Re: [Ipsec-tools-devel] OCSP for racoon

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Paul Moore wrote:
> if crl and ocsp configured i would do crl first. IN that case we dont do a round trip for a cert we know is dead

I'd have it configurable which one is preffered. The whole point of OCSP is to have realtime check. In which case you do want to make the round trip. CRL is usually just for backup (for software that does not support OCSP).

- Timo