We're at the bottom of the learning curve w.r.t EAP-TLS but on the way to the fish and chip shop this lunchtime did come to the same conclusion that perhaps I was getting over concerned as to what to do in the event of the OCSP server failing. As you said, can't imaging we'll be revoking millions of certificates when we start rolling them out there. Think perhaps I'll use the softfail ... :-)) A On 1 April 2016 at 12:35, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Apr 01, 2016 at 12:22:48PM +0100, Alex Sharaz wrote:
Yup but as it says
# Warning: this may enable clients with revoked # certificates to connect if the OCSP responder is not # available. Use with caution. # Think I'd rather have ability to try another OCSP server at this point.
It took me less than two minutes thought here to realise that we'd never revoked a certificate, so the likelihood of the server going down was more than worrying that someone with a revoked cert was going to get in. Hence writing the softfail code...
But not doubting your feature request is a valid one. Just pointing out there are existing alternatives which might be good enough. OSCP loadbalancer + softfail + checking regularly downloaded CRLs is probably appropriate for the vast majority of people.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html