Cannot get hostapd radius to authenticate OSEN connection.

Gene Heskett gheskett
Fri Mar 20 11:26:52 PDT 2015

On Friday 20 March 2015 12:39:52 Jouni Malinen wrote:
> On Fri, Mar 20, 2015 at 08:00:00AM -0700, Ben Greear wrote:
> > I am generating those certs with this logic:
> ..
> I'd recommend taking a look at hs20/server/ca/*. Hotspot 2.0 Rel 2 has
> plenty of additional requirements for certificates. The scripts in
> that directory know how to add such details. You'll also need to set
> up OCSP stapling which is also something that those scripts make
> easier. You can use an OSU server certificate as the AAA server
> certificate for OSEN purposes (there are some extra attributes
> included, but those do not harm this and you'll find your life easier
> if you need to figure out just one instead of two different types of
> server certificates.. :).
> > It still does not work, but it gets farther and complains about the
> > cert file from what I can tell.  I assume I must be either
> > generating keys incorrectly or using them incorrectly:
> >
> > 1426862605.113584: SSL: SSL3 alert: read (remote end reported an
> > error):fatal:bad certificate status response

The remote end has probably disabled SSLv3 due to the POODLE exploit. 
I "think" I have it disabled here too.

> The server did not have OCSP stapling enabled and the client required
> that. See ocsp_stapling_response in hostapd/hostapd.conf.

Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <>

More information about the Hostap mailing list