Initial revision.

Moving from https://software.uninett.no/radsecproxy/ to https://software.nordu.net/radsecproxy/.

45 files changed, 1740 insertions, 0 deletions

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..a8c1306
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,19 @@
+# Build static html docs suitable for being shipped in the software
+# package. This depends on ikiwiki being installed to build the docs.
+
+ifeq ($(shell which ikiwiki),)
+IKIWIKI=echo "** ikiwiki not found" >&2 ; echo ikiwiki
+else
+IKIWIKI=ikiwiki
+endif
+
+all:
+	$(IKIWIKI) `pwd` html -v --wikiname radsecproxy \
+		--plugin=goodstuff \
+		--plugin=sidebar \
+		--exclude=html \
+		--include=^doc/.*/.*\.html \
+		--exclude=Makefile
+
+clean:
+	rm -rf .ikiwiki html
diff --git a/contact.mdwn b/contact.mdwn
new file mode 100644
index 0000000..7c20f19
--- /dev/null
+++ b/contact.mdwn
@@ -0,0 +1,12 @@
+## Mailing list
+
+To get in contact with other users and the developers of the
+radsecproxy, please join the
+[mailing list](https://postlister.uninett.no/sympa/info/radsecproxy/). There
+you can also find a list archive.
+
+## Issue tracker
+
+There is an
+[issue tracker](https://project.nordu.net/browse/RADSECPROXY) where
+you can report bugs or request new features.
diff --git a/doc.mdwn b/doc.mdwn
new file mode 100644
index 0000000..0308c1f
--- /dev/null
+++ b/doc.mdwn
@@ -0,0 +1,9 @@
+[[!meta title="radsecproxy documentation"]]
+
+Below you can find documentation for the various versions of
+radsecproxy.
+
+* 1.6 [radsecproxy](1.6/radsecproxy.html),
+  [radsecproxy.conf](1.6/radsecproxy.conf.html),
+  [radsecproxy-hash](1.6/radsecproxy-hash.html)
+  
diff --git a/doc/1.6/radsecproxy-hash.html b/doc/1.6/radsecproxy-hash.html
new file mode 100644
index 0000000..9bf298b
--- /dev/null
+++ b/doc/1.6/radsecproxy-hash.html
@@ -0,0 +1,117 @@
+<!-- Creator     : groff version 1.22.2 -->
+<!-- CreationDate: Thu Sep 17 10:29:24 2015 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       h1      { text-align: center }
+</style>
+<title>radsecproxy-hash</title>
+
+</head>
+<body>
+
+<h1 align="center">radsecproxy-hash</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSIS">SYNOPSIS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy-hash
+- print digests of Ethernet MAC addresses</p>
+
+<h2>SYNOPSIS
+<a name="SYNOPSIS"></a>
+</h2>
+
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="61%">
+
+
+<p style="margin-top: 1em">radsecproxy-hash [&minus;h]
+[&minus;k key] [&minus;t type]</p></td>
+<td width="28%">
+</td></tr>
+</table>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Print the hash
+or hmac of Ethernet MAC addresses read from standard
+input.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="9%">
+
+
+<p style="margin-top: 1em"><b>&minus;h</b></p></td>
+<td width="2%"></td>
+<td width="43%">
+
+
+<p style="margin-top: 1em"><i>display help and exit</i></p></td>
+<td width="35%">
+</td></tr>
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="9%">
+
+
+<p><b>&minus;k key</b></p></td>
+<td width="2%"></td>
+<td width="43%">
+
+
+<p><i>use KEY for HMAC calculation</i></p></td>
+<td width="35%">
+</td></tr>
+</table>
+
+<p style="margin-left:11%;"><b>&minus;t type</b></p>
+
+<p style="margin-left:22%;"><i>print digest of type TYPE
+[hash|hmac]</i></p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy.conf(5)</p>
+<hr>
+</body>
+</html>
diff --git a/doc/1.6/radsecproxy.conf.html b/doc/1.6/radsecproxy.conf.html
new file mode 100644
index 0000000..1780a13
--- /dev/null
+++ b/doc/1.6/radsecproxy.conf.html
@@ -0,0 +1,886 @@
+<!-- Creator     : groff version 1.22.2 -->
+<!-- CreationDate: Thu Sep 17 10:29:24 2015 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       h1      { text-align: center }
+</style>
+<title>radsecproxy.conf</title>
+
+</head>
+<body>
+
+<h1 align="center">radsecproxy.conf</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#CONFIGURATION SYNTAX">CONFIGURATION SYNTAX</a><br>
+<a href="#BASIC OPTIONS">BASIC OPTIONS</a><br>
+<a href="#BLOCKS">BLOCKS</a><br>
+<a href="#CLIENT BLOCK">CLIENT BLOCK</a><br>
+<a href="#SERVER BLOCK">SERVER BLOCK</a><br>
+<a href="#REALM BLOCK">REALM BLOCK</a><br>
+<a href="#TLS BLOCK">TLS BLOCK</a><br>
+<a href="#REWRITE BLOCK">REWRITE BLOCK</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy.conf
+&minus; Radsec proxy configuration file</p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">When the proxy
+server starts, it will first check the command line
+arguments, and then read the configuration file. Normally
+radsecproxy will read the configuration file
+<i>/usr/local/etc/radsecproxy.conf</i>. The command line
+<b>&minus;c</b> option can be used to instead read an
+alternate file (see <b>radsecproxy</b>(1) for details).</p>
+
+<p style="margin-left:11%; margin-top: 1em">If the
+configuration file can not be found, the proxy will exit
+with an error message. Note that there is also an include
+facility so that any configuration file may include other
+configuration files. The proxy will also exit on
+configuration errors.</p>
+
+<h2>CONFIGURATION SYNTAX
+<a name="CONFIGURATION SYNTAX"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">When the
+configuration file is processed, whitespace (spaces and
+tabs) are generally ignored. For each line, leading and
+trailing whitespace are ignored. A line is ignored if it is
+empty, only consists of whitespace, or if the first
+non-whitespace character is a #. The configuration is
+generally case insensitive, but in some cases the option
+values (see below) are not.</p>
+
+<p style="margin-left:11%; margin-top: 1em">There are two
+types of configuration structures than can be used. The
+first and simplest are lines on the format <i>option
+value</i>. That is, an option name, see below for a list of
+valid options, followed by whitespace (at least one space or
+tab character), followed by a value. Note that if the value
+contains whitespace, then it must be quoted using
+&quot;&quot; or &rsquo;&rsquo;. Any whitespace in front of
+the option or after the value will be ignored.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The other type
+of structure is a block. A block spans at least two lines,
+and has the format:</p>
+
+<p style="margin-left:22%; margin-top: 1em">blocktype name
+{ <br>
+option value <br>
+option value <br>
+... <br>
+}</p>
+
+<p style="margin-left:11%; margin-top: 1em">That is, some
+blocktype, see below for a list of the different block
+types, and then enclosed in braces you have zero or more
+lines that each have the previously described <i>option
+value</i> format. Different block types have different rules
+for which options can be specified, they are listed below.
+The rules regarding white space, comments and quotes are as
+above. Hence you may do things like:</p>
+
+<p style="margin-left:22%; margin-top: 1em">blocktype name
+{ <br>
+# option value <br>
+option &quot;value with space&quot; <br>
+... <br>
+}</p>
+
+<p style="margin-left:11%; margin-top: 1em">Option value
+characters can also be written in hex. This is done by
+writing the character % followed by two hexadecimal digits.
+If a % is used without two following hexadecimal digits, the
+% and the following characters are used as written. If you
+want to write a % and not use this decoding, you may of
+course write % in hex; i.e., %25.</p>
+
+<p style="margin-left:11%; margin-top: 1em">There is one
+special option that can be used both as a basic option and
+inside all blocks. That is the option Include where the
+value specifies files to be included. The value can be a
+single file, or it can use normal shell globbing to specify
+multiple files, e.g.:</p>
+
+<p style="margin-left:22%;">include
+/usr/local/etc/radsecproxy.conf.d/*.conf</p>
+
+<p style="margin-left:11%; margin-top: 1em">The files are
+sorted alphabetically. Included files are read in the order
+they are specified, when reaching the end of a file, the
+next file is read. When reaching the end of the last
+included file, the proxy returns to read the next line
+following the Include option. Included files may again
+include other files.</p>
+
+<h2>BASIC OPTIONS
+<a name="BASIC OPTIONS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The following
+basic options may be specified in the configuration file.
+Note that blocktypes and options inside blocks are discussed
+later. Note that none of these options are required, and
+indeed in many cases they are not needed. Note that you
+should specify each at most once. The behaviour with
+multiple occurences is undefined. <br>
+PidFile</p>
+
+<p style="margin-left:22%;">The PidFile option specifies
+the name of a file to which the process id (PID) will be
+written. This is overridden by the <b>&minus;i</b> command
+line option. There is no default value for the PidFile
+option.</p>
+
+<p style="margin-left:11%;">LogLevel</p>
+
+<p style="margin-left:22%;">This option specifies the debug
+level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only
+serious errors, and 5 logs everything. The default is 2
+which logs errors, warnings and a few informational
+messages. Note that the command line option <b>&minus;d</b>
+overrides this.</p>
+
+<p style="margin-left:11%;">LogDestination</p>
+
+<p style="margin-left:22%;">This specifies where the log
+messages should go. By default the messages go to syslog
+with facility LOG_DAEMON. Using this option you can specify
+another syslog facility, or you may specify that logging
+should be to a particular file, not using syslog. The value
+must be either a file or syslog URL. The file URL is the
+standard one, specifying a local file that should be used.
