Is it possible to execute check-eap-tls before checking ocsp?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Apr 25 15:05:32 CEST 2016


> On Apr 23, 2016, at 8:51 AM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Apr 23, 2016, at 6:24 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura at nabiq.co.jp> wrote:
>> I have to protect against cert DDoS attacks on the OCSP server.
> 
>  The solution is to limit the number of EAP authentications which can be done.
> 
>  And to be honest, EAP takes more work than OCSP checks.  If your OCSP server can't keep up with EAP traffic, you need to upgrade your OCSP server.

Well, yes and no.

We support OCSP status caching in v3.1.x because OCSP servers are not necessarily built with performance in mind, and calling out to an external entity adds additional latency.

There's enough crappy commercial OCSP servers out there that it's a useful feature.

-Arran
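As an added illustration of the status-caching trade-off described above (example code written here, not FreeRADIUS's own implementation; the key shape, `fake_responder`, and the 300 s local cap are constructed assumptions): a cache that serves repeated EAP-TLS authentications without a round-trip, but only for definitive answers and only within the responder's own validity window.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed key shape: (issuer name hash, certificate serial as hex).
Key = Tuple[str, str]
# A fetcher returns (status, thisUpdate, nextUpdate) in epoch seconds;
# nextUpdate is optional in a real OCSP response.
Fetcher = Callable[[Key], Tuple[str, float, Optional[float]]]

class OcspCache:
    def __init__(self, fetch: Fetcher, max_ttl: float = 3600.0) -> None:
        self._fetch = fetch
        self._max_ttl = max_ttl
        self._entries: Dict[Key, Tuple[str, float]] = {}  # key -> (status, expires_at)
        self.fetches = 0  # round-trips actually made to the responder

    def check(self, key: Key, now: float) -> str:
        entry = self._entries.get(key)
        if entry is not None and now < entry[1]:
            return entry[0]  # served from cache: no load on the OCSP server
        self.fetches += 1
        status, this_update, next_update = self._fetch(key)
        if status in ("good", "revoked"):
            # Trust the answer no longer than the responder's own window, and
            # no longer than the local cap even if the responder advertises more.
            horizon = next_update if next_update is not None else this_update + self._max_ttl
            self._entries[key] = (status, min(horizon, now + self._max_ttl))
        else:
            # "unknown" or a transport failure is never cached; retry next time.
            self._entries.pop(key, None)
        return status

def run_demo() -> Dict[str, int]:
    # Constructed responder: fixed answers per serial, no network involved.
    def fake_responder(key: Key) -> Tuple[str, float, Optional[float]]:
        if key[1] == "0A":
            return ("good", 1000.0, 1600.0)
        if key[1] == "0B":
            return ("revoked", 1000.0, 1600.0)
        return ("unknown", 1000.0, None)

    cache = OcspCache(fake_responder, max_ttl=300.0)
    good, revoked, unknown = ("ca1", "0A"), ("ca1", "0B"), ("ca1", "0C")
    for _ in range(50):  # a burst of EAP-TLS authentications with two client certs
        cache.check(good, 1000.0)
        cache.check(revoked, 1000.0)
    after_burst = cache.fetches  # 2: one round-trip per certificate
    cache.check(good, 1300.0)  # local cap (300 s) reached before nextUpdate: refetch
    after_expiry = cache.fetches  # 3
    cache.check(unknown, 1000.0)
    cache.check(unknown, 1001.0)  # "unknown" is asked again, not served from cache
    return {"after_burst": after_burst, "after_expiry": after_expiry, "total": cache.fetches}
```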