author    venaas <venaas>    2007-09-21 14:02:41 +0000
committer venaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>    2007-09-21 14:02:41 +0000
commit    36da594539ae96a43aebb2815f6a521c8103f5cb
tree      ad10fc4e2ba17fdeedf48e12034a2f7f7cc37ed4
parent    ce837e6c1ac5ca98266cc3fbd5d6993be635c26a
final touches to radsecproxy.conf.5 for 1.0
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/branches/release-1.0@168 e88ac4ed-0b26-0410-9574-a7f39faa03bf
-rw-r--r--    radsecproxy.conf.5    9
1 files changed, 3 insertions, 6 deletions
diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5
index 0ad5261..8d7e246 100644
--- a/radsecproxy.conf.5
+++ b/radsecproxy.conf.5
@@ -130,9 +130,7 @@ dependency on DNS after startup. When some client later sends a request to the
proxy, the proxy will look at the IP address the request comes from, and then go
through all the addresses of each of the configured clients, to determine which
(if any) of the clients this is. In the case of TLS, the name of the client must
-match the FQDN or IP address in the client certificate. Note that at the time of
-writing it must match the certificate CN. This will be extended to check
-subjectAltName if present.
+match the FQDN or IP address in the client certificate.
.sp
The allowed options in a client block are \fBtype\fR, \fBsecret\fR, \fBtls\fR
and \fBmatchcertificateattribute\fR.
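Review bot: the two sentences removed in this hunk were the only place the client-block text said which certificate field the client name is compared against (the CN, with subjectAltName "to be extended"); what remains, "match the FQDN or IP address in the client certificate", no longer names a field at all. If the subjectAltName check has landed for 1.0, state the rule explicitly, for example "match the certificate CN or, if present, a subjectAltName", since an operator issuing client certificates needs to know where to put the name for the TLS identity check to succeed.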
@@ -146,7 +144,7 @@ defined, it will try to use the TLS block named \fBdefault\fR. If the specified
TLS block name does not exist, or the option is not specified and none of the
defaults exist, the proxy will exit with an error. The matchcertificateattribute
is optional and can be used to require that certain certificate attributes have
-certain value. Currently the allowed values are of the form
+certain values. Currently the allowed values are of the form
SubjectAltName:URI:/regexp/ which can be used to specify that SubjectAltName
URIs in the certificate match the specified regexp.
.sp
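Review bot: the wording fix ("certain values") is fine, but the paragraph still leaves the semantics of `SubjectAltName:URI:/regexp/` underspecified: it does not say which regexp flavour is used (POSIX basic vs. extended) or whether the match is anchored to the whole URI, and it does not say whether one matching URI among several is sufficient. Because this option is what restricts which certificates a client may present, add a sentence covering anchoring and flavour, and consider marking `matchcertificateattribute` with `\fB...\fR` in "The matchcertificateattribute is optional" for consistency with the option list two paragraphs above.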
@@ -162,8 +160,7 @@ Hence there is no dependency on DNS after startup. If the domain name resolves
to multiple addresses, then for UDP the first address is used. For TLS, the proxy
will loop through the addresses until it can connect to one of them. In the case
of TLS, the name of the server must match the FQDN or IP address in the server
-certificate. Note that at the time of writing it must match the certificate CN.
-This will be extended to check subjectAltName if present.
+certificate.
.sp
The allowed options in a server block are \fBtype\fR, \fBsecret\fR, \fBtls\fR,
\fBport\fR, \fBstatusServer\fR and \fBmatchcertificateattribute\fR. The values
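Review bot: same concern as in the client-block hunk: after this removal the server-block text says only "match the FQDN or IP address in the server certificate" without naming the field (CN or subjectAltName) that is checked. Whatever wording is chosen for the client block should be mirrored here so the two parallel passages state the same identity rule, and note that the preceding sentence describes looping over several resolved addresses for TLS, so it is worth saying whether the comparison is made against the configured name or against the address that finally connected.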