2026-02-10 08:46:58 +08:00 · 2018-04-15 16:38:59 +02:00
parent d49ba40fb2
commit 2ae4c2b2ed
1 changed files with 14 additions and 11 deletions
							
							
								
							
							
						
@@ -115,7 +115,7 @@ run-as-group = daemon
socket-file = /var/run/ocserv-socket
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
#chroot-dir = /var/lib/ocserv
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
							
							
							
								
							
						
@@ -127,23 +127,25 @@ socket-file = /var/run/ocserv-socket
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
# The certificate files will be reloaded when changed allowing for in-place
# certificate renewal (if both keys and certs change send the SIGHUP
# signal to the main server).
# certificate renewal (they are checked and reloaded periodically;
# a SIGHUP signal to main server will force reload).
#server-cert = /etc/ocserv/server-cert.pem
#server-key = /etc/ocserv/server-key.pem
server-cert = ../tests/certs/server-cert.pem
server-key = ../tests/certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites.
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
#dh-params = /etc/ocserv/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
#pin-file = /etc/ocserv/pin.txt
#srk-pin-file = /etc/ocserv/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
							
							
							
								
							
						
@@ -157,6 +159,7 @@ server-key = ../tests/certs/server-key.pem
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /etc/ocserv/ca.pem
ca-cert = ../tests/certs/ca.pem
							
								
							
							
								
							
							
						
@@ -249,7 +252,7 @@ try-mtu-discovery = false
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
#ocsp-response = /etc/ocserv/ocsp.der
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
							
							
							
								
							
						
@@ -268,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
#crl = /path/to/crl.pem
#crl = /etc/ocserv/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true