ocsp timeout and server failure
Alan DeKok
aland at deployingradius.com
Mon Jan 23 15:49:26 CET 2012
Matthew Newton wrote:
> If freeradius tries to talk to an OCSP responder, and the server
> is not available for some reason, the ocsp check gets stuck for a
> while, then bombs out with (as expected) a verification failure.
> The two problems are that it takes quite a while for the client to
> be told it can't connect, and clients with good certificates can't
> connect.
Yeah, there's no real perfect solution.
> The obvious solution is to make the ocsp server more resilient,
> but that's not always going to be possible.
Yup.
> I've written two smallish patches against v2.1.x -
...
> Comments?
Committed. :)
See the v2.1.x && master branches.
Alan DeKok.