# OCSP Soft-fail Consequences Before we dive into the pros and cons let's start by quickly recapping what the setting means: Please note: All of those examples describe the behaviour of an authentication where the supplicant has a valid certificate (not expired, issued by a trusted CA). #### Soft-fail = Enabled If a problem occurs when querying the OCSP responder such as a timeout or incorrect data, the application treats the certificate revocation status as '**good**'. #### Soft-fail = Disabled If a problem occurs when querying the OCSP responder such as a timeout or incorrect data, the application treats the certificate revocation status as '**revoked**'. If you use **OCSP-Autodetect** and the client certificate does not include an OCSP responder URL, the application treats the certificate revocation status as '**revoked**'. ## Pros and Cons ### Soft-fail Enabled #### Pros 1. **Higher Availability & Fewer Disruptions** * Users are less likely to experience sudden authentication failures due to transient network issues or temporary OCSP responder outages. * Improves user experience and reduces support calls related to “can’t connect” issues caused solely by OCSP connectivity or service problems. 2. **Better Tolerance of OCSP Service Outages** * If the OCSP hosting provider experiences downtime or certificate-related issues, authentications will still succeed. 3. **Minimal Impact on Business Continuity** * Especially important in environments where downtime has a high cost (e.g., critical infrastructure, emergency services, or 24/7 businesses). #### Cons 1. **Security Risk: Revoked Certificates May Be Accepted** * A failure in the RADIUS server's revocation status verification, due to OCSP unavailability or other issues, will result in the acceptance of a revoked certificate. * This undermines the trust model of certificate-based authentication and can be exploited if an attacker deliberately forces OCSP failures. 2. **Lack of Visibility Into System-wide Issues** * If the system silently bypasses revocation checks, administrators might not immediately notice that an OCSP responder is down or misconfigured, prolonging the vulnerability window. ### Soft-fail Disabled #### Pros 1. **Higher Security Assurance** * Ensures that any certificate that cannot be positively validated against the OCSP responder is rejected. * Protects against usage of revoked, or otherwise compromised certificates. 2. **Clear Operational Signals** * If authentication suddenly starts failing, it forces quick attention to OCSP availability or configuration problems. * Administrators become immediately aware of any connectivity or trust chain issues because no user can authenticate unless the OCSP check is successful. #### Cons 1. **Single Point of Failure** * If the OCSP responder is down, DDOS attacked, unreachable, or misconfigured, **all** valid certificate authentications fail. * Can cause significant business disruption and a flood of support calls. 2. **Reliance on OCSP Service Uptime** * Implies your OCSP service must be highly available and robustly monitored. * Requires thorough failover planning (e.g., multiple OCSP responders, load balancing, or redundancy) to prevent massive outages. * Requires planning for updating the responder 3. **Possible Frustration for Users** * Users can’t connect even when they have perfectly valid certificates, simply because the OCSP check can’t complete. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.radiusaas.com/other/faqs/ocsp-soft-fail-consequences.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.