diff -Naurp openca-ocspd-1.7.0.orig/docs/ocspd.conf.3 openca-ocspd-1.7.0.new/docs/ocspd.conf.3
--- openca-ocspd-1.7.0.orig/docs/ocspd.conf.3	2008-02-15 00:24:15.000000000 +0100
+++ openca-ocspd-1.7.0.new/docs/ocspd.conf.3	2013-11-04 20:08:27.870767852 +0100
@@ -218,7 +218,7 @@ Following is a sample configuration file
 \& group                   = daemon
 \& bind                    = *
 \& port                    = 2560
-\& max_childs_num          = 5
+\& threads_num             = 150
 \& max_req_size            = 8192
 .Ve
 .PP
@@ -261,7 +261,7 @@ Following is a sample configuration file
 \& [ dbms_ldap ]
 .Ve
 .PP
-.Vb 31
+.Vb 33
 \& # It is possible to use an URI to identify a CRL and/or the
 \& # CA certificate, the general format is:
 \& #
@@ -281,18 +281,21 @@ Following is a sample configuration file
 \& #
 \& # You can have the CRLs/CA certificates on a simple file
 \& #    crl_url = file:///usr/local/etc/ocspd/crl.pem
+\& #    ca_url = file:///usr/local/etc/ocspd/ca.pem
 \& #
 \& # You can retrieve the CRLs/CA certificates from a web server
-\& #    crl_urt = http://server/ca/cacert.der
+\& #    crl_url = http://server/ca/cacert.crl.der
+\& #    ca_url = http://server/ca/cacert.der
 \& #
 \& # You can store the CRL into an LDAP server, simply
 \& # store it in certificateRevocationList;binary attribute
 \& #
-\& # There are different way, all legal, to specify the CRL
+\& # There are different way, all legal, to specify the CRL/CA
 \& # URL address:
 \& # crl_url = ldap://user:pwd@ldap.server.org:389
 \& # crl_url = ldap://ldap.server.org:389
 \& crl_url = ldap://localhost
+\& ca_url = ldap://localhost
 .Ve
 .PP
 .Vb 5
@@ -303,6 +306,46 @@ Following is a sample configuration file
 \&                                             o=Organization, c=IT"
 .Ve
 .PP
+.Vb 12
+\& # To retrieve the CRL from LDAP the attribute where it is stored is to
+\& # be specified. Usually this should be set to:
+\& #
+\& #     certificateRevocationList;binary
+\& #
+\& # anyway existing LDAP installations or new standards can mandate
+\& # for different attributes for storing CRLs into. Use this parameter
+\& # to specify the attribute used to retrieve the CRL from.
+\& #
+\& # This option is needed only if the CRL is stored on LDAP
+\& crl_entry_attribute = "certificateRevocationList;binary"
+.Ve
+.PP
+.Vb 8
+\& # We need the CA certificate for every CA we support. Upon loading
+\& # the CRL and the CA certificate a simple check is made to ensure
+\& # the CRL/CA certificate matching. Also the CA certificate is used
+\& # to retrieve the CID used to identify the certificate being
+\& # requested by the client (CID of the Issuer + serial Number).
+\& # Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
+\& ca_url  = ldap://localhost
+.Ve
+.PP
+.Vb 3
+\& # DN where the cACertificate;binary value can be downloaded
+\& # This option is needed only if the CA Certificate is stored on LDAP
+\& ca_entry_dn = "o=Organisation, c=IT"
+.Ve
+.PP
+.Vb 2
+\& # This is the attribute used to store the CA.
+\& ca_entry_attribute = "caCertificate;binary"
+.Ve
+.PP
+.Vb 2
+\& # Server Certificate to attach to the response
+\& server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+.Ve
+.PP
 .Vb 2
 \& ####################################################################
 \& [ dbms_file ]
@@ -371,6 +414,11 @@ to every available interface, simply use
 .IP "\fBport\fR" 6
 .IX Item "port"
 specifies the port to listen to.
+.IP "\fBmax_req_size\fR" 6
+.IX Item "max_req_size"
+Maximum size of received request, if a received request is bigger it
+will be trashed. Usually simple requests are 200/300 bytes long (more
+or less).
 .IP "\fBthreads_num\fR" 6
 .IX Item "threads_num"
 Number of threads that shall be created at startup time, the
@@ -381,6 +429,21 @@ and processors.
 From version 1.5+ the server is not pre\-forked, instead it is
 a pre-threaded one. In order to run the server needs support
 for \s-1POSIX1\s0.c as found in most modern UNiX systems.
+.IP "\fBmax_client_num\fR" 6
+.IX Item "max_client_num"
+Length of the system's listen() queue. Up to this number of not-yet-served
+connection requests are queued by the system. Additional ones are dropped.
+Default is 30.
+.IP "\fBmax_timeout_secs\fR" 6
+.IX Item "max_timeout_secs"
+Max timeout for request receiving. If a request is not received
+within the specified number of seconds then the socket is closed
+in order to free unused threads. If not set, the default value
+is 5 seconds.
+.IP "\fBhttp_proto\fR" 6
+.IX Item "http_proto"
+ HTTP protocol version to be required. If 1.1 is specified, then
+the "Host: <addr>" name is also used in the header of HTTP GET requests.
 .IP "\fBchroot_dir\fR" 6
 .IX Item "chroot_dir"
 Chroot the application into the specified directory, watch
@@ -392,11 +455,24 @@ privileges dropping, privileges will not
 error will be written in the logfile, but the server will
 continue to run assuming the \fIchroot()\fR is sufficiently isolated
 to prevent abuse of the machine.
-.IP "\fBmax_req_size\fR" 6
-.IX Item "max_req_size"
-maximum size of received request, if a received request is bigger it
-will be trashed. Usually simple requests are 200/300 bytes long (more
-or less).
+.IP "\fBcrl_auto_reload\fR" 6
+.IX Item "crl_auto_reload"
+Auto Reload interval of CRL in seconds. If set to 0 or not present, to
+reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
+to the parent process.
+.IP "\fBcrl_check_validity\fR" 6
+.IX Item "crl_check_validity"
+CRL validity check period in seconds. If this parameter is set to #n
+then the CRL is checked every #n secs and if the CRL's validity
+period is expired then all the responses will be set to 'unknown'.
+If is set to '0' or not specified, all
+responses will be based on the loaded CRL, no matter if it
+is expired or not.
+.IP "\fBcrl_reload_expired\fR" 6
+.IX Item "crl_reload_expired"
+If the currently loaded CRL is expired, reload it. Set this parameter to "yes"
+only if you are sure that the new CRL will be issued and put
+in the crl_url location.
 .RE
 .IP "\fBrequest section\fR"
 .IX Item "request section"
diff -Naurp openca-ocspd-1.7.0.orig/etc/ocspd.conf.in openca-ocspd-1.7.0.new/etc/ocspd.conf.in
--- openca-ocspd-1.7.0.orig/etc/ocspd.conf.in	2013-11-04 19:06:08.816610001 +0100
+++ openca-ocspd-1.7.0.new/etc/ocspd.conf.in	2013-11-04 19:19:28.046227727 +0100
@@ -135,7 +135,7 @@ ocsp_add_response_keyid	= yes
 # NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
 # case the nextUpdate field is missing. It is therefore suggested
 # to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
-# software correclty work with OCSP enabled.
+# software correctly work with OCSP enabled.
 next_update_days	= 0
 next_update_mins	= 5
 
@@ -185,11 +185,16 @@ crl_entry_attribute = "certificateRevoca
 # the CRL/CA certificate matching. Also the CA certificate is used
 # to retrieve the CID used to identify the certificate being
 # requested by the client (CID of the Issuer + serial Number).
-# 
+# Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
+ca_url  = ldap://localhost
+
 # DN where the cACertificate;binary value can be downloaded
 # This option is needed only if the CA Certificate is stored on LDAP
 ca_entry_dn = "o=Organisation, c=IT"
 
+# This is the attribute used to store the CA.
+ca_entry_attribute = "caCertificate;binary"
+
 # Server Certificate to attach to the response
 server_cert = file://@sysconfdirvalue@/ocspd/certs/ocspd_cert.pem
 
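Review bot: The comment added for `ca_entry_attribute` at the end of the hunk does not say when the option is consulted, while the neighbouring `ca_entry_dn` comment does; I would extend it to `# This is the attribute used to store the CA.` followed by `# This option is needed only if the CA Certificate is stored on LDAP`. The same two-line addition is made in examples/ocspd.conf in the hunk at `@@ -146,11 +185,18 @@` and should get the same wording so the template and the example stay aligned. The section these keys belong to starts above the hunk, so I cannot see whether the header comment already covers this.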
diff -Naurp openca-ocspd-1.7.0.orig/examples/ocspd.conf openca-ocspd-1.7.0.new/examples/ocspd.conf
--- openca-ocspd-1.7.0.orig/examples/ocspd.conf	2013-11-04 19:06:08.816610001 +0100
+++ openca-ocspd-1.7.0.new/examples/ocspd.conf	2013-11-04 19:31:23.822329525 +0100
@@ -32,7 +32,38 @@ port		 	= 2560
 # Max size of accepted requests. Data connection will be closed
 # in case this size will be reached.
 max_req_size	 	= 8192
-max_childs_num		= 1
+
+# Number of threads that shall be created at startup time, the
+# more threads, the better for handling very high traffic. We
+# expect to have better performances on multi-threaded machines
+# and processors.
+threads_num		= 150
+
+# Size of the system listen() queue. This allows buffering connection
+# requests for later processing when all threads are already busy.
+#max_client_num		= 30
+
+# Max timeout for request receiving. If a request is not received
+# within the specified number of seconds then the socket is closed
+# in order to free unused threads. If not set, the default value
+# is 5 seconds
+max_timeout_secs	= 5
+
+# HTTP protocol version to be required. If 1.1 is specified, then
+# the "Host: <addr>" name is also used in the header of HTTP GET
+# requests
+http_proto		= 1.1
+
+# Chroot the application into the specified directory, whatch
+# out because if you chroot the application, all the paths
+# should be relative to the new root for CRL reloading or
+# (better solution) you have to download the CRLs from HTTP or
+# LDAP. If you chroot and you do not provide support for
+# privileges dropping, privileges will not be dropped and an
+# error will be written in the logfile, but the server will
+# continue to run assuming the chroot() is sufficiently isolated
+# to prevent abuse of the machine.
+#chroot_dir		= /etc/ocspd
 
 # Auto Reload interval of CRL (if set to 0 or not present, to
 # reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
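Review bot: The `chroot_dir` comment near the end of the hunk carries a typo, `whatch`; the line should read `# Chroot the application into the specified directory, watch`. The same sentence is spelled correctly in the man page hunk for docs/ocspd.conf.3, so the example and the documentation drift apart here. The `max_client_num` key is left commented out with the value 30, which the man page hunk states is the default, but the comment above it does not say so; `# Default is 30 when the key is absent.` would make the commented line self-explanatory.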
@@ -100,6 +131,11 @@ ocsp_add_response_keyid	= yes
 # in the OCSP response will be left NULL indicating new data
 # can be made available anytime (this is true if you are issuing
 # new CRLs every time a revocation takes place)
+#
+# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
+# case the nextUpdate field is missing. It is therefore suggested
+# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
+# software correctly work with OCSP enabled.
 next_update_days	= 0
 next_update_mins	= 5
 
@@ -113,6 +149,9 @@ next_update_mins	= 5
 # You can have the CRL on a simple file
 # crl_url = file:///etc/ocspd/crls/crl.pem
 
+# You can have the CRL retrieved from an HTTP server
+# crl_url = http://[user[:pwd]@]server[:port]/path_to_crl
+
 # You can store the CRL into an LDAP server, simply
 # store it in certificateRevocationList;binary attribute
 #
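Review bot: The new example `crl_url = http://[user[:pwd]@]server[:port]/path_to_crl` introduces a password carried inside a config value without saying what that implies; the comment should state that the credential is stored in cleartext in this file, so the file must be readable only by the account ocspd runs as, and that with plain http it also travels unencrypted. A single added line such as `# NOTE: a password given here is kept in cleartext in this file and on the wire; restrict this file's permissions` would cover it. As far as the hunk shows, the CRL itself is still checked against the CA certificate (see the `[dbms_ldap]` comments), so the transport mainly affects the credential rather than the CRL's integrity.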
@@ -146,11 +185,18 @@ crl_entry_attribute = "certificateRevoca
 # the CRL/CA certificate matching. Also the CA certificate is used
 # to retrieve the CID used to identify the certificate being
 # requested by the client (CID of the Issuer + serial Number).
-# 
+# Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
+ca_url  = ldap://localhost
+
 # DN where the cACertificate;binary value can be downloaded
 # This option is needed only if the CA Certificate is stored on LDAP
 ca_entry_dn = "o=Organisation, c=IT"
 
+# This is the attribute used to store the CA.
+ca_entry_attribute = "caCertificate;binary"
+
+# Server Certificate to attach to the response
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
 
 ####################################################################
 [ dbms_file ]
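Review bot: `ca_url  = ldap://localhost` becomes an active setting rather than a commented example, and the new comment says the CA certificate may be fetched over ldap or http; by the hunk's own description that certificate is what the CRL is matched against and what the issuer CID is derived from, i.e. a trust anchor, and nothing visible here verifies a remotely fetched CA certificate beyond that match. A remote, unauthenticated source therefore leaves the choice of issuer to whoever controls that endpoint, which the comment should make explicit. I would add above the key `# The CA certificate is a trust anchor: prefer file:// or a source you control, and verify the fetched certificate out of band.`. Whether the daemon performs any further check on the fetched certificate cannot be told from the hunk.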
@@ -164,12 +210,15 @@ ca_entry_dn = "o=Organisation, c=IT"
 [ first_ca ]
 
 # You can have the CRL on a simple file in PEM format
-crl_url = file:///etc/ocspd/crls/crl_07.crl
+crl_url = file:///etc/ocspd/crls/crl_01.crl
 
 # We need the CA certificate for every supported CRL
 # ca_url  = file:///etc/ocspd/certs/1st_cacert.pem
 ca_url  = file:///etc/ocspd/certs/cacert.pem
 
+# Server Certificate to attach to the response
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+
 ####################################################################
 [ second_ca ]
 
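Review bot: `crl_url` for `[first_ca]` is changed from `crl_07.crl` to `crl_01.crl`, yet the header of the following hunk (`@@ -179,6 +228,9 @@ crl_url = file:///etc/ocspd/crls/crl_01.`) suggests `[second_ca]` already points at `crl_01.crl`, so both example CAs would now load the same CRL file while using different CA certificates (`cacert.pem` versus `2nd_cacert.pem`). If that reading is right, the CRL/CA match described in the `[dbms_ldap]` comments would fail for one of the two sections; giving one of them a distinct file, e.g. `crl_url = file:///etc/ocspd/crls/crl_02.crl` (constructed name), keeps the example self-consistent. The `[first_ca]` section header is inside the hunk but the `[second_ca]` body is not, so the inference rests on the hunk header alone.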
@@ -179,6 +228,9 @@ crl_url = file:///etc/ocspd/crls/crl_01.
 # We need the CA certificate for every supported CRL
 ca_url  = file:///etc/ocspd/certs/2nd_cacert.pem
 
+# Server Certificate to attach to the response
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+
 ####################################################################
 [ HSM ]
 
@@ -207,9 +259,10 @@ engine_id = LunaCA3
 # high application id 10, low app id 11 and password "myPassword"
 1.engine_pre = login:1:10:11:myPassword
 
-# Some HSMs need to perform commands before the application can exit
-# it is therefore available the 'engine_post' option. Usage and format
+# Some HSMs need to perform commands after the ENGINE initialisation
+# which are taken from the 'engine_post' option. Usage and format
 # is exactly the same as 'engine_pre', the difference is that commands
-# are sent to the HSM just before server shutdown.
+# are sent to the HSM after the ENGINE_init() function. Refer to your
+# HSM documentation for more informations
 # 0.engine_post = logout:1:10:11