security-and-privacy/uts-server
security-and-privacy/uts-server
1
0
Fork 0
mirror of https://github.com/kakwa/uts-server synced 2024-11-04 17:08:49 +01:00
Code Issues Releases Wiki Activity
eea38f368c
uts-server/README.rst
kakwa eea38f368c cosmetic changes
2016-09-10 03:30:09 +02:00

19 KiB
Raw Blame History

uts-server

image

Micro timestamp server (RFC 3161) written in C

Status

Alpha

Dependencies

Runtime dependencies

Build dependencies

  • cmake
  • either gcc or clang

License

Released under the MIT Public License

Usage

$ ./uts-server --help
Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p <pidfile>]

UTS micro timestamp server (RFC 3161)

  -c, --conffile=CONFFILE    Path to configuration file
  -d, --daemonize            Launch as a daemon
  -D, --debug                STDOUT debugging
  -p, --pidfile=PIDFILE      Path to pid file
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report bugs to Pierre-Francois Carpentier <carpentier.pf@gmail.com>.

Configuration

main

Main configuration section (mostly http configuration).

param description example value
access_control_allow_origin

Comma separated list of IP subnets to accept/deny

Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet)

 -0.0.0.0/0,+192.168/16
enable_keep_alive Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance. no
listening_ports Comma-separated list of ips:ports to listen on. If the port is SSL, a letter s must be appended. Ex: listening_ports = 80,443s 127.0.0.1:2020
log_level Loglevel (debug, info, notice, warn, err, emerg, crit) info
num_threads Number of worker threads. 50
request_timeout_ms Timeout for network read and network write operations. In milliseconds. 30000
run_as_user Switch to given user credentials after startup. Required to run on privileged ports as non root user. uts-server
ssl_ca_file Path to a .pem file containing trusted certificates. The file may contain more than one certificate. /etc/uts-server/ca.pem
ssl_ca_path Name of a directory containing trusted CA certificates. /etc/ssl/ca/
ssl_certificate Path to the SSL certificate file . PEM format must contain private key and certificate. /etc/uts-server/cert.pem
ssl_cipher_list See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed ALL:!eNULL
ssl_default_verify_paths Loads default trusted certificates locations set at openssl compile time. yes
ssl_protocol_version

Sets the minimal accepted version of SSL/TLS protocol according to the table:

  • SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0
  • SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1
  • TLS1.0+TLS1.1+TLS1.2 -> 2
  • TLS1.1+TLS1.2 -> 3
  • TLS1.2 -> 4
 3
ssl_short_trust Enables the use of short lived certificates no
ssl_verify_depth Sets maximum depth of certificate chain. If client's certificate chain is longer than the depth set here connection is refused. 9
ssl_verify_peer Enable client's certificate verification by the server. yes
tcp_nodelay Enable TCP_NODELAY socket option on client connections. 0
throttle

Limit download speed for clients.

Throttle is a comma-separated list of key=value pairs:

  • * -> limit speed for all connections
  • x.x.x.x/mask -> limit speed for specified subnet

The value is a floating-point number of bytes per second, optionally followed by a k or m character meaning kilobytes and megabytes respectively.

A limit of 0 means unlimited rate.

Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0

 *=0

oids

Section for declarinG OID mapping. Just add <name> = <OID> pairs.

param description example value
tsa_policy1 1.2.3.4.1
tsa_policy2 1.2.3.4.5.6
tsa_policy3 1.2.3.4.5.7

tsa

Section defining which TSA section to use.

param description example value
default_tsa Name of the TSA section to use as default. tsa_config1

tsa_config1

Example of timestamp section configuration.

param description example value
accuracy Timestamp accuracy. (optional) secs:1, millisecs:500, microsecs:100
certs Certificate chain to include in reply. (optional) $dir/cacert.pem
clock_precision_digits Number of decimals for timestamp. (optional) 0
crypto_device OpenSSL engine to use for signing. builtin
default_policy Policy if request did not specify it. (optional) tsa_policy1
digests Acceptable message digests. (mandatory) md5, sha1
dir TSA root directory. /etc/uts-server/pki
ess_cert_id_chain Must the ESS cert id chain be included? (optional, default: no) no
ordering Is ordering defined for timestamps? (optional, default: no) yes
other_policies Acceptable policies. (optional) tsa_policy2, tsa_policy3
signer_cert The TSA signing certificat. (optional) $dir/tsacert.pem
signer_key The TSA private key. (optional) $dir/private/tsakey.pem
tsa_name Must the TSA name be included in the reply? (optional, default: no) yes

Building

$ cmake .
$ make -j 2

Playing with it

# building with civetweb embedded (will recover civetweb from github)
$ cmake . -DBUNDLE_CIVETWEB=ON
$ make

# create some test certificates
$ ./tests/cfg/pki/create_tsa_certs

# launching the timestamp server with test configuration in debug mode
$ ./uts-server -c tests/cfg/uts-server.cnf -D

# in another shell, launching a timestamp script on the README.md file
$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";