ocsp timeout and server failure

Alan DeKok aland at deployingradius.com
Mon Jan 23 15:49:26 CET 2012

Matthew Newton wrote:
> If freeradius tries to talk to an OCSP responder, and the server
> is not available for some reason, the ocsp check gets stuck for a
> while, then bombs out with (as expected) a verification failure.
> The two problems are that it takes quite a while for the client to
> be told it can't connect, and clients with good certificates can't
> connect.

  Yeah, there's no real perfect solution.

> The obvious solution is to make the ocsp server more resilient,
> but that's not always going to be possible.


> I've written two smallish patches against v2.1.x - 
> Comments?

  Committed. :)

  See the v2.1.x && master branches.

  Alan DeKok.

More information about the Freeradius-Devel mailing list