X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fopenssl.cnf;h=b3e7444e5f22ef37be939d1cb51dd5dc1aa66acf;hb=2c4ee10c0aa231a30977aad47bae1d0dbe6bbef4;hp=41c2a37426c21f32d020ad8e951c929cdb979e67;hpb=44e0c2bae4bfd87d770480902618dbccde84fd81;p=oweals%2Fopenssl.git

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 41c2a37426..b3e7444e5f 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
@@ -335,11 +331,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?