From ecf7685a0cf0071ad54071ba18238d900d8075e0 Mon Sep 17 00:00:00 2001
From: venaas
Date: Fri, 1 Jun 2007 09:56:41 +0000
Subject: completely changed TLS configuration

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@118 e88ac4ed-0b26-0410-9574-a7f39faa03bf
---
 radsecproxy.conf-example | 51 +++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 40 insertions(+), 11 deletions(-)
(limited to 'radsecproxy.conf-example')

diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 7593b7c..029c7e1 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -1,17 +1,8 @@
 #Master config file, must be in /etc/radsecproxy or proxy's current directory
 # All possible config options are listed below
-#
-# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath
-# for TLS to work. We always verify peer certificate (both client and server)
-#TLSCACertificateFile /etc/cacerts/CA.pem
-TLSCACertificatePath /etc/cacerts
-
-# You must specify the below for TLS, we will always present our certificate
-TLSCertificateFile /etc/hostcertkey/host.example.com.pem
-TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
-# Optionally specify password if key is encrypted (not very secure)
-TLSCertificateKeyPassword "follow the white rabbit"
+# First you may define any global options, these are:
+#
 # You can optionally specify addresses and ports to listen on
 # Max one of each, below are just multiple examples
 #ListenUDP *:1814
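Review bot: The new comment `# First you may define any global options, these are:` gives no hint that the removed global TLSCACertificateFile, TLSCACertificatePath, TLSCertificateFile, TLSCertificateKeyFile and TLSCertificateKeyPassword directives were replaced rather than dropped, so an operator upgrading an existing config sees the old names disappear from the example without a pointer to the new syntax. One additional line after it, `# (the former global TLS* options are now set inside a "tls" block, see below)`, would make the migration obvious from the example alone. The hunk also opens the "global options" list with an empty `#` line and then continues straight into the listen options, so the list is implicit; naming the groups (listen, log, tls) in that line would read better.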
@@ -29,6 +20,34 @@ TLSCertificateKeyPassword "follow the white rabbit"
 #LogDestination x-syslog://
 #LogDestination x-syslog://log_local2
+#If we have TLS clients or servers we must define at least one tls block.
+#You can name them whatever you like and then reference them by name when
+#specifying clients or servers later. There are however three special names
+#"default", "defaultclient" and "defaultserver". If no name is defined for
+#a client, the "defaultclient" block will be used if it exists, if not the
+#"default" will be used. For a server, "defaultserver" followed by "default"
+#will be checked.
+#
+#The simplest configuration you can do is:
+tls default {
+ # You must specify at least one of CACertificateFile or CACertificatePath
+ # for TLS to work. We always verify peer certificate (client and server)
+ # CACertificateFile /etc/cacerts/CA.pem
+ CACertificatePath /etc/cacerts
+
+ # You must specify the below for TLS, we always present our certificate
+ CertificateFile /etc/hostcertkey/host.example.com.pem
+ CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
+ # Optionally specify password if key is encrypted (not very secure)
+ CertificateKeyPassword "follow the white rabbit"
+}
+
+#If you want one cert for all clients and another for all servers, use
+#defaultclient and defaultserver instead of default. If we wanted some
+#particular server to use something else you could specify a block
+#"tls myserver" and then reference that for that server. If you always
+#name the tls block in the client/server config you don't need a default
+
 #Now we configure clients, servers and realms. Note that these and
 #also the lines above may be in any order, except that a realm
 #can only be configured to use a server that is previously configured.
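Review bot: The `tls default` block presented as "the simplest configuration" leaves `CertificateKeyPassword "follow the white rabbit"` active, although its own comment calls a passphrase in the config "not very secure" and the optional `CACertificateFile` line in the same block is commented out. An unencrypted key protected by file permissions needs no passphrase at all, so I would ship the line commented out, `# CertificateKeyPassword "follow the white rabbit"`, and extend the comment to say that a passphrase kept here only helps if the config file itself is readable solely by the proxy's user. The explanatory comment describes the defaultclient/defaultserver/default lookup but not what happens when a client or server references a named block (such as `tls myserver`) that is never defined; one sentence stating whether that is rejected at startup would save operators guessing.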
@@ -45,6 +64,11 @@ TLSCertificateKeyPassword "follow the white rabbit"
 client 2001:db8::1 {
 type tls
 secret verysecret
+#we could specify tls here, e.g.
+# tls myclient
+#in order to use tls parameters named myclient. We don't, so we will
+#use "tls defaultclient" if defined, or look for "tls default" as a
+#last resort
 }
 client 127.0.0.1 {
 type udp
@@ -67,6 +91,11 @@ server 2001:db8::1 {
 type TLS
 port 2283
 # secret is optional for TLS
+#we could specify tls here, e.g.
+# tls myserver
+#in order to use tls parameters named myserver. We don't, so we will
+#use "tls defaultserver" if defined, or look for "tls default" as a
+#last resort
 }
 server radius.example.com {
 type tls
-- 
cgit v1.1
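Review bot: The comment added inside `client 2001:db8::1 { ... }` calls "tls default" a "last resort", but this example defines no `tls defaultclient`, so "tls default" from the top of the file is in fact the block this client uses; saying so directly, `#We don't, so this client uses the "tls default" block above (a "tls defaultclient" block would take precedence if defined)`, tells the reader which certificate and CA path actually apply. The same wording issue is in the identical comment in the `server 2001:db8::1` hunk below, with "tls defaultserver" in place of "tls defaultclient". In both hunks the example directive `# tls myclient` / `# tls myserver` sits at column 0 inside the block while the `tls default` block's directives are indented (the rendering here collapses whitespace, so the exact indent is uncertain); matching the block indent would let the line be uncommented as-is.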