Matthew Newton mcn4 at
Wed Nov 25 16:06:32 CET 2015

On Wed, Nov 25, 2015 at 09:52:09AM -0500, Arran Cudbard-Bell wrote:
> > I thought the whole point of OCSP was that it was supposed to be a
> > lightweight and quickly updated alternative to CRLs, and therefore
> No, it does.  The OCSP standard provides a nextUpdate field which indicates
> the next time data will be available.
>    nextUpdate      The time at or before which newer information will be

Ah, cool. That does make sense, then.

> This particular feature was added to support a very large commercial
> deployment of EAP-TLS (1.6M subscribers), which is operating with a single
> OCSP server instance (it fails open).

Yeah, same here but much less clients. Which was why I wrote the
"softfail" option :-)


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list