Sync up code with docs
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 8 Oct 2021 21:57:50 +0000 (16:57 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 8 Oct 2021 22:10:56 +0000 (17:10 -0500)
raddb/mods-available/eap
src/lib/tls/conf-h
src/lib/tls/conf.c
src/lib/tls/verify.c

index 298ef89d4ac41ca9c5a9ba6c23367e1dd9ac7c96..62c08244bcce298a874197b933e7864006414e57 100644 (file)
@@ -569,9 +569,36 @@ eap {
                #
                ecdh_curve = prime256v1
 
+               #
+               #  verify:: Parameters for controlling client cert chain
+               #  verification.
+               #
+               #  Certificate verification is performed in two phases.
+               #  The first is handled by the SSL library which checks
+               #  whether a trusted chain of certificates can be built
+               #  between the certificates loaded from `ca_file` or
+               #  found in `ca_path`.
+               #
+               #  The second (optional) phase is performed using the
+               #  `verify * { ... }` sections of the tls
+               #  `virtual_server`.
+               #
                verify {
                        #
-                       #  mode:: Which client certificates should be verified
+                       #  mode:: Which certificates in the verification chain
+                       #  should be checked.
+                       #
+                       #  Certificate verification is performed in two phases.
+                       #  The first is handled by the SSL library which checks
+                       #  whether a trusted chain of certificates can be built
+                       #  between the certificates loaded from `ca_file` or
+                       #  found in `ca_path`.
+                       #
+                       #  The SSL library also checks that the the correct usage
+                       #  OIDs are present in the presented client certificate
+                       #  and that none of the certificates have expired.
+                       #
+
                        #
                        #  [options="header,autowidth"]
                        #  |===
@@ -599,15 +626,6 @@ eap {
                        #  It is recommended to leave mode as `all` except
                        #  when debugging, or in an emergency situation.
                        #
-                       #  [NOTE]
-                       #  ====
-                       #  This verification is only applied during a full
-                       #  handshake, and with stateful session resumption.
-                       #  Verification for stateless session resumption
-                       #  should be performed using the `verify [*] { ... }`
-                       #  section(s) of the specified `virtual_server`.
-                       #  ====
-                       #
 #                      mode = all
 
                        #
@@ -642,8 +660,8 @@ eap {
                        #  | `client-and-issuer`
                        #  | Create attributes for the client certificate
                        #    and its issuer.
-                       #  | `client`
                        #
+                       #  | `client`
                        #  | Only create attributes for the client
                        #    certificate.
                        #  |===
@@ -660,7 +678,7 @@ eap {
                        #  stateless session-resumption.
                        #  ====
                        #
-#                      attribute_mode = client-and-issuer
+#                      attribute_mode = untrusted
 
                        #
                        #  check_crl:: Check the Certificate Revocation List.
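Review bot: The `mode::` description added inside the `verify { ... }` block has a doubled word, `the the correct usage OIDs`, and its opening paragraph repeats word for word the two-phase explanation added just above the block, so one copy could be dropped or replaced by a one-line back-reference. The bare added line between the closing `#` of that paragraph and the `#` that opens the options table leaves a blank line splitting what reads as a single comment block. The commented default changes from `attribute_mode = client-and-issuer` to `attribute_mode = untrusted`; the conf.c hunk in this commit does not show the `.dflt` for the `attribute_mode` entry, so it is worth confirming the documented and compiled defaults agree.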
index b3a78bd2e15fa28dd55f4e64626e11095ae8bd4d..a1176c2c6be1783739af16b82de798330e334336 100644 (file)
@@ -117,7 +117,7 @@ typedef struct {
        fr_tls_verify_mode_t mode;                      //!< What certificates we apply OpenSSL's pre-validation
                                                        ///< mode to.
 
-       fr_tls_verify_mode_t pair_mode;                 //!< What set of certificates we're going to convert to
+       fr_tls_verify_mode_t attribute_mode;                    //!< What set of certificates we're going to convert to
                                                        ///< pairs for verification.
 
        bool            check_crl;                      //!< Check certificate revocation lists.
index 0fae16940ee2d65ea5f575c32e41f5d0d947ad82..868b42f44c7db38aeb046bc275fad5005ca5bac8 100644 (file)
@@ -137,7 +137,7 @@ static CONF_PARSER tls_verify_config[] = {
                                .len = &verify_mode_table_len
                         },
                         .dflt = "all" },
-       { FR_CONF_OFFSET("pair_mode", FR_TYPE_VOID, fr_tls_verify_conf_t, pair_mode),
+       { FR_CONF_OFFSET("attribute_mode", FR_TYPE_VOID, fr_tls_verify_conf_t, attribute_mode),
                         .func = cf_table_parse_int,
                         .uctx = &(cf_table_parse_ctx_t){
                                .table = verify_mode_table,
index bc93b5b78d81248150419a5e749471109104ba58..5e47e3b2c97e9ebb31ea62aae53662f9d4e45d35 100644 (file)
@@ -209,7 +209,7 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
                }
        }
 
-       if (verify_applies(conf->verify.pair_mode, depth, untrusted) &&
+       if (verify_applies(conf->verify.attribute_mode, depth, untrusted) &&
            (!(container = fr_pair_find_by_da(&request->session_state_pairs, attr_tls_certificate, depth)) ||
             fr_pair_list_empty(&container->vp_group))) {
                if (!container) {
@@ -261,7 +261,7 @@ done:
         *      and we're meant to verify this cert
         *      then call the virtual server.
         */
-       if (my_ok && verify_applies(conf->verify.pair_mode, depth, untrusted)) {
+       if (my_ok && verify_applies(conf->verify.attribute_mode, depth, untrusted)) {
                if (conf->virtual_server && tls_session->verify_client_cert) {
                        RDEBUG2("Requesting certificate validation");