Syslog TLS OCSP Attribute Configuration
Beginning with version 32.2, you can configure Syslog TLS OCSP attributes (nonce, override, and ocsp-nocheck, respectively) using the following commands:
- configure syslog tls ocsp nonce [on | off]
- configure syslog tls ocsp override [url | none]
- configure syslog tls ocsp signer ocsp-nocheck [on | off]
OCSP nonce cryptographically binds an OCSP request and an OCSP response with an id-pkix-ocsp-nonce extension to prevent replay attacks.
OCSP override configures one HTTP Online Certificate Status Protocol (OCSP) override URL for TLS connections to a remote Syslog server.
If ocsp-nocheck is turned on, the operating system treats the OCSP signer certificate as if it contains the ocsp-nocheck extension, whether or not the certificate actually has it, so OCSP responses from that signer are accepted without checking the signer's own revocation status. By default, this setting is off to maintain backward compatibility; it can be turned on or off per application. The setting applies both to the configured override server and to the servers named in the certificate's AIA (Authority Information Access) extension.