Add OCSP softfail option
[freeradius.git] / raddb / mods-available / eap
index 0e767d8..26a7f43 100644 (file)
                              # for OCSP response. 0 uses system default.
                              #
                              # timeout = 0
+
+                             #
+                             # Normally an error in querying the OCSP
+                             # responder (no response from server, server did
+                             # not understand the request, etc) will result in
+                             # a validation failure.
+                             #
+                             # To treat these errors as 'soft' failures and
+                             # still accept the certificate, enable this
+                             # option.
+                             # 
+                             # Warning: this may enable clients with revoked
+                             # certificates to connect if the OCSP responder
+                             # is not available. Use with caution.
+                             #
+                             # softfail = no
                        }
                }
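Review bot: The comment block above `softfail = no` does not define which responder outcomes count as 'soft'. The wording "no response from server, server did not understand the request, etc" leaves open whether a certificate status of "unknown", or a response that cannot be verified, is also accepted when the option is enabled. Suggest listing the exact cases and stating explicitly that a definitive "revoked" answer still rejects the certificate, so an operator can judge the exposure described in the Warning paragraph. It would also help to say whether a soft failure is logged, since that is the only way to notice clients being accepted without a revocation check. Minor style point: the added comment line directly before "Warning:" is `# ` with trailing whitespace; trim it to `#` to match the other blank comment lines in the block.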