OCSP URL format
Matthew Newton
mcn4 at leicester.ac.uk
Fri Apr 1 13:35:28 CEST 2016
On Fri, Apr 01, 2016 at 12:22:48PM +0100, Alex Sharaz wrote:
> Yup but as it says
>
> # Warning: this may enable clients with revoked
> # certificates to connect if the OCSP responder is not
> # available. Use with caution.
> #
> Think I'd rather have ability to try another OCSP server at this point.

It took me less than two minutes' thought here to realise that
we'd never revoked a certificate, so the likelihood of the server
going down was more than worrying that someone with a revoked cert
was going to get in. Hence writing the softfail code...

But not doubting your feature request is a valid one. Just
pointing out there are existing alternatives which might be good
enough. OCSP loadbalancer + softfail + checking regularly
downloaded CRLs is probably appropriate for the vast majority of
people.

Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
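
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of how softfail combines with a regularly downloaded CRL, showing which revoked certificates are still rejected while the OCSP responder is down. The names (check_client_cert, CachedCrl), the serial numbers, the timestamps and the choice to reject on a stale CRL are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # responder down or timed out


@dataclass(frozen=True)
class CachedCrl:
    fetched: datetime             # when the scheduled download ran
    next_update: datetime         # CRL is stale after this time
    revoked_serials: frozenset


def check_client_cert(serial, ocsp, crl, now, softfail):
    """Return (accepted, reason) for one client certificate."""
    # The cached CRL needs no network, so it is consulted first.
    if now > crl.next_update:
        return False, "cached CRL is stale"
    if serial in crl.revoked_serials:
        return False, "revoked per cached CRL"
    if ocsp is Ocsp.REVOKED:
        return False, "revoked per OCSP"
    if ocsp is Ocsp.GOOD:
        return True, "OCSP good"
    # Responder unavailable: hard fail rejects every client, softfail
    # accepts on the strength of the CRL check that already passed.
    if softfail:
        return True, "OCSP unavailable, softfail, CRL clean"
    return False, "OCSP unavailable, hard fail"


# Constructed sample data: serial 0x1A2B was revoked before the last CRL
# download, serial 0x3C4D only afterwards, serial 0x5E6F is not revoked.
NOW = datetime(2016, 4, 1, 13, 0)
CRL = CachedCrl(fetched=NOW - timedelta(hours=6),
                next_update=NOW + timedelta(hours=18),
                revoked_serials=frozenset({0x1A2B}))


def demo():
    """Outcome for each sample serial with the responder down and softfail on."""
    cases = {"old revocation": 0x1A2B, "recent revocation": 0x3C4D, "valid": 0x5E6F}
    return {name: check_client_cert(serial, Ocsp.UNAVAILABLE, CRL, NOW, softfail=True)
            for name, serial in cases.items()}
```

In this model the only revoked certificate that gets in during an outage is one revoked after the last CRL download, so the download interval bounds the exposure that softfail introduces.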