uts-server/conf/uts-server.cnf

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ main ]

# Comma-separated list of ips:ports to listen on.
# If the port is SSL, a letter s must be appended.
listening_ports = 127.0.0.1:2020
#listening_ports = 80,443s

# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
enable_keep_alive = no

# Number of worker threads.
num_threads = 50

# Switch to given user credentials after startup.
# Required to run on privileged ports and not be run as root.
# run_as_user = uts-server

# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
# *                   limit speed for all connections
# x.x.x.x/mask        limit speed for specified subnet
# The value is a floating-point number of bytes per second, optionally followed by a k or m character
# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
throttle = *
#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0

# Timeout for network read and network write operations, in milliseconds.
request_timeout_ms = 30000

# Path to the SSL certificate file. (PEM format containing private key and certificate)
#ssl_certificate = /etc/uts-server/cert.pem

# Enable client's certificate verification by the server.
#ssl_verify_peer = yes

# Name of a directory containing trusted CA certificates
#ssl_ca_path = /etc/ssl/ca/

# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
#ssl_ca_file = /etc/uts-server/ca.pem

# Sets maximum depth of certificate chain.
# If client's certificate chain is longer than the depth set here connection is refused.
#ssl_verify_depth = 9

# Loads default trusted certificates locations set at openssl compile time.
#ssl_default_verify_paths = yes

# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
#ssl_cipher_list = ALL:!eNULL

# Sets the minimal accepted version of SSL/TLS protocol according to the table:
# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2  0
# SSL3+TLS1.0+TLS1.1+TLS1.2       1
# TLS1.0+TLS1.1+TLS1.2            2
# TLS1.1+TLS1.2                   3
# TLS1.2                          4

#ssl_protocol_version = 3

# Enables the use of short lived certificates
#ssl_short_trust = no

# comma separated list of IP subnets to accept/deny
# deny all accesses, only allow 192.168/16 subnet
#access_control_allow_origin = -0.0.0.0/0,+192.168/16

# Enable TCP_NODELAY socket option on client connections.
tcp_nodelay = 0

# loglevel 
# debug, info, notice, warn, err, emerg, crit
log_level = info

####################################################################
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= ./tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)

default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)
adding default configuration file 2016-08-25 23:03:56 +02:00			`[ new_oids ]`

			`# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.`
			`# Add a simple OID like this:`
			`# testoid1=1.2.3.4`
			`# Or use config file substitution like this:`
			`# testoid2=${testoid1}.5.6`

			`# Policies used by the TSA examples.`
			`tsa_policy1 = 1.2.3.4.1`
			`tsa_policy2 = 1.2.3.4.5.6`
			`tsa_policy3 = 1.2.3.4.5.7`

			`[ main ]`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Comma-separated list of ips:ports to listen on.`
			`# If the port is SSL, a letter s must be appended.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`listening_ports = 127.0.0.1:2020`
			`#listening_ports = 80,443s`

adding comment on configuration options 2016-08-25 23:33:41 +02:00			`# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`enable_keep_alive = no`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Number of worker threads.`
			`num_threads = 50`

			`# Switch to given user credentials after startup.`
			`# Required to run on privileged ports and not be run as root.`
			`# run_as_user = uts-server`

			`# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:`
			`# * limit speed for all connections`
			`# x.x.x.x/mask limit speed for specified subnet`
			`# The value is a floating-point number of bytes per second, optionally followed by a k or m character`
			`# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate`
			`throttle = *`
			`#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0`

			`# Timeout for network read and network write operations, in milliseconds.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`request_timeout_ms = 30000`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Path to the SSL certificate file. (PEM format containing private key and certificate)`
adding default configuration file 2016-08-25 23:03:56 +02:00			`#ssl_certificate = /etc/uts-server/cert.pem`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Enable client's certificate verification by the server.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`#ssl_verify_peer = yes`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Name of a directory containing trusted CA certificates`
adding default configuration file 2016-08-25 23:03:56 +02:00			`#ssl_ca_path = /etc/ssl/ca/`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`#ssl_ca_file = /etc/uts-server/ca.pem`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Sets maximum depth of certificate chain.`
			`# If client's certificate chain is longer than the depth set here connection is refused.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`#ssl_verify_depth = 9`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# Loads default trusted certificates locations set at openssl compile time.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`#ssl_default_verify_paths = yes`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed`
			`#ssl_cipher_list = ALL:!eNULL`

			`# Sets the minimal accepted version of SSL/TLS protocol according to the table:`
			`# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0`
			`# SSL3+TLS1.0+TLS1.1+TLS1.2 1`
			`# TLS1.0+TLS1.1+TLS1.2 2`
			`# TLS1.1+TLS1.2 3`
			`# TLS1.2 4`

			`#ssl_protocol_version = 3`

			`# Enables the use of short lived certificates`
adding default configuration file 2016-08-25 23:03:56 +02:00			`#ssl_short_trust = no`
adding comment on configuration options 2016-08-25 23:33:41 +02:00
			`# comma separated list of IP subnets to accept/deny`
			`# deny all accesses, only allow 192.168/16 subnet`
			`#access_control_allow_origin = -0.0.0.0/0,+192.168/16`

			`# Enable TCP_NODELAY socket option on client connections.`
adding default configuration file 2016-08-25 23:03:56 +02:00			`tcp_nodelay = 0`

adding possible values for syslog level 2016-08-26 00:06:56 +02:00			`# loglevel`
			`# debug, info, notice, warn, err, emerg, crit`
adding comment on configuration options 2016-08-25 23:33:41 +02:00			`log_level = info`
adding default configuration file 2016-08-25 23:03:56 +02:00
			`####################################################################`
			`[ tsa ]`

			`default_tsa = tsa_config1 # the default TSA section`

			`[ tsa_config1 ]`

			`# These are used by the TSA reply generation only.`
			`dir = ./demoCA # TSA root directory`
adding creation for the ts context 2016-08-26 01:28:34 +02:00			`serial = ./tsaserial # The current serial number (mandatory)`
adding default configuration file 2016-08-25 23:03:56 +02:00			`crypto_device = builtin # OpenSSL engine to use for signing`
			`signer_cert = $dir/tsacert.pem # The TSA signing certificate`
			`# (optional)`
			`certs = $dir/cacert.pem # Certificate chain to include in reply`
			`# (optional)`
			`signer_key = $dir/private/tsakey.pem # The TSA private key (optional)`

			`default_policy = tsa_policy1 # Policy if request did not specify it`
			`# (optional)`
			`other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)`
			`digests = md5, sha1 # Acceptable message digests (mandatory)`
			`accuracy = secs:1, millisecs:500, microsecs:100 # (optional)`
			`clock_precision_digits = 0 # number of digits after dot. (optional)`
			`ordering = yes # Is ordering defined for timestamps?`
			`# (optional, default: no)`
			`tsa_name = yes # Must the TSA name be included in the reply?`
			`# (optional, default: no)`
			`ess_cert_id_chain = no # Must the ESS cert id chain be included?`
			`# (optional, default: no)`