Diffstat (limited to 'radsecproxy.conf.5.xml')
-rw-r--r-- | radsecproxy.conf.5.xml | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 44ea1c7..0c713ea 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> <refentry> <refentryinfo> - <date>2012-05-23</date> + <date>2012-10-25</date> </refentryinfo> <refmeta> <refentrytitle> <application>radsecproxy.conf</application> </refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo>radsecproxy 1.6.1-dev</refmiscinfo> + <refmiscinfo>radsecproxy 1.7-dev</refmiscinfo> </refmeta> <refnamediv> <refname> @@ -531,8 +531,10 @@ blocktype name { <literal>secret</literal> is the shared RADIUS key used with this client. If the secret contains whitespace, the value must be quoted. This option is optional for TLS/DTLS and if omitted - will default to "mysecret". Note that the default value of - <literal>secret</literal> will change in an upcoming release. + will default to "radsec". (Note that using a secret other than + "radsec" for TLS is a violation of the standard (RFC 6614) and + that the proposed standard for DTLS stipulates that the secret + must be "radius/dtls".) </para> <para> For a TLS/DTLS client you may also specify the @@ -544,6 +546,15 @@ blocktype name { <literal>default</literal>. If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. + + NOTE: All versions of radsecproxy up to and including 1.6 + erroneously verify client certificate chains using the CA in the + very first matching client block regardless of which block is + used for the final decision. This was changed in version 1.6.1 + so that a client block with a different <literal>tls</literal> + option than the first matching client block is no longer + considered for verification of clients. + </para> <para> For a TLS/DTLS client, the option |
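Review bot: in the `secret` hunk the new default "radsec" is documented as applying to both TLS and DTLS ("This option is optional for TLS/DTLS and if omitted will default to "radsec""), yet the same paragraph says the proposed DTLS standard stipulates "radius/dtls", so a DTLS client block that relies on the default is non-compliant by default. Either make DTLS clients default to "radius/dtls" and document the two defaults separately, or state plainly that DTLS users must set `secret "radius/dtls"` themselves. The old sentence promising that the default "will change in an upcoming release" is removed, so the manual no longer tells anyone upgrading that the default was "mysecret" before and that peers still relying on the old default no longer share a secret with this proxy; keep one sentence saying so. The nested parentheses in "(Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and ..." also read awkwardly; drop the outer pair.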
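Review bot: the NOTE added in the `tls` hunk is ambiguous about what now happens to the other matching blocks. "a client block with a different tls option than the first matching client block is no longer considered for verification of clients" can be read either as "the client is verified only against the CA of the first matching block's `tls` block and blocks with a different `tls` option are skipped entirely" or as "those blocks are tried with their own CA"; say which, because under the first reading a client whose chain only verifies against a later block's CA is now rejected where 1.6 accepted it, and operators with several client blocks need to know that. The security consequence of the pre-1.6.1 behaviour should also be stated directly rather than left implicit: a client could end up being handled by a block whose configured CA never verified its certificate chain. Style: the text is dropped as a bare "NOTE:" line inside the existing <para>, with leading and trailing blank lines that render as stray whitespace; DocBook has a <note> element, so close the paragraph and add <note><para>...</para></note> after it.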