OCSP Stapling with FR

Alan DeKok aland at deployingradius.com
Wed Dec 17 18:56:26 CET 2014


On Dec 17, 2014, at 12:49 PM, Philippe MARASSE <philippe.marasse at ch-poitiers.fr> wrote:
> According to RFC 4366, during TLS handshake, server may send OCSP status along with certificate. Is it possible to do this with Freeradius ?

  FreeRADIUS doesn’t do OCSP checks on its own certificate, or send OCSP information.

> I had an issue with OS X < 10.9.5 using WiFi with EAP-TLS auth : my mac tried to do OCSP on my radius server's certificate before getting internet access... 20s timeout before getting connected !

  That’s just dumb.  File a bug with Apple.

> I think it would be nice to issue OCSP stapling to WiFi clients so they can check the certificate revocation status offline.

  Sure.  Patches are welcome.

  But… do the WiFi clients support OCSP stapling?  If not, then no amount of patching FreeRADIUS will make any difference.

  Alan DeKok.
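The last question in the reply (whether the WiFi clients ask for OCSP stapling at all) can be answered from a packet capture without touching the server: a client that supports stapling sends the status_request extension (extension type 5, defined in RFC 4366 and carried forward into RFC 6066) in its ClientHello. The following is an added example, not code from FreeRADIUS or from anyone in this thread. It builds a minimal ClientHello as constructed sample input and parses it the way you would parse a ClientHello carved out of the EAP-TLS payload in a RADIUS capture; the cipher suites, random bytes and hostname in the sample are made up for the example.

```python
"""Check whether a TLS ClientHello asks for OCSP stapling (status_request)."""
import struct

SERVER_NAME = 0         # ExtensionType server_name
STATUS_REQUEST = 5      # ExtensionType status_request (RFC 4366 / RFC 6066)
OCSP_STATUS_TYPE = 1    # CertificateStatusType ocsp(1)


def sni_extension(hostname: bytes) -> bytes:
    """server_name extension body: list length, name_type host_name(0), name."""
    entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    return struct.pack("!H", len(entry)) + entry


# status_request body: status_type ocsp(1), empty responder_id_list,
# empty request_extensions (each a 2-byte length prefix).
OCSP_STATUS_REQUEST = b"\x01\x00\x00\x00\x00"


def build_client_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    body = b"\x03\x03"                                  # client_version TLS 1.2
    body += bytes(range(32))                            # random (fixed, for the example)
    body += b"\x00"                                     # session_id length 0
    suites = b"\xc0\x2f\xc0\x30"                        # two constructed cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (client_version, [(ext_type, ext_data), ...]); raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = body[pos:pos + 2]
    pos += 2 + 32                                       # skip random
    pos += 1 + body[pos]                                # session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if pos + 1 > len(body):
        raise ValueError("truncated before compression_methods")
    pos += 1 + body[pos]                                # compression_methods
    exts = []
    if pos < len(body):                                 # extensions block is optional
        if pos + 2 > len(body):
            raise ValueError("truncated extensions length")
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions overrun ClientHello")
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + length > end:
                raise ValueError("extension overruns extensions block")
            exts.append((ext_type, body[pos:pos + length]))
            pos += length
    return version, exts


def requests_ocsp_stapling(record: bytes) -> bool:
    """True if the ClientHello carries status_request with status_type ocsp(1)."""
    _, exts = parse_client_hello(record)
    return any(t == STATUS_REQUEST and len(d) >= 1 and d[0] == OCSP_STATUS_TYPE
               for t, d in exts)


if __name__ == "__main__":
    stapling_client = build_client_hello([(SERVER_NAME, sni_extension(b"radius.example")),
                                          (STATUS_REQUEST, OCSP_STATUS_REQUEST)])
    plain_client = build_client_hello([(SERVER_NAME, sni_extension(b"radius.example"))])
    print("stapling client asks for OCSP:", requests_ocsp_stapling(stapling_client))
    print("plain client asks for OCSP:   ", requests_ocsp_stapling(plain_client))
```

Feed parse_client_hello the reassembled TLS record from the first EAP-TLS fragment of a real supplicant (the example assumes you have already stripped the RADIUS and EAP framing). If status_request is absent, the client will never consume a stapled response, which is the point Alan makes: server-side support would change nothing for that client.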


