OCSP Soft-fail Consequences

This page gives an overview of the pros and cons of the OCSP Soft-fail setting.

Before we dive into the pros and cons, let's start by quickly recapping what the setting means:

Please note: All of the following examples describe the behaviour of an authentication where the supplicant has a valid certificate (not expired, issued by a trusted CA).

Soft-fail = Enabled

If a problem occurs when querying the OCSP responder, such as a timeout or incorrect data, the application treats the certificate revocation status as 'good'.

Soft-fail = Disabled

If a problem occurs when querying the OCSP responder, such as a timeout or incorrect data, the application treats the certificate revocation status as 'revoked'.

If you use OCSP-Autodetect and the client certificate does not include an OCSP responder URL, the application treats the certificate revocation status as 'revoked'.

Pros and Cons

Soft-fail Enabled

Pros

  1. Higher Availability & Fewer Disruptions

    • Users are less likely to experience sudden authentication failures due to transient network issues or temporary OCSP responder outages.

    • Improves user experience and reduces support calls related to “can’t connect” issues caused solely by OCSP connectivity or service problems.

  2. Better Tolerance of OCSP Service Outages

    • If the OCSP hosting provider experiences downtime or certificate-related issues, authentications will still succeed.

  3. Minimal Impact on Business Continuity

    • Especially important in environments where downtime has a high cost (e.g., critical infrastructure, emergency services, or 24/7 businesses).

Cons

  1. Security Risk: Revoked Certificates May Be Accepted

    • A failure in the RADIUS server's revocation status verification, due to OCSP unavailability or other issues, will result in the acceptance of a revoked certificate.

    • This undermines the trust model of certificate-based authentication and can be exploited if an attacker deliberately forces OCSP failures.

  2. Lack of Visibility Into System-wide Issues

    • If the system silently bypasses revocation checks, administrators might not immediately notice that an OCSP responder is down or misconfigured, prolonging the vulnerability window.
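
The decision logic recapped at the top of the page, together with a simple log check that addresses the visibility problem just described, as an added example that is not part of the original page or of RADIUSaaS: `OcspOutcome`, `decide_revocation_status`, `soft_failed_accepts`, `responder_alert` and the log line format are all hypothetical, and the sample log is constructed. The model assumes that a missing OCSP URL under Autodetect with soft-fail enabled is handled like any other incomplete check; the page only documents the disabled case.

```python
from enum import Enum
import re

class OcspOutcome(Enum):
    """Result of the RADIUS server's OCSP query for an otherwise valid supplicant certificate."""
    GOOD = "good"        # responder answered: not revoked
    REVOKED = "revoked"  # responder answered: revoked
    ERROR = "error"      # timeout, unparsable or otherwise incorrect response
    NO_URL = "no_url"    # OCSP-Autodetect and the certificate carries no responder URL

def decide_revocation_status(outcome, soft_fail):
    """Return the revocation status the server acts on ('good' or 'revoked')."""
    if outcome in (OcspOutcome.GOOD, OcspOutcome.REVOKED):
        return outcome.value  # a definitive responder answer is always honoured
    # No definitive answer could be obtained, so the soft-fail switch decides.
    # Assumption: NO_URL with soft-fail enabled is treated like ERROR; the page
    # documents NO_URL only for soft-fail disabled (where it is 'revoked').
    return "good" if soft_fail else "revoked"

# Constructed, hypothetical log line format (not the product's real format): one authentication per line.
LOG_RE = re.compile(r"user=(?P<user>\S+) ocsp=(?P<ocsp>\S+) softfail=(?P<sf>on|off) result=(?P<res>\S+)")

SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice ocsp=good softfail=on result=Accept
2024-05-01T10:00:07Z user=bob ocsp=timeout softfail=on result=Accept
2024-05-01T10:00:09Z user=carol ocsp=timeout softfail=on result=Accept
2024-05-01T10:00:12Z user=dave ocsp=revoked softfail=on result=Reject
2024-05-01T10:00:15Z user=erin ocsp=malformed softfail=on result=Accept
"""

def soft_failed_accepts(log_text):
    """Users whose Access-Accept relied on soft-fail: the check did not return 'good', yet access was granted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["sf"] == "on" and m["ocsp"] not in ("good", "revoked") and m["res"] == "Accept":
            hits.append((m["user"], m["ocsp"]))
    return hits

def responder_alert(log_text, threshold=2):
    """True when soft-fail has silently carried at least `threshold` logins, i.e. the responder needs attention."""
    return len(soft_failed_accepts(log_text)) >= threshold

if __name__ == "__main__":
    for outcome in OcspOutcome:
        print(outcome.name, "enabled ->", decide_revocation_status(outcome, True),
              "| disabled ->", decide_revocation_status(outcome, False))
    print("soft-failed accepts:", soft_failed_accepts(SAMPLE_LOG), "alert:", responder_alert(SAMPLE_LOG))
```

Feeding the real authentication log into `soft_failed_accepts` on a schedule turns the silent bypass into an operational signal, which is the main thing soft-fail enabled otherwise lacks.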

Soft-fail Disabled

Pros

  1. Higher Security Assurance

    • Ensures that any certificate that cannot be positively validated against the OCSP responder is rejected.

    • Protects against the use of revoked or otherwise compromised certificates.

  2. Clear Operational Signals

    • If authentication suddenly starts failing, it forces quick attention to OCSP availability or configuration problems.

    • Administrators become immediately aware of any connectivity or trust chain issues because no user can authenticate unless the OCSP check is successful.

Cons

  1. Single Point of Failure

    • If the OCSP responder is down, under DDoS attack, unreachable, or misconfigured, all valid certificate authentications fail.

    • Can cause significant business disruption and a flood of support calls.

  2. Reliance on OCSP Service Uptime

    • Implies your OCSP service must be highly available and robustly monitored.

    • Requires thorough failover planning (e.g., multiple OCSP responders, load balancing, or redundancy) to prevent massive outages.

    • Requires planning for updates and maintenance of the responder.

  3. Possible Frustration for Users

    • Users can’t connect even when they have perfectly valid certificates, simply because the OCSP check can’t complete.

Last updated 2 months ago
