Is it possible to execute check-eap-tls before checking ocsp?
Mitsuhiro Nakamura
mitsuhiro.nakamura at nabiq.co.jp
Mon Apr 25 15:17:13 CEST 2016
Thanks Mr.Arran
I try to read code.
I was a C programmer.
I'm old but not obsolete!!
On 2016/04/25 22:05, Arran Cudbard-Bell wrote:
>
>> On Apr 23, 2016, at 8:51 AM, Alan DeKok <aland at deployingradius.com> wrote:
>>
>> On Apr 23, 2016, at 6:24 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura at nabiq.co.jp> wrote:
>>> I have to protect cert ddos attacks for OCSP server.
>>
>> The solution is to limit the number of EAP authentications which can be done.
>>
>> And to be honest, EAP takes more work than OCSP checks. If your OCSP server can't keep up with EAP traffic, you need to upgrade your OCSP server.
>
> Well, yes and no.
>
> We support OCSP status caching in v3.1.x because OCSP servers are not necessarily built with performance in mind, and calling out to an external entity adds additional latency.
>
> There's enough crappy commercial OCSP servers out there that it's a useful feature.
>
> -Arran
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list