puppet-freeradius
Commit c124da25
authored 9 years ago by Jonathan Gazeley
Package tls-cache locally as it isn't available in the 3.0.x RPM
parent 8bcc2cda
Changes: 2 changed files, 140 additions and 5 deletions
files/tls-cache: +136 −0
manifests/init.pp: +4 −5
files/tls-cache (new file, mode 0 → 100644, +136 −0)
######################################################################
#
# This virtual server controls caching of TLS sessions.
#
# When a TLS session is used, the server will automatically create
# the following attributes in the session-state list. These attributes
# are the the ones for the *server* certificate.
#
# TLS-Cert-Serial
# TLS-Cert-Expiration
# TLS-Cert-Subject
# TLS-Cert-Issuer
# TLS-Cert-Common-Name
# TLS-Cert-Subject-Alt-Name-Email
#
# If a client certificate is required (e.g. EAP-TLS or sometimes PEAP / TTLS),
# the following attributes are also created in the session-state list:
#
# TLS-Client-Cert-Serial
# TLS-Client-Cert-Expiration
# TLS-Client-Cert-Subject
# TLS-Client-Cert-Issuer
# TLS-Client-Cert-Common-Name
# TLS-Client-Cert-Subject-Alt-Name-Email
#
#
# $Id$
#
######################################################################
server tls-cache {
#
# Only the "authorize" section is needed.
# Only the listed Autz-Types are used.
# Everything else in the virtual server is ignored.
#
# The attribute &TLS-Session-Id is set to the identity
# of the session to read / write / delete from the cache. This
# identity is an opaque blob.
#
authorize {
#
# This section is run whenever the server needs to read an
# entry from the TLS session cache.
#
# It should read the attribute &session-state:TLS-Session-Data
# from the cache, along with any other attributes which
# were in the cache
#
# On success it should return 'ok' or 'updated'.
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type Session-Cache-Read {
update control {
Cache-Allow-Insert := no
}
cache_tls_session
}
#
# This section is run whenever the server needs to write an
# entry to the TLS session cache.
#
# It should write the attribute &session-state:TLS-Session-Data
# to the cache, along with any other attributes which
# need to be cached.
#
# On success it should return 'ok' or 'updated'.
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type Session-Cache-Write {
update control {
Cache-TTL := 0
}
cache_tls_session
}
#
# This section is run whenever the server needs to delete an
# entry from the TLS session cache.
#
# On success it should return 'ok', 'updated', 'noop' or 'notfound'
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type Session-Cache-Delete {
update control {
Cache-TTL := 0
Cache-Allow-Insert := no
}
cache_tls_session
}
#
# This section is run after certificate attributes are added
# to the request list, and before performing OCSP validation.
#
# It should read the attribute &control:TLS-OCSP-Cert-Valid
# from the cache.
#
# On success it should return 'ok', 'updated', 'noop' or 'notfound'
# To force OCSP validation failure, it should return 'reject'.
#
Autz-Type OCSP-Cache-Read {
update control {
Cache-Allow-Insert := no
}
cache_ocsp
}
#
# This section is run after OCSP validation has completed.
#
# It should write the attribute &reply:TLS-OCSP-Cert-Valid
# to the cache.
#
# On success it should return 'ok' or 'updated'.
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type OCSP-Cache-Write {
update control {
Cache-TTL := "%{expr:&reply:TLS-OCSP-Next-Update * -1}"
Cache-Allow-Merge := no
}
cache_ocsp
}
}
}
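Review bot: The virtual server calls two module instances that this commit neither defines nor enables: `cache_tls_session` (in Session-Cache-Read, Session-Cache-Write and Session-Cache-Delete) and `cache_ocsp` (in OCSP-Cache-Read and OCSP-Cache-Write). Unless matching rlm_cache instances exist under mods-enabled on the target host, the server will fail to load this site, so the claim in the init.pp comment that it is "not harmful to enable globally" only holds if the module also ships or requires those instances; add them to the module or document the dependency. Minor points in the header comment: "the the ones" is a typo, and the `$Id$` line is VCS keyword residue that is never expanded when the file is served from a Puppet fileserver, so it can be dropped.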
manifests/init.pp (+4, −5)
...
@@ -73,11 +73,10 @@ class freeradius (
...
@@ -73,11 +73,10 @@ class freeradius (
ensure
=>
absent
,
ensure
=>
absent
,
}
}
# Create symlink to enable tls-cache server
# Install tls-cache from packaged file. This should be available in the RPM
# This is not harmful to enable globally
# when FR 3.1.x is released. This is not harmful to enable globally.
file
{
"
${freeradius::fr_basepath}
/sites-enabled/tls-cache"
:
freeradius::site
{
'tls-cache'
:
ensure
=>
link
,
source
=>
'puppet:///modules/freeradius/tls-cache'
,
target
=>
"
${freeradius::fr_basepath}
/sites-available/tls-cache"
,
}
}
# Set up concat policy file, as there is only one global policy
# Set up concat policy file, as there is only one global policy
...
...
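Review bot: The new `freeradius::site { 'tls-cache': source => 'puppet:///modules/freeradius/tls-cache' }` manages the file unconditionally, so once the RPM ships its own tls-cache (the comment expects this with FR 3.1.x) the module's copy will overwrite the packaged one on every run; gate the resource on the installed FreeRADIUS version, or state in the comment that the module-owned file is meant to shadow the packaged one. The resource being removed only managed the sites-enabled symlink (`ensure => link` pointing at `sites-available/tls-cache`), and nothing in this hunk shows that `freeradius::site` also creates that link, so confirm the define enables the site as well as installing it, otherwise this change silently disables tls-cache. Also, the two new comment lines are one sentence split in an odd place ("This should be available in the RPM" / "when FR 3.1.x is released."); rewrap so each line reads on its own.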