Commit d31e6fdb authored by venaas, committed by venaas

added policyOID option in trunk docs, fixed typo in several docs

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@429 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent ecc6d5a0
......@@ -5,7 +5,7 @@
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
.TH "radsecproxy.conf " 5 2008-10-06 "radsecproxy devel 2008-10-06" ""
.TH "radsecproxy.conf " 5 2008-10-16 "radsecproxy devel 2008-10-16" ""
.SH NAME
radsecproxy.conf
\- Radsec proxy configuration file
......@@ -184,7 +184,7 @@ It can both be used as a basic option and inside blocks. For the full
description, see the configuration syntax section above.
.SH BLOCKS
There are five types of blocks, they are \*(T<client\*(T>,
\*(T<server\*(T>, \*(T<realm\*(T>, \*(T<Btls\*(T>
\*(T<server\*(T>, \*(T<realm\*(T>, \*(T<tls\*(T>
and \*(T<rewrite\*(T>. At least one instance of each of
\*(T<client\*(T> and \*(T<realm\*(T> is required. This is
necessary for the proxy to do anything useful, and it will exit if not. The
......@@ -444,8 +444,9 @@ default, even \*(T<defaultServer\*(T> if you really want to.
The available TLS block options are \*(T<CACertificateFile\*(T>,
\*(T<CACertificatePath\*(T>, \*(T<certificateFile\*(T>,
\*(T<certificateKeyFile\*(T>,
\*(T<certificateKeyPassword\*(T>, \*(T<cacheExpiry\*(T>
and \*(T<CRLCheck\*(T>. When doing RADIUS over TLS/DTLS, both the
\*(T<certificateKeyPassword\*(T>, \*(T<cacheExpiry\*(T>,
\*(T<CRLCheck\*(T> and \*(T<policyOID\*(T>.
When doing RADIUS over TLS/DTLS, both the
client and the server present certificates, and they are both verified by
the peer. Hence you must always specify \*(T<certificateFile\*(T>
and \*(T<certificateKeyFile\*(T> options, as well as
......@@ -457,7 +458,9 @@ certificates to a peer, you also always need to specify
Note that you may specify both, in which case the certificates in
\*(T<CACertificateFile\*(T> are checked first. By default CRLs are
not checked. This can be changed by setting \*(T<CRLCheck\*(T> to
\*(T<on\*(T>.
\*(T<on\*(T>. One can require peer certificates to adhere to certain
policies by specifying one or multiple policyOIDs using one or multiple
\*(T<policyOID\*(T> options.
.PP
CA certificates and CRLs are normally cached permanently. That is, once a CA
or CRL has been read, the proxy will never attempt to re-read it. CRLs may
......
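Review bot: the sentence added after the CRLCheck text ("One can require peer certificates to adhere to certain policies ...") does not say how several policyOID options combine. State whether a peer certificate has to carry every listed policy or only one of them, since that decides whether adding a second OID tightens or loosens which peers are accepted, and show the expected form of the value with a sample OID.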
......@@ -2,14 +2,14 @@
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
<date>2008-10-06</date>
<date>2008-10-16</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>radsecproxy devel 2008-10-06</refmiscinfo>
<refmiscinfo>radsecproxy devel 2008-10-16</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
......@@ -283,7 +283,7 @@ description, see the configuration syntax section above.
<title>Blocks</title>
<para>
There are five types of blocks, they are <literal>client</literal>,
<literal>server</literal>, <literal>realm</literal>, <literal>Btls</literal>
<literal>server</literal>, <literal>realm</literal>, <literal>tls</literal>
and <literal>rewrite</literal>. At least one instance of each of
<literal>client</literal> and <literal>realm</literal> is required. This is
necessary for the proxy to do anything useful, and it will exit if not. The
......@@ -594,8 +594,9 @@ default, even <literal>defaultServer</literal> if you really want to.
The available TLS block options are <literal>CACertificateFile</literal>,
<literal>CACertificatePath</literal>, <literal>certificateFile</literal>,
<literal>certificateKeyFile</literal>,
<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>
and <literal>CRLCheck</literal>. When doing RADIUS over TLS/DTLS, both the
<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>,
<literal>CRLCheck</literal> and <literal>policyOID</literal>.
When doing RADIUS over TLS/DTLS, both the
client and the server present certificates, and they are both verified by
the peer. Hence you must always specify <literal>certificateFile</literal>
and <literal>certificateKeyFile</literal> options, as well as
......@@ -607,7 +608,9 @@ certificates to a peer, you also always need to specify
Note that you may specify both, in which case the certificates in
<literal>CACertificateFile</literal> are checked first. By default CRLs are
not checked. This can be changed by setting <literal>CRLCheck</literal> to
<literal>on</literal>.
<literal>on</literal>. One can require peer certificates to adhere to certain
policies by specifying one or multiple policyOIDs using one or multiple
<literal>policyOID</literal> options.
</para>
<para>
CA certificates and CRLs are normally cached permanently. That is, once a CA
......
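Review bot: the new policyOID sentence at the end of this paragraph gives no default, while the sentence just before it spells one out ("By default CRLs are not checked"). Add what the proxy does with peer certificates when no policyOID option is present. The running text also uses the plain plural "policyOIDs" next to the marked-up option name; "by specifying one or more <literal>policyOID</literal> options" would say the same thing with less repetition.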