Diffstat (limited to 'raddb/sites-available/tls')
-rw-r--r-- | raddb/sites-available/tls | 44 |
1 files changed, 42 insertions, 2 deletions
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 137fcbc..6eab1fe 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -56,12 +56,15 @@ listen {
 # type = auth+acct
- # For now, only TCP transport is allowed.
+ # For now, only TCP transport is allowed.
 proto = tcp
- # Send packets to the default virtual server
+ # Send packets to the default virtual server
 virtual_server = default
+ #
+ # We have clients specifically for TLS.
+ #
 clients = radsec
 #
@@ -88,6 +91,22 @@ listen {
 # proxy_protocol = no
 #
+ # This configuration item should be enabled for all listen
+ # sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+ #
 # When this is set to "yes", new TLS connections
 # are processed through a section called
 #
@@ -310,6 +329,11 @@ listen {
 tls_max_version = "1.3"
 #
+ # See mods-available/eap for documentation
+ #
+ ecdh_curve = ""
+
+ #
 # Session resumption / fast reauthentication
 # cache.
 #
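Review bot: The comment block above the commented-out `nonblock = yes` never says what an administrator loses by leaving the default in place, which is the one fact needed to justify flipping a security-relevant knob on a production listener. Presumably a TLS socket that blocks at the network layer stalls whatever is servicing it until the peer drains or times out, so a single slow or hostile RadSec client could hold up other traffic on that listener — confirm against the I/O code, and if so say it plainly, e.g. `#  With "nonblock = no" (the default) a peer that stops reading can stall the server's handling of this socket; enable this on any production TLS listener.` The "bare TCP" wording is also easy to misread next to the `proto = tcp` this very TLS listener uses in the first hunk; `#  Note that "nonblock = yes" only works when TLS is enabled on the socket; plain (non-TLS) RADIUS/TCP does not support it and should generally be avoided.` makes the distinction explicit. The enclosing listen section begins before the hunk and continues past it.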
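Review bot: `ecdh_curve = ""` is introduced in the third hunk with nothing but a pointer to mods-available/eap, so a reader of this listener cannot tell whether an empty string disables ECDHE or hands group selection to OpenSSL, and the two readings have opposite consequences for the key exchange offered on this socket. If, as the cross-reference suggests, empty means OpenSSL's own default group list, state that here so the listener is self-describing: `#  Curves/groups offered for ECDHE key exchange.  Leave empty to use OpenSSL's defaults (recommended); set a list only to restrict what is offered.` Because the setting sits directly under `tls_max_version = "1.3"`, it is also worth one sentence noting whether the value is applied as a supported-groups list under TLS 1.3 rather than a single curve — confirm how it is passed to OpenSSL before writing that. The listen section continues outside the hunk.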
@@ -514,6 +538,22 @@ home_server tls {
 proto = tcp
 status_check = none
+ #
+ # This configuration item should be enabled for all
+ # home_server sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
 tls {
 #
 # Similarly to HTTP, the client can use Server Name |
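Review bot: The explanation is copied verbatim from the listen section, but for a home_server the consequence is different and worth stating: a blocking outbound TLS connection would presumably stall the proxy path to that server, and with `status_check = none` directly above there is no probe that would notice the peer has stopped responding — confirm that interaction before documenting it, then replace the generic text with something like `#  For home servers this matters most when status_check is "none": with blocking I/O a hung TLS peer can stall proxying until the socket times out.` Keeping one authoritative description (in the listen section or mods-available/eap) and referencing it from here also avoids the two copies drifting apart in later releases. The enclosing home_server tls section begins before the hunk and continues past it.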