Doubt regarding OCSP validation in HS2.0 R2 online signup using hs20-osu-client

Jouni Malinen j
Sat Nov 15 01:55:06 PST 2014

On Thu, Nov 06, 2014 at 12:33:38PM +0530, Sreenath S wrote:
> Online signup is failing with below error when I enable OCSP in
> /system/bin/hs20-osu-client.workarounds. The error is from
> ocsp_resp_cb().
> HTTP error: No OCSP response received

Are you sure the server you are using is configured to support OCSP?

> It was found that ocsp_resp_cb() is called even before the download of
> certificate, i.e., before download_cert(). The request is sent using
> function - curl_easy_perform() which in turn parses devinfo.xml and
> devdetail.xml to get information. But URI tag is NULL in devdetail.xml;
> from the logs I presume that OCSP URI is taken from devdetail.

Huh.. curl_easy_perform() has nothing to do with devinfo.xml or
devdetail.xml.. The client does not use OCSP URI either, it uses TLS
extensions and OCSP stapling on the server.

> Then what is significance of "Authority Information Access" field in
> server.der. I was assuming that this URI will be used by OSU client to
> validate the certificate. In order to do that OCSP request should be
> sent only after downloading server certificate. Please correct if my
> understanding is wrong.

That's not the case. OCSP stapling is used, i.e., AIA URI is used by the
server, not the client.

> I am running OCSP server using from "hs20/server/ca"
> folder. OCSP validation is passing if I test using and

That is not OCSP stapling. Did you configure the HTTPS server to enable
OCSP stapling?

Jouni Malinen                                            PGP id EFC895FA
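The check implied by the last question in this thread, written out as an added example (not part of the original message or of the hostap project): with stapling, the HTTPS server fetches the OCSP response from its certificate's AIA URI and sends it inside the TLS handshake, so the quickest way to tell whether the OSU server is configured for it is to ask `openssl s_client -status` and look at what it reports. The two transcripts below are constructed to mirror the stapled and non-stapled cases; the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: classify what `openssl s_client -status` reports about
# OCSP stapling. With stapling, the server (not the client) contacts the
# OCSP responder named in the AIA URI and attaches the signed response to
# the TLS handshake via the status_request extension.

# Print one of: stapled:good, stapled:revoked, none, unknown
stapling_status() {
    # $1: text captured from `openssl s_client ... -status`
    out=$1
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
            echo stapled:revoked
        else
            echo stapled:good
        fi
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        # The server completed the handshake without a stapled response;
        # this is what a client that relies on stapling reports as "no OCSP
        # response received".
        echo none
    else
        echo unknown
    fi
}

# Probe a live server (needs network; not exercised by the offline check).
# The "Q" on stdin closes the session once the handshake has finished.
check_stapling() {
    # $1: host name, $2: port
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" -status 2>&1)
    stapling_status "$out"
}

# Constructed sample: a server that staples an OCSP response.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Nov 14 10:00:00 2014 GMT
======================================
depth=1 CN = osu-ca (constructed)'

# Constructed sample: a server whose HTTPS configuration has no stapling.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=1 CN = osu-ca (constructed)'

# Usage against a real OSU server (placeholder host):
# check_stapling osu.example.com 443
```

Seeing `none` from a server whose certificate does carry an AIA URI means the problem is on the server side: the responder being reachable from the client machine proves nothing, because the client never contacts it.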
