Folks, According to RFC 4366, during TLS handshake, server may send OCSP status along with certificate. Is it possible to do this with Freeradius ? I had an issue with OS X < 10.9.5 using WiFi with EAP-TLS auth : my mac tried to do OCSP on my radius server's certificate before getting internet access... 20s timeout before getting connected ! I think it would be nice to issue OCSP stapling to WiFi clients so they can check the certificate revocation status offline. Regards. -- Philippe MARASSE Responsable pôle Infrastructures - DSIO Centre Hospitalier Henri Laborit CS 10587 - 370 avenue Jacques Coeur 86021 Poitiers Cedex Tel : 05.49.44.57.19
On Dec 17, 2014, at 12:49 PM, Philippe MARASSE <philippe.marasse@ch-poitiers.fr> wrote:
According to RFC 4366, during TLS handshake, server may send OCSP status along with certificate. Is it possible to do this with Freeradius ?
FreeRADIUS doesn’t do OCSP checks on it’s own certificate, or send OCSP information.
I had an issue with OS X < 10.9.5 using WiFi with EAP-TLS auth : my mac tried to do OCSP on my radius server's certificate before getting internet access... 20s timeout before getting connected !
That’s just dumb. File a bug with Apple.
I think it would be nice to issue OCSP stapling to WiFi clients so they can check the certificate revocation status offline.
Sure. Patches are welcome. But… do the WiFi clients support OCSP stapling? If not, then no amount of patching FreeRADIUS will make any difference. Alan DeKok.
On Wed, Dec 17, 2014 at 7:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
But… do the WiFi clients support OCSP stapling? If not, then no amount of patching FreeRADIUS will make any difference.
Probably most deployed ones do not yet, but many will be starting to support this due to Hotspot 2.0 Rel 2 requirements. - Jouni
participants (3)
-
Alan DeKok -
Jouni Malinen -
Philippe MARASSE