X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf.5.xml;h=993141216a7a93cb4581a398604692a3b221286d;hb=refs%2Fheads%2Fmaint-1.6;hp=ab1580a469757f03ba7630ec1acf6b19e76727d8;hpb=8c8d6467725823150483bf6e09f2d2caaee9a4d3;p=libradsec.git diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index ab1580a..9931412 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - 2012-04-17 + 2012-10-25 radsecproxy.conf 5 - radsecproxy 1.6-rc0 + radsecproxy 1.6.5 @@ -531,8 +531,10 @@ blocktype name { secret is the shared RADIUS key used with this client. If the secret contains whitespace, the value must be quoted. This option is optional for TLS/DTLS and if omitted - will default to "mysecret". Note that the default value of - secret will change in an upcoming release. + will default to "radsec". (Note that using a secret other than + "radsec" for TLS is a violation of the standard (RFC 6614) and + that the proposed standard for DTLS stipulates that the secret + must be "radius/dtls".) For a TLS/DTLS client you may also specify the @@ -544,6 +546,15 @@ blocktype name { default. If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. + + NOTE: All versions of radsecproxy up to and including 1.6 + erroneously verify client certificate chains using the CA in the + very first matching client block regardless of which block is + used for the final decision. This was changed in version 1.6.1 + so that a client block with a different tls + option than the first matching client block is no longer + considered for verification of clients. + For a TLS/DTLS client, the option 
@@ -950,7 +961,7 @@ blocktype name { defaultClient and defaultServer. Note that these defaults are only used for rewrite on input. No rewriting is done on output - unless explicitly specifed using the + unless explicitly specified using the rewriteOut option.
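Review bot: the second hunk (the secret paragraph) changes the implicit default from "mysecret" to "radsec" but does not say what that means for existing deployments; a TLS/DTLS peer that relied on the old implicit value and is not upgraded in step will now fail shared-secret checks until secret is set explicitly on one side, so the paragraph should say so. The same paragraph also documents "radsec" as the default for TLS/DTLS and then states that DTLS must use "radius/dtls", so by its own account the default is wrong for DTLS; either make DTLS default to "radius/dtls" or state that DTLS clients must set secret explicitly. Finally, "a violation of the standard (RFC 6614)" overstates the case, since RFC 6614 is Experimental; "deviates from RFC 6614" is more accurate.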
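Review bot: the new NOTE in the third hunk describes the pre-1.6.1 behaviour but not its consequence, which is what an operator reading the manpage needs: with several client blocks matching the same peer but different tls options, a client certificate was verified against the CA of the first matching block even when a later block made the final decision, so a client could be accepted under a block whose CA never signed its certificate. Suggest stating that plainly, and stating that from 1.6.1 on such later blocks are skipped entirely, so a configuration that depended on the old behaviour will now reject those clients rather than accept them. The phrase "the CA in the very first matching client block" also reads better as "the CA configured in the tls block referenced by the first matching client block", since the tls option, not the client block itself, is what carries the CA.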