Untitled :: The FreeRADIUS project

This virtual server controls caching of TLS sessions.

When a TLS session is used, the server will automatically create the following attributes in the session-state list. These attributes are the ones for the server certificate.

If a client certificate is required (e.g. EAP-TLS or sometimes PEAP / TTLS), the following attributes are also created in the session-state list:

This section can be run to verify a client certificate if additional checks need to be performed beyond standard checks verification against a trust chain, CRLs and OCSP.

Attributes extracted from the certificates forming the client certificate chain will be in the session state list.

Returning 'ok', 'updated' or 'noop' will cause the verification to succeed. Other return codes will cause the verification to fail.

This section is run whenever the server needs to read an entry from the TLS session cache.

It should read the attribute &session-state.TLS-Session-Data from the cache, along with any other attributes which were in the cache

On success it should return 'ok' or 'updated'.

The return code has no real effect on session processing and will just cause the server to emit a warning.

This section is run whenever the server needs to write an entry to the TLS session cache.

It should write the attribute &session-state.Session-Data to the cache, along with any other attributes which need to be cached.

On success it should return 'ok' or 'updated'.

The return code has no real effect on session processing and will just cause the server to emit a warning.

This section is run whenever the server needs to delete an entry from the TLS session cache.

On success it should return 'ok', 'updated', 'noop' or 'notfound'

The return code has no real effect on session processing and will just cause the server to emit a warning.

This section is run after certificate attributes are added to the request list, and before performing OCSP validation.

It should read the attribute &control.TLS-OCSP-Cert-Valid from the cache.

On success it should return 'ok', 'updated', 'noop' or 'notfound' To force OCSP validation failure, it should return 'reject'.

This section is run after OCSP validation has completed.

It should write the attribute &reply.TLS-OCSP-Cert-Valid to the cache.

On success it should return 'ok' or 'updated'.

The return code has no real effect on session processing and will just cause the server to emit a warning.

Default Configuration

#	       TLS-Cert-Serial
#	       TLS-Cert-Expiration
#	       TLS-Cert-Subject
#	       TLS-Cert-Issuer
#	       TLS-Cert-Common-Name
#	       TLS-Cert-Subject-Alt-Name-Email
#	       TLS-Client-Cert-Serial
#	       TLS-Client-Cert-Expiration
#	       TLS-Client-Cert-Subject
#	       TLS-Client-Cert-Issuer
#	       TLS-Client-Cert-Common-Name
#	       TLS-Client-Cert-Subject-Alt-Name-Email
server tls-cache {
	namespace = tls
	verify certificate {
		ok
	}
	load session {
		&control.Cache-Allow-Insert := no
		cache_tls_session
	}
	store session {
		&control.Cache-TTL := 0
		cache_tls_session
	}
	clear session {
		&control.Cache-TTL := 0
		&control.Cache-Allow-Insert := no
		cache_tls_session
	}
	load ocsp-state {
		&control.Cache-Allow-Insert := no
		cache_ocsp
	}
	store ocsp-state {
		&control.Cache-TTL := "%{&reply.TLS-OCSP-Next-Update * -1}"
		&control.Cache-Allow-Merge := no
		cache_ocsp
	}
}