Doubt regarding OCSP validation in HS2.0 R2 online signup using hs20-osu-client
Jouni Malinen
Sat Nov 15 01:55:06 PST 2014
On Thu, Nov 06, 2014 at 12:33:38PM +0530, Sreenath S wrote:
> Online signup is failing with below error when I enable OCSP in
> /system/bin/hs20-osu-client.workarounds. The error is from
> ocsp_resp_cb().
>
> HTTP error: No OCSP response received
Are you sure the server you are using is configured to support OCSP
stapling?
> It was found that ocsp_resp_cb() is called even before the download of
> the certificate, i.e., before download_cert(). The request is sent using
> the function curl_easy_perform(), which in turn parses devinfo.xml and
> devdetail.xml to get information. But the URI tag is NULL in devdetail.xml;
> from the logs I presume that the OCSP URI is taken from devdetail.
Huh.. curl_easy_perform() has nothing to do with devinfo.xml or
devdetail.xml.. The client does not use the OCSP URI either; it uses TLS
extensions and OCSP stapling on the server.
> Then what is the significance of the "Authority Information Access" field in
> server.der? I was assuming that this URI would be used by the OSU client to
> validate the certificate. In order to do that, the OCSP request should be
> sent only after downloading the server certificate. Please correct me if my
> understanding is wrong.
That's not the case. OCSP stapling is used, i.e., the AIA URI is used by the
server, not the client.
> I am running the OCSP server using ocsp-responder.sh from the "hs20/server/ca"
> folder. OCSP validation passes if I test using ocsp-req.sh and
> ocsp-update-cache.sh.
That is not OCSP stapling. Did you configure the HTTPS server to enable
OCSP stapling?
--
Jouni Malinen PGP id EFC895FA
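The check Jouni asks for, as an added example that is not part of the thread or of hostap: the client only sees a stapled response if the HTTPS server sends one in the TLS handshake, so ask the server for it directly with `openssl s_client -status` and classify what comes back. The host and port are assumptions; the sample transcripts in the comments are constructed, not captured from a real OSU server.

```shell
#!/bin/sh
# Classify the output of `openssl s_client -status` (a ClientHello carrying the
# status_request extension). Prints one of: stapled, none, error.
# s_client prints "OCSP Response Status: successful (0x0)" when the server
# stapled a response and "OCSP response: no response sent" when it did not.
classify_ocsp_output() {
    case "$1" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*) echo none ;;
        *) echo error ;;
    esac
}

# Live check against a server. Assumed arguments: host and port of the OSU
# HTTPS server under test, e.g. check_ocsp_stapling osu.example.net 443.
# The empty stdin makes s_client exit right after the handshake.
check_ocsp_stapling() {
    out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" \
          -status 2>&1)
    classify_ocsp_output "$out"
}

# Decision helper: exit status 0 only when a stapled response was seen, so the
# function can gate a server-side deployment check.
require_stapling() {
    [ "$(classify_ocsp_output "$1")" = stapled ]
}
```

If the result is `none`, the web server (not the OCSP responder started by ocsp-responder.sh) still has to be configured to fetch and staple responses; `error` usually means the handshake itself failed.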