1
0
mirror of https://github.com/kakwa/uts-server synced 2024-12-04 23:15:54 +01:00
Go to file
kakwa e6d637f7ea switching to rst
* rename README
* more cleaning in the configuration
* build real tables for configuration parameters
2016-09-10 03:10:21 +02:00
cmake use civetweb 2016-08-19 00:04:13 +02:00
conf switching to rst 2016-09-10 03:10:21 +02:00
docs init project skeleton 2015-12-16 23:11:08 +01:00
goodies switching to rst 2016-09-10 03:10:21 +02:00
inc enabling multi-threads support 2016-09-08 23:21:53 +02:00
src more consistent log messages 2016-09-09 08:26:31 +02:00
tests displaying the timer every 1000 requests instead of every 10000 2016-09-09 00:03:42 +02:00
.gitignore adding vim swap files in the git ignore 2016-09-09 08:28:21 +02:00
.gitmodules remove submodule for civetweb 2016-09-07 20:56:02 +02:00
.travis.yml adding a small external test 2016-09-07 21:41:21 +02:00
CMakeLists.txt switch version to 0.0.1 2016-09-09 22:19:02 +02:00
LICENSE Initial commit 2015-12-16 22:13:06 +01:00
README.rst switching to rst 2016-09-10 03:10:21 +02:00

uts-server

image

Micro timestamp server (RFC 3161) written in C

Status

Alpha

Dependencies

Runtime dependencies

Build dependencies

  • cmake
  • either gcc or clang

License

Released under the MIT Public License

Usage

$ ./uts-server --help
Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p <pidfile>]

UTS micro timestamp server (RFC 3161)

  -c, --conffile=CONFFILE    Path to configuration file
  -d, --daemonize            Launch as a daemon
  -D, --debug                STDOUT debugging
  -p, --pidfile=PIDFILE      Path to pid file
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report bugs to Pierre-Francois Carpentier <carpentier.pf@gmail.com>.

Configuration

main

Main configuration section (mostly http configuration).

param description example value
access_control_allow_origin

Comma separated list of IP subnets to accept/deny

Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet)

-0.0.0.0/0,+192.168/16
enable_keep_alive
Allows clients to reuse TCP connection for subsequent

HTTP requests, which improves performance.

no
listening_ports
Comma-separated list of ips:ports to listen on.

If the port is SSL, a letter s must be appended. Ex: listening_ports = 80,443s

127.0.0.1:2020
log_level Loglevel (debug, info, notice, warn, err, emerg, crit) info
num_threads Number of worker threads. 50
request_timeout_ms
Timeout for network read and network write operations.

In milliseconds.

30000
run_as_user
Switch to given user credentials after startup.

Required to run on privileged ports as non root user.

uts-server
ssl_ca_file
Path to a .pem file containing trusted certificates.

The file may contain more than one certificate.

/etc/uts-server/ca.pem
ssl_ca_path Name of a directory containing trusted CA certificates. /etc/ssl/ca/
ssl_certificate
Path to the SSL certificate file .

PEM format must contain private key and certificate.

/etc/uts-server/cert.pem
ssl_cipher_list
See https://www.openssl.org/docs/manmaster/apps/ciphers.html

for more detailed

ALL:!eNULL
ssl_default_verify_paths
Loads default trusted certificates

locations set at openssl compile time.

yes
ssl_protocol_version
Sets the minimal accepted version of SSL/TLS protocol

according to the table:

SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 TLS1.0+TLS1.1+TLS1.2 -> 2 TLS1.1+TLS1.2 -> 3 TLS1.2 -> 4

3
ssl_short_trust Enables the use of short lived certificates no
ssl_verify_depth
Sets maximum depth of certificate chain.

If client's certificate chain is longer than the depth set here connection is refused.

9
ssl_verify_peer Enable client's certificate verification by the server. yes
tcp_nodelay Enable TCP_NODELAY socket option on client connections. 0
throttle

Limit download speed for clients.

throttle is a comma-separated list of key=value pairs: - * -> limit speed for all connections - x.x.x.x/mask -> limit speed for specified subnet

The value is a floating-point number of bytes per second, optionally followed by a k or m character meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate. Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0

*=0

oids

Section for declarinG OID mapping. Just add <name> = <OID> pairs.

param description example value
tsa_policy1 1.2.3.4.1
tsa_policy2 1.2.3.4.5.6
tsa_policy3 1.2.3.4.5.7

tsa

Section defining which TSA section to use.

param description example value
default_tsa Name of the TSA section to use as default. tsa_config1

tsa_config1

Example of timestamp section configuration.

param description example value
accuracy Timestamp accuracy. (optional) secs:1, millisecs:500, microsecs:100
certs Certificate chain to include in reply. (optional) $dir/cacert.pem
clock_precision_digits Number of decimals for timestamp. (optional) 0
crypto_device OpenSSL engine to use for signing. builtin
default_policy Policy if request did not specify it. (optional) tsa_policy1
digests Acceptable message digests. (mandatory) md5, sha1
dir TSA root directory. /etc/uts-server/pki
ess_cert_id_chain Must the ESS cert id chain be included? (optional, default: no) no
ordering Is ordering defined for timestamps? (optional, default: no) yes
other_policies Acceptable policies. (optional) tsa_policy2, tsa_policy3
signer_cert The TSA signing certificat. (optional) $dir/tsacert.pem
signer_key The TSA private key. (optional) $dir/private/tsakey.pem
tsa_name Must the TSA name be included in the reply? (optional, default: no) yes

Building

$ cmake .
$ make -j 2

Playing with it

# building with civetweb embedded (will recover civetweb from github)
$ cmake . -DBUNDLE_CIVETWEB=ON
$ make

# create some test certificates
$ ./tests/cfg/pki/create_tsa_certs

# launching the timestamp server with test configuration in debug mode
$ ./uts-server -c tests/cfg/uts-server.cnf -D

# in another shell, launching a timestamp script on the README.md file
$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";