+For syslog, you must use the syntax:
+x&minus;syslog:///FACILITY where FACILITY must be one of
+LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1,
+LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6
+or LOG_LOCAL7. You may omit the facility from the URL to
+specify logging to the default facility, but this is not
+very useful since this is the default log destination. Note
+that this option is ignored if <b>&minus;f</b> is specified
+on the command line.</p>
+
+<p style="margin-left:11%;">FTicksReporting</p>
+
+<p style="margin-left:22%;">The FTicksReporting option is
+used to enable F-Ticks logging and can be set to None, Basic
+or Full. Its default value is None. If FTicksReporting is
+set to anything other than None, note that the default value
+for FTicksMAC is VendorKeyHashed which needs FTicksKey to be
+set.</p>
+
+<p style="margin-left:22%; margin-top: 1em">See
+radsecproxy.conf&minus;example for details. Note that
+radsecproxy has to be configured with F-Ticks support
+(&minus;&minus;enable&minus;fticks) for this option to have
+any effect.</p>
+
+<p style="margin-left:11%;">FTicksMAC</p>
+
+<p style="margin-left:22%;">The FTicksMAC option can be
+used to control if and how Calling-Station-Id (the users
+Ethernet MAC address) is being logged. It can be set to one
+of Static, Original, VendorHashed, VendorKeyHashed,
+FullyHashed or FullyKeyHashed.</p>
+
+<p style="margin-left:22%; margin-top: 1em">The default
+value for FTicksMAC is VendorKeyHashed. This means that
+FTicksKey has to be set.</p>
+
+<p style="margin-left:22%; margin-top: 1em">Before chosing
+any of Original, FullyHashed or VendorHashed, consider the
+implications for user privacy when MAC addresses are
+collected. How will the logs be stored, transferred and
+accessed?</p>
+
+<p style="margin-left:22%; margin-top: 1em">See
+radsecproxy.conf&minus;example for details. Note that
+radsecproxy has to be configured with F-Ticks support
+(&minus;&minus;enable&minus;fticks) for this option to have
+any effect.</p>
+
+<p style="margin-left:11%;">FTicksKey</p>
+
+<p style="margin-left:22%;">The FTicksKey option is used to
+specify the key to use when producing HMAC&rsquo;s as an
+effect of specifying VendorKeyHashed or FullyKeyHashed for
+the FTicksMAC option.</p>
+
+<p style="margin-left:22%; margin-top: 1em">Note that
+radsecproxy has to be configured with F-Ticks support
+(&minus;&minus;enable&minus;fticks) for this option to have
+any effect.</p>
+
+<p style="margin-left:11%;">FTicksSyslogFacility</p>
+
+<p style="margin-left:22%;">The FTicksSyslogFacility option
+is used to specify a dedicated syslog facility for F-Ticks
+messages. This allows for easier filtering of F-Ticks
+messages. If no FTicksSyslogFacility option is given,
+F-Ticks messages are written to what the LogDestination
+option specifies.</p>
+
+<p style="margin-left:22%; margin-top: 1em">F-Ticks
+messages are always logged using the log level LOG_DEBUG.
+Note that specifying a file in FTicksSyslogFacility (using
+the file:/// prefix) is not supported.</p>
+
+<p style="margin-left:11%;">ListenUDP</p>
+
+<p style="margin-left:22%;">Normally the proxy will listen
+to the standard RADIUS UDP port 1812 if configured to handle
+UDP clients. On most systems it will do this for all of the
+system&rsquo;s IP addresses (both IPv4 and IPv6). On some
+systems however, it may respond to only IPv4 or only IPv6.
+To specify an alternate port you may use a value on the form
+*:port where port is any valid port number. If you also want
+to specify a specific address you can do e.g.
+192.168.1.1:1812 or [2001:db8::1]:1812. The port may be
+omitted if you want the default one (like in these
+examples). These examples are equivalent to 192.168.1.1 and
+2001:db8::1. Note that you must use brackets around the IPv6
+address. This option may be specified multiple times to
+listen to multiple addresses and/or ports.</p>
+
+<p style="margin-left:11%;">ListenTCP</p>
+
+<p style="margin-left:22%;">This option is similar to the
+ListenUDP option, except that it is used for receiving
+connections from TCP clients. The default port number is
+1812.</p>
+
+<p style="margin-left:11%;">ListenTLS</p>
+
+<p style="margin-left:22%;">This is similar to the
+ListenUDP option, except that it is used for receiving
+connections from TLS clients. The default port number is
+2083. Note that this option was previously called
+ListenTCP.</p>
+
+<p style="margin-left:11%;">ListenDTLS</p>
+
+<p style="margin-left:22%;">This is similar to the
+ListenUDP option, except that it is used for receiving
+connections from DTLS clients. The default port number is
+2083.</p>
+
+<p style="margin-left:11%;">SourceUDP</p>
+
+<p style="margin-left:22%;">This can be used to specify
+source address and/or source port that the proxy will use
+for sending UDP client messages (e.g. Access Request).</p>
+
+<p style="margin-left:11%;">SourceTCP</p>
+
+<p style="margin-left:22%;">This can be used to specify
+source address and/or source port that the proxy will use
+for TCP connections.</p>
+
+<p style="margin-left:11%;">SourceTLS</p>
+
+<p style="margin-left:22%;">This can be used to specify
+source address and/or source port that the proxy will use
+for TLS connections.</p>
+
+<p style="margin-left:11%;">SourceDTLS</p>
+
+<p style="margin-left:22%;">This can be used to specify
+source address and/or source port that the proxy will use
+for DTLS connections.</p>
+
+<p style="margin-left:11%;">TTLAttribute</p>
+
+<p style="margin-left:22%;">This can be used to change the
+default TTL attribute. Only change this if you know what you
+are doing. The syntax is either a numerical value denoting
+the TTL attribute, or two numerical values separated by
+column specifying a vendor attribute, i.e.
+vendorid:attribute.</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="9%">
+
+
+<p>AddTTL</p></td>
+<td width="2%"></td>
+<td width="78%">
+
+
+<p>If a TTL attribute is present, the proxy will decrement
+the value and discard the message if zero. Normally the
+proxy does nothing if no TTL attribute is present. If you
+use the AddTTL option with a value 1-255, the proxy will
+when forwarding a message with no TTL attribute, add one
+with the specified value. Note that this option can also be
+specified for a client/server. It will then override this
+setting when forwarding a message to that client/server.</p></td></tr>
+</table>
+
+<p style="margin-left:11%;">LoopPrevention</p>
+
+<p style="margin-left:22%;">This can be set to on or off
+with off being the default. When this is enabled, a request
+will never be sent to a server named the same as the client
+it was received from. I.e., the names of the client block
+and the server block are compared. Note that this only gives
+limited protection against loops. It can be used as a basic
+option and inside server blocks where it overrides the basic
+setting.</p>
+
+<p style="margin-left:11%;">IPv4Only and IPv6Only</p>
+
+<p style="margin-left:22%;">These can be set to on or off
+with off being the default. At most one of IPv4Only and
+IPv6Only can be enabled. Enabling IPv4Only or IPv6Only makes
+radsecproxy resolve DNS names to the corresponding address
+family only, and not the other. This is done for both
+clients and servers. Note that this can be overridden in
+client and server blocks, see below.</p>
+
+<p style="margin-left:11%;">Include</p>
+
+<p style="margin-left:22%;">This is not a normal
+configuration option; it can be specified multiple times. It
+can both be used as a basic option and inside blocks. For
+the full description, see the configuration syntax section
+above.</p>
+
+<h2>BLOCKS
+<a name="BLOCKS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">There are five
+types of blocks, they are client, server, realm, tls and
+rewrite. At least one instance of each of client and realm
+is required. This is necessary for the proxy to do anything
+useful, and it will exit if not. The tls block is required
+if at least one TLS/DTLS client or server is configured.
+Note that there can be multiple blocks for each type. For
+each type, the block names should be unique. The behaviour
+with multiple occurences of the same name for the same block
+type is undefined. Also note that some block option values
+may reference a block by name, in which case the block name
+must be previously defined. Hence the order of the blocks
+may be significant.</p>
+
+<h2>CLIENT BLOCK
+<a name="CLIENT BLOCK"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The client
+block is used to configure a client. That is, tell the proxy
+about a client, and what parameters should be used for that
+client. The name of the client block must (with one
+exception, see below) be either the IP address (IPv4 or
+IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form
+IpAddress/PrefixLength, or a domain name (FQDN). The way an
+FQDN is resolved into an IP address may be influenced by the
+use of the IPv4Only and IPv6Only options. Note that literal
+IPv6 addresses must be enclosed in brackets.</p>
+
+<p style="margin-left:11%; margin-top: 1em">If a domain
+name is specified, then this will be resolved immediately to
+all the addresses associated with the name, and the proxy
+will not care about any possible DNS changes that might
+occur later. Hence there is no dependency on DNS after
+startup.</p>
+
+<p style="margin-left:11%; margin-top: 1em">When some
+client later sends a request to the proxy, the proxy will
+look at the IP address the request comes from, and then go
+through all the addresses of each of the configured clients
+(in the order they are defined), to determine which (if any)
+of the clients this is.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In the case of
+TLS/DTLS, the name of the client must match the FQDN or IP
+address in the client certificate. Note that this is not
+required when the client name is an IP prefix.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Alternatively
+one may use the host option inside a client block. In that
+case, the value of the host option is used as above, while
+the name of the block is only used as a descriptive name for
+the administrator. The host option may be used multiple
+times, and can be a mix of addresses, FQDNs and
+prefixes.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The allowed
+options in a client block are host, IPv4Only, IPv6Only,
+type, secret, tls, certificateNameCheck,
+matchCertificateAttribute, duplicateInterval, AddTTL,
+fticksVISCOUNTRY, fticksVISINST, rewrite, rewriteIn,
+rewriteOut, and rewriteAttribute. We already discussed the
+host option. To specify how radsecproxy should resolve a
+host given as a DNS name, the IPv4Only or the IPv6Only can
+be set to on. At most one of these options can be enabled.
+Enabling IPv4Only or IPv6Only here overrides any basic
+settings set at the top level. The value of type must be one
+of udp, tcp, tls or dtls. The value of secret is the shared
+RADIUS key used with this client. If the secret contains
+whitespace, the value must be quoted. This option is
+optional for TLS/DTLS and if omitted will default to
+&quot;radsec&quot;. (Note that using a secret other than
+&quot;radsec&quot; for TLS is a violation of the standard
+(RFC 6614) and that the proposed standard for DTLS
+stipulates that the secret must be
+&quot;radius/dtls&quot;.)</p>
+
+<p style="margin-left:11%; margin-top: 1em">For a TLS/DTLS
+client you may also specify the tls option. The option value
+must be the name of a previously defined TLS block. If this
+option is not specified, the TLS block with the name
+defaultClient will be used if defined. If not defined, it
+will try to use the TLS block named default. If the
+specified TLS block name does not exist, or the option is
+not specified and none of the defaults exist, the proxy will
+exit with an error. NOTE: All versions of radsecproxy up to
+and including 1.6 erroneously verify client certificate
+chains using the CA in the very first matching client block
+regardless of which block is used for the final decision.
