diff options
| author | venaas <venaas> | 2008-10-16 12:27:15 +0000 |
|---|---|---|
| committer | venaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf> | 2008-10-16 12:27:15 +0000 |
| commit | d31e6fdb6fb4859e5beb6d915ce474b064e019b1 (patch) | |
| tree | 489e2bf73e28f9e7fce8904ebf9125ad459f332c | |
| parent | ecc6d5a045d878c2fcc6ef57ae55162ccc375384 (diff) | |
added policyOID option in trunk docs, fixed typo in several docs
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@429 e88ac4ed-0b26-0410-9574-a7f39faa03bf
| -rw-r--r-- | radsecproxy.conf.5 | 13 | ||||
| -rw-r--r-- | radsecproxy.conf.5.xml | 15 |
2 files changed, 17 insertions, 11 deletions
diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5 index 95ba83f..315ccf2 100644 --- a/radsecproxy.conf.5 +++ b/radsecproxy.conf.5 @@ -5,7 +5,7 @@ \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac -.TH "radsecproxy.conf " 5 2008-10-06 "radsecproxy devel 2008-10-06" "" +.TH "radsecproxy.conf " 5 2008-10-16 "radsecproxy devel 2008-10-16" "" .SH NAME radsecproxy.conf \- Radsec proxy configuration file @@ -184,7 +184,7 @@ It can both be used as a basic option and inside blocks. For the full description, see the configuration syntax section above. .SH BLOCKS There are five types of blocks, they are \*(T<client\*(T>, -\*(T<server\*(T>, \*(T<realm\*(T>, \*(T<Btls\*(T> +\*(T<server\*(T>, \*(T<realm\*(T>, \*(T<tls\*(T> and \*(T<rewrite\*(T>. At least one instance of each of \*(T<client\*(T> and \*(T<realm\*(T> is required. This is necessary for the proxy to do anything useful, and it will exit if not. The @@ -444,8 +444,9 @@ default, even \*(T<defaultServer\*(T> if you really want to. The available TLS block options are \*(T<CACertificateFile\*(T>, \*(T<CACertificatePath\*(T>, \*(T<certificateFile\*(T>, \*(T<certificateKeyFile\*(T>, -\*(T<certificateKeyPassword\*(T>, \*(T<cacheExpiry\*(T> -and \*(T<CRLCheck\*(T>. When doing RADIUS over TLS/DTLS, both the +\*(T<certificateKeyPassword\*(T>, \*(T<cacheExpiry\*(T>, +\*(T<CRLCheck\*(T> and \*(T<policyOID\*(T>. +When doing RADIUS over TLS/DTLS, both the client and the server present certificates, and they are both verified by the peer. Hence you must always specify \*(T<certificateFile\*(T> and \*(T<certificateKeyFile\*(T> options, as well as @@ -457,7 +458,9 @@ certificates to a peer, you also always need to specify Note that you may specify both, in which case the certificates in \*(T<CACertificateFile\*(T> are checked first. By default CRLs are not checked. This can be changed by setting \*(T<CRLCheck\*(T> to -\*(T<on\*(T>. +\*(T<on\*(T>. One can require peer certificates to adhere to certain +policies by specifying one or multiple policyOIDs using one or multiple +\*(T<policyOID\*(T> options. .PP CA certificates and CRLs are normally cached permanently. That is, once a CA or CRL has been read, the proxy will never attempt to re-read it. CRLs may diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 56b9e19..41f29be 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> <refentry> <refentryinfo> - <date>2008-10-06</date> + <date>2008-10-16</date> </refentryinfo> <refmeta> <refentrytitle> <application>radsecproxy.conf</application> </refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo>radsecproxy devel 2008-10-06</refmiscinfo> + <refmiscinfo>radsecproxy devel 2008-10-16</refmiscinfo> </refmeta> <refnamediv> <refname> @@ -283,7 +283,7 @@ description, see the configuration syntax section above. <title>Blocks</title> <para> There are five types of blocks, they are <literal>client</literal>, -<literal>server</literal>, <literal>realm</literal>, <literal>Btls</literal> +<literal>server</literal>, <literal>realm</literal>, <literal>tls</literal> and <literal>rewrite</literal>. At least one instance of each of <literal>client</literal> and <literal>realm</literal> is required. This is necessary for the proxy to do anything useful, and it will exit if not. The @@ -594,8 +594,9 @@ default, even <literal>defaultServer</literal> if you really want to. The available TLS block options are <literal>CACertificateFile</literal>, <literal>CACertificatePath</literal>, <literal>certificateFile</literal>, <literal>certificateKeyFile</literal>, -<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal> -and <literal>CRLCheck</literal>. When doing RADIUS over TLS/DTLS, both the +<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>, +<literal>CRLCheck</literal> and <literal>policyOID</literal>. +When doing RADIUS over TLS/DTLS, both the client and the server present certificates, and they are both verified by the peer. Hence you must always specify <literal>certificateFile</literal> and <literal>certificateKeyFile</literal> options, as well as @@ -607,7 +608,9 @@ certificates to a peer, you also always need to specify Note that you may specify both, in which case the certificates in <literal>CACertificateFile</literal> are checked first. By default CRLs are not checked. This can be changed by setting <literal>CRLCheck</literal> to -<literal>on</literal>. +<literal>on</literal>. One can require peer certificates to adhere to certain +policies by specifying one or multiple policyOIDs using one or multiple +<literal>policyOID</literal> options. </para> <para> CA certificates and CRLs are normally cached permanently. That is, once a CA |