Hi,
I don't know why the OCSP support is not included in the main source
of OpenVPN (I need to update the patch for the rc7), but I know
something:
- if your CRL (in flat file) is not up to date, your OpenVPN will not crash
- if you decide to use an OCSP server with OpenVPN (and my patch) and if
your OCSP server crashes, your OpenVPN will be blocked.
From my experience, I build two OCSPd behind LVS and I bypass this
problem.
What do you think about that?
Regards,
Davy
On 16 June 08 at 22:52, Faidon Liambotis wrote:
Hi,
In light of the Debian OpenSSL vulnerability, I was looking for a
way to efficiently check for revoked certificates.
Updating CRLs is one way but it's not exactly efficient.
I've found that someone has actually implemented OCSP for OpenVPN[1].
Is there any specific reason that this hasn't been merged?
I saw evidence on the openvpn-devel archives that this was submitted
almost a year ago but I didn't see any reviews or comments whatsoever.
James, perhaps this should be included in -rc9?
Regards,
Faidon
1: http://www.block64.net/