+This was changed in version 1.6.1 so that a client block
+with a different tls option than the first matching client
+block is no longer considered for verification of
+clients.</p>
+
+<p style="margin-left:11%; margin-top: 1em">For a TLS/DTLS
+client, the option certificateNameCheck can be set to off,
+to disable the default behaviour of matching CN or
+SubjectAltName against the specified hostname or IP
+address.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Additional
+validation of certificate attributes can be done by use of
+the matchCertificateAttribute option. Currently one can only
+do some matching of CN and SubjectAltName. For regexp
+matching on CN, one can use the value CN:/regexp/. For
+SubjectAltName one can only do regexp matching of the URI,
+this is specified as SubjectAltName:URI:/regexp/. Note that
+currently this option can only be specified once in a client
+block.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The
+duplicateInterval option can be used to specify for how many
+seconds duplicate checking should be done. If a proxy
+receives a new request within a few seconds of a previous
+one, it may be treated the same if from the same client,
+with the same authenticator etc. The proxy will then ignore
+the new request (if it is still processing the previous
+one), or returned a copy of the previous reply.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The AddTTL
+option is similar to the AddTTL option used in the basic
+config. See that for details. Any value configured here
+overrides the basic one when sending messages to this
+client.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The
+fticksVISCOUNTRY option configures clients eligible to
+F-Ticks logging as defined by the FTicksReporting basic
+option.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The
+fticksVISINST option overwrites the default VISINST value
+taken from the client block name.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The rewrite
+option is deprecated. Use rewriteIn instead.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The rewriteIn
+option can be used to refer to a rewrite block that
+specifies certain rewrite operations that should be
+performed on incoming messages from the client. The
+rewriting is done before other processing. For details, see
+the rewrite block text below. Similarly to tls discussed
+above, if this option is not used, there is a fallback to
+using the rewrite block named defaultClient if it exists;
+and if not, a fallback to a block named default.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The rewriteOut
+option is used in the same way as rewriteIn, except that it
+specifies rewrite operations that should be performed on
+outgoing messages to the client. The rewriting is done after
+other processing. Also, there is no rewrite fallback if this
+option is not used.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The
+rewriteAttribute option currently makes it possible to
+specify that the User-Name attribute in a client request
+shall be rewritten in the request sent by the proxy. The
+User-Name attribute is written back to the original value if
+a matching response is later sent back to the client. The
+value must be on the form
+User-Name:/regexpmatch/replacement/. Example usage:</p>
+
+<p style="margin-left:22%;">rewriteAttribute
+User-Name:/^(.*)@local$/\1@example.com/</p>
+
+<h2>SERVER BLOCK
+<a name="SERVER BLOCK"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The server
+block is used to configure a server. That is, tell the proxy
+about a server, and what parameters should be used when
+communicating with that server. The name of the server block
+must (with one exception, see below) be either the IP
+address (IPv4 or IPv6) of the server, or a domain name
+(FQDN). If a domain name is specified, then this will be
+resolved immediately to all the addresses associated with
+the name, and the proxy will not care about any possible DNS
+changes that might occur later. Hence there is no dependency
+on DNS after startup. If the domain name resolves to
+multiple addresses, then for UDP/DTLS the first address is
+used. For TCP/TLS, the proxy will loop through the addresses
+until it can connect to one of them. The way an FQDN is
+resolved into an IP address may be influenced by the use of
+the IPv4Only and IPv6Only options. In the case of TLS/DTLS,
+the name of the server must match the FQDN or IP address in
+the server certificate.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Alternatively
+one may use the host option inside a server block. In that
+case, the value of the host option is used as above, while
+the name of the block is only used as a descriptive name for
+the administrator. Note that multiple host options may be
+used. This will then be treated as multiple names/addresses
+for the same server. When initiating a TCP/TLS connection,
+all addresses of all names may be attempted, but there is no
+failover between the different host values. For failover one
+must use separate server blocks.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Note that the
+name of the block, or values of host options may include a
+port number (separated with a column). This port number will
+then override the default port or a port option in the
+server block. Also note that literal IPv6 addresses must be
+enclosed in brackets.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The allowed
+options in a server block are host, port, IPv4Only,
+IPv6Only, type, secret, tls, certificateNameCheck,
+matchCertificateAttribute, AddTTL, rewrite, rewriteIn,
+rewriteOut, statusServer, retryCount, dynamicLookupCommand
+and retryInterval and LoopPrevention.</p>
+
+<p style="margin-left:11%; margin-top: 1em">We already
+discussed the host option. To specify how radsecproxy should
+resolve a host given as a DNS name, the IPv4Only or the
+IPv6Only can be set to on. At most one of these options can
+be enabled. Enabling IPv4Only or IPv6Only here overrides any
+basic settings set at the top level. The port option allows
+you to specify which port number the server uses. The usage
+of type, secret, tls, certificateNameCheck,
+matchCertificateAttribute, AddTTL, rewrite, rewriteIn and
+rewriteOut are just as specified for the client block above,
+except that defaultServer (and not defaultClient) is the
+fallback for the tls, rewrite and rewriteIn options.</p>
+
+<p style="margin-left:11%; margin-top: 1em">statusServer
+can be specified to enable the use of status-server messages
+for this server. The value must be either on or off. The
+default when not specified, is off. If statusserver is
+enabled, the proxy will during idle periods send regular
+status-server messages to the server to verify that it is
+alive. This should only be enabled if the server supports
+it.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The options
+retryCount and retryInterval can be used to specify how many
+times the proxy should retry sending a request and how long
+it should wait between each retry. The defaults are 2
+retries and an interval of 5s.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The option
+dynamicLookupCommand can be used to specify a command that
+should be executed to dynamically configure a server. The
+executable file should be given with full path and will be
+invoked with the name of the realm as its first and only
+argument. It should either print a valid server option on
+stdout and exit with a code of 0 or print nothing and exit
+with a non-zero exit code. An example of a shell script
+resolving the DNS NAPTR records for the realm and then the
+SRV records for each NAPTR matching
+&rsquo;x-eduroam:radius.tls&rsquo; is provided in
+tools/naptr&minus;eduroam.sh. This option was added in
+radsecproxy-1.3 but tends to crash radsecproxy versions
+earlier than 1.6.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Using the
+LoopPrevention option here overrides any basic setting of
+this option. See section BASIC OPTIONS for details on this
+option.</p>
+
+<h2>REALM BLOCK
+<a name="REALM BLOCK"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">When the proxy
+receives an Access-Request it needs to figure out to which
+server it should be forwarded. This is done by looking at
+the Username attribute in the request, and matching that
+against the names of the defined realm blocks. The proxy
+will match against the blocks in the order they are
+specified, using the first match if any. If no realm
+matches, the proxy will simply ignore the request. Each
+realm block specifies what the server should do when a match
+is found. A realm block may contain none, one or multiple
+server options, and similarly accountingServer options.
+There are also replyMessage and accountingResponse options.
+We will discuss these later.</p>
+
+<p style="margin-left:11%; margin-top: 1em"><b>REALM BLOCK
+NAMES AND MATCHING</b> <br>
+In the general case the proxy will look for a @ in the
+username attribute, and try to do an exact case insensitive
+match between what comes after the @ and the name of the
+realm block. So if you get a request with the attribute
+value anonymous@example.com, the proxy will go through the
+realm names in the order they are specified, looking for a
+realm block named example.com.</p>
+
+<p style="margin-left:11%; margin-top: 1em">There are two
+exceptions to this, one is the realm name * which means
+match everything. Hence if you have a realm block named *,
+then it will always match. This should then be the last
+realm block defined, since any blocks after this would never
+be checked. This is useful for having a default.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The other
+exception is regular expression matching. If the realm name
+starts with a /, the name is treated as an regular
+expression. A case insensitive regexp match will then be
+done using this regexp on the value of the entire Username
+attribute. Optionally you may also have a trailing / after
+the regexp. So as an example, if you want to use regexp
+matching the domain example.com you could have a realm block
+named /@example\\.com$. Optinally this can also be written
+/@example\\.com$/. If you want to match all domains under
+the .com top domain, you could do /@.*\\.com$. Note that
+since the matching is done on the entire attribute value,
+you can also use rules like /^[a&minus;k].*@example\\.com$/
+to get some of the users in this domain to use one server,
+while other users could be matched by another realm block
+and use another server.</p>
+
+<p style="margin-left:11%; margin-top: 1em"><b>REALM BLOCK
+OPTIONS</b> <br>
+A realm block may contain none, one or multiple server
+options. If defined, the values of the server options must
+be the names of previously defined server blocks. Normally
+requests will be forwarded to the first server option
+defined. If there are multiple server options, the proxy
+will do fail-over and use the second server if the first is
+down. If the two first are down, it will try the third etc.
+If say the first server comes back up, it will go back to
+using that one. Currently detection of servers being up or
+down is based on the use of StatusServer (if enabled), and
+that TCP/TLS/DTLS connections are up.</p>
+
+<p style="margin-left:11%; margin-top: 1em">A realm block
+may also contain none, one or multiple accountingServer
+options. This is used exactly like the server option, except
+that it is used for specifying where to send matching
+accounting requests. The values must be the names of
+previously defined server blocks. When multiple accounting
+servers are defined, there is a failover mechanism similar
+to the one for the server option.</p>
+
+<p style="margin-left:11%; margin-top: 1em">If there is no
+server option, the proxy will if replyMessage is specified,
+reply back to the client with an Access Reject message. The
+message contains a replyMessage attribute with the value as
+specified by the replyMessage option. Note that this is
+different from having no match since then the request is
+simply ignored. You may wonder why this is useful. One
+example is if you handle say all domains under say .bv. Then
+you may have several realm blocks matching the domains that
+exists, while for other domains under .bv you want to send a
+reject. At the same time you might want to send all other
+requests to some default server. After the realms for the
+subdomains, you would then have two realm definitions. One
+with the name /@.*\\.bv$ with no servers, followed by one
+with the name * with the default server defined. This may
+also be useful for blocking particular usernames.</p>
+
+<p style="margin-left:11%; margin-top: 1em">If there is no
+accountingServer option, the proxy will normally do nothing,
+ignoring accounting requests. There is however an option
+called accountingResponse. If this is set to on, the proxy
+will log some of the accounting information and send an
+Accounting-Response back. This is useful if you do not care
+much about accounting, but want to stop clients from
+retransmitting accounting requests. By default this option
+is set to off.</p>
+
+<h2>TLS BLOCK
+<a name="TLS BLOCK"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The TLS block
+specifies TLS configuration options and you need at least
+one of these if you have clients or servers using TLS/DTLS.
