Parameter: OCSP_CHECK_CLIENT_CERT
Short description: Enables OCSP revocation checks for client certificates during TLS client authentication (HTTPS, SMTP / LDAP STARTTLS).
Profile
Parameter | OCSP_CHECK_CLIENT_CERT |
Category | Security / TLS |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = off (default), 1 = check (fail-open), 2 = check (fail-closed) |
Description
During TLS client authentication the client presents a certificate. A valid signature chain says nothing about revocation: a certificate that has been revoked (revocation published via CRL or OCSP) is only rejected if the server actively checks its revocation status.
OCSP_CHECK_CLIENT_CERT enables this check against the OCSP responder referenced in the certificate (its Authority Information Access extension). Both check modes reject a certificate the responder reports as revoked; they differ only in what happens when no response can be obtained:
1 = fail-open (soft-fail): if the OCSP responder is unreachable, the certificate is accepted anyway.
2 = fail-closed (hard-fail): if the OCSP responder is unreachable, the connection is rejected. This is the stricter and more secure variant, because an attacker who can keep the responder from answering (network filtering, a DoS against the responder) cannot turn a revoked certificate back into an accepted one.
Example configuration
OCSP_CHECK_CLIENT_CERT=2
Notes & pitfalls
- fail-closed requires highly available OCSP responders and a working network path to them from the Domino server; otherwise a responder outage (or a firewall that blocks outbound HTTP from the server) locks legitimate clients out. Before switching to 2, confirm from the Domino host that the responder URL embedded in the client certificates actually answers for a known-good certificate.
- Takes effect after a restart of the consuming tasks (HTTP, SMTP, LDAP).
- Pairs with NOCRLCheck and LogPrintCertChainErrors for deeper TLS diagnostics.
- Whichever mode is chosen, document the soft-fail / hard-fail behavior in the security policy, so that what happens during a responder outage (clients accepted unchecked, or clients locked out) is a deliberate decision rather than a surprise.
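The following script is an added example and is not part of this page or of HCL Domino. It builds a throwaway CA and client certificate with OpenSSL, runs a local OCSP responder, and produces the three outcomes described above (good, revoked, responder unreachable), then maps each outcome to the accept/reject decision of modes 0, 1 and 2 as the description defines them. The lab directory, the local port 18080 and the handling of responder answers other than good/revoked (treated as reject in both check modes) are assumptions of this script, not documented Domino behavior.

```shell
#!/bin/sh
# Added example (not HCL code): an OpenSSL lab that shows the three OCSP outcomes a server
# with OCSP_CHECK_CLIENT_CERT has to handle, and the verdict each mode gives for them.
set -u
LAB="${LAB:-$(mktemp -d)}"          # assumption: scratch directory for the lab CA
OCSP_PORT="${OCSP_PORT:-18080}"     # assumption: a free local port for the responder
RESPONDER_PID=""
trap stop_responder EXIT

make_lab() {   # CA + one client certificate whose AIA extension points at the lab responder
  mkdir -p "$LAB/newcerts" && : > "$LAB/index.txt" && echo 1000 > "$LAB/serial" &&
  cat > "$LAB/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = lab
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = $LAB/index.txt
new_certs_dir = $LAB/newcerts
serial = $LAB/serial
certificate = $LAB/ca.crt
private_key = $LAB/ca.key
default_md = sha256
default_days = 30
policy = lab_policy
x509_extensions = client_ext
[ lab_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$OCSP_PORT
EOF
  openssl req -config "$LAB/ca.cnf" -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$LAB/ca.key" -out "$LAB/ca.crt" -subj /CN=lab-ca -extensions ca_ext 2>/dev/null &&
  openssl req -config "$LAB/ca.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$LAB/client.key" -out "$LAB/client.csr" -subj /CN=alice 2>/dev/null &&
  openssl ca -config "$LAB/ca.cnf" -batch -notext -in "$LAB/client.csr" -out "$LAB/client.crt" 2>/dev/null
}

revoke_client() { openssl ca -config "$LAB/ca.cnf" -revoke "$LAB/client.crt" 2>/dev/null; }

start_responder() {   # answers exactly one request from the current index.txt, then exits
  openssl ocsp -index "$LAB/index.txt" -CA "$LAB/ca.crt" -rsigner "$LAB/ca.crt" -rkey "$LAB/ca.key" \
    -port "$OCSP_PORT" -nrequest 1 >/dev/null 2>&1 &
  RESPONDER_PID=$!
}

stop_responder() {
  [ -n "$RESPONDER_PID" ] || return 0
  kill "$RESPONDER_PID" 2>/dev/null || true
  wait "$RESPONDER_PID" 2>/dev/null || true
  RESPONDER_PID=""
}

ocsp_status() {   # what the server learns about client.crt: good | revoked | unknown | unreachable
  tries=0; out=""
  while :; do
    out=$(openssl ocsp -issuer "$LAB/ca.crt" -cert "$LAB/client.crt" -CAfile "$LAB/ca.crt" \
          -url "http://127.0.0.1:$OCSP_PORT" -timeout 3 2>&1 || true)
    case "$out" in *"Response verify OK"*) break ;; esac
    tries=$((tries + 1))
    # retry only while a responder is still starting up; otherwise this is a real outage
    [ "$tries" -lt 15 ] && [ -n "$RESPONDER_PID" ] && kill -0 "$RESPONDER_PID" 2>/dev/null || break
    sleep 1
  done
  case "$out" in
    *"Response verify OK"*": good"*)    echo good ;;
    *"Response verify OK"*": revoked"*) echo revoked ;;
    *"Response verify OK"*)             echo unknown ;;     # responder answered, but neither good nor revoked
    *)                                  echo unreachable ;; # no trustworthy answer: refused, timeout, bad signature
  esac
}

verdict() {   # verdict MODE STATUS -> accept | reject, following the page's definition of modes 0/1/2
  case "$1" in
    0) echo accept ;;                                                          # no revocation check at all
    1) case "$2" in good|unreachable) echo accept ;; *) echo reject ;; esac ;; # fail-open: outage is tolerated
    2) case "$2" in good) echo accept ;; *) echo reject ;; esac ;;             # fail-closed: outage rejects
    *) echo reject ;;
  esac   # assumption: answers other than good/revoked (e.g. unknown) are rejected in both check modes
}

run_lab() {
  make_lab || return 1
  start_responder; STATUS_GOOD=$(ocsp_status); stop_responder
  revoke_client
  start_responder; STATUS_REVOKED=$(ocsp_status); stop_responder
  STATUS_OUTAGE=$(ocsp_status)   # nothing listening: the outage the fail-open/fail-closed choice is about
  for s in "$STATUS_GOOD" "$STATUS_REVOKED" "$STATUS_OUTAGE"; do
    printf '%-12s mode 0: %s   mode 1: %s   mode 2: %s\n' \
      "$s" "$(verdict 0 "$s")" "$(verdict 1 "$s")" "$(verdict 2 "$s")"
  done
}
run_lab
```

The printed table shows the point of the two check modes: a revoked certificate is rejected by both 1 and 2, while only mode 2 also rejects during the outage row. For the real pre-check on a Domino host, replace the lab files with a production client certificate and its issuer, take the responder URL from the certificate itself (openssl x509 -noout -ocsp_uri), and run the same openssl ocsp query from the server; if that query does not return "Response verify OK" there, mode 2 will lock that client out.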