mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
733094ec6b
We have reports that some are using example.com in their /etc/hosts for testing purposes, so we can't necessarily assume that those will fail. We fix it by using "random" hosts in that domain. Fixes #15395 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15398)
141 lines
2.5 KiB
INI
141 lines
2.5 KiB
INI
[default]
|
|
batch = 1 # do not use stdin
|
|
total_timeout = 8 # prevent, e.g., infinite polling due to error
|
|
trusted = trusted.crt
|
|
newkey = new.key
|
|
newkeypass =
|
|
cmd = ir
|
|
out_trusted = root.crt
|
|
#certout = test.cert.pem
|
|
policies = certificatePolicies
|
|
#policy_oids = 1.2.3.4
|
|
#policy_oids_critical = 1
|
|
#verbosity = 7
|
|
|
|
############################# server configurations
|
|
|
|
[Mock] # the built-in OpenSSL CMP mock server
|
|
no_check_time = 1
|
|
server_host = 127.0.0.1 # localhost
|
|
server_port = 0
|
|
server_tls = $server_port
|
|
server_cert = server.crt
|
|
server = $server_host:$server_port
|
|
server_path = pkix/
|
|
path = $server_path
|
|
ca_dn = /O=openssl_cmp
|
|
recipient = $ca_dn
|
|
server_dn = /O=openssl_cmp
|
|
expect_sender = $server_dn
|
|
subject = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf"
|
|
newkey = signer.key
|
|
out_trusted = signer_root.crt
|
|
kur_port = $server_port
|
|
pbm_port = $server_port
|
|
pbm_ref =
|
|
pbm_secret = pass:test
|
|
cert = signer.crt
|
|
key = signer.p12
|
|
keypass = pass:12345
|
|
ignore_keyusage = 0
|
|
column = 0
|
|
sleep = 0
|
|
|
|
############################# aspects
|
|
|
|
[connection]
|
|
msg_timeout = 5
|
|
total_timeout =
|
|
# reset any TLS options to default:
|
|
tls_used =
|
|
tls_cert =
|
|
tls_key =
|
|
tls_keypass =
|
|
tls_trusted =
|
|
tls_host =
|
|
|
|
[tls]
|
|
server =
|
|
tls_used =
|
|
tls_cert =
|
|
tls_key =
|
|
tls_keypass =
|
|
tls_trusted =
|
|
tls_host =
|
|
|
|
[credentials]
|
|
ref =
|
|
secret =
|
|
cert =
|
|
key =
|
|
keypass =
|
|
extracerts =
|
|
digest =
|
|
unprotected_requests =
|
|
|
|
[verification]
|
|
#expect_sender =
|
|
srvcert =
|
|
trusted =
|
|
untrusted =
|
|
#unprotected_errors =
|
|
extracertsout =
|
|
|
|
[commands]
|
|
cmd =
|
|
cacertsout =
|
|
infotype =
|
|
oldcert =
|
|
revreason =
|
|
geninfo =
|
|
|
|
[enrollment]
|
|
cmd =
|
|
newkey =
|
|
newkeypass =
|
|
#subject =
|
|
issuer =
|
|
days =
|
|
reqexts =
|
|
sans =
|
|
san_nodefault = 0
|
|
#popo =
|
|
implicit_confirm = 0
|
|
disable_confirm = 0
|
|
certout =
|
|
out_trusted =
|
|
oldcert =
|
|
csr =
|
|
|
|
############################# extra cert template contents
|
|
|
|
[certificatePolicies]
|
|
certificatePolicies = "critical, @pkiPolicy"
|
|
|
|
[pkiPolicy]
|
|
policyIdentifier = 1.2.3.4
|
|
|
|
[reqexts]
|
|
basicConstraints = CA:FALSE
|
|
#basicConstraints = critical, CA:TRUE
|
|
keyUsage = critical, digitalSignature # keyAgreement, keyEncipherment, nonRepudiation
|
|
extendedKeyUsage = critical, clientAuth # serverAuth, codeSigning
|
|
#crlDistributionPoints = URI:http:
|
|
#authorityInfoAccess = URI:http:
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
DNS.0 = localhost
|
|
IP.0 = 127.0.0.1
|
|
IP.1 = 192.168.1.1
|
|
URI.0 = http://192.168.0.2
|
|
|
|
[reqexts_invalidkey]
|
|
subjectAltName = @alt_names_3
|
|
|
|
[alt_names_3]
|
|
DNS.0 = localhost
|
|
DNS.1 = xn--rksmrgs-5wao1o.example.com
|
|
DNS.2 = xn--rkmacka-5wa.example.com
|
|
DNS__3 = xn--rksallad-0za.example.com
|