+As discussed in the client and server block descriptions, a
+client or server block may reference a particular TLS block
+by name. There are also however the special TLS block names
+default, defaultClient and defaultServer which are used as
+defaults if the client or server block does not reference a
+TLS block. Also note that a TLS block must be defined before
+the client or server block that would use it. If you want
+the same TLS configuration for all TLS/DTLS clients and
+servers, you need just a single tls block named default, and
+the client and servers need not refer to it. If you want all
+TLS/DTLS clients to use one config, and all TLS/DTLS servers
+to use another, then you would be fine only defining two TLS
+blocks named defaultClient and defaultServer. If you want
+different clients (or different servers) to have different
+TLS parameters, then you may need to create other TLS blocks
+with other names, and reference those from the client or
+server definitions. Note that you could also have say a
+client block refer to a default, even defaultServer if you
+really want to.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The available
+TLS block options are CACertificateFile, CACertificatePath,
+certificateFile, certificateKeyFile, certificateKeyPassword,
+cacheExpiry, CRLCheck and policyOID. When doing RADIUS over
+TLS/DTLS, both the client and the server present
+certificates, and they are both verified by the peer. Hence
+you must always specify certificateFile and
+certificateKeyFile options, as well as
+certificateKeyPassword if a password is needed to decrypt
+the private key. Note that CACertificateFile may be a
+certificate chain. In order to verify certificates, or send
+a chain of certificates to a peer, you also always need to
+specify CACertificateFile or CACertificatePath. Note that
+you may specify both, in which case the certificates in
+CACertificateFile are checked first. By default CRLs are not
+checked. This can be changed by setting CRLCheck to on. One
+can require peer certificates to adhere to certain policies
+by specifying one or multiple policyOIDs using one or
+multiple policyOID options.</p>
+
+<p style="margin-left:11%; margin-top: 1em">CA certificates
+and CRLs are normally cached permanently. That is, once a CA
+or CRL has been read, the proxy will never attempt to
+re-read it. CRLs may change relatively often and the proxy
+should ideally always use the latest CRLs. Rather than
+restarting the proxy, there is an option cacheExpiry that
+specifies how many seconds the CA and CRL information should
+be cached. Reasonable values might be say 3600 (1 hour) or
+86400 (24 hours), depending on how frequently CRLs are
+updated and how critical it is to be up to date. This option
+may be set to zero to disable caching.</p>
+
+<h2>REWRITE BLOCK
+<a name="REWRITE BLOCK"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The rewrite
+block specifies rules that may rewrite RADIUS messages. It
+can be used to add, remove and modify specific attributes
+from messages received from and sent to clients and servers.
+As discussed in the client and server block descriptions, a
+client or server block may reference a particular rewrite
+block by name. There are however also the special rewrite
+block names default, defaultClient and defaultServer which
+are used as defaults if the client or server block does not
+reference a block. Also note that a rewrite block must be
+defined before the client or server block that would use it.
+If you want the same rewrite rules for input from all
+clients and servers, you need just a single rewrite block
+named default, and the client and servers need not refer to
+it. If you want all clients to use one config, and all
+servers to use another, then you would be fine only defining
+two rewrite blocks named defaultClient and defaultServer.
+Note that these defaults are only used for rewrite on input.
+No rewriting is done on output unless explicitly specified
+using the rewriteOut option.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The available
+rewrite block options are addAttribute, addVendorAttribute,
+removeAttribute, removeVendorAttribute and modifyAttribute.
+They can all be specified none, one or multiple times.</p>
+
+<p style="margin-left:11%; margin-top: 1em">addAttribute is
+used to add attributes to a message. The option value must
+be on the form attribute:value where attribute is a
+numerical value specifying the attribute. Simliarly, the
+addVendorAttribute is used to specify a vendor attribute to
+be added. The option value must be on the form
+vendor:subattribute:value, where vendor and subattribute are
+numerical values.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The
+removeAttribute option is used to specify an attribute that
+should be removed from received messages. The option value
+must be a numerical value specifying which attribute is to
+be removed. Similarly, removeVendorAttribute is used to
+specify a vendor attribute that is to be removed. The value
+can be a numerical value for removing all attributes from a
+given vendor, or on the form vendor:subattribute, where
+vendor and subattribute are numerical values, for removing a
+specific subattribute for a specific vendor.</p>
+
+
+<p style="margin-left:11%; margin-top: 1em">modifyAttribute
+is used to specify modification of attributes. The value
+must be on the form attribute:/regexpmatch/replacement/
+where attribute is a numerical attribute type, regexpmatch
+is regexp matching rule and replacement specifies how to
+replace the matching regexp. Example usage:</p>
+
+<p style="margin-left:22%;">modifyAttribute
+1:/^(.*)@local$/\1@example.com/</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>radsecproxy</b>(1),
+<br>
+Transport Layer Security (TLS) Encryption for RADIUS &lang;
+https://tools.ietf.org/html/rfc6614&rang;</p>
+<hr>
+</body>
+</html>
diff --git a/doc/1.6/radsecproxy.html b/doc/1.6/radsecproxy.html
new file mode 100644
index 0000000..ee3140f
--- /dev/null
+++ b/doc/1.6/radsecproxy.html
@@ -0,0 +1,251 @@
+<!-- Creator     : groff version 1.22.2 -->
+<!-- CreationDate: Thu Sep 17 10:29:23 2015 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       h1      { text-align: center }
+</style>
+<title>radsecproxy</title>
+
+</head>
+<body>
+
+<h1 align="center">radsecproxy</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSIS">SYNOPSIS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#SIGNALS">SIGNALS</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy - a
+generic RADIUS proxy that provides both RADIUS UDP and
+TCP/TLS (RadSec) transport.</p>
+
+<h2>SYNOPSIS
+<a name="SYNOPSIS"></a>
+</h2>
+
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="89%">
+
+
+<p style="margin-top: 1em">radsecproxy [&minus;c
+configfile] [&minus;d debuglevel] [&minus;f] [&minus;i
+pidfile] [&minus;p] [&minus;v]</p></td></tr>
+</table>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy is
+a <b>generic RADIUS proxy</b> that in addition to to usual
+<b>RADIUS UDP</b> transport, also supports <b>TLS
+(RadSec)</b>. The aim is for the proxy to have sufficient
+features to be flexible, while at the same time to be small,
+efficient and easy to configure. Currently the executable on
+Linux is only about <i>48 KB</i>, and it uses about <i>64
+KB</i> (depending on the number of peers) while running.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The proxy was
+initially made to be able to deploy <b>RadSec</b> (RADIUS
+over TLS) so that all RADIUS communication across network
+links could be done using TLS, without modifying existing
+RADIUS software. This can be done by running this proxy on
+the same host as an existing RADIUS server or client, and
+configure the existing client/server to talk to localhost
+(the proxy) rather than other clients and servers
+directly.</p>
+
+<p style="margin-left:11%; margin-top: 1em">There are
+however other situations where a RADIUS proxy might be
+useful. Some people deploy RADIUS topologies where they want
+to route RADIUS messages to the right server. The nodes that
+do purely routing could be using a proxy. Some people may
+also wish to deploy a proxy on a site boundary. Since the
+proxy <b>supports both IPv4 and IPv6</b>, it could also be
+used to allow communication in cases where some RADIUS nodes
+use only IPv4 and some only IPv6.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="3%">
+
+
+<p style="margin-top: 1em"><b>&minus;f</b></p></td>
+<td width="8%"></td>
+<td width="26%">
+
+
+<p style="margin-top: 1em"><i>Run in foreground</i></p></td>
+<td width="52%">
+</td></tr>
+</table>
+
+<p style="margin-left:22%; margin-top: 1em">By specifying
+this option, the proxy will run in foreground mode. That is,
+it won&rsquo;t detach. Also all logging will be done to
+stderr.</p>
+
+<p style="margin-left:11%;"><b>&minus;d &lt;debug
+level&gt;</b></p>
+
+<p style="margin-left:22%; margin-top: 1em"><i>Debug
+level</i></p>
+
+<p style="margin-left:22%; margin-top: 1em">This specifies
+the debug level. It must be set to 1, 2, 3, 4 or 5, where 1
+logs only serious errors, and 5 logs everything. The default
+is 2 which logs errors, warnings and a few informational
+messages.</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="3%">
+
+
+<p><b>&minus;p</b></p></td>
+<td width="8%"></td>
+<td width="10%">
+
+
+<p><i>Pretend</i></p></td>
+<td width="68%">
+</td></tr>
+</table>
+
+<p style="margin-left:22%; margin-top: 1em">The proxy reads
+configuration files and performs initialisation as usual,
+but exits prior to creating any sockets. It will return
+different exit codes depending on whether the configuration
+files are okay. This may be used to verify configuration
+files, and can be done while another instance is
+running.</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="3%">
+
+
+<p style="margin-top: 1em"><b>&minus;v</b></p></td>
+<td width="8%"></td>
+<td width="20%">
+
+
+<p style="margin-top: 1em"><i>Print version</i></p></td>
+<td width="58%">
+</td></tr>
+</table>
+
+<p style="margin-left:22%; margin-top: 1em">When this
+option is specified, the proxy will simply print version
+information and exit.</p>
+
+<p style="margin-left:11%;"><b>&minus;c &lt;config file
+path&gt;</b></p>
+
+<p style="margin-left:22%; margin-top: 1em"><i>Config file
+path</i></p>
+
+<p style="margin-left:22%; margin-top: 1em">This option
+allows you to specify which config file to use. This is
+useful if you want to use a config file that is not in any
+of the default locations.</p>
+
+<p style="margin-left:11%;"><b>&minus;i &lt;pid file
+path&gt;</b></p>
+
+<p style="margin-left:22%; margin-top: 1em"><i>PID file
+path</i></p>
+
+<p style="margin-left:22%; margin-top: 1em">This option
+tells the proxy to create a PID file with the specified
+path.</p>
+
+<h2>SIGNALS
+<a name="SIGNALS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The proxy
+generally exits on all signals. The exceptions are listed
+below.</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="9%">
+
+
+<p><b>SIGHUP</b></p></td>
+<td width="2%"></td>
+<td width="78%">
+
+
+<p>When logging to a file, this signal forces a reopen of
+the log file.</p></td></tr>
+</table>
+
+<p style="margin-left:11%;"><b>SIGPIPE</b></p>
+
+<p style="margin-left:22%; margin-top: 1em">This signal is
+ignored.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>/etc/radsecproxy.conf</b></p>
+
+<p style="margin-left:22%; margin-top: 1em">The default
+configuration file.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">radsecproxy.conf(5),
+radsecproxy-hash(1)</p>
+<hr>
+</body>
+</html>
diff --git a/download.mdwn b/download.mdwn
new file mode 100644
index 0000000..c1192d2
--- /dev/null
+++ b/download.mdwn
@@ -0,0 +1,215 @@
+## Verifying
+
+SHA256 checksums can be found in [[sha256.txt]].
+
+PGP signatures can be found below.
+
+## Releases
+
+* [1.6.6](radsecproxy-1.6.6.tar.xz)
+  ([PGP sig](radsecproxy-1.6.6.tar.xz.asc)) from January 19th, 2015
+
+  This is the latest release.  It fixes
+  [RADSECPROXY-59](https://project.nordu.net/browse/RADSECPROXY-59)
+  (use rewriteIn correctly), and
+  [RADSECPROXY-58](https://project.nordu.net/browse/RADSECPROXY-58)
+  (handle CHAP when there is no CHAP-Challenge), as well as a number
+  of security fixes (two use-after-free, one null-pointer dereference,
+  and three heap overflows).  </dd>
+
+
+* [1.6.5](radsecproxy-1.6.5.tar.gz)
+  ([PGP sig](radsecproxy-1.6.5.tar.gz.asc)) from September 6th, 2013
+
+  Fixes a crash bug introduced in 1.6.4. Fixes
+  [RADSECPROXY-53](https://project.nordu.net/browse/RADSECPROXY-53),
+  bugfix on 1.6.4.
+
+* 1.6.4 ([PGP sig](radsecproxy-1.6.4.tar.gz.asc)) from September 5th,
+  2013
+
+  Fixes a bug with not keeping Proxy-State attributes in all replies
+  [RADSECPROXY-52](https://project.nordu.net/browse/RADSECPROXY-52).
+
+* [1.6.3](radsecproxy-1.6.3.tar.gz)
+  ([PGP sig](radsecproxy-1.6.3.tar.gz.asc)) from September 5th, 2013
+
+  Fixes bugs vital for dynamic discovery, see ChangeLog for details.
+
+* [1.6.2](radsecproxy-1.6.2.tar.gz)
+  ([PGP sig](radsecproxy-1.6.2.tar.gz.asc)) from October 25th, 2012
+
+  Fixes bug regarding certificate authentication for DTLS
+  [RADSECPROXY-43](https://project.nordu.net/browse/RADSECPROXY-43),
+  CVE-2012-4566).
+
+* [1.6.1](radsecproxy-1.6.1.tar.gz)
+  ([PGP sig](radsecproxy-1.6.1.tar.gz.asc)) from September 14th, 2012
+
+  Fixes a bug regarding certificate authentication
+  [RADSECPROXY-43](https://project.nordu.net/browse/RADSECPROXY-43),
+  CVE-2012-4523)
+
+* [1.6](radsecproxy-1.6.tar.gz)
+  ([PGP sig](radsecproxy-1.6.tar.gz.asc)) from April 28th, 2012
+
+  Improved support for F-Ticks logging and new option for pidfile.
+
+  **Incompatible change**: The default shared secret for TLS and DTLS
+    connections change from "mysecret" to "radsec" as per
+    draft-ietf-radext-radsec-12 section 2.3 (4).  Please make sure to
+    specify a secret in both client and server blocks to avoid
+    unwanted surprises.
+
+  The default place to look for a configuration file has changed from
+  /etc to /usr/local/etc, let radsecproxy know where your
+  configuration file can be found by using the `-c' command line
+  option, or configure radsecproxy on with --sysconfdir=/etc when
+  building to restore old behaviour.
+
+  For other changes, see Changelog inside the archive.
+
+* [1.5](radsecproxy-1.5.tar.gz)
+  ([PGP sig](radsecproxy-1.5.tar.gz.asc)) from October 8th, 2011
+
+  Introduces support for F-Ticks logging. For other changes, see
+  Changelog inside the archive.
+
+## Older releases
+
+* [1.4.3](radsecproxy-1.4.3.tar.gz)
+  ([PGP sig](radsecproxy-1.4.3.tar.gz.asc)) from July 22nd, 2011
+
+  Fixed a debug printout issue.
+
+* [1.4.2](radsecproxy-1.4.2.tar.gz)
+  ([PGP sig](radsecproxy-1.4.2.tar.gz.asc)) from November 23rd, 2010
+
+  Mostly a security update due to a certain vulnerability in how
+  caching was handled in OpenSSL prior to 0.9.8p and 1.0.0b.  If your
+  OpenSSL is older than those, you should use this one or newer.
+
+* 1.4.1 from November 18th, 2010
+
+  This release contained some debug code that caused crashes, and is
+  hence removed.
+
+* [1.4](radsecproxy-1.4.tar.gz) from June 12th, 2010
+
+  The major changes are support for LoopPrevention per server, added
+  AddVendorAttribute rewrite configuration, new log level DBG_NOTICE,
+  fixed UDP fragmentation issue, fixed build issues on Solaris and
+  fixed bug regarding long passwords.
+
+* [1.3.1](radsecproxy-1.3.1.tar.gz) from July 22nd, 2009
+
+  Last release of 1.3. The main change is an important fix for
+  multiple UDP servers with the same IP address, which solves
+  accounting problems experienced by many.  Thanks alot to Simon
+  Leinen for submitting the patch for this.  Default log level is 2,
+  while it was 3 previously. also, some log messages have changed log
+  levels. you should be fine using this in production, although 1.2
+  may be safer (as it has been through more testing) if you don't need
+  the new features.
+
+* [1.2](radsecproxy-1.2.tar.gz) from October 7th, 2008
+
+  Perhaps the most stable "old" release so far.  If you do not need
+  the new features in 1.3+, then this may be the best option.  Some
+  issues with earlier releases are fixed and there are also a number
+  of new useful features like more message rewrite options and
+  regularly refreshing CRLs.
+
+
+* [1.3-beta](radsecproxy-1.3-beta.tar.gz) from February 18th, 2009
+
+  This is only a beta release and needs more testing to be as mature as
+  1.2, so be careful about using this in production. But if you can,
+  please help test this release to speed its way towards the 1.3
+  release. The only new feature since the alpha release is that client
+  and server blocks can contain multiple host options. There have also
+  been some minor bug fixes, and it is now possible when compiling to
+  select which transports to support.
+
+* [1.3-alpha](radsecproxy-1.3-alpha.tar.gz) from December 4th, 2008
+
+  Many new features were introduced in 1.3. The major ones are TCP and
+  DTLS transport, and dynamic server discovery. Other minor features
+  are TTL (hopcount) support for RADIUS messages and PolicyOID for
+  checking certificate policies.
+
+* [1.1](radsecproxy-1.1.tar.gz) from July 24th, 2008
+
+  This release has proven to be fairly stable, but an upgrade to 1.2
+  is recommended. Some issues with earlier releases are fixed and
+  there are also a number of new useful features like failover when
+  not using Status-Server, limited loop prevention and CRL
+  checking. This is also the first version where accounting works
+  properly.
+
+* [1.1-beta](radsecproxy-1.1-beta.tar.gz) from May 14th, 2008
+
+  The main new features since 1.1-alpha were attribute filtering,
+  accounting support and improved certificate matching.
+
+* [1.1-alpha](radsecproxy-1.1-alpha.tar.gz) from December 24th, 2007
+
+  There are some known problems with this release, so you should be
+  using the most recent 1.1 release instead. The new features were in
+  short: pretend option for validating configuration; include option
+  for including additional config files; clients can be configured by
+  IP prefix, allowing dynamic clients; server failover support; source
+  address and port can be specified for requests; and finally optional
+  rewriting of the username attribute.
+
+* [1.0p1](radsecproxy-1.0p1.tar.gz) from October 16th, 2007
+
+  Since 1.0 a bug was fixed where the proxy was likely to crash if any
+  servers were configured after the first realm block.  Since the
+  alpha release the certificate validation was improved and some minor
+  bugs have been fixed.
+
+* [1.0](radsecproxy-1.0.tar.gz) from September 21st, 2007
+
+* [1.0-alpha-p1](radsecproxy-1.0-alpha-p1.tar.gz) from June 13th, 2007
+
+* [1.0-alpha](radsecproxy-1.0-alpha.tar.gz) from June 5th, 2007
+
+## Access via git
+
+The developer tree of radsecproxy is available as a
+[tar archive](https://git.nordu.net/?p=radsecproxy.git;a=snapshot;h=HEAD;sf=tgz)
+or you use git. To checkout the current version of the tree, enter
+the following command:
+
+    git clone https://git.nordu.net/radsecproxy.git
+
+If you want to contribute code, you need to get in
+[contact with the developers](?page=contact).
+
+Note that there is also a
+[web interface](http://git.nordu.net/?p=radsecproxy.git;a=summary) to
+the repository.
+
+## Linux packages
+
+Various people have kindly contributed packages for various Linux
+distributions.
+
+### Debian
+
+* Since Debian release 5 (Lenny), radsecproxy is included in the
+distribution.
+
+* 1.2 for CentOS 5 / Red Hat Enterprise Linux 5
+[radsecproxy-1.2-1.i386.rpm](packages/radsecproxy-1.2-1.i386.rpm)
+[radsecproxy-1.2-1.src.rpm](packages/radsecproxy-1.2-1.src.rpm)
+
+* 1.0 for openSUSE, Fedora and Mandriva openSUSE should be available
+from various mirrors, but all of these can also be downloaded from
+[download.opensuse.org](http://download.opensuse.org/repositories/network:/aaa/).
+The Fedora and Mandriva packages have not yet been tested (AFAIK),
+please let me know whether they work for you or not.
+
+* 1.0p1 for [OpenSDE](http://opensde.org/)
+Part of the distribution, see the site
diff --git a/index.mdwn b/index.mdwn
new file mode 100644
index 0000000..98a7de0
--- /dev/null
+++ b/index.mdwn
@@ -0,0 +1,33 @@
+radsecproxy is a generic RADIUS proxy that in addition to to usual
+RADIUS UDP transport, also supports TLS (RadSec), as well as RADIUS
+over TCP and DTLS. The aim is for the proxy to have sufficient
+features to be flexible, while at the same time to be small, efficient
+and easy to configure.
+
+The proxy was initially made to be able to deploy RadSec (RADIUS over
+TLS) so that all RADIUS communication across network links could be
+done using TLS, without modifying existing RADIUS software. This can
+be done by running this proxy on the same host as an existing RADIUS
+server or client, and configure the existing client/server to talk to
+localhost (the proxy) rather than other clients and servers directly.
