From 6260cc453b29f133398c6266e4771d090d5cf94e Mon Sep 17 00:00:00 2001 From: Fabian Mauchle Date: Fri, 18 Dec 2020 16:51:37 +0100 Subject: [PATCH] update manpage and changelog --- ChangeLog | 2 ++ radsecproxy.conf.5.in | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 620b6b2..68dc918 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ unreleased chanes - User configurable cipher-list and ciphersuites - User configurable TLS versions - Config option for DH-file + - Add rID and otherName options to certifcateAttributeCheck + - Allow multiple matchCertificateAttribute Misc: - Move radsecproxy manpage to section 8 diff --git a/radsecproxy.conf.5.in b/radsecproxy.conf.5.in index 88e9178..299a991 100644 --- a/radsecproxy.conf.5.in +++ b/radsecproxy.conf.5.in 
@@ -413,13 +413,21 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address. .RE -\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/ +\fBmatchCertificateAttribute \fRCN:/\fIregexp\fR/ .br -\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR +\fBmatchCertificateAttribute \fRSubjectAltName:DNS:/\fIregexp\fR/ +.br +\fBmatchCertificateAttribute \fRSubjectAltName:URI:/\fIregexp\fR/ +.br +\fBmatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR +.br +\fBmatchCertificateAttribute \fRSubjectAltName:rID:\fIoid\fR +.br +\fBmatchCertificateAttribute \fRSubjectAltName:otherName:\fIoid\fR:/\fIregexp\fR/ .RS Perform additional validation of certificate attributes. Currently matching -of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this -option can only be specified once in a client block. +of CN and SubjectAltName types URI, DNS, IP, rID, and otherName is supported. If specified +multiple times, all terms must match for the certificate to be considered valid. .RE .BI "DuplicateInterval " seconds
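Review bot: In the ChangeLog hunk, the first added entry names the option "certifcateAttributeCheck", which is misspelled and does not match the option name used in the next entry and in the manpage, matchCertificateAttribute. Suggest "Add rID and otherName options to matchCertificateAttribute" so that a reader searching the ChangeLog for the configuration keyword finds both entries. The section heading visible in the hunk header, "unreleased chanes", also has a typo that could be fixed in the same commit.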
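Review bot: In the radsecproxy.conf.5.in hunk, the new synopsis lines for SubjectAltName:rID:oid and SubjectAltName:otherName:oid:/regexp/ are added, but the description paragraph only lists the type names and does not say what they mean or how the values are written. Suggest stating that rID is the registeredID SubjectAltName type, which notation the oid is expected in, and what form of the otherName value the regexp is applied to, since an operator cannot write a correct match without that. The sentence "all terms must match" would also benefit from saying explicitly whether two lines of the same type (for example two SubjectAltName:DNS entries) must both be satisfied, because a reader may assume repeated lines act as alternatives and end up with a rule that is stricter or looser than intended.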