#  -*- text -*-
#
#
#  $Id: c4d9f1182913557312521084521a2ce773afd630 $

#######################################################################
#
#  = Cache TLS Session Module
#
#  The `cache_tls` module caches TLS sessions for resiliency.
#
#  This module should be listed in a `send Access-Accept` section to
#  write the cache, and in `recv Access-Request` to read the cache.
#  When it runs, it will cache the current TLS session.  That cache
#  allows for fast session resumption.
#
#  The `rbtree` cache back-end is an "in memory" cache.  Which means
#  that the TLS session cache will be lost if the server restarts.
#  The TLS session cache can be preserved by using an external
#  back-end, such as `memcached` or `redis`.
#
#  Also, if an external backend is used, then the TLS session cache
#  can be shared across multiple RADIUS servers.  That makes for
#  simple load balancing with full session resumption.
#
#  NOTE: Please see the `cache` module for full documentation on the cache
#  configuration.
#

#
#  ## Configuration Settings
#

#
#  ### TLS Session Configuration
#
cache cache_tls_session {
	#
	#  driver:: `cache` driver.
	#
	driver = "rbtree"

	#
	#  key:: The `cache` key.
	#
	key = &Session-Id

	#
	#  ttl:: TTL for `cache` entries.
	#
	ttl = 3600	# 60 mins

	#
	#  update <section> { ... }::
	#
	update {
		&reply.Session-Data := &Session-Data
	}
}

#
#  ### OCSP Session Configuration
#
#  In addition to TLS sessions, the OCSP queries can be cached.
#
cache cache_ocsp {
	#
	#  driver:: `cache` driver.
	#
	driver = "rbtree"

	#
	#  key:: `cache` key.
	#
	key = &session-state.TLS-Client-Cert-Serial

	#
	#  update <section> { ... }::
	#
	update {
		&control.TLS-OCSP-Cert-Valid := &TLS-OCSP-Cert-Valid
		&control.TLS-OCSP-Response := &TLS-OCSP-Response
	}
}
