TLS - Config - Verify

Synopsis

Subsection of tls-config_tls-common.

As of version 2.1.10, client certificates can be validated via an external command. Because the command is run for every client certificate presented, it can consult a CRL that is refreshed while the server is running, or query OCSP, neither of which a static CA bundle can do. This section is commented out in the default configuration. Uncomment it, and then set the correct paths below to enable it.

Processing Sections

Any.

Expansions

None.

Directives

client
Syntax

client = string

Default

/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}

Description

The command used to verify the client cert. We recommend using the OpenSSL command-line tool. The ${..CA_path} text is a reference to the CA_path variable; note that openssl verify -CApath expects a directory of hash-named certificates (as produced by openssl rehash or c_rehash), whereas -CAfile takes a single PEM bundle. The %{TLS-Client-Cert-Filename} expansion is the name of the temporary file containing the cert in PEM format. This file is automatically deleted by the server when the command returns. Only the exit status of the command matters: zero accepts the certificate, and any non-zero status rejects it. Anything the command prints is not used.
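As an added example (not FreeRADIUS's own code), the following POSIX shell wrapper is the kind of script one might point the client directive at instead of calling openssl directly. It keeps the same argument order as the default (CA path, then certificate file), accepts an optional third argument naming a CRL file so that revocation can be checked against a file refreshed outside the server, and refuses anything that is not a plain readable file. The install path /usr/local/bin/radius-verify-client, the function names and the CRL argument are assumptions; the certificates used by demo_verify are throw-away fixtures generated at run time, not real credentials.

```shell
#!/bin/sh
# Hypothetical wrapper for the FreeRADIUS "client" verify command.  Added
# example, not FreeRADIUS's own code.  Install as, for instance,
# /usr/local/bin/radius-verify-client (assumed path) and configure:
#   client = /usr/local/bin/radius-verify-client ${..CA_path} %{TLS-Client-Cert-Filename}
# radiusd only looks at the exit status: 0 accepts, anything else rejects.

# verify_client_cert CA_PATH CERT_FILE [CRL_FILE]
# CA_PATH is either a directory hashed with "openssl rehash" or one PEM bundle.
verify_client_cert() {
    ca="$1"; cert="$2"; crl="$3"

    # The certificate file is written by radiusd into its private tmpdir;
    # anything else (missing, symlink to a directory, unreadable) is rejected.
    [ -f "$cert" ] && [ -r "$cert" ] || return 2

    if [ -d "$ca" ]; then
        set -- -CApath "$ca"
    else
        set -- -CAfile "$ca"
    fi

    # With a CRL, check revocation for every certificate in the chain.
    # openssl then fails closed if the CRL is missing, unreadable or expired.
    if [ -n "$crl" ]; then
        set -- "$@" -CRLfile "$crl" -crl_check_all
    fi

    # -purpose sslclient additionally rejects certificates whose key usage or
    # extended key usage says they are not meant to be TLS client certificates.
    openssl verify "$@" -purpose sslclient "$cert" >/dev/null 2>&1
}

# Build a throw-away CA, a client certificate it signed, and a client
# certificate from an unrelated CA, then run the wrapper against them.
demo_verify() {
    work=$(mktemp -d) || return 1
    chmod 700 "$work"                 # same rule as radiusd's tmpdir: owner only
    trap 'rm -rf "$work"' EXIT

    gen_ca() {        # gen_ca NAME -> NAME.key, NAME.pem (self-signed, CA:TRUE)
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
            -keyout "$work/$1.key" -out "$work/$1.pem" >/dev/null 2>&1
    }
    gen_client() {    # gen_client NAME CA -> NAME.pem signed by CA
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
            -keyout "$work/$1.key" -out "$work/$1.csr" >/dev/null 2>&1 &&
        openssl x509 -req -days 1 -in "$work/$1.csr" -CA "$work/$2.pem" \
            -CAkey "$work/$2.key" -CAcreateserial -out "$work/$1.pem" >/dev/null 2>&1
    }

    gen_ca good-ca && gen_ca rogue-ca || return 1
    gen_client alice good-ca && gen_client mallory rogue-ca || return 1

    # Issued by the trusted CA: accepted.
    verify_client_cert "$work/good-ca.pem" "$work/alice.pem" || { echo "alice should verify"; return 1; }
    # Issued by a CA we do not trust: rejected.
    if verify_client_cert "$work/good-ca.pem" "$work/mallory.pem"; then echo "mallory should be rejected"; return 1; fi
    # File that radiusd never wrote: rejected without calling openssl at all.
    if verify_client_cert "$work/good-ca.pem" "$work/missing.pem"; then echo "missing file should be rejected"; return 1; fi
    echo "verify wrapper behaves as expected"
}

# Run as the radiusd verify command when given arguments, as a self-check with
# --demo, and only define the functions when run with no arguments.
case "${1:-}" in
    --demo) demo_verify ;;
    "")     ;;
    *)      verify_client_cert "$@"; exit $? ;;
esac
```

To use the CRL argument, append the path of a CRL file to the client directive, for example client = /usr/local/bin/radius-verify-client ${..CA_path} %{TLS-Client-Cert-Filename} /var/lib/radiusd/current.crl (path assumed), and have a cron job or similar download a fresh CRL to that file; since the wrapper runs per authentication, a newly revoked certificate is rejected as soon as the file is replaced, without restarting the server. Run the script with --demo to exercise it against generated certificates before pointing the server at it.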

tmpdir
Syntax

tmpdir = string

Default

/tmp/radiusd

Description

A temporary directory where the client certificates are stored while the verify command runs. This directory MUST be owned by the UID of the server and MUST NOT be accessible by any other user: the verify command reads the certificate from this directory, so another user who can write to it could substitute a certificate of their own. For this reason a shared directory such as /tmp itself cannot be used; the default is a dedicated subdirectory below it. When the server starts, it will do chmod go-rwx on the directory, for security reasons. The directory MUST exist when the server starts, so create it (owned by the server's user, mode 0700) before starting the server. Any certificate files left in the directory from a previous run should also be deleted when the server starts.