Diffstat (limited to 'radsecproxy.conf.5.xml')
-rw-r--r-- radsecproxy.conf.5.xml 15
1 files changed, 9 insertions, 6 deletions
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 56b9e19..41f29be 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -2,14 +2,14 @@
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
- <date>2008-10-06</date>
+ <date>2008-10-16</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo>radsecproxy devel 2008-10-06</refmiscinfo>
+ <refmiscinfo>radsecproxy devel 2008-10-16</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
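Review bot: the same date is hand-maintained in two places in this hunk (the refentryinfo date and the "radsecproxy devel 2008-10-16" refmiscinfo string), which is how the two drift apart; consider filling refmiscinfo from the refentryinfo date or from a single build-time variable so a release bump only touches one line.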
@@ -283,7 +283,7 @@ description, see the configuration syntax section above.
<title>Blocks</title>
<para>
There are five types of blocks, they are <literal>client</literal>,
-<literal>server</literal>, <literal>realm</literal>, <literal>Btls</literal>
+<literal>server</literal>, <literal>realm</literal>, <literal>tls</literal>
and <literal>rewrite</literal>. At least one instance of each of
<literal>client</literal> and <literal>realm</literal> is required. This is
necessary for the proxy to do anything useful, and it will exit if not. The
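Review bot: the fix from Btls to tls is correct as a typo repair, since the paragraph that follows consistently refers to "TLS block options"; no other occurrence of the misspelt keyword is visible in this diff, but it is worth grepping the rest of the file for the same string before merging.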
@@ -594,8 +594,9 @@ default, even <literal>defaultServer</literal> if you really want to.
The available TLS block options are <literal>CACertificateFile</literal>,
<literal>CACertificatePath</literal>, <literal>certificateFile</literal>,
<literal>certificateKeyFile</literal>,
-<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>
-and <literal>CRLCheck</literal>. When doing RADIUS over TLS/DTLS, both the
+<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>,
+<literal>CRLCheck</literal> and <literal>policyOID</literal>.
+When doing RADIUS over TLS/DTLS, both the
client and the server present certificates, and they are both verified by
the peer. Hence you must always specify <literal>certificateFile</literal>
and <literal>certificateKeyFile</literal> options, as well as
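Review bot: policyOID is added to the option list here but, unlike CRLCheck three lines later, nothing states its default; since this paragraph is where a reader learns which TLS options exist, add a clause such as "no certificate policy is required unless policyOID is set" so the opt-in nature of the check is explicit rather than implied.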
@@ -607,7 +608,9 @@ certificates to a peer, you also always need to specify
Note that you may specify both, in which case the certificates in
<literal>CACertificateFile</literal> are checked first. By default CRLs are
not checked. This can be changed by setting <literal>CRLCheck</literal> to
-<literal>on</literal>.
+<literal>on</literal>. One can require peer certificates to adhere to certain
+policies by specifying one or multiple policyOIDs using one or multiple
+<literal>policyOID</literal> options.
</para>
<para>
CA certificates and CRLs are normally cached permanently. That is, once a CA
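Review bot: the new policyOID text does not say how multiple options combine, and that is the one thing an operator needs to know before relying on it: when several policyOID options are given, must the peer certificate carry all of the listed policies or is any one sufficient, and is a peer certificate that has no certificate-policies extension at all rejected? The sentence is also redundant ("one or multiple policyOIDs using one or multiple policyOID options"); suggest something like "Peer certificates can be required to carry a given certificate policy by specifying one or more policyOID options, each giving a policy OID in dotted-decimal form", followed by the all-or-any rule as actually implemented.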