Arran Cudbard-Bell a.cudbardb at
Wed Nov 25 15:52:09 CET 2015

> On Nov 25, 2015, at 9:40 AM, Matthew Newton <mcn4 at> wrote:
> On Wed, Nov 25, 2015 at 02:21:16PM +0000, Scott Armitage wrote:
>> I might be doing something wrong but I can’t seem to find the
>> cache_ocsp module anywhere which is called in the tls-cache
>> server:
> I thought the whole point of OCSP was that it was supposed to be a
> lightweight and quickly updated alternative to CRLs, and therefore
> caching it doesn't make sense from a security point of view?

No, it does.  The OCSP standard provides a nextUpdate field which indicates
the next time data will be available.

   nextUpdate      The time at or before which newer information will be
                   available about the status of the certificate. (section 2.4).

So you can use that as your Cache-TTL.

You can also do smarter things if you own all the internal infrastructure
like delete cache entries when the status of the certificate changes.

This particular feature was added to support a very large commercial
deployment of EAP-TLS (1.6M subscribers), which is operating with a single
OCSP server instance (it fails open).

I have no idea how good OpenSSL's internal OCSP client is, but I wouldn't
be surprised if it closed the TCP connection after every request.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list