+
+There are however other situations where a RADIUS proxy might be
+useful. Some people deploy RADIUS topologies where they want to route
+RADIUS messages to the right server. The nodes that do purely routing
+could be using a proxy. Some people may also wish to deploy a proxy on
+a site boundary. Since the proxy supports both IPv4 and IPv6, it could
+also be used to allow communication in cases where some RADIUS nodes
+use only IPv4 and some only IPv6.
+
+## Latest release
+
+On January 19th 2015
+[radsecproxy-1.6.6](dist/radsecproxy-1.6.6.tar.xz)
+([PGP-sig)](dist/radsecproxy-1.6.6.tar.xz.asc) was released, and this
+is the recommended release for most people. Please report issues,
+request features etc. to the
+[bug tracker](https://project.nordu.net/browse/RADSECPROXY). If you
+use radsecproxy, you should consider joining the
+[mailing list](https://postlister.uninett.no/sympa/info/radsecproxy/)
+to stay up to date on changes, issues etc. as well. All releases can
+be found on the [[download page|download]].
diff --git a/radsecproxy-1.0-alpha-p1.tar.gz b/radsecproxy-1.0-alpha-p1.tar.gz
new file mode 100644
index 0000000..9c5ba77
--- /dev/null
+++ b/radsecproxy-1.0-alpha-p1.tar.gz
diff --git a/radsecproxy-1.0-alpha.tar.gz b/radsecproxy-1.0-alpha.tar.gz
new file mode 100644
index 0000000..988eb72
--- /dev/null
+++ b/radsecproxy-1.0-alpha.tar.gz
diff --git a/radsecproxy-1.0.tar.gz b/radsecproxy-1.0.tar.gz
new file mode 100644
index 0000000..0ae37c6
--- /dev/null
+++ b/radsecproxy-1.0.tar.gz
diff --git a/radsecproxy-1.0p1.tar.gz b/radsecproxy-1.0p1.tar.gz
new file mode 100644
index 0000000..ea90054
--- /dev/null
+++ b/radsecproxy-1.0p1.tar.gz
diff --git a/radsecproxy-1.1-alpha.tar.gz b/radsecproxy-1.1-alpha.tar.gz
new file mode 100644
index 0000000..a843be3
--- /dev/null
+++ b/radsecproxy-1.1-alpha.tar.gz
diff --git a/radsecproxy-1.1-beta.tar.gz b/radsecproxy-1.1-beta.tar.gz
new file mode 100644
index 0000000..2aab2c1
--- /dev/null
+++ b/radsecproxy-1.1-beta.tar.gz
diff --git a/radsecproxy-1.1.tar.gz b/radsecproxy-1.1.tar.gz
new file mode 100644
index 0000000..7bb59b4
--- /dev/null
+++ b/radsecproxy-1.1.tar.gz
diff --git a/radsecproxy-1.2.tar.gz b/radsecproxy-1.2.tar.gz
new file mode 100644
index 0000000..1971748
--- /dev/null
+++ b/radsecproxy-1.2.tar.gz
diff --git a/radsecproxy-1.3-alpha.tar.gz b/radsecproxy-1.3-alpha.tar.gz
new file mode 100644
index 0000000..86be6bf
--- /dev/null
+++ b/radsecproxy-1.3-alpha.tar.gz
diff --git a/radsecproxy-1.3-beta.tar.gz b/radsecproxy-1.3-beta.tar.gz
new file mode 100644
index 0000000..92e4494
--- /dev/null
+++ b/radsecproxy-1.3-beta.tar.gz
diff --git a/radsecproxy-1.3.1.tar.gz b/radsecproxy-1.3.1.tar.gz
new file mode 100644
index 0000000..aa72941
--- /dev/null
+++ b/radsecproxy-1.3.1.tar.gz
diff --git a/radsecproxy-1.3.tar.gz b/radsecproxy-1.3.tar.gz
new file mode 100644
index 0000000..1dad580
--- /dev/null
+++ b/radsecproxy-1.3.tar.gz
diff --git a/radsecproxy-1.4.2.tar.gz b/radsecproxy-1.4.2.tar.gz
new file mode 100644
index 0000000..23ebf72
--- /dev/null
+++ b/radsecproxy-1.4.2.tar.gz
diff --git a/radsecproxy-1.4.2.tar.gz.asc b/radsecproxy-1.4.2.tar.gz.asc
new file mode 100644
index 0000000..9bcdae7
--- /dev/null
+++ b/radsecproxy-1.4.2.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQIcBAABCAAGBQJM69K7AAoJEB6L80kjKRJlpPcQANJccUgxQkVL8NArZK0pKhpe
+0pyuwGlAOvfZTOe1vDbX2zHpbj9s/RXxV28xcE9o4gJhHjKqS4Ikk8b92W8KCi/Y
+VfX0in1JJO0F2xy4LVxfTtmPZTgumAEm6lQAyv212MBxLC1joUNltGYyr/Pk+b5i
+lwZNidK7/ZWr6qclpc4bGpZbfiJiuJ4RKS0nzO9M5Y8Ue/gPjX35Q0nZXmUYRXma
+/lA8+ERjpxvU0YTrgTVGUYMQ78pql+nyvYqAd+iccSSlWIntQCWu3uAbBUbBVx4f
+d2ekrUaXEBV8AWHa/J86V0LteRX4BV+BdlJrkdFAXJLKtl5c3UmfCV6wewPyqxPR
+4JA7C3O02oE/c9ICYkpqHNkcBBSW0yyhSMHFuZXOjqyczdOPmvSCMzFRtuIkgSjU
+NJUgV6nDffbQVedAF+GkVO1ll4xFvqGdAh9CjiIU/rhyN2eOWe6NL0t84eaUdDGV
+5jzAVLFnmBNS99msmKO/RcSgJHE4NnoV1XTliAfU1lO+qY0nqyi+9FXJ3vVm9bHw
+AzX+cK9Qbf5crZlQOxpDdsjVH1CTdXeg80csEzw9cLYPwQmqUN7DBL/7YFmFI78Z
+mmQ2CxWyE1sTyAA/qnt4yWQ8x0EAo/lVlQBPdArxWlDRbhmdMbaJKp7REcwgedo3
+QNXzZuoO2x5Ls/aAw4dP
+=DPGU
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.4.3.tar.gz b/radsecproxy-1.4.3.tar.gz
new file mode 100644
index 0000000..bc64fa0
--- /dev/null
+++ b/radsecproxy-1.4.3.tar.gz
diff --git a/radsecproxy-1.4.3.tar.gz.asc b/radsecproxy-1.4.3.tar.gz.asc
new file mode 100644
index 0000000..f3edc57
--- /dev/null
+++ b/radsecproxy-1.4.3.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQIcBAABCAAGBQJOKY3lAAoJEB6L80kjKRJleyEQAOdRiAOZ9dV95Kota+RYuC1K
+ljrL2SPHrq/xAvvHWM9fGFEkGCUNaSt/VgDDE6zO1Ege+zYv8KsDf50ObqSJNvT6
+7E/3ZBdOfkPfaSdVIxa9OD4HxPJh/qiSEKa0Uqo/bgSO3eu6+FYJY5ttkROO8uN/
+bOmvvx0gDxcUfq/eFDuA3dC1uR1P/aqtE2ueJcXw2BV3qjZRapgSpNc7HzaW4avQ
+ke9HAfDaOZtSEG7S6kQ+k16wagKcxw4MQjtEq7P5g/C3l00vKYD5eOjt9ClSQS3H
+TdP9ubk3tTDgutvYaD7RSypObVf/ZUMk2X5QmWK+TjLkBq10CE51BIPIUme4l3RS
+LOlqGRzxCALbtd2/olPRwvkChSKbcC5fXwBqr0ZUcj8hx2QL9v3H1yb8nihFCRBN
+mkG2bCGsuEf5sBRRlwApNqNJwxGpXPIoDH2axzS+VEvKQseNaOypFwaWiSbTaOpn
+OdCrE0V/RORjOWYetS6RYjSZidKjzmdE14LlnOuNo6Lv2Iqz+kTg8sjQiafOgMxZ
+RrpXJf6YsN5U8LeQ7Iaf6RrQLzHjV16JwP9VKXsgkTYrEdXJuOMvrOlpAcsXHFO9
+ChHUPF800ORijEn+RUp1lNvcxbgCC+8TFg/OVHjr/NhaS/we2mZosy5Mtcj1ZQQo
+7w3BSdaAjq++kIxuT+5B
+=+V5O
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.4.tar.gz b/radsecproxy-1.4.tar.gz
new file mode 100644
index 0000000..4ea1cba
--- /dev/null
+++ b/radsecproxy-1.4.tar.gz
diff --git a/radsecproxy-1.5.tar.gz b/radsecproxy-1.5.tar.gz
new file mode 100644
index 0000000..367f79f
--- /dev/null
+++ b/radsecproxy-1.5.tar.gz
diff --git a/radsecproxy-1.5.tar.gz.asc b/radsecproxy-1.5.tar.gz.asc
new file mode 100644
index 0000000..2062966
--- /dev/null
+++ b/radsecproxy-1.5.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQIcBAABCAAGBQJOkFu0AAoJEB6L80kjKRJl/SIQAKsbop76MS0X1KNbwKdhYcG3
+CyWDA9dP44FB7PLpBDywqD0Pn++baGNu7+WSYlakwCXcwvEjpR1GhtZ8b604KEVN
