Use better defaults for TSA.

Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>

2 files changed, 3 insertions, 3 deletions

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index ba6977c01c..51a296b2d8 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -340,7 +340,7 @@ signer_digest  = sha1			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 473c884514..53c4bef044 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -335,11 +335,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest  = sha1			# Signing digest to use. (Optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?