security-and-privacy/uts-server
security-and-privacy
/
uts-server
mirror of https://github.com/kakwa/uts-server
1
0
Fork 0
Code Issues Releases Wiki Activity

more secure cryptographic algorithm in example configuration

This commit is contained in:
kakwa 2016-09-12 22:43:00 +02:00
parent 34cdebfaa3
commit e372e96b70
3 changed files with 127 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
conf/uts-server.cnf
View File

@ -69,9 +69,10 @@ request_timeout_ms = 30000
# locations set at OpenSSL compile time. # locations set at OpenSSL compile time.
#ssl_default_verify_paths = yes #ssl_default_verify_paths = yes
# List of enabled ciphers for ssl.
# See https://www.openssl.org/docs/manmaster/apps/ciphers.html # See https://www.openssl.org/docs/manmaster/apps/ciphers.html
# for more detailed # or 'man ciphers' for more detailed.
#ssl_cipher_list = ALL:!eNULL #ssl_cipher_list = ALL:!eNULL:!SSLv3
# Sets the minimal accepted version of SSL/TLS protocol # Sets the minimal accepted version of SSL/TLS protocol
# according to the table: # according to the table:
@ -127,7 +128,9 @@ default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3 other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests. (mandatory) # Acceptable message digests. (mandatory)
digests = md5, sha1 # See https://www.openssl.org/docs/manmaster/apps/dgst.html
# or 'man dgst' to get the list of available digests
digests = md5, sha1, sha224, sha256, sha384, sha512
# Time-Stamp accuracy. (optional) # Time-Stamp accuracy. (optional)
accuracy = secs:1, millisecs:500, microsecs:100 accuracy = secs:1, millisecs:500, microsecs:100

