HUP handling: a thought

Alan DeKok aland at
Fri May 4 17:16:59 CEST 2007

inverse wrote:
> The reason for me being so boring is that a proper implementation of
> EAP-(T)TLS requires the server to handle all the CA chain and CRL
> updates crap.
> CRLs unfortunately DO expire. Expired  CRL  == the properly
> implemented EAP-TLS structure falls apart and everybody gets a reject
> due to 'expired' certs.

  Support for OCSP in the server would minimize the reloads due to
changing CRL's.

> As a foot note: I suppport Alan's idea. Let's forget about HUP.
> Experience shows HUP is clearly not suited for something with a system
> state and personally I don't accept a solution that makes an otherwise
> perfectly stable daemon to occasionally crater.

  The problem isn't the HUP, so much as the fact that *everything*
changes on HUP.  It's tremendously difficult to keep the server running
while almost every data structure is modified.

  Alan DeKok.
--       - The web site of the book - The blog

More information about the Freeradius-Devel mailing list