"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
- <date>2012-05-23</date>
+ <date>2012-10-25</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo>radsecproxy 1.6.1-dev</refmiscinfo>
+ <refmiscinfo>radsecproxy 1.6.5</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
<literal>secret</literal> is the shared RADIUS key used with
this client. If the secret contains whitespace, the value must
be quoted. This option is optional for TLS/DTLS and if omitted
- will default to "mysecret". Note that the default value of
- <literal>secret</literal> will change in an upcoming release.
+ will default to "radsec". (Note that using a secret other than
+ "radsec" for TLS is a violation of the standard (RFC 6614) and
+ that the proposed standard for DTLS stipulates that the secret
+ must be "radius/dtls".)
</para>
<para>
For a TLS/DTLS client you may also specify the
<literal>default</literal>. If the specified TLS block name does
not exist, or the option is not specified and none of the
defaults exist, the proxy will exit with an error.
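Review bot: The new parenthetical on the `secret` default leaves the DTLS case inconsistent: the text says the option "will default to "radsec"" for both TLS and DTLS, then states that the proposed DTLS standard requires "radius/dtls". As written, a DTLS deployment that omits `secret` silently uses a value the same paragraph calls non-compliant. Either state the DTLS default separately (or say plainly that DTLS users must set `secret` explicitly to "radius/dtls"), or limit the default sentence to TLS. Also, the nested parentheses "(Note that ... (RFC 6614) ...)" read awkwardly; dropping the outer pair, or moving the RFC reference into a `<citetitle>`-style marker consistent with the rest of the page, would be cleaner.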
+
+ NOTE: All versions of radsecproxy up to and including 1.6
+ erroneously verify client certificate chains using the CA in the
+ very first matching client block regardless of which block is
+ used for the final decision. This was changed in version 1.6.1
+ so that a client block with a different <literal>tls</literal>
+ option than the first matching client block is no longer
+ considered for verification of clients.
+
</para>
<para>
For a TLS/DTLS client, the option
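Review bot: The added NOTE describes a certificate-verification bug but does not spell out its impact or the post-fix behaviour, which is what an administrator reading this page needs. Since up to 1.6 the CA of the very first matching client block was used for chain verification "regardless of which block is used for the final decision", a client could be verified against a CA that the deciding client block never configured; say that explicitly, and state that from 1.6.1 onward verification uses only client blocks whose `tls` option matches the first matching block, so administrators with several client blocks using different `tls` settings should re-check that each block still matches the clients they expect. On markup: the two bare `+` lines and the inline "NOTE:" inside `<para>` produce stray whitespace and are not how this DocBook page marks admonitions; wrap the text in a `<note><para>...</para></note>` element after the paragraph instead.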