On Fri, Apr 01, 2016 at 12:22:48PM +0100, Alex Sharaz wrote:
Yup but as it says
# Warning: this may enable clients with revoked # certificates to connect if the OCSP responder is not # available. Use with caution. # Think I'd rather have ability to try another OCSP server at this point.
It took me less than two minutes thought here to realise that we'd never revoked a certificate, so the likelihood of the server going down was more than worrying that someone with a revoked cert was going to get in. Hence writing the softfail code... But not doubting your feature request is a valid one. Just pointing out there are existing alternatives which might be good enough. OSCP loadbalancer + softfail + checking regularly downloaded CRLs is probably appropriate for the vast majority of people. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>