OCSP URL format
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Apr 1 14:28:39 CEST 2016
We're at the bottom of the learning curve w.r.t EAP-TLS but on the way
to the fish and chip shop this lunchtime did come to the same
conclusion that perhaps I was getting over concerned as to what to do
in the event of the OCSP server failing. As you said, can't imaging
we'll be revoking millions of certificates when we start rolling them
out there.
Think perhaps I'll use the softfail ... :-))
A
On 1 April 2016 at 12:35, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Fri, Apr 01, 2016 at 12:22:48PM +0100, Alex Sharaz wrote:
>> Yup but as it says
>>
>> # Warning: this may enable clients with revoked
>> # certificates to connect if the OCSP responder is not
>> # available. Use with caution.
>> #
>> Think I'd rather have ability to try another OCSP server at this point.
>
> It took me less than two minutes thought here to realise that
> we'd never revoked a certificate, so the likelihood of the server
> going down was more than worrying that someone with a revoked cert
> was going to get in. Hence writing the softfail code...
>
> But not doubting your feature request is a valid one. Just
> pointing out there are existing alternatives which might be good
> enough. OSCP loadbalancer + softfail + checking regularly
> downloaded CRLs is probably appropriate for the vast majority of
> people.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list