REST module config options

Wed Nov 30 23:34:16 UTC 2022

On Wed, 30 Nov 2022 at 19:15, Alan DeKok <aland at deployingradius.com> wrote:

> On Nov 30, 2022, at 1:42 PM, James Narey via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > I'm working on an existing FreeRADIUS 3.0.25 implementation, in
> particular
> > the REST module.
> >
> > The current configuration sets the following config items in the tls
> block:
> >
> > cacertdir
> > cacertfile
> > verify_cert
> >
> > These don't appear in the default rest config for 3.0.x. The do appear in
> > the NetworkRADIUS wiki, though the first two do not have descriptions.
> This
> > page's 'Default Config' link goes to the same file - mods-available/rest
> in
> > the 3.0.x branch.
>
>   The TLS configuration for the "rest" module is documented in
> mods-available/rest.  Anything not documented there doesn't work.
>
>   For EAP and RadSec, we've implemented all of the TLS bits ourselves.
> Which means that there are a ton of configuration options for TLS.
>
>   For the Rest module, we have to use the libcurl API.  And that exposes
> fewer configuration options for TLS.
>
> > I'm unsure which names to be using and, while the names of the top two
> are
> > descriptive, it would be helpful to see some documentation before
> > continuing to rely on them.
>
>   The documentation in mods-available/rest is up to date, and is correct.
>
> > It would also be helpful to know whether there is a reason to use
> > verify_cert vs check_cert, though it is clear at least that these do the
> > same thing.
>
>   You can't use them with the Rest module.
>
> check_cert is in the documentation in mods-available/rest so I'm assuming,
based on the point above, that it's
OK? (verify_cert isn't).

>   For EAP and Radsec, these configuration items are documented in
> mods-available/eap, among other places.
>
>   Alan DeKok.
>
> Thank you so much for the helpful reply.