On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
> Beltramini Francesco wrote:
> > but when I try to remove this feature and use the OCSP
> > property extracted from the client certificate, the radiusd -X
> > output is:
> >
> > [tls] --> Starting OCSP Request
> > [ocsp] --> Responder URL = http://(null):(null)(null)
>
> From the v2.2.0 change log:
>
> * Skip OCSP if there's no host / port / url, with soft_fail

Hmm - I'm not sure if the override_cert_url = no code works correctly - I seem to remember I had problems with it, but I just set it to yes and forced the server anyway, as it seemed better than trusting the client-provided cert (our setup is private CA, so I know what the OCSP server is).

I think I saw the same - that it wouldn't extract the URL from the cert, and just came back with (null)s. As usual, I just blamed OpenSSL and moved on. If I get a chance, I'll try and check it again.

soft_fail will allow the auth to succeed in the event that there is no response (rather than a negative response) from the OCSP server - otherwise it "fails safe" and rejects the request. It's in case the OCSP server happens to be down for some reason.

> Upgrade.

Always the right thing anyway :-)

Cheers,

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
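The two settings discussed in the thread live in the ocsp subsection of the tls block in raddb/eap.conf. The fragment below is an added illustration, not configuration posted by anyone in the thread or shipped by the FreeRADIUS project: it shows the "force the responder I control" layout Matthew describes, with the fail-closed default beside the soft-fail variant. The responder URL is a placeholder, and the key spelling `softfail` (the option the change log calls soft_fail) is an assumption taken from the 2.x eap.conf layout; confirm it against the eap.conf shipped with your own version.

```conf
# Added example (not from the thread): ocsp subsection of the "tls"
# block in raddb/eap.conf, FreeRADIUS 2.2.x layout.  URL is a placeholder.
tls {
    # ... certificate, key and CA settings omitted ...

    ocsp {
        enable = yes

        # "yes": ignore whatever OCSP URL the client certificate carries
        # and always query the responder named in "url" below.  This is
        # the setting Matthew chose for a private-CA deployment.
        # "no": take the URL from the certificate's AIA extension; a
        # certificate without one produces the debug line
        #   [ocsp] --> Responder URL = http://(null):(null)(null)
        # and, from v2.2.0, the check is skipped only when softfail is on.
        override_cert_url = yes
        url = "http://ocsp.example.invalid/ocsp/"   # placeholder responder

        # Fail closed (default): if the responder does not answer, or the
        # answer cannot be parsed, the authentication is rejected.
        softfail = no

        # Alternative discussed in the thread.  With softfail = yes a
        # missing response lets the authentication proceed; a definite
        # "revoked" response from the responder is still rejected.
        # softfail = yes
    }
}
```

The trade-off is exactly the one described in the reply: `softfail = no` makes responder downtime an outage for certificate-based EAP logins, while `softfail = yes` keeps logins working during an outage at the cost of accepting a certificate whose revocation status could not be confirmed, so the choice should follow how quickly the responder can be restored and how sensitive the network behind the NAS is.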