From e372e96b70a1be48b0431c086a4ba9117e01e93e Mon Sep 17 00:00:00 2001 From: kakwa Date: Mon, 12 Sep 2016 22:43:00 +0200 Subject: [PATCH] more secure cryptographic algorithm in example configuration --- conf/uts-server.cnf | 9 +- docs/configure.rst | 237 ++++++++++++++++++++------------------- tests/cfg/uts-server.cnf | 2 +- 3 files changed, 127 insertions(+), 121 deletions(-) diff --git a/conf/uts-server.cnf b/conf/uts-server.cnf index cc20c97..6dff509 100644 --- a/conf/uts-server.cnf +++ b/conf/uts-server.cnf @@ -69,9 +69,10 @@ request_timeout_ms = 30000 # locations set at OpenSSL compile time. #ssl_default_verify_paths = yes +# List of enabled ciphers for ssl. # See https://www.openssl.org/docs/manmaster/apps/ciphers.html -# for more detailed -#ssl_cipher_list = ALL:!eNULL +# or 'man ciphers' for more detailed. +#ssl_cipher_list = ALL:!eNULL:!SSLv3 # Sets the minimal accepted version of SSL/TLS protocol # according to the table: @@ -127,7 +128,9 @@ default_policy = tsa_policy1 other_policies = tsa_policy2, tsa_policy3 # Acceptable message digests. (mandatory) -digests = md5, sha1 +# See https://www.openssl.org/docs/manmaster/apps/dgst.html +# or 'man dgst' to get the list of available digests +digests = md5, sha1, sha224, sha256, sha384, sha512 # Time-Stamp accuracy. (optional) accuracy = secs:1, millisecs:500, microsecs:100 diff --git a/docs/configure.rst b/docs/configure.rst index 463b47e..26f7614 100644 --- a/docs/configure.rst +++ b/docs/configure.rst @@ -5,135 +5,138 @@ Section [ main ] Main configuration section (mostly http configuration). -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| Parameter | Description | Example Value | -+=============================+=====================================================================+======================================+ -| access_control_allow_origin | Comma separated list of IP subnets to accept/deny | -0.0.0.0/0,+192.168/16 | -| | | | -| | Ex: -0.0.0.0/0,+192.168.0.0/16 | | -| | (deny all accesses, only allow 192.168.0.0/16 subnet) | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| enable_keep_alive | Allows clients to reuse TCP connection for subsequent | no | -| | HTTP requests, which improves performance. | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| listening_ports | Comma-separated list of IP:port tuples to listen on. | 127.0.0.1:2020 | -| | If the port is SSL, a letter s must be appended. | | -| | | | -| | Ex: listening_ports = 80,443s | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| log_level | Loglevel (debug, info, notice, warn, err, emerg, crit) | info | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| num_threads | Number of worker threads. | 50 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| request_timeout_ms | Timeout for network read and network write operations. | 30000 | -| | In milliseconds. | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| run_as_user | Switch to given user credentials after startup. | uts-server | -| | Required to run on privileged ports as non root user. | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_ca_file | Path to a .pem file containing trusted certificates. | /etc/uts-server/ca.pem | -| | The file may contain more than one certificate. | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_ca_path | Name of a directory containing trusted CA certificates. | /etc/ssl/ca/ | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_certificate | Path to the SSL certificate file . | /etc/uts-server/cert.pem | -| | PEM format must contain private key and certificate. | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_cipher_list | See https://www.openssl.org/docs/manmaster/apps/ciphers.html | ALL:!eNULL | -| | for more detailed | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_default_verify_paths | Loads default trusted certificates | yes | -| | locations set at OpenSSL compile time. | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_protocol_version | Sets the minimal accepted version of SSL/TLS protocol | 3 | -| | according to the table: | | -| | | | -| | - SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 | | -| | | | -| | - SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 | | -| | | | -| | - TLS1.0+TLS1.1+TLS1.2 -> 2 | | -| | | | -| | - TLS1.1+TLS1.2 -> 3 | | -| | | | -| | - TLS1.2 -> 4 | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_short_trust | Enables the use of short lived certificates | no | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_verify_depth | Sets maximum depth of certificate chain. | 9 | -| | If client's certificate chain is longer | | -| | than the depth set here connection is refused. | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ssl_verify_peer | Enable client's certificate verification by the server. | yes | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| tcp_nodelay | Enable TCP_NODELAY socket option on client connections. | 0 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| throttle | Limit download speed for clients. | \*=0 | -| | | | -| | Throttle