path: root/radsecproxy.conf.5.xml
authorvenaas <venaas>2008-10-16 12:27:15 +0000
committervenaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>2008-10-16 12:27:15 +0000
commitd31e6fdb6fb4859e5beb6d915ce474b064e019b1 (patch)
tree489e2bf73e28f9e7fce8904ebf9125ad459f332c /radsecproxy.conf.5.xml
parentecc6d5a045d878c2fcc6ef57ae55162ccc375384 (diff)
added policyOID option in trunk docs, fixed typo in several docs
git-svn-id: e88ac4ed-0b26-0410-9574-a7f39faa03bf
Diffstat (limited to 'radsecproxy.conf.5.xml')
1 files changed, 9 insertions, 6 deletions
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 56b9e19..41f29be 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -2,14 +2,14 @@
- <date>2008-10-06</date>
+ <date>2008-10-16</date>
- <refmiscinfo>radsecproxy devel 2008-10-06</refmiscinfo>
+ <refmiscinfo>radsecproxy devel 2008-10-16</refmiscinfo>
@@ -283,7 +283,7 @@ description, see the configuration syntax section above.
There are five types of blocks, they are <literal>client</literal>,
-<literal>server</literal>, <literal>realm</literal>, <literal>Btls</literal>
+<literal>server</literal>, <literal>realm</literal>, <literal>tls</literal>
and <literal>rewrite</literal>. At least one instance of each of
<literal>client</literal> and <literal>realm</literal> is required. This is
necessary for the proxy to do anything useful, and it will exit if not. The
@@ -594,8 +594,9 @@ default, even <literal>defaultServer</literal> if you really want to.
The available TLS block options are <literal>CACertificateFile</literal>,
<literal>CACertificatePath</literal>, <literal>certificateFile</literal>,
-<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>
-and <literal>CRLCheck</literal>. When doing RADIUS over TLS/DTLS, both the
+<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>,
+<literal>CRLCheck</literal> and <literal>policyOID</literal>.
+When doing RADIUS over TLS/DTLS, both the
client and the server present certificates, and they are both verified by
the peer. Hence you must always specify <literal>certificateFile</literal>
and <literal>certificateKeyFile</literal> options, as well as
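Review bot: the option list at the top of this hunk (CACertificateFile, CACertificatePath, certificateFile, certificateKeyPassword, cacheExpiry, CRLCheck, policyOID) still omits certificateKeyFile, yet the very next sentence says you "must always specify certificateFile and certificateKeyFile". Since this line is being touched anyway, add certificateKeyFile between certificateFile and certificateKeyPassword so the enumeration matches the requirement it introduces.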
@@ -607,7 +608,9 @@ certificates to a peer, you also always need to specify
Note that you may specify both, in which case the certificates in
<literal>CACertificateFile</literal> are checked first. By default CRLs are
not checked. This can be changed by setting <literal>CRLCheck</literal> to
+<literal>on</literal>. One can require peer certificates to adhere to certain
+policies by specifying one or multiple policyOIDs using one or multiple
+<literal>policyOID</literal> options.
CA certificates and CRLs are normally cached permanently. That is, once a CA
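Review bot: the new policyOID sentence is inserted between "This can be changed by setting CRLCheck to on." and "CA certificates and CRLs are normally cached permanently", which splits the CRL discussion in two and reads as if the caching remark belongs to policy checking; move the policyOID text after the caching paragraph, or give it its own paragraph. The description also leaves the semantics undefined: state what format the value takes and, when several policyOID options are given, whether the peer certificate must carry all of them or any one of them, as operators cannot configure the check safely without knowing that.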