237
docs/configure.rst
View File

@ -5,135 +5,138 @@ Section [ main ]
Main configuration section (mostly http configuration). Main configuration section (mostly http configuration).
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+=============================+=====================================================================+======================================+ +=============================+=====================================================================+===========================================+
| access_control_allow_origin | Comma separated list of IP subnets to accept/deny | -0.0.0.0/0,+192.168/16 | | access_control_allow_origin | Comma separated list of IP subnets to accept/deny | -0.0.0.0/0,+192.168/16 |
| | | | | | | |
| | Ex: -0.0.0.0/0,+192.168.0.0/16 | | | | Ex: -0.0.0.0/0,+192.168.0.0/16 | |
| | (deny all accesses, only allow 192.168.0.0/16 subnet) | | | | (deny all accesses, only allow 192.168.0.0/16 subnet) | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| enable_keep_alive | Allows clients to reuse TCP connection for subsequent | no | | enable_keep_alive | Allows clients to reuse TCP connection for subsequent | no |
| | HTTP requests, which improves performance. | | | | HTTP requests, which improves performance. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| listening_ports | Comma-separated list of IP:port tuples to listen on. | 127.0.0.1:2020 | | listening_ports | Comma-separated list of IP:port tuples to listen on. | 127.0.0.1:2020 |
| | If the port is SSL, a letter s must be appended. | | | | If the port is SSL, a letter s must be appended. | |
| | | | | | | |
| | Ex: listening_ports = 80,443s | | | | Ex: listening_ports = 80,443s | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| log_level | Loglevel (debug, info, notice, warn, err, emerg, crit) | info | | log_level | Loglevel (debug, info, notice, warn, err, emerg, crit) | info |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| num_threads | Number of worker threads. | 50 | | num_threads | Number of worker threads. | 50 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| request_timeout_ms | Timeout for network read and network write operations. | 30000 | | request_timeout_ms | Timeout for network read and network write operations. | 30000 |
| | In milliseconds. | | | | In milliseconds. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| run_as_user | Switch to given user credentials after startup. | uts-server | | run_as_user | Switch to given user credentials after startup. | uts-server |
| | Required to run on privileged ports as non root user. | | | | Required to run on privileged ports as non root user. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| ssl_ca_file | Path to a .pem file containing trusted certificates. | /etc/uts-server/ca.pem | | ssl_ca_file | Path to a .pem file containing trusted certificates. | /etc/uts-server/ca.pem |
| | The file may contain more than one certificate. | | | | The file may contain more than one certificate. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| ssl_ca_path | Name of a directory containing trusted CA certificates. | /etc/ssl/ca/ | | ssl_ca_path | Name of a directory containing trusted CA certificates. | /etc/ssl/ca/ |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| ssl_certificate | Path to the SSL certificate file . | /etc/uts-server/cert.pem | | ssl_certificate | Path to the SSL certificate file . | /etc/uts-server/cert.pem |
| | PEM format must contain private key and certificate. | | | | PEM format must contain private key and certificate. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| ssl_cipher_list | See https://www.openssl.org/docs/manmaster/apps/ciphers.html | ALL:!eNULL | | ssl_cipher_list | List of enabled ciphers for ssl. | ALL:!eNULL:!SSLv3 |
| | for more detailed | | | | See https://www.openssl.org/docs/manmaster/apps/ciphers.html | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | | or 'man ciphers' for more detailed. | |
| ssl_default_verify_paths | Loads default trusted certificates | yes | +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| | locations set at OpenSSL compile time. | | | ssl_default_verify_paths | Loads default trusted certificates | yes |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | | locations set at OpenSSL compile time. | |
| ssl_protocol_version | Sets the minimal accepted version of SSL/TLS protocol | 3 | +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| | according to the table: | | | ssl_protocol_version | Sets the minimal accepted version of SSL/TLS protocol | 3 |
| | | | | | according to the table: | |
| | - SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 | | | | | |
| | | | | | - SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 | |
| | - SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 | | | | | |
| | | | | | - SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 | |
| | - TLS1.0+TLS1.1+TLS1.2 -> 2 | | | | | |
| | | | | | - TLS1.0+TLS1.1+TLS1.2 -> 2 | |
| | - TLS1.1+TLS1.2 -> 3 | | | | | |
| | | | | | - TLS1.1+TLS1.2 -> 3 | |
| | - TLS1.2 -> 4 | | | | | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | | - TLS1.2 -> 4 | |
| ssl_short_trust | Enables the use of short lived certificates | no | +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | ssl_short_trust | Enables the use of short lived certificates | no |
| ssl_verify_depth | Sets maximum depth of certificate chain. | 9 | +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| | If client's certificate chain is longer | | | ssl_verify_depth | Sets maximum depth of certificate chain. | 9 |
| | than the depth set here connection is refused. | | | | If client's certificate chain is longer | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | | than the depth set here connection is refused. | |
| ssl_verify_peer | Enable client's certificate verification by the server. | yes | +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | ssl_verify_peer | Enable client's certificate verification by the server. | yes |
