Commit c124da25 authored by Jonathan Gazeley

Package tls-cache locally as it isn't available in the 3.0.x RPM

parent 8bcc2cda
######################################################################
#
# This virtual server controls caching of TLS sessions.
#
# When a TLS session is used, the server will automatically create
# the following attributes in the session-state list. These attributes
# are the the ones for the *server* certificate.
#
# TLS-Cert-Serial
# TLS-Cert-Expiration
# TLS-Cert-Subject
# TLS-Cert-Issuer
# TLS-Cert-Common-Name
# TLS-Cert-Subject-Alt-Name-Email
#
# If a client certificate is required (e.g. EAP-TLS or sometimes PEAP / TTLS),
# the following attributes are also created in the session-state list:
#
# TLS-Client-Cert-Serial
# TLS-Client-Cert-Expiration
# TLS-Client-Cert-Subject
# TLS-Client-Cert-Issuer
# TLS-Client-Cert-Common-Name
# TLS-Client-Cert-Subject-Alt-Name-Email
#
#
# $Id$
#
######################################################################
server tls-cache {
#
# Only the "authorize" section is needed.
# Only the listed Autz-Types are used.
# Everything else in the virtual server is ignored.
#
# The attribute &TLS-Session-Id is set to the identity
# of the session to read / write / delete from the cache. This
# identity is an opaque blob.
#
authorize {
#
# This section is run whenever the server needs to read an
# entry from the TLS session cache.
#
# It should read the attribute &session-state:TLS-Session-Data
# from the cache, along with any other attributes which
# were in the cache
#
# On success it should return 'ok' or 'updated'.
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type Session-Cache-Read {
update control {
Cache-Allow-Insert := no
}
cache_tls_session
}
#
# This section is run whenever the server needs to write an
# entry to the TLS session cache.
#
# It should write the attribute &session-state:TLS-Session-Data
# to the cache, along with any other attributes which
# need to be cached.
#
# On success it should return 'ok' or 'updated'.
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type Session-Cache-Write {
update control {
Cache-TTL := 0
}
cache_tls_session
}
#
# This section is run whenever the server needs to delete an
# entry from the TLS session cache.
#
# On success it should return 'ok', 'updated', 'noop' or 'notfound'
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type Session-Cache-Delete {
update control {
Cache-TTL := 0
Cache-Allow-Insert := no
}
cache_tls_session
}
#
# This section is run after certificate attributes are added
# to the request list, and before performing OCSP validation.
#
# It should read the attribute &control:TLS-OCSP-Cert-Valid
# from the cache.
#
# On success it should return 'ok', 'updated', 'noop' or 'notfound'
# To force OCSP validation failure, it should return 'reject'.
#
Autz-Type OCSP-Cache-Read {
update control {
Cache-Allow-Insert := no
}
cache_ocsp
}
#
# This section is run after OCSP validation has completed.
#
# It should write the attribute &reply:TLS-OCSP-Cert-Valid
# to the cache.
#
# On success it should return 'ok' or 'updated'.
#
# The return code has no real effect on session processing
# and will just cause the server to emit a warning.
#
Autz-Type OCSP-Cache-Write {
update control {
Cache-TTL := "%{expr:&reply:TLS-OCSP-Next-Update * -1}"
Cache-Allow-Merge := no
}
cache_ocsp
}
}
}
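Review bot: The virtual server calls module instances `cache_tls_session` (Session-Cache-Read/Write/Delete) and `cache_ocsp` (OCSP-Cache-Read/Write) that this file does not define, and nothing in the commit shows where they come from; if they are not present in mods-enabled, FreeRADIUS will refuse to start once this site is enabled, so the manifest's "not harmful to enable globally" claim depends on those instances being shipped as well. I would state that dependency in the header, e.g. `# Requires rlm_cache instances "cache_tls_session" and "cache_ocsp" in mods-enabled.`. The OCSP-Cache-Write section deserves a why-comment too: the TTL is derived from `TLS-OCSP-Next-Update`, which is what keeps a cached "valid" verdict from outliving the responder's own validity window — confirm the `%{expr:...}` fallback when the responder returns no nextUpdate, since an unbounded cache entry would silently suppress re-checking a later revocation. Minor: the header reads "the the ones" for the server certificate attributes.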
......@@ -73,11 +73,10 @@ class freeradius (
ensure => absent,
}
# Create symlink to enable tls-cache server
# This is not harmful to enable globally
file { "${freeradius::fr_basepath}/sites-enabled/tls-cache":
ensure => link,
target => "${freeradius::fr_basepath}/sites-available/tls-cache",
# Install tls-cache from packaged file. This should be available in the RPM
# when FR 3.1.x is released. This is not harmful to enable globally.
freeradius::site { 'tls-cache':
source => 'puppet:///modules/freeradius/tls-cache',
}
# Set up concat policy file, as there is only one global policy
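Review bot: The comment on the added lines describes the local copy as a stopgap until the 3.1.x RPM ships `sites-available/tls-cache`, but nothing gates it, so once the package does ship that file the Puppet-managed copy will keep overwriting it and mask any upstream changes to the cache semantics; I would either say so explicitly, `# NOTE: this source file shadows the packaged one once it exists; re-check on FreeRADIUS upgrade`, or guard the resource with a version check against the installed FreeRADIUS. The removed lines managed the `sites-enabled/tls-cache` symlink directly; whether `freeradius::site` creates that link is not visible here, so confirm the site is still enabled after this change. The enclosing `class freeradius` starts and ends outside the hunk.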