...
> > I've found that someone has actually implemented OCSP for
> > OpenVPN[1].
> >
> > Is there any specific reason that this hasn't been merged?
...
> >
> > 1: http://www.block64.net/
>
> Hi,
>
> I don't know why the OCSP support is not included in the main source
> of OpenVPN (I need to update the patch for rc7), but I know
> something:
>
> - if your CRL (in a flat file) is not up to date, your OpenVPN will
>   not crash
> - if you decide to use an OCSP server with OpenVPN (and my
>   patch) and your OCSP server crashes, your OpenVPN will be blocked.
>
> From my experience, I build two OCSPd behind LVS and I bypass this
> problem.
>
> What do you think about that?
>
> Regards,
>
> Davy
I use it and like it, and in the builds that I have published for OpenWRT, I have included that patch. I don't understand Davy's first point, but as to his second, I do wish that OpenVPN could be made to fall back to a local CRL when the ocspd server cannot be reached. I have had this happen before, and effectively the VPN was shut down. Then again, from a security standpoint, that's probably a good thing.... Anyway, I wish there was at least an option to have a local CRL file fallback.

-Dave
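The fallback policy Dave asks for, and the stale-CRL caveat behind Davy's first point, as an added illustration that is not part of this thread, of OpenVPN, or of the block64 patch. It models the decision a verify hook would make: ask OCSP first, and only when the responder is unreachable consult a local CRL, refusing a CRL whose nextUpdate has passed. The responder results and the CRL contents are constructed in-line; nothing is parsed from real certificates.

```python
"""Revocation decision with CRL fallback (added example, simulated inputs)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder answered but cannot vouch
    UNAVAILABLE = "unavailable"  # responder down, timeout, connection refused


@dataclass
class LocalCrl:
    this_update: datetime
    next_update: datetime
    revoked_serials: set = field(default_factory=set)

    def is_current(self, now):
        return self.this_update <= now < self.next_update


def check_revocation(serial, ocsp, crl, now, allow_crl_fallback=True):
    """Return (accept, reason). Fail closed except for the one case the
    thread asks for: OCSP unreachable AND a current CRL not listing serial."""
    if ocsp is Ocsp.GOOD:
        return True, "ocsp:good"
    if ocsp is Ocsp.REVOKED:
        return False, "ocsp:revoked"
    if ocsp is Ocsp.UNKNOWN:
        return False, "ocsp:unknown"
    # Responder unavailable: without a fallback this is where the VPN blocks.
    if not allow_crl_fallback:
        return False, "ocsp:unavailable,no-fallback"
    if crl is None:
        return False, "ocsp:unavailable,no-crl"
    if not crl.is_current(now):
        # Davy's first point: a stale flat-file CRL is silently accepted by
        # a plain CRL check; here it is treated as no CRL at all.
        return False, "ocsp:unavailable,crl-stale"
    if serial in crl.revoked_serials:
        return False, "crl:revoked"
    return True, "crl:good"


# Constructed sample data (hypothetical serials and dates).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
FRESH_CRL = LocalCrl(NOW - timedelta(days=1), NOW + timedelta(days=6), {0x1234})
STALE_CRL = LocalCrl(NOW - timedelta(days=30), NOW - timedelta(days=1), set())
```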