update manpage and changelog

mariux64 · Dec 18, 2020 · 6260cc4 · 6260cc4
1 parent 1f67a68
commit 6260cc4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -5,6 +5,8 @@ unreleased chanes
 	- User configurable cipher-list and ciphersuites
 	- User configurable TLS versions
 	- Config option for DH-file
+	- Add rID and otherName options to certifcateAttributeCheck
+	- Allow multiple matchCertificateAttribute
 
 	Misc:
 	- Move radsecproxy manpage to section 8

diff --git a/radsecproxy.conf.5.in b/radsecproxy.conf.5.in
@@ -413,13 +413,21 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or
 SubjectAltName against the specified hostname or IP address.
 .RE
 
-\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
+\fBmatchCertificateAttribute \fRCN:/\fIregexp\fR/
 .br
-\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
+\fBmatchCertificateAttribute \fRSubjectAltName:DNS:/\fIregexp\fR/
+.br
+\fBmatchCertificateAttribute \fRSubjectAltName:URI:/\fIregexp\fR/
+.br
+\fBmatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
+.br
+\fBmatchCertificateAttribute \fRSubjectAltName:rID:\fIoid\fR
+.br
+\fBmatchCertificateAttribute \fRSubjectAltName:otherName:\fIoid\fR:/\fIregexp\fR/
 .RS
 Perform additional validation of certificate attributes. Currently matching
-of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this 
-option can only be specified once in a client block.
+of CN and SubjectAltName types URI, DNS, IP, rID, and otherName is supported. If specified
+multiple times, all terms must match for the certificate to be considered valid.
 .RE
 
 .BI "DuplicateInterval " seconds