-sha384|-sha512>]
[B<-chain> certs_file.pem] [B<-chain> certs_file.pem]
[B<-policy> object_id] [B<-policy> object_id]
[B<-in> response.tsr] [B<-in> response.tsr]
...@@ -216,7 +216,7 @@ variable of the config file. (Optional) ...@@ -216,7 +216,7 @@ variable of the config file. (Optional)
The signer private key of the TSA in PEM format. Overrides the The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional) B<signer_key> config file option. (Optional)
=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> =item B<-sha1|-sha224|-sha256|-sha384|-sha512>
Signing digest to use. Overrides the B<signer_digest> config file Signing digest to use. Overrides the B<signer_digest> config file
option. (Optional) option. (Optional)
...@@ -405,8 +405,7 @@ command line option. (Optional) ...@@ -405,8 +405,7 @@ command line option. (Optional)
=item B<signer_digest> =item B<signer_digest>
Signing digest to use. The same as the Signing digest to use. The same as the
B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
command line option. (Optional)
=item B<default_policy> =item B<default_policy>
......
...@@ -35,7 +35,7 @@ private_key = $dir/private/cakey.pem# The private key ...@@ -35,7 +35,7 @@ private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for default_days = 365 # how long to certify for
default_md = sha1 # which md to use. default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering
policy = policy_match policy = policy_match
...@@ -132,11 +132,11 @@ signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate ...@@ -132,11 +132,11 @@ signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
certs = $dir/tsaca.pem # Certificate chain to include in reply certs = $dir/tsaca.pem # Certificate chain to include in reply
# (optional) # (optional)
signer_key = $dir/tsa_key1.pem # The TSA private key (optional) signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
signer_digest = sha1 # Signing digest to use. (Optional) signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it default_policy = tsa_policy1 # Policy if request did not specify it
# (optional) # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory) digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional) accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps? ordering = yes # Is ordering defined for timestamps?
# (optional, default: no) # (optional, default: no)
...@@ -156,8 +156,8 @@ signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate ...@@ -156,8 +156,8 @@ signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
# (optional) # (optional)
signer_key = $dir/tsa_key2.pem # The TSA private key (optional) signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
signer_digest = sha1 # Signing digest to use. (Optional) signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it default_policy = tsa_policy1 # Policy if request did not specify it
# (optional) # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory) digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册