update manpage and changelog
Fabian Mauchle committed Jun 4, 2019
1 parent 0784703 commit 49f291a
Showing 2 changed files with 10 additions and 8 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,7 @@ changes since 1.7.2
New features:
- Autodetect status-server capability of servers
- Minimalistic status-server
- Explicit SubjectAltName:DNS match on certificates

Misc:
- No longer require docbook2x tools, but include plain manpages
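
Review bot: The new ChangeLog entry "Explicit SubjectAltName:DNS match on certificates" does not name the option it belongs to. The man page part of this commit adds SubjectAltName:DNS to MatchCertificateAttribute, so wording such as "MatchCertificateAttribute now accepts SubjectAltName:DNS" would let operators find the setting from the changelog alone.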
17 changes: 9 additions & 8 deletions radsecproxy.conf.5
Expand Up @@ -348,10 +348,11 @@ of the configured clients (in the order they are defined), to determine which
this might mask clients defined later, which then will never be matched.

In the case of TLS/DTLS, the name of the client must match the FQDN or IP
address in the client certificate. Note that this is not required when the
client name is an IP prefix. If overlapping clients are defined (see section
above), they will be searched for matching \fBMatchCertificateAttribute\fR, but
they must reference the same tls block.
address in the client certificate (CN or SubectAltName:DNS or SubjectAltName:IP
respectively). Note that this is not required when the client name is an IP
prefix. If overlapping clients are defined (see section above), they will be
searched for matching \fBMatchCertificateAttribute\fR, but they must reference
the same tls block.

The allowed options in a client block are:

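Review bot: Typo in the added sentence of the client name paragraph: "SubectAltName:DNS" should be "SubjectAltName:DNS". The parenthetical "(CN or SubectAltName:DNS or SubjectAltName:IP respectively)" is also hard to map back onto "FQDN or IP address". If the intent is that an FQDN is checked against CN or SubjectAltName:DNS and an IP address against SubjectAltName:IP, please spell that out so readers do not have to guess which certificate field is compared for which kind of client name.
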
Expand Down Expand Up @@ -410,11 +411,11 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or
SubjectAltName against the specified hostname or IP address.
.RE

\fBMatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB) :\fR/\fIregexp\fR/\fB )\fR
\fBMatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR
.RS
Perform additional validation of certificate attributes. Currently only matching
of CN and SubjectAltName type URI is supported. Note that currently this option
can only be specified once in a client block.
of CN and SubjectAltName type URI and DNS is supported. Note that currently this
option can only be specified once in a client block.
.RE

.BI "DuplicateInterval " seconds
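
Review bot: The updated MatchCertificateAttribute description adds SubjectAltName:DNS but does not say how the regexp is applied: whether it must match the whole value or any substring, and whether a single matching entry is enough when a certificate carries several SubjectAltName:DNS entries. This option feeds an access decision, so please document both points, and if substring matches are possible, advise anchoring the expression. Minor wording: "of CN and SubjectAltName type URI and DNS is supported" would read more clearly as "of CN and of SubjectAltName types URI and DNS is supported".
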
Expand Down Expand Up @@ -606,7 +607,7 @@ block. The details are not repeated here. Please refer to the definitions in the
.br
.BR "CertificateNameCheck (" on | off )
.br
\fBmatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB) :\fR/\fIregexp\fR/\fB )\fR
\fBmatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR
.br
.BR "AddTTL " 1-255
.br
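
Review bot: The synopsis line changed in this block spells the option "matchCertificateAttribute" with a lower-case m, while the client block earlier in the same file uses "MatchCertificateAttribute". Since the line is being edited anyway, align the capitalization so a search through the man page finds both occurrences.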