Doubt regarding OCSP validation in HS2.0 R2 online signup using hs20-osu-client

Sreenath S sreenath.mailing.lists at gmail.com
Thu Nov 6 02:03:38 EST 2014


Hello Jouni,

Online signup is failing with the below error when I enable OCSP in
/system/bin/hs20-osu-client.workarounds. The error is from
ocsp_resp_cb().

HTTP error: No OCSP response received

It was found that ocsp_resp_cb() is called even before the download of
the certificate, i.e., before download_cert(). The request is sent using
the function curl_easy_perform(), which in turn parses devinfo.xml and
devdetail.xml to get information. But the URI tag is NULL in devdetail.xml.
From the logs I presume that the OCSP URI is taken from devdetail.

Then what is the significance of the "Authority Information Access" field in
server.der? I was assuming that this URI will be used by the OSU client to
validate the certificate. In order to do that, the OCSP request should be
sent only after downloading the server certificate. Please correct me if my
understanding is wrong.

Authority Information Access:
    OCSP - URI:http://example.com:8888/

I am running the OCSP server using ocsp-responder.sh from the "hs20/server/ca"
folder. OCSP validation is passing if I test using ocsp-req.sh and
ocsp-update-cache.sh.

Regards,
Sreenath

