inverse wrote:
The reason for me being so boring is that a proper implementation of EAP-(T)TLS requires the server to handle all the CA chain and CRL updates crap. CRLs unfortunately DO expire. Expired CRL == the properly implemented EAP-TLS structure falls apart and everybody gets a reject due to 'expired' certs.
Support for OCSP in the server would minimize the reloads due to changing CRL's.
As a foot note: I suppport Alan's idea. Let's forget about HUP. Experience shows HUP is clearly not suited for something with a system state and personally I don't accept a solution that makes an otherwise perfectly stable daemon to occasionally crater.
The problem isn't the HUP, so much as the fact that *everything* changes on HUP. It's tremendously difficult to keep the server running while almost every data structure is modified. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog