Document effects of RADSECPROXY-43.

https://project.nordu.net/browse/RADSECPROXY-43
author: Linus Nordberg <linus@nordu.net> 2012-09-14 12:49:53 +0200
committer: Linus Nordberg <linus@nordu.net> 2012-09-14 12:49:53 +0200
commit: 6dc5eeb8f9158ac399d306eebb56164badf8dbc8 (patch)
tree: 1d6d4d01e43aecf1546ecd61de65ad00b4526532 /radsecproxy.conf.5.xml
parent: db965c9bf7cf4acc0830d7b689d69d40b9ecef8c (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 44ea1c7..bd52682 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -544,6 +544,15 @@ blocktype name {
       <literal>default</literal>. If the specified TLS block name does
       not exist, or the option is not specified and none of the
       defaults exist, the proxy will exit with an error.
+
+      NOTE: All versions of radsecproxy up to and including 1.6
+      erroneously verify client certificate chains using the CA in the
+      <strong>first</strong> matching client block regardless of which
+      block is used for the final decision. This changed in 1.6.1 so
+      that a client block with a different <literal>tls</literal>
+      option than the first matching client block is no longer
+      considered for verification of clients.
+
     </para>
     <para>
       For a TLS/DTLS client, the option
author	Linus Nordberg <linus@nordu.net>	2012-09-14 12:49:53 +0200
committer	Linus Nordberg <linus@nordu.net>	2012-09-14 12:49:53 +0200
commit	6dc5eeb8f9158ac399d306eebb56164badf8dbc8 (patch)
tree	1d6d4d01e43aecf1546ecd61de65ad00b4526532 /radsecproxy.conf.5.xml
parent	db965c9bf7cf4acc0830d7b689d69d40b9ecef8c (diff)