2016-08-25 23:03:56 +02:00
|
|
|
[ new_oids ]
|
|
|
|
|
|
|
|
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
|
|
|
# Add a simple OID like this:
|
|
|
|
# testoid1=1.2.3.4
|
|
|
|
# Or use config file substitution like this:
|
|
|
|
# testoid2=${testoid1}.5.6
|
|
|
|
|
|
|
|
# Policies used by the TSA examples.
|
|
|
|
tsa_policy1 = 1.2.3.4.1
|
|
|
|
tsa_policy2 = 1.2.3.4.5.6
|
|
|
|
tsa_policy3 = 1.2.3.4.5.7
|
|
|
|
|
|
|
|
[ main ]
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Comma-separated list of ips:ports to listen on.
|
|
|
|
# If the port is SSL, a letter s must be appended.
|
2016-08-25 23:03:56 +02:00
|
|
|
listening_ports = 127.0.0.1:2020
|
|
|
|
#listening_ports = 80,443s
|
|
|
|
|
2016-08-25 23:33:41 +02:00
|
|
|
# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
|
2016-08-25 23:03:56 +02:00
|
|
|
enable_keep_alive = no
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Number of worker threads.
|
|
|
|
num_threads = 50
|
|
|
|
|
|
|
|
# Switch to given user credentials after startup.
|
|
|
|
# Required to run on privileged ports and not be run as root.
|
|
|
|
# run_as_user = uts-server
|
|
|
|
|
|
|
|
# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
|
|
|
|
# * limit speed for all connections
|
|
|
|
# x.x.x.x/mask limit speed for specified subnet
|
|
|
|
# The value is a floating-point number of bytes per second, optionally followed by a k or m character
|
|
|
|
# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
|
|
|
|
throttle = *
|
|
|
|
#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
|
|
|
|
|
|
|
|
# Timeout for network read and network write operations, in milliseconds.
|
2016-08-25 23:03:56 +02:00
|
|
|
request_timeout_ms = 30000
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Path to the SSL certificate file. (PEM format containing private key and certificate)
|
2016-08-25 23:03:56 +02:00
|
|
|
#ssl_certificate = /etc/uts-server/cert.pem
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Enable client's certificate verification by the server.
|
2016-08-25 23:03:56 +02:00
|
|
|
#ssl_verify_peer = yes
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Name of a directory containing trusted CA certificates
|
2016-08-25 23:03:56 +02:00
|
|
|
#ssl_ca_path = /etc/ssl/ca/
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
|
2016-08-25 23:03:56 +02:00
|
|
|
#ssl_ca_file = /etc/uts-server/ca.pem
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Sets maximum depth of certificate chain.
|
|
|
|
# If client's certificate chain is longer than the depth set here connection is refused.
|
2016-08-25 23:03:56 +02:00
|
|
|
#ssl_verify_depth = 9
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# Loads default trusted certificates locations set at openssl compile time.
|
2016-08-25 23:03:56 +02:00
|
|
|
#ssl_default_verify_paths = yes
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
|
|
|
|
#ssl_cipher_list = ALL:!eNULL
|
|
|
|
|
|
|
|
# Sets the minimal accepted version of SSL/TLS protocol according to the table:
|
|
|
|
# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0
|
|
|
|
# SSL3+TLS1.0+TLS1.1+TLS1.2 1
|
|
|
|
# TLS1.0+TLS1.1+TLS1.2 2
|
|
|
|
# TLS1.1+TLS1.2 3
|
|
|
|
# TLS1.2 4
|
|
|
|
|
|
|
|
#ssl_protocol_version = 3
|
|
|
|
|
|
|
|
# Enables the use of short lived certificates
|
2016-08-25 23:03:56 +02:00
|
|
|
#ssl_short_trust = no
|
2016-08-25 23:33:41 +02:00
|
|
|
|
|
|
|
# comma separated list of IP subnets to accept/deny
|
|
|
|
# deny all accesses, only allow 192.168/16 subnet
|
|
|
|
#access_control_allow_origin = -0.0.0.0/0,+192.168/16
|
|
|
|
|
|
|
|
# Enable TCP_NODELAY socket option on client connections.
|
2016-08-25 23:03:56 +02:00
|
|
|
tcp_nodelay = 0
|
|
|
|
|
2016-08-26 00:06:56 +02:00
|
|
|
# loglevel
|
|
|
|
# debug, info, notice, warn, err, emerg, crit
|
2016-08-25 23:33:41 +02:00
|
|
|
log_level = info
|
2016-08-25 23:03:56 +02:00
|
|
|
|
|
|
|
####################################################################
|
|
|
|
[ tsa ]
|
|
|
|
|
|
|
|
default_tsa = tsa_config1 # the default TSA section
|
|
|
|
|
|
|
|
[ tsa_config1 ]
|
|
|
|
|
|
|
|
# These are used by the TSA reply generation only.
|
|
|
|
dir = ./demoCA # TSA root directory
|
|
|
|
serial = $dir/tsaserial # The current serial number (mandatory)
|
|
|
|
crypto_device = builtin # OpenSSL engine to use for signing
|
|
|
|
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
|
|
|
# (optional)
|
|
|
|
certs = $dir/cacert.pem # Certificate chain to include in reply
|
|
|
|
# (optional)
|
|
|
|
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
|
|
|
|
|
|
|
|
default_policy = tsa_policy1 # Policy if request did not specify it
|
|
|
|
# (optional)
|
|
|
|
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
|
|
|
digests = md5, sha1 # Acceptable message digests (mandatory)
|
|
|
|
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
|
|
|
|
clock_precision_digits = 0 # number of digits after dot. (optional)
|
|
|
|
ordering = yes # Is ordering defined for timestamps?
|
|
|
|
# (optional, default: no)
|
|
|
|
tsa_name = yes # Must the TSA name be included in the reply?
|
|
|
|
# (optional, default: no)
|
|
|
|
ess_cert_id_chain = no # Must the ESS cert id chain be included?
|
|
|
|
# (optional, default: no)
|