authorDr. Stephen Henson <steve@openssl.org>2015-11-19 15:50:15 +0000
committerDr. Stephen Henson <steve@openssl.org>2015-11-20 13:40:53 +0000
commit2cc7acd273bc39f1360aed52400d18bb65b88a95 (patch)
tree1b18d8ea7223e4d5919d8927cca4978755070636
parente20b47275109aafc559446d731e6baad4a1f55d1 (diff)
Use better defaults for TSA.
Use SHA256 for TSA and set permitted digests to a sensible value. Based on PR#4141 Reviewed-by: Matt Caswell <matt@openssl.org>
-rw-r--r--apps/openssl-vms.cnf2
-rw-r--r--apps/openssl.cnf4
-rw-r--r--doc/apps/ts.pod7
-rw-r--r--test/CAtsa.cnf10
4 files changed, 11 insertions, 12 deletions
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index ba6977c..51a296b2 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -340,7 +340,7 @@ signer_digest = sha1 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
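Review bot: apps/openssl-vms.cnf still has `signer_digest = sha1` — the hunk header at @@ -340 shows that line unchanged directly above this hunk — while the matching hunk in apps/openssl.cnf moves it to sha256. Assuming the VMS copy is meant to mirror openssl.cnf, a TSA run from this file would keep signing timestamp tokens with SHA-1 even though the commit message says SHA256 is now the default. Suggest `signer_digest = sha256 # Signing digest to use. (Optional)` here as well; the diffstat (2 lines changed for the VMS file versus 4 for openssl.cnf) confirms only the `digests` line was touched.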
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 473c884..53c4bef 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -335,11 +335,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest = sha1 # Signing digest to use. (Optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
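Review bot: The new `digests` line keeps `sha1` among the message digests the TSA accepts in requests, while `signer_digest` on the line above moves to sha256; nothing in the file records why SHA-1 imprints are still honoured, so a reader cannot tell deliberate compatibility from an oversight. A full-line comment above the key, in the style of the existing `# (optional)` lines, would pin the intent and make a later removal a conscious step, e.g. `# sha1 retained only for requests from older clients; drop once they are migrated`. The same applies to the `digests` lines in apps/openssl-vms.cnf and in both tsa_config sections of test/CAtsa.cnf.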
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index 038dfae..82b9e55 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -28,7 +28,7 @@ B<-reply>
[B<-passin> password_src]
[B<-signer> tsa_cert.pem]
[B<-inkey> private.pem]
-[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>]
+[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
[B<-chain> certs_file.pem]
[B<-policy> object_id]
[B<-in> response.tsr]
@@ -216,7 +216,7 @@ variable of the config file. (Optional)
The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional)
-=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
+=item B<-sha1|-sha224|-sha256|-sha384|-sha512>
Signing digest to use. Overrides the B<signer_digest> config file
option. (Optional)
@@ -405,8 +405,7 @@ command line option. (Optional)
=item B<signer_digest>
Signing digest to use. The same as the
-B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
-command line option. (Optional)
+B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
=item B<default_policy>
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index 95a21f9..ab2f84a 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -35,7 +35,7 @@ private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
-default_md = sha1 # which md to use.
+default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
@@ -132,11 +132,11 @@ signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
certs = $dir/tsaca.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
-signer_digest = sha1 # Signing digest to use. (Optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
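Review bot: With md5 dropped from `digests` in both tsa_config sections of this test configuration (this hunk and the one at @@ -156), a request carrying an MD5 imprint should now be refused, but the fixture changes in this diff only describe the accepted path. If the test driver that reads CAtsa.cnf is not adjusted elsewhere, the new rejection behaviour goes unexercised; presumably one request using a digest outside the list, checked for a failing reply, would cover it. The TSA test script itself is not part of this diff, so this is worth confirming there.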
@@ -156,8 +156,8 @@ signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
-signer_digest = sha1 # Signing digest to use. (Optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)