diff options
author | venaas <venaas> | 2007-06-01 09:56:41 +0000 |
---|---|---|
committer | venaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf> | 2007-06-01 09:56:41 +0000 |
commit | ecf7685a0cf0071ad54071ba18238d900d8075e0 (patch) | |
tree | 36a8bada2dfa26341179b13d4f4665b15857814a /radsecproxy.conf-example | |
parent | 305e2f3efd0b925ffc7a24aa20c6fecdff0dcbed (diff) |
completely changed TLS configuration
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@118 e88ac4ed-0b26-0410-9574-a7f39faa03bf
Diffstat (limited to 'radsecproxy.conf-example')
-rw-r--r-- | radsecproxy.conf-example | 51 |
1 files changed, 40 insertions, 11 deletions
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index 7593b7c..029c7e1 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -1,17 +1,8 @@ #Master config file, must be in /etc/radsecproxy or proxy's current directory # All possible config options are listed below -# -# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath -# for TLS to work. We always verify peer certificate (both client and server) -#TLSCACertificateFile /etc/cacerts/CA.pem -TLSCACertificatePath /etc/cacerts - -# You must specify the below for TLS, we will always present our certificate -TLSCertificateFile /etc/hostcertkey/host.example.com.pem -TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem -# Optionally specify password if key is encrypted (not very secure) -TLSCertificateKeyPassword "follow the white rabbit" +# First you may define any global options, these are: +# # You can optionally specify addresses and ports to listen on # Max one of each, below are just multiple examples #ListenUDP *:1814 @@ -29,6 +20,34 @@ TLSCertificateKeyPassword "follow the white rabbit" #LogDestination x-syslog:// #LogDestination x-syslog://log_local2 +#If we have TLS clients or servers we must define at least one tls block. +#You can name them whatever you like and then reference them by name when +#specifying clients or servers later. There are however three special names +#"default", "defaultclient" and "defaultserver". If no name is defined for +#a client, the "defaultclient" block will be used if it exists, if not the +#"default" will be used. For a server, "defaultserver" followed by "default" +#will be checked. +# +#The simplest configuration you can do is: +tls default { + # You must specify at least one of CACertificateFile or CACertificatePath + # for TLS to work. We always verify peer certificate (client and server) + # CACertificateFile /etc/cacerts/CA.pem + CACertificatePath /etc/cacerts + + # You must specify the below for TLS, we always present our certificate + CertificateFile /etc/hostcertkey/host.example.com.pem + CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem + # Optionally specify password if key is encrypted (not very secure) + CertificateKeyPassword "follow the white rabbit" +} + +#If you want one cert for all clients and another for all servers, use +#defaultclient and defaultserver instead of default. If we wanted some +#particular server to use something else you could specify a block +#"tls myserver" and then reference that for that server. If you always +#name the tls block in the client/server config you don't need a default + #Now we configure clients, servers and realms. Note that these and #also the lines above may be in any order, except that a realm #can only be configured to use a server that is previously configured. @@ -45,6 +64,11 @@ TLSCertificateKeyPassword "follow the white rabbit" client 2001:db8::1 { type tls secret verysecret +#we could specify tls here, e.g. +# tls myclient +#in order to use tls parameters named myclient. We don't, so we will +#use "tls defaultclient" if defined, or look for "tls default" as a +#last resort } client 127.0.0.1 { type udp @@ -67,6 +91,11 @@ server 2001:db8::1 { type TLS port 2283 # secret is optional for TLS +#we could specify tls here, e.g. +# tls myserver +#in order to use tls parameters named myserver. We don't, so we will +#use "tls defaultserver" if defined, or look for "tls default" as a +#last resort } server radius.example.com { type tls |