| tcp_nodelay | Enable TCP_NODELAY socket option on client connections. | 0 | +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | tcp_nodelay | Enable TCP_NODELAY socket option on client connections. | 0 |
| throttle | Limit download speed for clients. | \*=0 | +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| | | | | throttle | Limit download speed for clients. | \*=0 |
| | Throttle is a comma-separated list of key=value pairs: | | | | | |
| | | | | | Throttle is a comma-separated list of key=value pairs: | |
| | - \* -> limit speed for all connections | | | | | |
| | | | | | - \* -> limit speed for all connections | |
| | - x.x.x.x/mask -> limit speed for specified subnet | | | | | |
| | | | | | - x.x.x.x/mask -> limit speed for specified subnet | |
| | The value is a floating-point number of bytes per second, | | | | | |
| | optionally followed by a k or m character | | | | The value is a floating-point number of bytes per second, | |
| | meaning kilobytes and megabytes respectively. | | | | optionally followed by a k or m character | |
| | | | | | meaning kilobytes and megabytes respectively. | |
| | A limit of 0 means unlimited rate. | | | | | |
| | | | | | A limit of 0 means unlimited rate. | |
| | Ex: throttle = \*=1k,10.10.0.0/16=10m,10.20.0.0/16=0 | | | | | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | | Ex: throttle = \*=1k,10.10.0.0/16=10m,10.20.0.0/16=0 | |
+-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
Section [ oids ] Section [ oids ]
---------------- ----------------
Section for declaring OID mapping. Just add <name> = <OID> pairs. Section for declaring OID mapping. Just add <name> = <OID> pairs.
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+=============================+=====================================================================+======================================+ +=============================+=====================================================================+===========================================+
| tsa_policy1 | | 1.2.3.4.1 | | tsa_policy1 | | 1.2.3.4.1 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| tsa_policy2 | | 1.2.3.4.5.6 | | tsa_policy2 | | 1.2.3.4.5.6 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| tsa_policy3 | | 1.2.3.4.5.7 | | tsa_policy3 | | 1.2.3.4.5.7 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
Section [ tsa ] Section [ tsa ]
--------------- ---------------
TSA configuration parameters. TSA configuration parameters.
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+=============================+=====================================================================+======================================+ +=============================+=====================================================================+===========================================+
| accuracy | Time-Stamp accuracy. (optional) | secs:1, millisecs:500, microsecs:100 | | accuracy | Time-Stamp accuracy. (optional) | secs:1, millisecs:500, microsecs:100 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| certs | Certificate chain to include in reply. (optional) | $dir/cacert.pem | | certs | Certificate chain to include in reply. (optional) | $dir/cacert.pem |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| clock_precision_digits | Number of decimals for Time-Stamp. (optional) | 0 | | clock_precision_digits | Number of decimals for Time-Stamp. (optional) | 0 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| crypto_device | OpenSSL engine to use for signing. | builtin | | crypto_device | OpenSSL engine to use for signing. | builtin |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| default_policy | Policy if request did not specify it. (optional) | tsa_policy1 | | default_policy | Policy if request did not specify it. (optional) | tsa_policy1 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| digests | Acceptable message digests. (mandatory) | md5, sha1 | | digests | Acceptable message digests. (mandatory) | md5, sha1, sha224, sha256, sha384, sha512 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ | | See https://www.openssl.org/docs/manmaster/apps/dgst.html | |
| dir | TSA root directory. | /etc/uts-server/pki | | | or 'man dgst' to get the list of available digests | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| ess_cert_id_chain | Must the ESS cert id chain be included? (optional, default: no) | no | | dir | TSA root directory. | /etc/uts-server/pki |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| ordering | Is ordering defined for timestamps? (optional, default: no) | yes | | ess_cert_id_chain | Must the ESS cert id chain be included? (optional, default: no) | no |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| other_policies | Acceptable policies. (optional) | tsa_policy2, tsa_policy3 | | ordering | Is ordering defined for timestamps? (optional, default: no) | yes |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| signer_cert | The TSA signing certificat. (optional) | $dir/tsacert.pem | | other_policies | Acceptable policies. (optional) | tsa_policy2, tsa_policy3 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| signer_key | The TSA private key. (optional) | $dir/private/tsakey.pem | | signer_cert | The TSA signing certificat. (optional) | $dir/tsacert.pem |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| tsa_name | Must the TSA name be included in the reply? (optional, default: no) | yes | | signer_key | The TSA private key. (optional) | $dir/private/tsakey.pem |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
| tsa_name | Must the TSA name be included in the reply? (optional, default: no) | yes |
+-----------------------------+---------------------------------------------------------------------+-------------------------------------------+
Full Configuration File Full Configuration File
======================= =======================

2
tests/cfg/uts-server.cnf
View File

@ -109,7 +109,7 @@ other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests # Acceptable message digests
# (mandatory) # (mandatory)
digests = md5, sha1 digests = md5, sha1, sha224, sha256, sha384, sha512
# (optional) # (optional)
accuracy = secs:1, millisecs:500, microsecs:100 accuracy = secs:1, millisecs:500, microsecs:100