From: Alan T. DeKok Date: Wed, 15 Jan 2025 15:37:50 +0000 (-0500) Subject: use the server TLS configuration, not client. X-Git-Tag: release_3_2_7~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38883c4285c4fa3e9982b84e70ddb6c4af8863c2;p=thirdparty%2Ffreeradius-server.git use the server TLS configuration, not client. the home_server code uses tls_client_conf_parse(), because that controls the settings used by the _client_ to connect to the home server, the client code should then use tls_server_conf_parse(), because theat controls the settings used by the _server_ when a client connects. listen.c also now sets listen->tls = client->tls, so this is the correct behavior. Previously, the client TLS settings were entirely ignored. So it's OK to change (i.e. fix) this behavior
---
diff --git a/raddb/clients.conf b/raddb/clients.conf
index d1512357c4..b1dfe96698 100644
--- a/raddb/clients.conf
+++ b/raddb/clients.conf
@@ -296,6 +296,21 @@ client localhost {
 # idle_timeout = 900
 }
+
+ #
+ # TLS Configuration
+ #
+ # A client can have TLS settings. The settings here are the
+ # settings used by the server when a client connects to it.
+ #
+ # The TLS configuration for RADIUS/TLS clients is the same as
+ # the listener TLS configuration. See sites-available/tls,
+ # and "listen { ... tls { ... } }" for examples of the server
+ # TLS configuration.
+ #
+# tls {
+# ...
+# }
 }
 # IPv6 Client
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 6eab1fec52..f75eda82e2 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -426,6 +426,10 @@ listen {
 #
 # Require a client certificate.
 #
+ # If you set this to "no", then any client can
+ # connect anonymously. This is bad, and is likely
+ # not what you want.
+ #
 require_client_cert = yes
 #
@@ -554,6 +558,10 @@ home_server tls {
 #
 # nonblock = yes
+ #
+ # The TLS settings used by the proxy (i.e. RADIUS client)
+ # when it connects to a home server.
+ #
 tls {
 #
 # Similarly to HTTP, the client can use Server Name
diff --git a/src/main/client.c b/src/main/client.c
index 9e9912a3c6..aad9cf61cf 100644
--- a/src/main/client.c
+++ b/src/main/client.c
@@ -1242,7 +1242,12 @@ done_coa:
 #ifdef WITH_TLS
 if (tls) {
- c->tls = tls_client_conf_parse(tls);
+ /*
+ * Client TLS settings are taken from the
+ * _server_ configuration. See listen.c, where
+ * client->tls is used as listener->tls.
+ */
+ c->tls = tls_server_conf_parse(tls);
 if (!c->tls) goto error;
 }
 #endif
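Review bot: The new comment above `c->tls = tls_server_conf_parse(tls);` explains where the settings come from but not that this is a validation change for existing client definitions: a `tls` section that tls_client_conf_parse() accepted (and whose result was then ignored, per the commit message) may now be rejected if the two parsers do not accept the same keys, and a rejection drops the whole client definition via `goto error`. That is the safer direction for a setting like `require_client_cert`, but it should be stated so an operator seeing a config-load failure after upgrading knows why, e.g. `* A parse failure here rejects the whole client definition; the section is validated with the same rules as a listener's tls section.` The enclosing function (the `done_coa:` label region) starts and ends outside the hunk, so whether the error path logs which client failed cannot be checked from here.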