25 Apr
2016
25 Apr
'16
9:05 a.m.
On Apr 23, 2016, at 8:51 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2016, at 6:24 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura@nabiq.co.jp> wrote:
I have to protect cert ddos attacks for OCSP server.
The solution is to limit the number of EAP authentications which can be done.
And to be honest, EAP takes more work than OCSP checks. If your OCSP server can't keep up with EAP traffic, you need to upgrade your OCSP server.
Well, yes and no. We support OCSP status caching in v3.1.x because OCSP servers are not necessarily built with performance in mind, and calling out to an external entity adds additional latency. There's enough crappy commercial OCSP servers out there that it's a useful feature. -Arran