Use better defaults for TSA.

Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index ba6977c..51a296b 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -340,7 +340,7 @@
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 473c884..53c4bef 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -335,11 +335,11 @@
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest  = sha1			# Signing digest to use. (Optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index 038dfae..82b9e55 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -28,7 +28,7 @@
 [B<-passin> password_src]
 [B<-signer> tsa_cert.pem]
 [B<-inkey> private.pem]
-[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>]
+[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
 [B<-chain> certs_file.pem]
 [B<-policy> object_id]
 [B<-in> response.tsr]
@@ -216,7 +216,7 @@
 The signer private key of the TSA in PEM format. Overrides the
 B<signer_key> config file option. (Optional)
 
-=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
+=item B<-sha1|-sha224|-sha256|-sha384|-sha512>
 
 Signing digest to use. Overrides the B<signer_digest> config file
 option. (Optional)
@@ -405,8 +405,7 @@
 =item B<signer_digest>
 
 Signing digest to use. The same as the
-B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
-command line option. (Optional)
+B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
 
 =item B<default_policy>
 
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index 95a21f9..ab2f84a 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -35,7 +35,7 @@
 RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
-default_md	= sha1			# which md to use.
+default_md	= sha256			# which md to use.
 preserve	= no			# keep passed DN ordering
 
 policy		= policy_match
@@ -132,11 +132,11 @@
 certs		= $dir/tsaca.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
-signer_digest  = sha1                  # Signing digest to use. (Optional)
+signer_digest  = sha256             # Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 ordering		= yes	# Is ordering defined for timestamps?
 				# (optional, default: no)
@@ -156,8 +156,8 @@
 certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
-signer_digest  = sha1                  # Signing digest to use. (Optional)
+signer_digest  = sha256             # Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)