adding test configuration for ssl setup

2025-01-07 12:14:31 +01:00 · 2016-09-11 23:57:25 +02:00 · 2016-09-11 23:57:25 +02:00 · 1e8f0d7248
commit 1e8f0d7248
parent 3080d00e45
2 changed files with 161 additions and 2 deletions
--- a/tests/cfg/pki/create_tsa_certs
+++ b/tests/cfg/pki/create_tsa_certs
@ -28,7 +28,7 @@ create_tsa_cert () {
    export INDEX
    EXT=$2
    TSDNSECT=ts_cert_dn
-    export TSDNSECT   
+    export TSDNSECT
    openssl req -new \
        -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
@ -41,13 +41,34 @@ echo Using extension $EXT
    test $? != 0 && error
 }
 create_cert () {
    INDEX=$1
    export INDEX
    TSDNSECT=ts_cert_dn
    export TSDNSECT
    openssl req -new \
        -out tsa_req${INDEX}.pem -keyout ssl_key${INDEX}.pem
    test $? != 0 && error
    openssl x509 -req \
        -in tsa_req${INDEX}.pem -out ssl_cert${INDEX}.pem \
        -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
        -extensions server_cert
    test $? != 0 && error
    cat ssl_key${INDEX}.pem ssl_cert${INDEX}.pem >ssl_keycerts${INDEX}.pem
 }
 echo "Creating CA for TSA tests..."
 create_ca
 echo "Creating tsa_cert1.pem TSA server cert..."
 create_tsa_cert 1 tsa_cert
-echo "Creating tsa_cert2.pem non-TSA server cert..."
+echo "Creating tsa_cert2.pem TSA server cert..."
 create_tsa_cert 2 tsa_cert
 echo "Creating ssl_keycerts1.pem for ssl"
 create_cert 1
 exit 0
--- a/tests/cfg/uts-server-ssl.cnf
+++ b/tests/cfg/uts-server-ssl.cnf
@ -0,0 +1,138 @@
 [ oids ]
 # Policies used by the TSA examples.
 tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 [ main ]
 # Comma-separated list of ips:ports to listen on.
 # If the port is SSL, a letter s must be appended.
 listening_ports = 127.0.0.1:2020s
 #listening_ports = 80,443s
 # Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
 enable_keep_alive = no
 # Number of worker threads
 num_threads = 10
 # Switch to given user credentials after startup.
 # Required to run on privileged ports and not be run as root.
 #run_as_user = uts-server
 # Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
 # *                   limit speed for all connections
 # x.x.x.x/mask        limit speed for specified subnet
 # The value is a floating-point number of bytes per second, optionally followed by a k or m character
 # meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
 throttle = *=0
 #throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
 # Timeout for network read and network write operations, in milliseconds.
 request_timeout_ms = 30000
 # Path to the SSL certificate file. (PEM format containing private key and certificate)
 ssl_certificate = ./pki/ssl_keycerts1.pem
 # Enable client's certificate verification by the server.
 ssl_verify_peer = no
 # Name of a directory containing trusted CA certificates
 #ssl_ca_path = /etc/ssl/ca/
 # Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
 ssl_ca_file = ./pki/tsaca.pem
 # Sets maximum depth of certificate chain.
 # If client's certificate chain is longer than the depth set here connection is refused.
 #ssl_verify_depth = 9
 # Loads default trusted certificates locations set at openssl compile time.
 #ssl_default_verify_paths = yes
 # see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
 ssl_cipher_list = ALL:!eNULL
 # Sets the minimal accepted version of SSL/TLS protocol according to the table:
 # SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2  0
 # SSL3+TLS1.0+TLS1.1+TLS1.2       1
 # TLS1.0+TLS1.1+TLS1.2            2
 # TLS1.1+TLS1.2                   3
 # TLS1.2                          4
 ssl_protocol_version = 3
 # Enables the use of short lived certificates
 #ssl_short_trust = no
 # comma separated list of IP subnets to accept/deny
 # deny all accesses, only allow 192.168/16 subnet
 #access_control_allow_origin = -0.0.0.0/0,+192.168/16
 # Enable TCP_NODELAY socket option on client connections.
 tcp_nodelay = 0
 # loglevel
 # debug, info, notice, warn, err, emerg, crit
 log_level = info
 ####################################################################
 [ tsa ]
 # The default TSA section.
 default_tsa = tsa_config1
 [ tsa_config1 ]
 # These are used by the TSA reply generation only.
 # TSA root directory
 dir		= ./pki
 # OpenSSL engine to use for signing
 crypto_device	= builtin
 # The TSA signing certificat
 # (optional)
 signer_cert	= $dir/tsa_cert1.pem
 # Certificate chain to include in reply
 # (optional)
 certs		= $dir/tsaca.pem
 # The TSA private key
 # (optional)
 signer_key	= $dir/tsa_key1.pem
 # Policy if request did not specify it
 # (optional)
 default_policy	= tsa_policy1
 # Acceptable policies
 # (optional)
 other_policies	= tsa_policy2, tsa_policy3
 # Acceptable message digests
 # (mandatory)
 digests		= md5, sha1
 # (optional)
 accuracy	= secs:1, millisecs:500, microsecs:100
 # Number of digits after dot.
 # (optional)
 clock_precision_digits  = 0
 # Is ordering defined for timestamps?
 # (optional, default: no)
 ordering		= yes
 # Must the TSA name be included in the reply?
 ## (optional, default: no)
 tsa_name		= yes
 # Must the ESS cert id chain be included?
 # (optional, default: no)
 ess_cert_id_chain	= no