Doubts regarding HS 2.0R2 OSU SPP server and client

Jouni Malinen j
Fri Apr 11 09:00:09 PDT 2014

On Thu, Apr 10, 2014 at 05:42:42PM +0530, Sreenath S wrote:
> In 'sql-example.txt' file, 'aaa_trust_root_cert_url' is set as
> 'https://<URL>/hs20/files/aaa-root-ca.pem'. During online-signup OSU client
> will download and store the same certificate as base64 encoded. However if the
> file is PEM encoded, then base64 encoding will corrupt the file. So the file
> should be DER encoded. It is better to rename the file as 'aaa-root-ca.der'
> to avoid the confusion. Please correct if I am missing the point.

Looks like this example file did not get all the updates. Anyway, yes,
that's correct, it was supposed to be DER. I'll fix that.

> After online signup how to make the downloaded credentials persistent?
> Because in the reference OSU client during 'signup' command, credentials are
> configured to supplicant using SET command and then INTERWORKING_SELECT command
> is used to initiate connection. The subsequent connections to same production
> AP doesn't need online-signup, as credentials are already available. The
> question is where to keep the credentials persistent, in wpa_supplicant.conf
> file or in downloaded MO file - pps.xml. If the credentials are kept in MO
> file, then on what basis framework can pick the right MO and configure the
> credentials to supplicant using "set_pps" command. Also after "set_pps" command
> INTERWORKING_SELECT command should be issued explicitly to initiate the
> connection. Any pointers/suggestion to handle this issue is highly appreciated.

In practice, the device will need to maintain the PPS MO contents in a
management tree somewhere. Whether to store the credential persistently
in wpa_supplicant.conf or not is a design choice and both alternatives
can be supported. I would populate all active cred blocks to
wpa_supplicant (i.e., all PPS MOs) rather than try to somehow filter

> Does OSU SPP server has any option to test user remediation, because it looks
> like only machine remediation is supported?

Yes, you can set remediation='user' to force user remediation to be
tested (see www/users.php for an example web UI for doing that type of
management operations).

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list