+uYRKD+9ikTrRV4RVyAzmqqjNwX1wehqzywmsGpCpQG0SQSrwCi5v7CSJv3XoCjdV
+u1oYzZiwSegGUTAmcCfLi+PHQ5jQJi8PuOCFa7NOAzDdJU2B8MMm4kVxUhGXdPvb
+9abaGbnddEwgHgu7hu4Nk5+g7m9BHHEFAPGRmWgJRgMlNL5UzYHJe6VeI17QZOl/
+xfeMUvT1f5d0BbSFQvgM6fOPXYbE4MAcstpvNQjRZUo4zmW6A3Dxl080nF/wXn4t
+XWQThs9JYKH5ZZ7aEhsUlF0BVddddH0HW90TIJWPfiHk63B/abcNBntY+agOmi3M
+g7K5g5rgC0tOWEQe0o+q0qtF3C3fQpjm60zN+OdPl2aoJmC8HupmBMUlAeKD4jEB
+Sw1/60tNVQjO3FDbwHjMeDMZyX4OSoDQJhXO59lscPrd4EHgSplU0WbkuSdZ50Lk
+LrRQ0Jfst5fYw+SNkzOEdIzYF7WfZ8lPlNGA2/TRW450Qeyek1+AYC/eS99h5Vcs
+Vh3Zi2VplHwg4ezf/PAUWh1Ee3YPl8qzyN16mvZVFqmO4qxIjn97grjZm1HhlS9B
+b8i0EZTcGHBdjWWHR83e
+=Htom
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.6.1.tar.gz b/radsecproxy-1.6.1.tar.gz
new file mode 100644
index 0000000..7c3a53d
--- /dev/null
+++ b/radsecproxy-1.6.1.tar.gz
diff --git a/radsecproxy-1.6.1.tar.gz.asc b/radsecproxy-1.6.1.tar.gz.asc
new file mode 100644
index 0000000..5fb1040
--- /dev/null
+++ b/radsecproxy-1.6.1.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.19 (FreeBSD)
+
+iQIcBAABCAAGBQJQUxU0AAoJEB6L80kjKRJlLJIQAOYHUNZgOdAndqhy/3zLVk3B
+fArFCV6h6XMsoveSogxUwSaOdQPN26x8T5pDbTxOaXBkmvayqfEDeiRtXZA6p6U5
+LXu3w9Umws5XCCTq5nnJfyD8UfHTH4ecVLK3LH6bAeVCyyM9TiAMIhI65G2tuFT+
+qfe8+w7ZOnrah/crxD0PUYaQcZnB/3QShiry1hTCl6AzYvj5nonPFhz6cTp1ljRL
+b02CAsqnoDATpmPe1vrtTDjvTBMZeaTVwmif8nOsg0wpcBupkRQjocpUPTHaVySD
+mC9heuMVGL409NPiIyCLeLBUwE4/4b5hM8pPy3WBBSXksvxgljwDLzNNk4by0d39
+cXmXWzn3jZDLMAHV2CoVgTR9QQKVaUMmmAVDtNTXZRCEARYg+eDOX3wKMiwqtw6e
+59gav/QyuiDBgi3hbvZ1LcBPMPjNBmNI+K1Mjlm0UydMoA/HNgkwnzm4W81FFUWH
+Meyv/FWZdHnoPPdJdDExzRpHH0cnvU9I7PMrh/UVSYhZd0d82dLKgIsjnRoDKfiV
+Wa4Htpgl/1wPUOcZZBt5z52s0Ow9E6tLmA8kwN+CX43Eqkgd8dCYJ0l9KQgeMpMY
+uIVmfGtPxGuiw5qUo9oOCcvHuyrdNucOsBMQWJqh499gn0NQNYxz88FEzXZIEn2M
+JslcuksaDBnzLxFJQvSy
+=Nrvi
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.6.2.tar.gz b/radsecproxy-1.6.2.tar.gz
new file mode 100644
index 0000000..c1f1fa5
--- /dev/null
+++ b/radsecproxy-1.6.2.tar.gz
diff --git a/radsecproxy-1.6.2.tar.gz.asc b/radsecproxy-1.6.2.tar.gz.asc
new file mode 100644
index 0000000..5107981
--- /dev/null
+++ b/radsecproxy-1.6.2.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.19 (FreeBSD)
+
+iQIcBAABCAAGBQJQiSfWAAoJEB6L80kjKRJlTK0P/0oOlaY7qP5lF2kZ8aWkDvCe
+SZC2zvAOemSmgn/lEPckVDjdgaV1YXrIstLgZY9dRQoctbRPZB9GMpoPynYTb6j5
+8lJt7lA9Bd0rEyIXO0n7VuGVAXQBMO5Hjb2TWoyTMgvg9I2GeJ82/oMWrwRHd4w0
+scfCBP6gOKMNzurGzzrBnkqsB3Tv5AhzZF7/2NBVX0KOyU1XXZktANaqavpXDjZ8
+Hz8sI9E3dvwOLR73DH6qbOnEDA3dUqBvEghB90pO2kpoSIrzPNBN8/qUg2P3P3SG
+1ybYlWNLZzAPhR9PUMWQ7uq/bJ+aI1VnfgZAEf5gnQGhNuqFTIdIz5NkPuGt9G7/
+NT4T+D1ixo28lIBkIC440y9xL3ACN8jooXB/UrDU6voMPoLOCet6bCmFOYyDsfXi
+h6mBmox0exYz11xNI+kT/7HmMfs7nxCO6i4pN2uRVgzTWU9Rwsh6gJ2uhscmUIn3
+Khq3nDNhzLeL8QKAobcOYAoWN9AoE84niBt90siuwqC0GS5zcRem4f477iDJvRK6
+QTQOfw8/HQSdPQjgbpi1Px21LLTO/Gna5R5iuZvFGubAjQM0jVLSf8u2GghSHQu2
+a3rvqKArezlI9v4CHNp4VSLCKtnbncUOFV2bJKaUE9ryedkf7KST9gj7jYbHpHdz
+VYKuG5TuEt2wZvuYDVsY
+=WjuE
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.6.3.tar.gz b/radsecproxy-1.6.3.tar.gz
new file mode 100644
index 0000000..a5b9adc
--- /dev/null
+++ b/radsecproxy-1.6.3.tar.gz
diff --git a/radsecproxy-1.6.3.tar.gz.asc b/radsecproxy-1.6.3.tar.gz.asc
new file mode 100644
index 0000000..0c91e5d
--- /dev/null
+++ b/radsecproxy-1.6.3.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQIcBAABCAAGBQJSJz0xAAoJEB6L80kjKRJlZnYP/jY6i0XGBFUrExXU5ZfkdfKQ
+C77GSZZDeVflXfVFWjzgjAlDDKJZ5dUrSMkKXhkWe0mTs7eayY2HPIj5s5xu9H+j
+o7sGyyc/2rBUjLtPpCRu93ukHbkP97KE1R1QRYWqIiKfdc1jxFMIAUXS6FFcxbTQ
+uZQYkG+5t9tnXdoTXLYEB1Y7uDZ2dJIu7pcK8s98HSjaKkjN1Ph4eytpENEoyBOX
+tcsS1Jgf1ilm9OURXXto6ct2WLIfzD3yu+sPvRvHuAcHSScA31u8wVBYQfNxQXQL
+5uj+0n9BN8IXg/IoxdeATKn6sascHd3vikKAFeL8Xo7m0iP8975GghEWBNgYx+Tg
+Ju0YOHivVsULtyh61TDz5Vng9Br+pjX1aRMy6rS70mvh4D1ctFVg+4ZxMx8UpK06
+F3X8jAaDa4oSXNQJkoUaTMWCgQprnAs1jEpICdVzntlylws6Ei84tIatfZGj0Exf
+3WDQAR7S4yI6CUsz68FTDzsmjRWAYMENgseYnnWN6q7YrP1hizuaUDOxpXG8ZfM7
+KbCqDKBdqzfkMMMhZEksbSryMXT/UM2lLrlfLvSZGZo9cHkCnYDZthbCdWXXhBug
+FRO6SmX+8cwcRuh3Fmi//JYv6C1EvFk4lOrwBKXtwVjdwTrZYutzutNML4yGUvoR
+DpaART428P/6uMp96vCO
+=stR5
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.6.4.tar.gz b/radsecproxy-1.6.4.tar.gz
new file mode 100644
index 0000000..aa8b3bf
--- /dev/null
+++ b/radsecproxy-1.6.4.tar.gz
diff --git a/radsecproxy-1.6.4.tar.gz.asc b/radsecproxy-1.6.4.tar.gz.asc
new file mode 100644
index 0000000..54af8aa
--- /dev/null
+++ b/radsecproxy-1.6.4.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQIcBAABCAAGBQJSKIeIAAoJEB6L80kjKRJlEv4P/iUWIdQRIWxrPCg10s5TIHBR
+Bss9EV/rq4aMsVxRWyLgzLs0TvxbwJTQyQcI6w98k8Lu5leSshDw55Z7ZHye5smu
+xMTrmHOTl7nE4gcxWrG+R1aac61G7BdOUuG/0Q1asXyj17A09/BpAoWMuJqSqtAq
+MHsB3uX1+vfOptuDvknNPPP8BFI01si5VeTCNunJwdNlmr7/QxfFqKMeq8PQHx2c
+3iqUc8yShAqJOeR3EeGgTgTxRn7vy0yBm7V6EbQZhNX+2t39SLqleVXCrrG+/WLc
+zEFzWCs8ouyzRzqnve3zRuRE30bkjG3SmiAwlwB0+LCfcs7PRAyWDuv9DzJ32D9f
+qL6FuVjegHLdnT1QcW3JdKK3y3AC73+pDYnRSTy1aMVO+5jfbAf1Xq4/c+0kxzOs
+jDt8ALcOzRL1fVR9drqGxfPQrqFw3odDNfyMK8v5d1jz+B4B4AfGL1wcqaRJMN3u
+Nh+xQ0430QczDdc2adprUjTT39r955K7QTRfxmez9NVu6mZxBINJQBmdV58+6TQD
+amI5ADbidhOZEnRbM102UT9IBWUcUtdsRCp+tbcbbuEgDarp2Y4fcEKgWW4bG6Os
+Labuhf+WzpmlirMi2yt1tY5VQdz0OdBGyB7LOLOvdo0dVRp0kI4e2Z5UXEtjaKZi
+LAHIxS+a2VdhlU5X2Fkn
+=a8LW
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.6.5.tar.gz b/radsecproxy-1.6.5.tar.gz
new file mode 100644
index 0000000..631e78c
--- /dev/null
+++ b/radsecproxy-1.6.5.tar.gz
diff --git a/radsecproxy-1.6.5.tar.gz.asc b/radsecproxy-1.6.5.tar.gz.asc
new file mode 100644
index 0000000..1ac95b3
--- /dev/null
+++ b/radsecproxy-1.6.5.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQIcBAABCAAGBQJSKdkrAAoJEB6L80kjKRJlfqgQAML6n2CoLPe6DRa8LF8W5Do/
+cDZccicyd0B1QjnNoHTOEFu9jIb7RTBnv68w0rcYF6hLlj03pAWKczAmretOnoqu
+vURrJrmACi3fJ8urgt6muhlrcb0ZkCfKhFCIjlMJma1z3KBCdO9OmuWU22Z5lYMj
+uFEU00u7bTXkoZLwPgljLypBteWckPTzt1QePU/ZjemRvDNfd7nByw1ga83WVzH2
