HUP handling: a thought
Alan DeKok
aland at deployingradius.com
Fri May 4 17:16:59 CEST 2007
inverse wrote:
> The reason for me being so boring is that a proper implementation of
> EAP-(T)TLS requires the server to handle all the CA chain and CRL
> updates crap.
> CRLs unfortunately DO expire. Expired CRL == the properly
> implemented EAP-TLS structure falls apart and everybody gets a reject
> due to 'expired' certs.
Support for OCSP in the server would minimize the reloads due to
changing CRLs.
> As a foot note: I support Alan's idea. Let's forget about HUP.
> Experience shows HUP is clearly not suited for something with a system
> state and personally I don't accept a solution that makes an otherwise
> perfectly stable daemon to occasionally crater.
The problem isn't the HUP, so much as the fact that *everything*
changes on HUP. It's tremendously difficult to keep the server running
while almost every data structure is modified.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
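The failure mode inverse describes above, a CRL whose nextUpdate has passed turning every EAP-TLS authentication into a reject, is easy to catch before it happens if something watches the CRL's validity window. The following is an added example for this thread, not FreeRADIUS code and not anything either poster wrote: a small, hypothetical Python probe that walks just enough of a DER-encoded CRL (RFC 5280 section 5.1) to read thisUpdate and nextUpdate and reports whether the CRL is fresh, about to go stale, or already expired. The sample CRL it checks is constructed inline from a fictitious "Test CA" and carries an empty, unsigned signature field; the function and constant names are the example's own. It deliberately does not verify the CRL signature, which the real TLS stack still has to do.

```python
"""Hypothetical CRL freshness probe (added example, not FreeRADIUS code).

Walks the DER of an X.509 CertificateList (RFC 5280 section 5.1) far enough
to read thisUpdate/nextUpdate and classifies the CRL as fresh, expiring soon,
expired, or not yet valid.  A constructed, unsigned sample CRL is built
inline so the module runs offline; it does NOT verify signatures."""
from datetime import datetime, timedelta, timezone

# ---- tiny DER encoder, only used to construct the sample CRL ----

def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _utctime(t: datetime) -> bytes:
    """UTCTime (tag 0x17), YYMMDDHHMMSSZ, as RFC 5280 requires before 2050."""
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_crl(this_update: datetime, next_update: datetime) -> bytes:
    """Constructed v2 CRL from a fictitious 'Test CA': no revoked entries,
    sha256WithRSAEncryption algorithm identifier, empty (dummy) signature."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30,            # Name / RDN / AVA
        _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"Test CA"))))  # CN
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sha256_rsa + issuer
                     + _utctime(this_update) + _utctime(next_update))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))

# ---- minimal DER reader ----

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag: int, body: bytes) -> datetime:
    s = body.decode("ascii")
    if tag == 0x17:                        # UTCTime: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:                      # 0x18 is GeneralizedTime, 4-digit year
        raise ValueError("expected a Time element, got tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der: bytes):
    """(thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    _, tbs, _ = _read_tlv(outer, 0)        # tbsCertList
    tag, _, pos = _read_tlv(tbs, 0)        # version (INTEGER) or signature alg
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)        # issuer Name (skipped)
    tag, body, pos = _read_tlv(tbs, pos)   # thisUpdate
    this_update = _parse_time(tag, body)
    next_update = None
    if pos < len(tbs):
        tag, body, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):            # else it is revokedCertificates/extensions
            next_update = _parse_time(tag, body)
    return this_update, next_update

def crl_status(der: bytes, now: datetime, warn: timedelta = timedelta(days=1)) -> str:
    """Classify a CRL relative to 'now'; 'expiring-soon' is the operator's cue
    to refresh before verification starts failing for every peer."""
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is None:
        return "no-next-update"            # RFC 5280 says nextUpdate SHOULD be present
    if now >= next_update:
        return "expired"
    if next_update - now <= warn:
        return "expiring-soon"
    return "fresh"

# Constructed sample: issued 2007-05-01, next update 2007-05-08 (one-week CRL).
SAMPLE_THIS = datetime(2007, 5, 1, tzinfo=timezone.utc)
SAMPLE_NEXT = datetime(2007, 5, 8, tzinfo=timezone.utc)
SAMPLE_CRL = build_sample_crl(SAMPLE_THIS, SAMPLE_NEXT)

def status_on(iso_now: str) -> str:
    """Status of the sample CRL at an ISO-8601 UTC instant, e.g. '2007-05-04T15:16:59Z'."""
    now = datetime.strptime(iso_now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return crl_status(SAMPLE_CRL, now)

if __name__ == "__main__":
    for when in ("2007-05-04T15:16:59Z", "2007-05-07T12:00:00Z", "2007-05-09T00:00:00Z"):
        print(when, status_on(when))
```

Run against a real CRL file, `crl_status(open("ca.crl", "rb").read(), datetime.now(timezone.utc))` is the check a cron job or monitoring agent would make; an "expiring-soon" result is the point at which the CRL should be fetched again and the server's copy replaced, which is the reload the thread is arguing about and the step OCSP would make unnecessary. The warn window is a parameter because a CA that reissues weekly needs a different lead time than one that reissues daily.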