From: Nick Porter Date: Thu, 5 Jun 2025 08:53:59 +0000 (+0100) Subject: Add rlm_crl docs from sample config X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3ab4a5586f9cdae6b36d27c8083dcc69b01cfaa;p=thirdparty%2Ffreeradius-server.git Add rlm_crl docs from sample config --- diff --git a/doc/antora/modules/reference/nav.adoc b/doc/antora/modules/reference/nav.adoc index 33bb0227d5c..3e9a71c45e4 100644 --- a/doc/antora/modules/reference/nav.adoc +++ b/doc/antora/modules/reference/nav.adoc @@ -161,6 +161,7 @@ *** xref:raddb/mods-available/doc/authentication.adoc[Authentication] **** xref:raddb/mods-available/chap.adoc[CHAP module] +**** xref:raddb/mods-available/crl.adoc[CRL] **** xref:raddb/mods-available/digest.adoc[Digest] **** xref:raddb/mods-available/eap.adoc[EAP] **** xref:raddb/mods-available/eap_inner.adoc[EAP/Inner] diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc new file mode 100644 index 00000000000..c2683668eab --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc 
@@ -0,0 +1,96 @@ + + + + += CRL Module + +The `crl` module provides CRL checking of TLS certificates. + +Its primary use case is within the `verify certificate` processing +section of the `tls-session` virtual server when verifying client +certificates during EAP-TLS. + + + +## Configuration Settings + + +source:: Where CRLs will be loaded from + + +dynamic:: Expansions for CRLs loaded dynamically from URIs in certificates + +The CRL distribution point URI will be in the +attribute `CRL.CDP-URL` when this expansion is performed. + + +http:: Expansion to use when URI scheme is http + +The `rest` module must be enabled to support this + + + +ldap:: Expansion to use when URI scheme is ldap + +If any CRLs need to be retrieved by LDAP queries +then configure and enable the `ldap` module to +support this. + +If the URIs in CRL distribution points do not include +an LDAP host (i.e. they start ldap:///) then the +ldap module must be configured with the correct +server details to fetch the CRL from + + + +force_expiry:: Maximum time between expiring CRLs + +If the `nextUpdate` attribute of a CRL is closer than this interval +then that will be used as the point that the CRL is expired. + + + +force_delta_expiry:: Maximum time between expiring delta CRLs + +This overrides `force_expiry` for delta CRLs. 
+ + + +early_refresh:: Time before `nextUpdate` which the CRL will be refreshed + + + +ca_file:: File containing trusted CA, used to sign CRLs + +This can reference the setting in the `eap` module, but in that +case, the eap module must be instantiate before the `crl` module +by adding it to the list of explicitly instantiated modules +in `radiusd.conf` + + + +ca_path:: Directory containing trusted CAs, used to sign CRLs + + +== Default Configuration + +``` +crl { + source { + dynamic { + http = %rest('GET', "%uri.safe(%{CRL.CDP-URL})") +# ldap = %ldap(%ldap.uri.safe("%{CRL.CDP-URL}")) + } + } +# force_expiry = 7d +# force_delta_expiry = 1d + early_refresh = 1h +# ca_file = ${modules.eap.tls-config[tls-common].ca_file} + ca_file = ${cadir}/rsa/ca.pem +# ca_path = ${modules.eap.tls-config[tls-common].ca_path} + ca_path = ${cadir} +} +``` + +// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. +// This documentation was developed by Network RADIUS SAS.
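Review bot: the nav label added here (`xref:raddb/mods-available/crl.adoc[CRL]`) does not match the page title in the new file (`= CRL Module`), and the neighbouring `[CHAP module]` entry shows the longer form; suggest `[CRL module]` so the sidebar entry and the page heading agree.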
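Review bot: the `http::` entry says the expansion is used "when URI scheme is http" but does not say what happens to `https` distribution point URIs, and nowhere does the page state explicitly that a CRL fetched from a `CRL.CDP-URL` taken out of the presented certificate is checked against `ca_file`/`ca_path` before it is trusted; the `ca_file::` text ("trusted CA, used to sign CRLs") only implies it, so spell out both points, e.g. "CRLs retrieved via `http` or `ldap` are only used if their signature verifies against `ca_file`/`ca_path`". Related documentation gaps in the same hunk: the default `http = %rest(...)` line is active while the prose says "The `rest` module must be enabled to support this", so say whether a default install has `rest` enabled or comment the line out like `ldap`; `${cadir}` is used in `ca_file = ${cadir}/rsa/ca.pem` and `ca_path = ${cadir}` but is not defined or referenced in this file, so say where it comes from; and the `early_refresh`, `force_expiry` and `nextUpdate` interaction is spread over three entries without saying which wins when `early_refresh` lands after the forced expiry. Style and typos: `## Configuration Settings` is a Markdown-style heading in a file that otherwise uses `= CRL Module` and `== Default Configuration`, so use `== Configuration Settings`; "the eap module must be instantiate before" should read "instantiated"; "Time before `nextUpdate` which the CRL will be refreshed" should read "at which"; "i.e. they start ldap:///" should read "i.e. they start with `ldap:///`"; and the `http::`, `ldap::` and `ca_file::` paragraphs end without a full stop.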