# Section for declaring OID mapping. Just add = pairs. [ oids ] tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 # Main configuration section (mostly http configuration). [ main ] # Comma-separated list of IP:port tuples to listen on. # If the port is SSL, a letter s must be appended. # # Ex: listening_ports = 80,443s listening_ports = 127.0.0.1:2020 # Allows clients to reuse TCP connection for subsequent # HTTP requests, which improves performance. enable_keep_alive = no # Number of worker threads. num_threads = 50 # Switch to given user credentials after startup. # Required to run on privileged ports as non root user. #run_as_user = uts-server # Limit download speed for clients. # # Throttle is a comma-separated list of key=value pairs: # # - * -> limit speed for all connections # # - x.x.x.x/mask -> limit speed for specified subnet # # The value is a floating-point number of bytes per second, # optionally followed by a k or m character # meaning kilobytes and megabytes respectively. # # A limit of 0 means unlimited rate. # # Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0 throttle = *=0 # Timeout for network read and network write operations. # In milliseconds. request_timeout_ms = 30000 # Path to the SSL certificate file . # PEM format must contain private key and certificate. #ssl_certificate = /etc/uts-server/cert.pem # Enable client's certificate verification by the server. #ssl_verify_peer = yes # Name of a directory containing trusted CA certificates. #ssl_ca_path = /etc/ssl/ca/ # Path to a .pem file containing trusted certificates. # The file may contain more than one certificate. #ssl_ca_file = /etc/uts-server/ca.pem # Sets maximum depth of certificate chain. # If client's certificate chain is longer # than the depth set here connection is refused. #ssl_verify_depth = 9 # Loads default trusted certificates # locations set at OpenSSL compile time. #ssl_default_verify_paths = yes # List of enabled ciphers for ssl. # See https://www.openssl.org/docs/manmaster/apps/ciphers.html # or 'man ciphers' for more detailed. #ssl_cipher_list = ALL:!eNULL:!SSLv3 # Sets the minimal accepted version of SSL/TLS protocol # according to the table: # # - SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 # # - SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 # # - TLS1.0+TLS1.1+TLS1.2 -> 2 # # - TLS1.1+TLS1.2 -> 3 # # - TLS1.2 -> 4 #ssl_protocol_version = 3 # Enables the use of short lived certificates #ssl_short_trust = no # Comma separated list of IP subnets to accept/deny # # Ex: -0.0.0.0/0,+192.168.0.0/16 # (deny all accesses, only allow 192.168.0.0/16 subnet) #access_control_allow_origin = -0.0.0.0/0,+192.168/16 # Enable TCP_NODELAY socket option on client connections. tcp_nodelay = 0 # Loglevel (debug, info, notice, warn, err, emerg, crit) log_level = info # Enable logging to syslog (default: yes) log_to_syslog = yes # Enable logging to stdout (default: no) #log_to_stdout = no # TSA configuration parameters. [ tsa ] # TSA root directory. dir = /etc/uts-server/pki # OpenSSL engine to use for signing. #crypto_device = builtin # The TSA signing certificat. (optional) signer_cert = $dir/tsacert.pem # Certificate chain to include in reply. (optional) certs = $dir/cacert.pem # The TSA private key. (optional) signer_key = $dir/private/tsakey.pem # Policy if request did not specify it. (optional) default_policy = tsa_policy1 # Acceptable policies. (optional) other_policies = tsa_policy2, tsa_policy3 # Acceptable message digests. (mandatory) # See https://www.openssl.org/docs/manmaster/apps/dgst.html # or 'man dgst' to get the list of available digests digests = md5, sha1, sha224, sha256, sha384, sha512 # Time-Stamp accuracy. (optional) accuracy = secs:1, millisecs:500, microsecs:100 # Number of decimals for Time-Stamp. (optional) clock_precision_digits = 0 # Is ordering defined for timestamps? (optional, default: no) ordering = yes # Must the TSA name be included in the reply? (optional, default: no) tsa_name = yes # Must the ESS cert id chain be included? (optional, default: no) ess_cert_id_chain = no