OCSP URL format

Alan DeKok aland at deployingradius.com
Fri Apr 1 13:29:25 CEST 2016


On Apr 1, 2016, at 7:22 AM, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
> 
> Yup but as it says
> 
> # Warning: this may enable clients with revoked
> # certificates to connect if the OCSP responder is not
> # available. Use with caution.
> #
> Think I'd rather have ability to try another OCSP server at this point.

  Sure.  Submit a patch. :)

  It has to detect the failure, and instead of "soft fail", try either another hard-coded URL, or parse the OCSP URL(s) for another URL.  And if either of those fail... fall back to the "soft fail".

  But realistically, if OCSP works at a hard-coded URL, why not just use that?  And most certificates won't have multiple OCSP URLs, so you can't fall back to another OCSP server.

  You're much better off ensuring that your OCSP server stays up.  Use a load-balancer, or a caching proxy.  It's easier to manage than FreeRADIUS patches, and more configurable.

  Alan DeKok.
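The fallback order Alan sketches (configured URL first, then any OCSP URLs from the certificate, and only then the soft-fail decision), written out as an added illustration; this is not FreeRADIUS code, and the responder outcomes and URLs are constructed for the example:

```python
from enum import Enum
from typing import Callable, Iterable, List, Optional

class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # unreachable, timeout, or malformed reply

# A responder query takes a URL and returns a status. It is injected so the
# decision logic can be exercised offline with constructed outcomes.
Responder = Callable[[str], OcspStatus]

def candidate_urls(override_url: Optional[str], aia_urls: Iterable[str]) -> List[str]:
    """Order the responders to try: the hard-coded override URL first, then each
    distinct OCSP URL taken from the certificate's AIA extension."""
    ordered: List[str] = []
    for url in ([override_url] if override_url else []) + list(aia_urls):
        if url and url not in ordered:
            ordered.append(url)
    return ordered

def check_with_fallback(urls: List[str], query: Responder, softfail: bool) -> bool:
    """Return True if the client may connect. A definitive answer (good or
    revoked) ends the search; if every responder is unavailable, the client is
    accepted only when softfail is enabled, which is the risk the config
    comment warns about."""
    for url in urls:
        status = query(url)
        if status is OcspStatus.GOOD:
            return True
        if status is OcspStatus.REVOKED:
            return False
        # UNAVAILABLE: move on to the next responder
    return softfail

# Constructed outcomes for illustration only; these are not real responders.
SIMULATED = {
    "http://ocsp-override.example/": OcspStatus.UNAVAILABLE,
    "http://ocsp1.example/": OcspStatus.UNAVAILABLE,
    "http://ocsp2.example/": OcspStatus.REVOKED,
}

def simulated_responder(url: str) -> OcspStatus:
    return SIMULATED.get(url, OcspStatus.UNAVAILABLE)

def demo() -> dict:
    urls = candidate_urls("http://ocsp-override.example/",
                          ["http://ocsp1.example/", "http://ocsp2.example/"])
    return {
        # the second AIA responder answers "revoked", so the client is rejected
        "with_fallback": check_with_fallback(urls, simulated_responder, softfail=False),
        # override only, responder down: softfail lets a revoked cert through
        "override_only_softfail": check_with_fallback(urls[:1], simulated_responder, softfail=True),
        "override_only_hardfail": check_with_fallback(urls[:1], simulated_responder, softfail=False),
    }
```

The last two results show why the quoted warning matters: with a single unreachable responder, softfail alone decides the outcome.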
