status_check = none
tls {
+ #
+ # Similarly to HTTP, the client can use Server Name
+ # Indication to inform the RadSec server of which
+ # domain it is requesting. This selection allows
+ # multiple sites to exist at the same IP address.
+ #
+ # For example, and identity provider could host
+ # multiple sites, but present itself with one public
+ # IP address.
+ #
+ # SNI also permits the use of a load balancer such as
+ # haproxy. That load balancer can terminate the TLS
+ # connection, and then use SNI to route the
+ # underlying RADIUS TCP traffic to a particular host.
+ #
+ # hostname = "example.com"
+
private_key_password = whatever
private_key_file = ${certdir}/client.pem
char const *realm_dir;
fr_hash_table_t *realms;
+
+ char const *client_hostname;
};
#ifdef __cplusplus
#endif
},
+ { "hostname", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, client_hostname), NULL },
+
CONF_PARSER_TERMINATOR
};
SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock);
sock->ssn->quick_session_tickets = true; /* we don't have inner-tunnel authentication */
+ /*
+ * Set SNI, if configured.
+ *
+ * The OpenSSL API says the filename is "char
+ * const *", but some versions have it as "void
+ * *", without the "const". So we un-const it
+ * here through various C magic.
+ */
+ if (listener->tls->client_hostname) {
+ (void) SSL_set_tlsext_host_name(sock->ssn->ssl, (void *) (uintptr_t) listener->tls->client_hostname);
+ }
+
doing_init = true;
}
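Review bot: The return value of SSL_set_tlsext_host_name() is discarded by the `(void)` call in the new block, so a hostname OpenSSL rejects (it refuses names longer than 255 bytes, for instance) silently produces a handshake with no SNI at all; change it to `if (SSL_set_tlsext_host_name(sock->ssn->ssl, (void *) (uintptr_t) listener->tls->client_hostname) != 1)` and report the failure through the file's usual error logging before carrying on. Setting SNI also does not make OpenSSL check the peer certificate against that name — that requires `SSL_set1_host()` (OpenSSL 1.1.0+) or X509_VERIFY_PARAM_set1_host() — so either add that call next to it or say in the block comment that `hostname` only changes what is advertised, not what is verified. The surrounding lines (the talloc ex-data, `quick_session_tickets = true` for lack of inner-tunnel authentication, `doing_init`) read like the accept-side socket initialisation; if that is what this function is, the extension is never sent from a server-side SSL object and the call belongs where the outbound client session is created instead — worth confirming against the rest of the file. Minor: the comment's "filename" in the `char const *` remark should read "hostname". The enclosing function begins and ends outside this hunk.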