# comment out the configuration item below.
connect_uri = "http://127.0.0.1/"
- pool {
- start = 5
- max = 10
- spare = 3
- uses = 0
- idle_timeout = 100
- lifetime = 0
- }
-
authorize {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authorize"
method = "get"
+ tls = ${..tls}
}
authenticate {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authenticate"
method = "get"
+ tls = ${..tls}
}
accounting {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=accounting"
method = "post"
+ tls = ${..tls}
}
session {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=checksimul"
method = "post"
+ tls = ${..tls}
}
post-auth {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=post-auth"
method = "post"
+ tls = ${..tls}
+ }
+
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to a HTTPS
+ # server.
+ #
+ tls {
+# cacertfile = ${certdir}/cacert.pem
+# cacertdir = ${certdir}
+
+# certfile = /path/to/radius.crt
+# keyfile = /path/to/radius.key
+# keypassword = "supersecret"
+# randfile = ${certdir}/random
+
+ # Server certificate verification requirements. Can be:
+ # "no" (don't even bother trying)
+ # "yes" (verify the cert was issued by one of the
+ # trusted CAs)
+ #
+ # The default is "yes"
+# verify_cert = "yes"
+
+ # Server certificate CN verification requirements. Can be:
+ # "no" (don't even bother trying)
+ # "yes" (verify the CN in the certificate matches the host
+ # in the URI)
+ #
+ # The default is "yes"
+# verify_cert_cn = "yes"
+ }
+
+ #
+ # The connection pool is new for 3.0, and will be used in many
+ # modules, for all kinds of connection-related activity.
+ #
+ pool {
+ # Number of connections to start
+ start = 5
+
+ # Minimum number of connections to keep open
+ min = 4
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ max = 10
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set.
+ spare = 3
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The lifetime (in seconds) of the connection
+ lifetime = 0
+
+ # idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ idle_timeout = 60
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
}
}
}
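Review bot: The `verify_cert` comment at `# "no" (don't even bother trying)` should spell out the consequence, because this is the knob that decides whether the REST server is authenticated at all: with it off the server certificate is accepted without chain checking, so the user identifiers in the URI go to whoever answers on that host. Suggest `# "no"  (accept any certificate: the server is NOT authenticated, test use only)`, and the parallel wording for `verify_cert_cn`, whose "no" accepts a certificate issued to any name. The `keypassword = "supersecret"` sample would be better as an obviously placeholder value so it is not copied into production as-is.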
/*
- * Set SSL authentication parameters
+ * Set SSL/TLS authentication parameters
*/
- if (section->certificate_file) {
+ if (section->tls_certfile) {
ret = curl_easy_setopt(candle,
CURLOPT_SSLCERT,
- section->certificate_file);
+ section->tls_certfile);
if (ret != CURLE_OK) goto error;
}
- if (section->file_type == FALSE) {
+ if (section->tls_keyfile) {
ret = curl_easy_setopt(candle,
- CURLOPT_SSLCERT,
- "DER");
- if (ret != CURLE_OK) goto error;
- }
-
- if (section->private_key_file) {
- ret = curl_easy_setopt(candle,
- CURLOPT_SSLCERT,
- section->private_key_file);
+ CURLOPT_SSLKEY,
+ section->tls_keyfile);
if (ret != CURLE_OK) goto error;
}
- if (section->private_key_password) {
+ if (section->tls_keypassword) {
ret = curl_easy_setopt(candle,
CURLOPT_KEYPASSWD,
- section->private_key_password);
+ section->tls_keypassword);
if (ret != CURLE_OK) goto error;
}
- if (section->ca_file) {
+ if (section->tls_cacertfile) {
ret = curl_easy_setopt(candle,
CURLOPT_ISSUERCERT,
- section->ca_file);
+ section->tls_cacertfile);
if (ret != CURLE_OK) goto error;
}
- if (section->ca_path) {
+ if (section->tls_cacertdir) {
ret = curl_easy_setopt(candle,
CURLOPT_CAPATH,
- section->ca_path);
+ section->tls_cacertdir);
if (ret != CURLE_OK) goto error;
}
- if (section->random_file) {
+ if (section->tls_randfile) {
ret = curl_easy_setopt(candle,
CURLOPT_RANDOM_FILE,
- section->random_file);
+ section->tls_randfile);
if (ret != CURLE_OK) goto error;
}
- ret = curl_easy_setopt(candle,
- CURLOPT_SSL_VERIFYHOST,
- (section->check_cert_cn == TRUE) ?
- 2 : 0);
- if (ret != CURLE_OK) goto error;
+ if (section->tls_verify_cert) {
+ ret = curl_easy_setopt(candle,
+ CURLOPT_SSL_VERIFYHOST,
+ (section->tls_verify_cert_cn == TRUE) ?
+ 2 : 0);
+ if (ret != CURLE_OK) goto error;
+ } else {
+ ret = curl_easy_setopt(candle,
+ CURLOPT_SSL_VERIFYPEER,
+ 0);
+ if (ret != CURLE_OK) goto error;
+ }
/*
* Tell CURL how to get HTTP body content, and how to process
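Review bot: The branch at `if (section->tls_verify_cert)` only ever sets one of the two libcurl checks: with `verify_cert = no` CURLOPT_SSL_VERIFYPEER is cleared but CURLOPT_SSL_VERIFYHOST keeps whatever the handle already had, and with `verify_cert = yes` CURLOPT_SSL_VERIFYPEER is never set explicitly; the two options are independent in libcurl and should each be set from their own flag every time the handle is configured. The values also need to be `long` (`2L`/`0L`, `1L`/`0L`), since curl_easy_setopt fetches these options with va_arg as long and the int literals here are undefined on LP64 targets. Separately, `tls_cacertfile` is passed as CURLOPT_ISSUERCERT, which only checks the issuer of the server certificate; if the example's `${certdir}/cacert.pem` is meant as a trust anchor, CURLOPT_CAINFO is the option that installs one (the mapping predates this commit, but the keyword is being renamed now). The enclosing function starts and ends outside the hunk.
```c
	/* … unchanged: SSLCERT/SSLKEY/KEYPASSWD/CAPATH/RANDOM_FILE setup … */

	/*
	 * Set both checks explicitly on every configuration pass: libcurl's
	 * VERIFYPEER and VERIFYHOST are independent, and the handle may
	 * carry an earlier value.
	 */
	ret = curl_easy_setopt(candle, CURLOPT_SSL_VERIFYPEER,
			       section->tls_verify_cert ? 1L : 0L);
	if (ret != CURLE_OK) goto error;

	ret = curl_easy_setopt(candle, CURLOPT_SSL_VERIFYHOST,
			       section->tls_verify_cert_cn ? 2L : 0L);
	if (ret != CURLE_OK) goto error;
	/* … unchanged: HTTP body callbacks … */
```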
http_auth_type_t auth;
int require_auth;
- char *certificate_file;
- int file_type;
- char *private_key_file;
- char *private_key_password;
- char *ca_file;
- char *ca_path;
- char *random_file;
- int check_cert_cn;
-
+ char *tls_certfile;
+ char *tls_keyfile;
+ char *tls_keypassword;
+ char *tls_cacertfile;
+ char *tls_cacertdir;
+ char *tls_randfile;
+ int tls_verify_cert;
+ int tls_verify_cert_cn;
+
int timeout;
unsigned int chunk;
} rlm_rest_section_t;
#include "rest.h"
/*
+ * TLS Configuration
+ */
+static CONF_PARSER tls_config[] = {
+ { "cacertfile", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_cacertfile), NULL, NULL},
+ { "cacertdir", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_cacertdir), NULL, NULL},
+ { "certfile", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_certfile), NULL, NULL},
+ { "keyfile", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_keyfile), NULL, NULL },
+ { "keypassword", PW_TYPE_STRING_PTR,
+ offsetof(rlm_rest_section_t, tls_keypassword), NULL, NULL },
+ { "randfile", PW_TYPE_STRING_PTR, /* OK if it changes on HUP */
+ offsetof(rlm_rest_section_t,tls_randfile), NULL, NULL },
+ { "verify_cert", PW_TYPE_BOOLEAN,
+ offsetof(rlm_rest_section_t, tls_verify_cert), NULL, "yes" },
+ { "verify_cert_cn", PW_TYPE_BOOLEAN,
+ offsetof(rlm_rest_section_t, tls_verify_cert_cn), NULL, "yes" },
+
+ { NULL, -1, 0, NULL, NULL }
+};
+
+/*
* A mapping of configuration file names to internal variables.
*
* Note that the string is dynamically allocated, so it MUST
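Review bot: The entries in `tls_config` are inconsistently formatted: `offsetof(rlm_rest_section_t,tls_cacertfile)` has no space after the comma while `offsetof(rlm_rest_section_t, tls_keypassword)` does, and the closing `NULL}` versus `NULL }` differs between rows; pick one form for the whole table. The header comment `TLS Configuration` would be more useful stating where these keys are read from and what is secure by default, e.g. `/* Items of the per-section "tls" subsection; verify_cert and verify_cert_cn default to "yes" */`. The `randfile` row carries `OK if it changes on HUP` while the PW_TYPE_FILENAME rows carry nothing — presumably the filename type is pinned across reloads; if so, one line in the header comment saying that the certificate and key paths are not reloadable would save the next reader from checking.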
{ "require_auth", PW_TYPE_BOOLEAN,
offsetof(rlm_rest_section_t, require_auth), NULL, "no"},
- /* SSL authentication */
- { "certificate_file", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, certificate_file), NULL, NULL },
- { "pem_file_type", PW_TYPE_BOOLEAN,
- offsetof(rlm_rest_section_t, file_type), NULL, "yes" },
- { "private_key_file", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, private_key_file), NULL, NULL },
- { "private_key_password", PW_TYPE_STRING_PTR,
- offsetof(rlm_rest_section_t, private_key_password), NULL, NULL },
- { "CA_file", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, ca_file), NULL, NULL },
- { "CA_path", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, ca_path), NULL, NULL },
- { "random_file", PW_TYPE_STRING_PTR,
- offsetof(rlm_rest_section_t, random_file), NULL, NULL },
- { "check_cert_cn", PW_TYPE_BOOLEAN,
- offsetof(rlm_rest_section_t, check_cert_cn), NULL, "yes"},
-
/* Transfer configuration */
{ "timeout", PW_TYPE_INTEGER,
offsetof(rlm_rest_section_t, timeout), NULL, "0" },
{ "chunk", PW_TYPE_INTEGER,
offsetof(rlm_rest_section_t, chunk), NULL, "0" },
+ /* TLS Parameters */
+ { "tls", PW_TYPE_SUBSECTION, 0, NULL, (const void *) tls_config },
+
{ NULL, -1, 0, NULL, NULL }
};
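Review bot: The removed keywords (`certificate_file`, `pem_file_type`, `private_key_file`, `private_key_password`, `CA_file`, `CA_path`, `random_file`, `check_cert_cn`) are replaced by the `tls` subsection without any compatibility mapping, so an existing configuration either fails to load or, if unknown items are ignored, silently loses its private CA and client certificate (fail-closed, since `verify_cert` defaults to "yes", but surprising at upgrade). Worth either a deprecation entry that logs the old names or at least a sentence in the commit message; which of the two behaviours the parser has is not visible from this hunk.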