cache_ocsp
Matthew Newton
mcn4 at leicester.ac.uk
Wed Nov 25 16:06:32 CET 2015
On Wed, Nov 25, 2015 at 09:52:09AM -0500, Arran Cudbard-Bell wrote:
> > I thought the whole point of OCSP was that it was supposed to be a
> > lightweight and quickly updated alternative to CRLs, and therefore
>
> No, it does. The OCSP standard provides a nextUpdate field which indicates
> the next time data will be available.
>
> nextUpdate The time at or before which newer information will be

Ah, cool. That does make sense, then.

> This particular feature was added to support a very large commercial
> deployment of EAP-TLS (1.6M subscribers), which is operating with a single
> OCSP server instance (it fails open).

Yeah, same here, but far fewer clients. Which was why I wrote the
"softfail" option :-)

Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
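
The caching behaviour discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS code: a status is reused only until its nextUpdate time, and a softfail switch decides what happens when the responder gives no answer. The class and function names, the `fetch` callable, the sample serials and the exact softfail semantics are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

class ResponderUnavailable(Exception):
    """Raised by the fetch callable when the OCSP responder cannot be reached."""

class OcspCache:
    def __init__(self, fetch, softfail=False):
        self.fetch = fetch        # assumed callable(serial) -> (status, next_update or None)
        self.softfail = softfail  # assumed meaning: accept when there is no answer at all
        self._cache = {}          # serial -> (status, next_update)
        self.queries = 0          # responder round trips attempted

    def check(self, serial, now):
        """Return (accept, reason) for one certificate serial at time `now`."""
        cached = self._cache.get(serial)
        if cached and now < cached[1]:
            return cached[0] == "good", "cache:" + cached[0]
        self._cache.pop(serial, None)  # never reuse a status past its nextUpdate
        try:
            self.queries += 1
            status, next_update = self.fetch(serial)
        except ResponderUnavailable:
            # Softfail applies only here; it never overrides a definite answer.
            return self.softfail, "softfail" if self.softfail else "hardfail"
        # RFC 6960: without nextUpdate, newer data is always available, so do not cache.
        if next_update is not None and next_update > now:
            self._cache[serial] = (status, next_update)
        return status == "good", "responder:" + status

def demo():
    """Constructed scenario: responder answers once, then goes down."""
    t0 = datetime(2015, 11, 25, 16, 0, tzinfo=timezone.utc)
    state = {"up": True}

    def fetch(serial):  # constructed stand-in for a real OCSP request
        if not state["up"]:
            raise ResponderUnavailable()
        status = "revoked" if serial == 0xBAD else "good"
        return status, t0 + timedelta(hours=1)

    cache = OcspCache(fetch, softfail=True)
    results = [cache.check(0x1001, t0),
               cache.check(0xBAD, t0),
               cache.check(0x1001, t0 + timedelta(minutes=30))]
    state["up"] = False
    results.append(cache.check(0xBAD, t0 + timedelta(minutes=45)))   # cached revoked
    results.append(cache.check(0x1001, t0 + timedelta(hours=2)))     # expired, no answer
    return results, cache.queries

if __name__ == "__main__":
    print(demo())
```

With softfail enabled, the window in which a revoked certificate can still be accepted is the cached lifetime plus however long the responder stays unreachable, so responder outages are worth alerting on.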