the home_server code uses tls_client_conf_parse(), because that
controls the settings used by the _client_ to connect to the home
server,
the client code should then use tls_server_conf_parse(), because
that controls the settings used by the _server_ when a client
connects.
listen.c also now sets listen->tls = client->tls, so this is the
correct behavior.
Previously, the client TLS settings were entirely ignored. So it's
OK to change (i.e. fix) this behavior
#
idle_timeout = 900
}
+
+ #
+ # TLS Configuration
+ #
+ # A client can have TLS settings. The settings here are the
+ # settings used by the server when a client connects to it.
+ #
+ # The TLS configuration for RADIUS/TLS clients is the same as
+ # the listener TLS configuration. See sites-available/tls,
+ # and "listen { ... tls { ... } }" for examples of the server
+ # TLS configuration.
+ #
+# tls {
+# ...
+# }
}
# IPv6 Client
#
# Require a client certificate.
#
+ # If you set this to "no", then any client can
+ # connect anonymously. This is bad, and is likely
+ # not what you want.
+ #
require_client_cert = yes
#
#
# nonblock = yes
+ #
+ # The TLS settings used by the proxy (i.e. RADIUS client)
+ # when it connects to a home server.
+ #
tls {
#
# Similarly to HTTP, the client can use Server Name
#ifdef WITH_TLS
if (tls) {
- c->tls = tls_client_conf_parse(tls);
+ /*
+ * Client TLS settings are taken from the
+ * _server_ configuration. See listen.c, where
+ * client->tls is used as listener->tls.
+ */
+ c->tls = tls_server_conf_parse(tls);
if (!c->tls) goto error;
}
#endif
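Review bot: The unchanged failure path `if (!c->tls) goto error;` now has a different practical meaning: a per-client `tls { }` block that was previously parsed with client-side semantics (and then ignored, per the commit message) is now parsed with server-side semantics, so a pre-existing block may be rejected at startup after this change. Unless tls_server_conf_parse() already names the client section in its own diagnostics, logging which client's `tls` section failed before the `goto error` would make that failure easy to attribute; the enclosing function and the `error:` label lie outside the hunk, so the exact logging helper in use is not visible here. The new comment could also state the complementary rule in one line, `/* Settings for outgoing TLS connections belong to home_server, not client. */`, so a reader does not try to put client-side options here.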