update Changelog, conf-example, and manpage

update version info for 1.7.1

ChangeLog

@@ -1,4 +1,4 @@
-Changes between 1.6.9 and the master branch
+2018-05-03 1.7.1
 
 	License and copyright changes:
 	- Copyright SWITCH
@@ -11,17 +11,19 @@ Changes between 1.6.9 and the master branch
 	- Make use of SO_KEEPALIVE for tcp sockets (RADSECPROXY-12).
 	- Optionally include the thread-id in log messages
 	- Allow hashing MAC addresses in the log (same as for F-Ticks)
+	- Log certificate subject if rejected
+	- Log own responses (RADSECPROXY-61)
+	- Allow f-ticks prefix to be configured
 	- radsecproxy-hash: allow MAC addresses to be passed on command line
 
 	Misc:
 	- libnettle is now an unconditional dependency.
 	- FTicks support is now on by default and not optional.
-	- Experimental code for dynamic discovery has been removed. Be
-	aware that use of the DynamicLookupCommand configuration option
-	still enables code known to be buggy.
+	- Experimental code for dynamic discovery has been removed.
 	- Replace several server status bits with a single state enum.
 	(RADSECPROXY-71)
 	- Use poll instead of select to allow > 1000 concurrent connections.
+	- Implement locking for all SSL objects (openssl states it is not thread-safe)
 	- Rework DTLS code.
 
 	Bug fixes:
@@ -33,6 +35,7 @@ Changes between 1.6.9 and the master branch
 	(RADSECPROXY-69).
 	- Fix refcounting in error cases when loading configuration (RADSECPROXY-42)
 	- Fix potential crash when rewriting malformed vendor attributes.
+	- Properly cleanup expired requests from server output-queue.
 
 2017-08-02 1.6.9
 		Misc:

configure.ac

@@ -2,7 +2,7 @@ dnl Copyright (c) 2006-2010, UNINETT AS
 dnl Copyright (c) 2010-2013,2016, NORDUnet A/S
 dnl See LICENSE for licensing information.
 
-AC_INIT(radsecproxy, 1.7.1-alpha-dev, radsecproxy@lists.nordu.net)
+AC_INIT(radsecproxy, 1.7.1-rc1, radsecproxy@lists.nordu.net)
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE
 AC_PROG_CC
@@ -19,7 +19,7 @@ AC_ARG_ENABLE(udp,
       exit -1
     fi
   ])
- 
+
 tcp=yes
 AC_ARG_ENABLE(tcp,
   [  --enable-tcp whether to enable TCP transport: yes/no; default yes ],
@@ -30,7 +30,7 @@ AC_ARG_ENABLE(tcp,
       exit -1
     fi
   ])
- 
+
 tls=yes
 AC_ARG_ENABLE(tls,
   [  --enable-tls whether to enable TLS (RadSec) transport: yes/no; default yes ],
@@ -41,7 +41,7 @@ AC_ARG_ENABLE(tls,
       exit -1
     fi
   ])
- 
+
 dtls=yes
 AC_ARG_ENABLE(dtls,
   [  --enable-dtls whether to enable DTLS transport: yes/no; default yes ],
@@ -89,7 +89,7 @@ if test "x$dtls" = "xyes" ; then
   echo "DTLS transport enabled"
   TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_DTLS"
 fi
- 
+
 AC_ARG_VAR([DOCBOOK2X_MAN], [docbook2x-man program to use])
 if test -z "$DOCBOOK2X_MAN" ; then
   AC_SUBST([DOCBOOK2X_MAN], [docbook2x-man])

radsecproxy-hash.1

@@ -1,28 +1,28 @@
-.TH radsecproxy-hash 1 "29 Sep 2011"
+.TH radsecproxy-hash 1 "5 May 2018"
 
 .SH "NAME"
 radsecproxy-hash - print digests of Ethernet MAC addresses
 
 .SH "SYNOPSIS"
 .HP 12
-radsecproxy-hash [\-h] [\-k key] [mac]...
+radsecproxy-hash [\-h] [\-k \fIKEY\fR] [\fIMAC\fR...]
 .sp
 
 .SH "DESCRIPTION"
-Print the hash or hmac of Ethernet MAC addresses
+Print the hash or hmac of Ethernet \fIMAC\fR addresses
 
 .SH "OPTIONS"
 .TP
 .B \-h
-\fIdisplay help and exit\fR
+Display help and exit
 
 .TP
-.B \-k key
-\fIuse KEY for HMAC calculation\fR
+.B \-k \fIKEY\fR
+.br
+perform HMAC calculation using key \fIKEY\fR
 
 .TP
-.B mac
-\fIMAC address to hash. Read from stdin if omitted.\fR
+With no \fIMAC\fR, read from standard input
 
 
 .SH "SEE ALSO"

radsecproxy.1

@@ -1,29 +1,27 @@
-.TH radsecproxy 1 "Sep 2015"
+.TH radsecproxy 1 "5 May 2018"
 
 .SH "NAME"
 radsecproxy - a generic RADIUS proxy that provides both RADIUS UDP and TCP/TLS (RadSec) transport.
 
