From 89a2b2c1e657c2b9c20f4a0a5d8c48e89096ba3c Mon Sep 17 00:00:00 2001 From: venaas Date: Fri, 21 Sep 2007 14:03:20 +0000 Subject: man page in synch with 1.0 for now git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@169 e88ac4ed-0b26-0410-9574-a7f39faa03bf --- radsecproxy.conf.5 | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5 index b19ebb3..8d7e246 100644 --- a/radsecproxy.conf.5 +++ b/radsecproxy.conf.5 @@ -130,11 +130,10 @@ dependency on DNS after startup. When some client later sends a request to the proxy, the proxy will look at the IP address the request comes from, and then go through all the addresses of each of the configured clients, to determine which (if any) of the clients this is. In the case of TLS, the name of the client must -match the FQDN or IP address in the client certificate. Note that at the time of -writing it must match the certificate CN. This will be extended to check -subjectAltName if present. +match the FQDN or IP address in the client certificate. .sp -The allowed options in a client block are \fBtype\fR, \fBsecret\fR and \fBtls\fR. +The allowed options in a client block are \fBtype\fR, \fBsecret\fR, \fBtls\fR +and \fBmatchcertificateattribute\fR. The value of \fBtype\fR must be either \fBudp\fR or \fBtls\fR. The value of \fBsecret\fR is the shared RADIUS key used with this client. If the secret contains whitespace, the value must be quoted. This option is optional for TLS. 
@@ -143,7 +142,11 @@ be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name \fBdefaultclient\fR will be used if defined. If not defined, it will try to use the TLS block named \fBdefault\fR. If the specified TLS block name does not exist, or the option is not specified and none of the -defaults exist, the proxy will exit with an error. +defaults exist, the proxy will exit with an error. The matchcertificateattribute +is optional and can be used to require that certain certificate attributes have +certain values. Currently the allowed values are of the form +SubjectAltName:URI:/regexp/ which can be used to specify that SubjectAltName +URIs in the certificate match the specified regexp. .sp .SH "SERVER BLOCK" @@ -157,12 +160,12 @@ Hence there is no dependency on DNS after startup. If the domain name resolves to multiple addresses, then for UDP the first address is used. For TLS, the proxy will loop through the addresses until it can connect to one of them. In the case of TLS, the name of the server must match the FQDN or IP address in the server -certificate. Note that at the time of writing it must match the certificate CN. -This will be extended to check subjectAltName if present. +certificate. .sp The allowed options in a server block are \fBtype\fR, \fBsecret\fR, \fBtls\fR, -\fBport\fR and \fBstatusServer\fR. The values of \fBtype\fR, \fBsecret\fR and -\fBtls\fR are just as specified for the \fIclient block\fR above, except that +\fBport\fR, \fBstatusServer\fR and \fBmatchcertificateattribute\fR. The values +of \fBtype\fR, \fBsecret\fR, \fBtls\fR and \fBmatchcertificateattribute\fR are +just as specified for the \fIclient block\fR above, except that \fBdefaultserve\fRr (and not \fBdefaultclient\fR) is used as a fallback if the \fBtls\fR option is not used. .sp -- cgit v1.1
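Review bot: In the first hunk (@@ -130,11 +130,10 @@), dropping the sentence "Note that at the time of writing it must match the certificate CN. This will be extended to check subjectAltName if present." leaves the remaining text ("must match the FQDN or IP address in the client certificate") saying nothing about which certificate field is compared. A reader configuring a client now cannot tell whether the name is matched against the subject CN, the subjectAltName dNSName/iPAddress entries, or both, and in which order. Suggest replacing the deleted sentence with one that states the actual matching rule implemented in 1.0, e.g. "The name is matched against the subjectAltName DNS and IP entries if present, otherwise against the CN" (adjusted to whatever the code does), since this is the check an operator relies on to keep an unrelated certificate from the same CA from being accepted as this client.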
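Review bot: In the second hunk (@@ -143,7 +142,11 @@), the new matchcertificateattribute text is under-specified on exactly the points that decide whether the check is safe: it says only that "SubjectAltName URIs in the certificate match the specified regexp". It should state (a) whether the regexp has to match any one URI or every URI in the certificate, (b) whether the match is anchored or a substring match, so that an operator knows to write ^...$ if substring matching is used, (c) which regexp dialect is accepted and how a / inside the pattern is escaped, and (d) what happens when the certificate carries no SubjectAltName URI at all, i.e. whether the client is then rejected (fail closed) or the option is silently ignored. Two smaller points in the same lines: "The matchcertificateattribute is optional" should use the \fBmatchcertificateattribute\fR markup like the other option names in this block, and the spelling "SubjectAltName" here differs from "subjectAltName" used elsewhere in the page; pick one.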
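Review bot: In the third hunk (@@ -157,12 +160,12 @@), the same documentation gap as in the client block is introduced: after deleting "Note that at the time of writing it must match the certificate CN. This will be extended to check subjectAltName if present." the server text no longer says which certificate field the server name is matched against, and it should, since this is the check that protects against a forwarded request being sent to a server presenting some other certificate from the same CA. While this paragraph is being edited, the pre-existing typo in the context line "\fBdefaultserve\fRr" should be fixed to "\fBdefaultserver\fR"; as written it renders "defaultserve" in bold followed by a plain "r".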