/etc/pkcs11proxyd/pkcs11proxyd.conf is in caml-crush-server 1.0.7-1build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
(* Netplex configuration for pkcs11proxyd, the Caml Crush PKCS#11 filtering proxy.
   Sections: controller (log level, admin socket), service (worker identity,
   listening socket, processor/TLS settings, workload manager). *)
netplex {
controller {
max_level = "debug"; (* Log level; "debug" is the most verbose netplex level *)
(* configure "admin" socket directory, default "/tmp/.netplex" *)
socket_directory = "/var/lib/pkcs11proxyd/.netplex";
logging {
(* type can either be "stderr" or "syslog" *)
type = "syslog"; (* Log via syslog; set to "stderr" to log to standard error instead *)
};
};
service {
name = "PKCS#11 Filtering Proxy";
(* These parameters can be used to change UID/GID of worker processes *)
(* Workers run as this dedicated, unprivileged account *)
user = "Debian-pkcs11proxyd";
group = "Debian-pkcs11proxyd";
(* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *)
(* NOTE(review): with conn_limit = 1 a worker presumably serves a single
   connection and is not reused for another client -- confirm against the
   netplex documentation before relying on that isolation *)
conn_limit = 1;
protocol {
(* This section creates the socket *)
name = "rpc_pkcs11";
(* Set Unix socket permissions (only meaningful for type = "local"): *)
(* NOTE(review): the example mode "0o777" would make a UNIX socket usable by
   every local user; when switching to a local socket prefer a restrictive
   mode and rely on the socket directory's permissions *)
(*
local_chmod = "0o777";
*)
(* Socket can either be TCP or UNIX *)
address {
(* Default here is TCP localhost on port 4444 *)
(* 127.0.0.1 limits clients to this host. With use_ssl = false (below) the
   RPC traffic is unencrypted, so do not bind to a non-loopback address
   without enabling TLS first *)
type = "internet";
bind = "127.0.0.1:4444";
(*
type = "local";
path = "/var/run/pkcs11proxyd.socket";
*)
};
};
processor {
(* This section specifies how to process data of the socket *)
type = "rpc_pkcs11";
(* libnames param is used when the proxy is compiled WITHOUT filtering support *)
(* syntax is: libnames="<module_name>:<path_to_middleware>;<...>:<...>;"; *)
(* Each entry maps a module name to the PKCS#11 middleware library to load *)
(*
libnames="softhsm:/usr/local/lib/softhsm/libsofthsm.so;opencryptoki:/usr/lib/libopencryptoki.so;";
*)
(* filter_config is used to supply the filtering configuration when compiled in *)
(* Path of the filtering configuration file *)
filter_config="/etc/pkcs11proxyd/filter.conf";
(*************** TLS support begin ***********************)
(* use_ssl = false to disable SSL support on server side *)
(* use_ssl = true to enable SSL support on server side *)
(* Default is disabled: the listener above then accepts cleartext connections *)
use_ssl = false;
(* TLS support for Caml Crush compiled with OCamlnet 4.x *)
(* Uncomment to enable TLS when using OCamlnet 4.x *)
(* NOTE(review): crt_file/key_file in the template below are relative paths
   ("server.pem", "server.key"); prefer absolute paths under
   /etc/pkcs11proxyd and keep the key file readable only by the service
   user *)
(*
tls {
(* Ciphersuites, GnuTLS syntax *)
(* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *)
algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC";
(* Uncomment to enable DHE parameters, used for PFS *)
(*
dh_params {
(* Pre-computed DH parameters *)
pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem";
(* Run-time created DH parameters, warning: this takes a long time *)
(*bits = 2048;*)
};
*)
x509 {
key {
crt_file = "server.pem";
key_file = "server.key";
};
trust {
crt_file = "cacert.pem";
};
}
};
*)
(*************** TLS support end *************************)
};
workload_manager {
(* "dynamic": netplex starts and stops workers on demand within the limits below *)
type = "dynamic";
max_jobs_per_thread = 1; (* Everything else is senseless *)
min_free_jobs_capacity = 1;
max_free_jobs_capacity = 1;
max_threads = 100; (* Upper bound on concurrent workers, presumably one per client connection *)
};
}
}