Diffstat (limited to 'raddb/sites-available/tls')
-rw-r--r--raddb/sites-available/tls44
1 files changed, 42 insertions, 2 deletions
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 137fcbc..6eab1fe 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -56,12 +56,15 @@ listen {
#
type = auth+acct
- # For now, only TCP transport is allowed.
+ # For now, only TCP transport is allowed.
proto = tcp
- # Send packets to the default virtual server
+ # Send packets to the default virtual server
virtual_server = default
+ #
+ # We have clients specifically for TLS.
+ #
clients = radsec
#
@@ -88,6 +91,22 @@ listen {
# proxy_protocol = no
#
+ # This configuration item should be enabled for all listen
+ # sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
+ #
# When this is set to "yes", new TLS connections
# are processed through a section called
#
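Review bot: The new comment block above `# nonblock = yes` explains what enabling the item buys but never states what the shipped default means for this RADSEC listener, so an operator reading only this file cannot judge the risk of leaving it off. Since the text says the server can only "gracefully recover if a TLS connection is blocking at the network layer" when the item is set to "yes", the implication is that with it left disabled such a connection is not recovered from; that consequence should be spelled out, e.g. `# Left disabled, a TLS connection that blocks at the network layer is not recovered from automatically.` (wording to be confirmed against the implementation). The same fourteen-line block is repeated verbatim in the `home_server tls` hunk further down; consider stating the rationale once and referring to it from the other location, or at least keep the two copies in sync. The enclosing `listen` section starts and ends outside this hunk.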
@@ -310,6 +329,11 @@ listen {
tls_max_version = "1.3"
#
+ # See mods-available/eap for documentation
+ #
+ ecdh_curve = ""
+
+ #
# Session resumption / fast reauthentication
# cache.
#
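Review bot: The added `ecdh_curve = ""` is introduced with only a pointer to mods-available/eap, so the meaning of the empty string — whether it disables ECDH, hands curve selection to the TLS library, or is ignored — is not discoverable from this file, and a wrong guess here directly affects the key exchange this RADSEC listener negotiates. A one-line note beside the value would avoid that, e.g. `# Empty value: curve selection is left to the TLS library; accepted names are listed in mods-available/eap.` — confirm the exact semantics against the referenced file before settling on the wording. The quoted-string form matches the neighbouring `tls_max_version = "1.3"`, which is consistent. The enclosing `tls` sub-section starts and ends outside this hunk.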
@@ -514,6 +538,22 @@ home_server tls {
proto = tcp
status_check = none
+ #
+ # This configuration item should be enabled for all
+ # home_server sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
tls {
#
# Similarly to HTTP, the client can use Server Name