+fKqtOPOhkEtftiql6piDty29qJgJO9MN7NOrpiGYEWiutJXzZFdp57h47pIaGo8p
+7X/vGq4FjkNcWO1wLL/UvMo/MOdt+hU783u11QLh37tkRCurc1IAUDCrKEnRNfV7
+QGbr3//CKxt/UyJhJgUSeQ8SJy5F6Pj6/mckwvqFaYJDxBNAfrorsdULrS98Vd6l
+EvCMmx/B413rr0dnG8A56Rj9wcFc3nSKNSaf+to3EgHTkC246qtsYjQ+8y0Y/lda
+6zAsnPvdzidCacQThgEefHkdwM1uFirpzFnd38g0zbusmT1/A21UionsVIQaiSBM
+W/+a+Cp7y+6QQO7BRFyLnNmaccTVirf1RNQK9cd81p3UL65VZPQN/j9vmqtylVMi
+JHEiwmVBQcEFITUq4QRuyiRAZ9IcgKOlfKpJpwXPshhNjXynhM1pqpJL7jq8fnll
+p1dQ1zh0tR4wBEW5AURo
+=z3I3
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.6.6.tar.xz b/radsecproxy-1.6.6.tar.xz
new file mode 100644
index 0000000..26bf087
--- /dev/null
+++ b/radsecproxy-1.6.6.tar.xz
diff --git a/radsecproxy-1.6.6.tar.xz.asc b/radsecproxy-1.6.6.tar.xz.asc
new file mode 100644
index 0000000..421670c
--- /dev/null
+++ b/radsecproxy-1.6.6.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABCAAGBQJUvQmKAAoJEB6L80kjKRJl9CUP/i3zyi7OOx4IAvOacTydAvcd
+t8sz/YTpi0/kud2Tt3rOK0Bc1/LSLL0U+QEg2KcYvC7mu5NAADgeMOM1vi98Ce4u
+5TcPCiFxDigZBT92jiq77DRBGrtl37W12GtU71CyUDPBp1th++1mJP0lm7sY8OZ8
+kXCCyZfWrgXkyntWv5hBwEn9SuzfmbYI8SyvL7ofJETZ0qfhqcfJff7v5N7L/f+w
+WhH0uDLqKgjjP+Y+6JUdZYYYRuQ75r8JPdJ/uo3xJs7G4OTk8/ucvqFmOQF7TJq9
+A+Nch83MG9cDY6+N3od40zvz9qTLpybvQ2mKNUEj6AASPt6O+DHtqVo6E1eQ6ZIj
+fTOZbeJaam/5jK5z2+4MPmtW2+GPFsMQjzyZueAbW0pYU0WAsf3fZi3GkCL3OE2l
+ec4VvdzVAI9aVQTwn9ebQdwyPxQf9+0fU6BpGL4R9FobIY5Re2Hm6Fib1Ym4TkSy
+oxIf3j1tiFBB5KZwLIhkP8mTTi6UoqDb/ThU+5KllwQQZrEv8K0C77rt9kXZkaPg
+gXCGVJEfny5hoHcLT1uNemmYVRAKgDZYNLRA7YV+lpa/GfcD4lz8AZSg6bnqlQIB
+4gBjLQLIZr6xiToSSNGeLjaTfd36VgtKnzmtsb8NIbN4YhLsFRptfsnTdp13I6Cr
+DJ8vjIrenGVSxe9tX+0x
+=AJTs
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-1.6.tar.gz b/radsecproxy-1.6.tar.gz
new file mode 100644
index 0000000..54d78f3
--- /dev/null
+++ b/radsecproxy-1.6.tar.gz
diff --git a/radsecproxy-1.6.tar.gz.asc b/radsecproxy-1.6.tar.gz.asc
new file mode 100644
index 0000000..1ea8eb8
--- /dev/null
+++ b/radsecproxy-1.6.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.19 (FreeBSD)
+
+iQIcBAABCAAGBQJPmpfSAAoJEB6L80kjKRJlJbUP/2zFzGRGfs+Fkkq8tA/IQjPZ
+5BaSR02HITKOwr8D6eoYGdSSLl2fetQkml1i+xqlbCWbvNXkul6+wwQBJ1ZYGOrD
+o7KXd06B75i8mAfIU45HhzfRl3TSq3Er9lZIXbWwkMMUrzEweNMLqziTQ6645EyB
+O4/gYBoTga8JxsXHicPPKLYXJC4neIb5NgQ7mhU8xNmsu5CC1K8tVDRoxocsi41o
+LTsLSPdSxESiPNJVlm0Xu1BXTEKINbGBAQV32s/idIxrOVUlEYIfSAV48o0Iz1tH
+aQ8lC0eZL9Unv1po81xwic8uRmfQeix0RM0bf5AwyURw+62KFEwG9PjYMRNEdFbK
+xRE1k5YzrujEbmaQ9z1H62H+M+zDtvqy4ASd5BLPmaJBiQ9fS90vYUefLQLcPux8
+padZbTPmA4Shgnn9TqAe7CEzQr7g4CnNrfcxTgsxDfhBxr2eiB1JrecChEZ6IdGT
+idfiOpuKtUUFIYzCkGIb2ZJYqrQ5IDEyOWpD9s5u+KVwTnLtWBXdeJksREqYdmSV
+dvQvx37nVu3F8CxdeAYDNjW5D4TI/NWE+7JTS9LdD8+cj1ixvOwBED3dKbOPwAYv
+HU9bISjZIc4ocTZk0bHDVhdlOCa88zacoJ4+JarUnNAb2e1s0hHbTdFZoId3byjm
+D90Z0IloqK2JUllwINcG
+=4F1m
+-----END PGP SIGNATURE-----
diff --git a/radsecproxy-devel-20081006.tar.gz b/radsecproxy-devel-20081006.tar.gz
new file mode 100644
index 0000000..5a038ac
--- /dev/null
+++ b/radsecproxy-devel-20081006.tar.gz
diff --git a/radsecproxy-devel-20081106.tar.gz b/radsecproxy-devel-20081106.tar.gz
new file mode 100644
index 0000000..55cfbba
--- /dev/null
+++ b/radsecproxy-devel-20081106.tar.gz
diff --git a/sha256.txt b/sha256.txt
new file mode 100644
index 0000000..cfe2726
--- /dev/null
+++ b/sha256.txt
@@ -0,0 +1,25 @@
+4fca01d04416abce86100a024c2afdcd7dba573c3b418d3850acdc0e26ce3ed5  radsecproxy-devel-20081106.tar.gz
+2b84753521cf3db992d333c5f3fc3c316d3c101cc488993f4bc41ec6531c8244  radsecproxy-devel-20081006.tar.gz
+b20058d88f9994d6affc47d2a81dfb0c9878d8498d42662e2033adea115ea67a  radsecproxy-1.3.tar.gz
+a0de10c88b1137aa45b043539c24e962a4aaf6733338bacb27f5f8443bb26e5c  radsecproxy-1.3-beta.tar.gz
+f52c25ac96fbb3c7370385f54964f4fcb4c0b0ef7fe165f97611fdddefe8015b  radsecproxy-1.3-alpha.tar.gz
+ebed436dd1cf2a3b3a5313a4e179e300e1b02e22df6bba0a426ee32fc18e690e  radsecproxy-1.3.1.tar.gz
+edcdb0acd044b4fb8d913801b5362b72df9c39b9526eecec44853093ab74831a  radsecproxy-1.2.tar.gz
+5ef48727c30cdf412c6e9f8a13817d9a7ad20787673cd93476d09d5da90a6478  radsecproxy-1.1.tar.gz
+1e57886b1251b7ac81917173b753dd3a8150c921056f46f36c907db55b5bbaa9  radsecproxy-1.1-beta.tar.gz
+11625b0b56972f0cad29a63fae0baa20a7f78307506faf881ff0f37e0f4a1a85  radsecproxy-1.1-alpha.tar.gz
+fa892f20f46436ab6dc7a3fbd7e84a6cc0132e31c54a3eb56702b36e4d18eaf8  radsecproxy-1.0.tar.gz
+95fb8f2e39e82f089d8038a78473329322ac2d28dbfe8239092f6f1827cf852f  radsecproxy-1.0p1.tar.gz
+1bb5c086c04042bcd78b031ce6bab3db01f48c3c38c500a339ca6cf5cbdbd74e  radsecproxy-1.0-alpha.tar.gz
+032a79942bc9dec6c836d41497b0a5377c7b855b3383e2df6eebafd8a596347e  radsecproxy-1.0-alpha-p1.tar.gz
+12cbdb8c0ac6eaba81fc805033549845a5937f42e32416f091cc79796f207385  radsecproxy-1.4.tar.gz
+76f2db133c22883bd87bd0c6f2c258c14d7c01751845d425abb4a1599401757e  radsecproxy-1.4.2.tar.gz
+7271339d15c4850f7bd9c7ea26d583c450347cbdeaca13c35921409502245eeb  radsecproxy-1.4.3.tar.gz
+abddfae337c31c2496b38ac504eee780acc655c7ea2457361cee6d2f6f5c6bdd  radsecproxy-1.5.tar.gz
+7348425b76703cf614cd8e3952c79f8aa471a27f3d3192729f8afbd6332d099f  radsecproxy-1.6.tar.gz
+44d7943d2de5db029782ed4931736a210ee77d1157576729d3c20214e4200a45  radsecproxy-1.6.1.tar.gz
+d562e69025b8833f0e44b141ae04aa0ae6b014290883a4f88967d8220c1d927c  radsecproxy-1.6.2.tar.gz
+49cb599fb446307dba3adf9032e1c5c45113b4b871fb759cbf41a27f1b6e29ac  radsecproxy-1.6.3.tar.gz
+65837d14daad56ca8eb8cb629db0d01dfd6b341df8e4df1c12ba362242a47be7  radsecproxy-1.6.4.tar.gz
+b0b7718c84a73ee2af48684cb5c9f3d76369c7e3a4ad3258b919769b4dc65e5f  radsecproxy-1.6.5.tar.gz
+278251399e326f9afacd1df8c7de492ec5ae6420085f71630da8f6ce585297ef  radsecproxy-1.6.6.tar.xz
diff --git a/sidebar.mdwn b/sidebar.mdwn
new file mode 100644
index 0000000..6b1e402
--- /dev/null
+++ b/sidebar.mdwn
@@ -0,0 +1,3 @@
+* **[[download]]**
+* [[documentation|doc]]
+* [[contact]]