warn if they're using a secret other than 'radsec' for TLS.
authorAlan T. DeKok <aland@freeradius.org>
Sat, 28 Feb 2026 13:45:59 +0000 (08:45 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Sat, 28 Feb 2026 13:45:59 +0000 (08:45 -0500)
@todo - also when we do DTLS, the secret should be different.
And when ALPN is used, we don't have a secret

src/lib/server/client.c

index 952adce70d9d4c95a228b505b3427da79bedc2f2..bd447c94d2ac9ebd4dfedd293a68d3c93d9ab32e 100644 (file)
@@ -904,7 +904,14 @@ fr_client_t *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, CONF_SECTION *se
         *      "radsec".  See RFC 6614.
         */
        if (c->tls_required) {
-               c->secret = talloc_typed_strdup(cs, "radsec");
+               if (c->secret) {
+                       if (strcmp(c->secret, "radsec") != 0) {
+                               cf_log_warn(cs, "'secret' is not 'radsec' for TLS");
+                               cf_log_warn(cs, "Packets may not be processed correctly!");
+                       }
+               } else {
+                       c->secret = talloc_typed_strdup(cs, "radsec");
+               }
        }
 #endif
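Review bot: The `if (c->secret)` branch changes behaviour as well as adding a warning: a TLS client with any other `secret` used to be forced to "radsec" and is now left on the configured value, and neither log line tells the operator which value is in effect. RFC 6614 fixes the RADIUS/TLS shared secret to "radsec", so a stale `secret` left in an existing client entry would presumably stop interoperating with compliant peers after this change instead of being silently corrected. I would fold the two calls into one message that states the outcome, e.g. `cf_log_warn(cs, "'secret' is not 'radsec' for TLS - using the configured value, RFC 6614 peers expect 'radsec'");`. The comment ending in `"radsec".  See RFC 6614.` starts above the hunk, and client_afrom_cs starts and ends outside it, so check that the comment no longer says the secret is always set to "radsec".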