Check more return values in the SRP code

[openssl.git] / apps / openssl.cnf

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 514e64035b8bbdd1f1cff0c8789435ca5ab88d99..6df2878d5021551e8cceae297ac07b5675f627dd 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -3,10 +3,13 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME                   = .
-RANDFILE               = $ENV::HOME/.rnd
 
 # Extra OBJECT IDENTIFIER info:
 #oid_file              = $ENV::HOME/.oid
@@ -53,7 +56,6 @@ crlnumber     = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
 crl            = $dir/crl.pem          # The current CRL
 private_key    = $dir/private/cakey.pem# The private key
-RANDFILE       = $dir/private/.rand    # private random number file
 
 x509_extensions        = usr_cert              # The extensions to add to the cert
 
@@ -103,7 +105,7 @@ emailAddress                = optional
 
 ####################################################################
 [ req ]
-default_bits           = 1024
+default_bits           = 2048
 default_keyfile        = privkey.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
@@ -233,11 +235,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
@@ -335,11 +333,11 @@ signer_cert       = $dir/tsacert.pem      # The TSA signing certificate
 certs          = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
 signer_key     = $dir/private/tsakey.pem # The TSA private key (optional)
-
+signer_digest  = sha256                        # Signing digest to use. (Optional)
 default_policy = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
 other_policies = tsa_policy2, tsa_policy3      # acceptable policies (optional)
-digests                = md5, sha1             # Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy       = secs:1, millisecs:500, microsecs:100  # (optional)
 clock_precision_digits  = 0    # number of digits after dot. (optional)
 ordering               = yes   # Is ordering defined for timestamps?
@@ -348,3 +346,5 @@ tsa_name            = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
 ess_cert_id_chain      = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
+ess_cert_id_alg                = sha1  # algorithm to compute certificate
+                               # identifier (optional, default: sha1)