Commit ecf7685a authored by venaas's avatar venaas Committed by venaas

completely changed TLS configuration

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@118 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent 305e2f3e
#Master config file, must be in /etc/radsecproxy or proxy's current directory
# All possible config options are listed below
#
# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath
# for TLS to work. We always verify peer certificate (both client and server)
#TLSCACertificateFile /etc/cacerts/CA.pem
TLSCACertificatePath /etc/cacerts
# You must specify the below for TLS, we will always present our certificate
TLSCertificateFile /etc/hostcertkey/host.example.com.pem
TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
TLSCertificateKeyPassword "follow the white rabbit"
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Max one of each, below are just multiple examples
#ListenUDP *:1814
......@@ -29,6 +20,34 @@ TLSCertificateKeyPassword "follow the white rabbit"
#LogDestination x-syslog://
#LogDestination x-syslog://log_local2
#If we have TLS clients or servers we must define at least one tls block.
#You can name them whatever you like and then reference them by name when
#specifying clients or servers later. There are however three special names
#"default", "defaultclient" and "defaultserver". If no name is defined for
#a client, the "defaultclient" block will be used if it exists, if not the
#"default" will be used. For a server, "defaultserver" followed by "default"
#will be checked.
#
#The simplest configuration you can do is:
tls default {
# You must specify at least one of CACertificateFile or CACertificatePath
# for TLS to work. We always verify peer certificate (client and server)
# CACertificateFile /etc/cacerts/CA.pem
CACertificatePath /etc/cacerts
# You must specify the below for TLS, we always present our certificate
CertificateFile /etc/hostcertkey/host.example.com.pem
CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
CertificateKeyPassword "follow the white rabbit"
}
#If you want one cert for all clients and another for all servers, use
#defaultclient and defaultserver instead of default. If we wanted some
#particular server to use something else you could specify a block
#"tls myserver" and then reference that for that server. If you always
#name the tls block in the client/server config you don't need a default
#Now we configure clients, servers and realms. Note that these and
#also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured.
......@@ -45,6 +64,11 @@ TLSCertificateKeyPassword "follow the white rabbit"
client 2001:db8::1 {
type tls
secret verysecret
#we could specify tls here, e.g.
# tls myclient
#in order to use tls parameters named myclient. We don't, so we will
#use "tls defaultclient" if defined, or look for "tls default" as a
#last resort
}
client 127.0.0.1 {
type udp
......@@ -67,6 +91,11 @@ server 2001:db8::1 {
type TLS
port 2283
# secret is optional for TLS
#we could specify tls here, e.g.
# tls myserver
#in order to use tls parameters named myserver. We don't, so we will
#use "tls defaultserver" if defined, or look for "tls default" as a
#last resort
}
server radius.example.com {
type tls
......
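Review bot: The `tls default { ... }` block added in the hunk at @@ -29,6 +20,34 @@ keeps the private-key passphrase as `CertificateKeyPassword "follow the white rabbit"` with only the remark "(not very secure)", which does not tell an operator what the exposure is or how to limit it. Since the value is stored in cleartext in the master config, the comment should say so and name the mitigation, e.g. `# Optionally specify password if key is encrypted. It is stored in cleartext` / `# here, so make this file readable only by the user the proxy runs as.`. The same wording would help the `CertificateKeyPassword` line in any `tls defaultclient`/`tls defaultserver` block the text invites users to write. The comment "We always verify peer certificate" is presumably backed by the C changes, which are not in this section, so that claim cannot be checked here.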
......@@ -44,11 +44,6 @@
#define CONF_CBK 2
struct options {
char *tlscacertificatefile;
char *tlscacertificatepath;
char *tlscertificatefile;
char *tlscertificatekeyfile;
char *tlscertificatekeypassword;
char *listenudp;
char *listentcp;
char *logdestination;
......@@ -87,6 +82,7 @@ struct peer {
char *port;
char *secret;
SSL *ssl;
SSL_CTX *ssl_ctx;
struct addrinfo *addrinfo;
};
......@@ -117,6 +113,12 @@ struct realm {
struct server *server;
};
struct tls {
char *name;
SSL_CTX *ctx;
int count;
};
#define RADLEN(x) ntohs(((uint16_t *)(x))[1])
#define ATTRTYPE(x) ((x)[0])
......
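Review bot: `struct tls` in the hunk at @@ -117,6 +113,12 @@ introduces `int count;` without saying what it counts, and `struct peer` gains `SSL_CTX *ssl_ctx;` in the hunk at @@ -87,6 +82,7 @@ without stating who owns and frees that context; presumably a peer's `ssl_ctx` aliases the `ctx` of the `struct tls` its config names and `count` tracks those references, but none of these hunks confirm it. Suggest documenting the contract on the fields, e.g. `SSL_CTX *ctx; /* owned by this tls block; peers only borrow it */` and `int count; /* number of peers referencing this block (confirm against conf parsing) */`, and on `struct peer`, `SSL_CTX *ssl_ctx; /* borrowed from a struct tls, not freed with the peer */`, with the ownership direction verified before the comments are committed. The start of `struct peer` lies outside the hunk, and `struct options` continues past the end of its hunk.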