 .SH "SYNOPSIS"
 .HP 12
-radsecproxy [\-c configfile] [\-d debuglevel] [\-f] [\-i pidfile] [\-p] [\-v]
+radsecproxy [\-c \fIconfigfile\fR] [\-d \fIdebuglevel\fR] [\-f] [\-i \fIpidfile\fR] [\-p] [\-v]
 .sp
 
 .SH "DESCRIPTION"
 radsecproxy is a \fBgeneric RADIUS proxy\fR that in addition to to
 usual \fBRADIUS UDP\fR transport, also supports \fBTLS (RadSec)\fR. The
 aim is for the proxy to have sufficient features to be flexible,
 while at the same time to be small, efficient and easy to configure.
-Currently the executable on Linux is only about \fI48 KB\fR, and it uses
-about \fI64 KB\fR (depending on the number of peers) while running.
-.sp
+
 The proxy was initially made to be able to deploy \fBRadSec\fR (RADIUS
 over TLS) so that all RADIUS communication across network links
 could be done using TLS, without modifying existing RADIUS software.
 This can be done by running this proxy on the same host as an existing
 RADIUS server or client, and configure the existing client/server to
 talk to localhost (the proxy) rather than other clients and servers
 directly.
-.sp
+
 There are however other situations where a RADIUS proxy might be
 useful. Some people deploy RADIUS topologies where they want to
 route RADIUS messages to the right server. The nodes that do purely
@@ -35,26 +33,21 @@ where some RADIUS nodes use only IPv4 and some only IPv6.
 .SH "OPTIONS"
 .TP
 .B \-f
-.sp
-\fIRun in foreground\fR
-.sp
+Run in foreground.
+.br
 By specifying this option, the proxy will run in foreground mode. That
 is, it won't detach. Also all logging will be done to stderr.
 
 .TP
-.B \-d <debug level>
-.sp
-\fIDebug level\fR
-.sp
+.B \-d \fIdebuglevel\fR
 This specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where
 1 logs only serious errors, and 5 logs everything. The default is 2 which
 logs errors, warnings and a few informational messages.
 
 .TP
 .B \-p
-.sp
-\fIPretend\fR
-.sp
+Pretend
+.br
 The proxy reads configuration files and performs initialisation as
 usual, but exits prior to creating any sockets. It will return different
 exit codes depending on whether the configuration files are okay. This
@@ -63,38 +56,30 @@ instance is running.
 
 .TP
 .B \-v
-.sp
-\fIPrint version\fR
-.sp
-When this option is specified, the proxy will simply print version
-information and exit.
+Print version and exit.
 
 .TP
-.B \-c <config file path>
-.sp
-\fIConfig file path\fR
-.sp
+.B \-c \fIconfigfile\fR
 This option allows you to specify which config file to use. This is useful
 if you want to use a config file that is not in any of the default locations.
 
 .TP
-.B \-i <pid file path>
-.sp
-\fIPID file path\fR
-.sp
+.B \-i \fIpidfile\fR
 This option tells the proxy to create a PID file with the specified path.
 
 .SH "SIGNALS"
 The proxy generally exits on all signals. The exceptions are listed below.
 
 .TP
 .B SIGHUP
-.sp
+.br
 When logging to a file, this signal forces a reopen of the log file.
+.br
+When using TLS or DTLS, reload certificate CRLs.
 
 .TP
 .B SIGPIPE
-.sp
+.br
 This signal is ignored.
 
 .SH "FILES"

radsecproxy.conf-example

@@ -28,6 +28,8 @@
 # LOG_LOCAL0, ..., LOG_LOCAL7
 #LogDestination         x-syslog:///
 #LogDestination         x-syslog:///log_local2
+# Optional log thread Id
+#LogThreadId on
 
 # For generating log entries conforming to the F-Ticks system, specify
 # FTicksReporting with one of the following values.
@@ -66,6 +68,9 @@
 # Note that specifying a file (using the file:/// prefix) is not supported.
 #FTicksSyslogFacility	log_local1
 #FTicksSyslogFacility	x-syslog:///log_local1
+# If you are using radsecproxy outside the eduroam context, and you want
+# F-Ticks messages to have your own prefix instead of eduroam, you can set:
+#FTicksPrefix <prefix>
 
 # There is an option for doing some simple loop prevention.  Note that
 # the LoopPrevention directive can be used in server blocks too,
@@ -194,9 +199,11 @@ server [2001:db8::1] {
 }
 server radius.example.com {
 	type	tls
-	secret	verysecret
+	secret	radsec
 	StatusServer on
 # statusserver is optional, can be on or off. Off is default
+	tcpKeepalive on
+# tcp and tls connections also support TCP keepalives.
 }
 #server radius.example.com {
 #	type	dtls

radsecproxy.conf.5.xml

@@ -2,12 +2,12 @@
 "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
 <refentry>
   <refentryinfo>
-    <date>2018-03-13</date>
+    <date>2018-05-05</date>
   </refentryinfo>
   <refmeta>
     <refentrytitle>radsecproxy.conf</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo>radsecproxy 1.7.1-alpha-dev</refmiscinfo>
+    <refmiscinfo>radsecproxy 1.7.1</refmiscinfo>
   </refmeta>
   <refnamediv>
     <refname>