is a comma-separated list of key=value pairs: | | -| | | | -| | - \* -> limit speed for all connections | | -| | | | -| | - x.x.x.x/mask -> limit speed for specified subnet | | -| | | | -| | The value is a floating-point number of bytes per second, | | -| | optionally followed by a k or m character | | -| | meaning kilobytes and megabytes respectively. | | -| | | | -| | A limit of 0 means unlimited rate. | | -| | | | -| | Ex: throttle = \*=1k,10.10.0.0/16=10m,10.20.0.0/16=0 | | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| Parameter | Description | Example Value | ++=============================+=====================================================================+===========================================+ +| access_control_allow_origin | Comma separated list of IP subnets to accept/deny | -0.0.0.0/0,+192.168/16 | +| | | | +| | Ex: -0.0.0.0/0,+192.168.0.0/16 | | +| | (deny all accesses, only allow 192.168.0.0/16 subnet) | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| enable_keep_alive | Allows clients to reuse TCP connection for subsequent | no | +| | HTTP requests, which improves performance. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| listening_ports | Comma-separated list of IP:port tuples to listen on. | 127.0.0.1:2020 | +| | If the port is SSL, a letter s must be appended. | | +| | | | +| | Ex: listening_ports = 80,443s | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| log_level | Loglevel (debug, info, notice, warn, err, emerg, crit) | info | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| num_threads | Number of worker threads. | 50 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| request_timeout_ms | Timeout for network read and network write operations. | 30000 | +| | In milliseconds. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| run_as_user | Switch to given user credentials after startup. | uts-server | +| | Required to run on privileged ports as non root user. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_ca_file | Path to a .pem file containing trusted certificates. | /etc/uts-server/ca.pem | +| | The file may contain more than one certificate. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_ca_path | Name of a directory containing trusted CA certificates. | /etc/ssl/ca/ | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_certificate | Path to the SSL certificate file . | /etc/uts-server/cert.pem | +| | PEM format must contain private key and certificate. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_cipher_list | List of enabled ciphers for ssl. | ALL:!eNULL:!SSLv3 | +| | See https://www.openssl.org/docs/manmaster/apps/ciphers.html | | +| | or 'man ciphers' for more detailed. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_default_verify_paths | Loads default trusted certificates | yes | +| | locations set at OpenSSL compile time. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_protocol_version | Sets the minimal accepted version of SSL/TLS protocol | 3 | +| | according to the table: | | +| | | | +| | - SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 | | +| | | | +| | - SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 | | +| | | | +| | - TLS1.0+TLS1.1+TLS1.2 -> 2 | | +| | | | +| | - TLS1.1+TLS1.2 -> 3 | | +| | | | +| | - TLS1.2 -> 4 | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_short_trust | Enables the use of short lived certificates | no | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_verify_depth | Sets maximum depth of certificate chain. | 9 | +| | If client's certificate chain is longer | | +| | than the depth set here connection is refused. | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ssl_verify_peer | Enable client's certificate verification by the server. | yes | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| tcp_nodelay | Enable TCP_NODELAY socket option on client connections. | 0 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| throttle | Limit download speed for clients. | \*=0 | +| | | | +| | Throttle is a comma-separated list of key=value pairs: | | +| | | | +| | - \* -> limit speed for all connections | | +| | | | +| | - x.x.x.x/mask -> limit speed for specified subnet | | +| | | | +| | The value is a floating-point number of bytes per second, | | +| | optionally followed by a k or m character | | +| | meaning kilobytes and megabytes respectively. | | +| | | | +| | A limit of 0 means unlimited rate. | | +| | | | +| | Ex: throttle = \*=1k,10.10.0.0/16=10m,10.20.0.0/16=0 | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ Section [ oids ] ---------------- Section for declaring OID mapping. Just add = pairs. -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| Parameter | Description | Example Value | -+=============================+=====================================================================+======================================+ -| tsa_policy1 | | 1.2.3.4.1 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| tsa_policy2 | | 1.2.3.4.5.6 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| tsa_policy3 | | 1.2.3.4.5.7 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| Parameter | Description | Example Value | ++=============================+=====================================================================+===========================================+ +| tsa_policy1 | | 1.2.3.4.1 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| tsa_policy2 | | 1.2.3.4.5.6 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| tsa_policy3 | | 1.2.3.4.5.7 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ Section [ tsa ] --------------- TSA configuration parameters. -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| Parameter | Description | Example Value | -+=============================+=====================================================================+======================================+ -| accuracy | Time-Stamp accuracy. (optional) | secs:1, millisecs:500, microsecs:100 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| certs | Certificate chain to include in reply. (optional) | $dir/cacert.pem | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| clock_precision_digits | Number of decimals for Time-Stamp. (optional) | 0 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| crypto_device | OpenSSL engine to use for signing. | builtin | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| default_policy | Policy if request did not specify it. (optional) | tsa_policy1 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| digests | Acceptable message digests. (mandatory) | md5, sha1 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| dir | TSA root directory. | /etc/uts-server/pki | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ess_cert_id_chain | Must the ESS cert id chain be included? (optional, default: no) | no | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| ordering | Is ordering defined for timestamps? (optional, default: no) | yes | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| other_policies | Acceptable policies. (optional) | tsa_policy2, tsa_policy3 | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| signer_cert | The TSA signing certificat. (optional) | $dir/tsacert.pem | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| signer_key | The TSA private key. (optional) | $dir/private/tsakey.pem | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ -| tsa_name | Must the TSA name be included in the reply? (optional, default: no) | yes | -+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| Parameter | Description | Example Value | ++=============================+=====================================================================+===========================================+ +| accuracy | Time-Stamp accuracy. (optional) | secs:1, millisecs:500, microsecs:100 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| certs | Certificate chain to include in reply. (optional) | $dir/cacert.pem | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| clock_precision_digits | Number of decimals for Time-Stamp. (optional) | 0 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| crypto_device | OpenSSL engine to use for signing. | builtin | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| default_policy | Policy if request did not specify it. (optional) | tsa_policy1 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| digests | Acceptable message digests. (mandatory) | md5, sha1, sha224, sha256, sha384, sha512 | +| | See https://www.openssl.org/docs/manmaster/apps/dgst.html | | +| | or 'man dgst' to get the list of available digests | | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| dir | TSA root directory. | /etc/uts-server/pki | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ess_cert_id_chain | Must the ESS cert id chain be included? (optional, default: no) | no | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| ordering | Is ordering defined for timestamps? (optional, default: no) | yes | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| other_policies | Acceptable policies. (optional) | tsa_policy2, tsa_policy3 | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| signer_cert | The TSA signing certificat. (optional) | $dir/tsacert.pem | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| signer_key | The TSA private key. (optional) | $dir/private/tsakey.pem | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ +| tsa_name | Must the TSA name be included in the reply? (optional, default: no) | yes | ++-----------------------------+---------------------------------------------------------------------+-------------------------------------------+ Full Configuration File ======================= diff --git a/tests/cfg/uts-server.cnf b/tests/cfg/uts-server.cnf index 010ceea..df9451a 100644 --- a/tests/cfg/uts-server.cnf +++ b/tests/cfg/uts-server.cnf @@ -109,7 +109,7 @@ other_policies = tsa_policy2, tsa_policy3 # Acceptable message digests # (mandatory) -digests = md5, sha1 +digests = md5, sha1, sha224, sha256, sha384, sha512 # (optional) accuracy = secs:1, millisecs:500, microsecs:100