Doubt regarding OCSP validation in HS2.0 R2 online signup using hs20-osu-client

Jouni Malinen j at w1.fi
Sat Nov 15 04:55:06 EST 2014


On Thu, Nov 06, 2014 at 12:33:38PM +0530, Sreenath S wrote:
> Online signup is failing with below error when I enable OCSP in
> /system/bin/hs20-osu-client.workarounds. The error is from
> ocsp_resp_cb().
> 
> HTTP error: No OCSP response received

Are you sure the server you are using is configured to support OCSP
stapling?

> It was found that ocsp_resp_cb() is called even before the download of
> certificate, i.e., before download_cert(). The request is sent using
> function - curl_easy_perform() which in turn parses devinfo.xml and
> devdetail.xml to get information. But URI tag is NULL in devdetail.xml;
> from the logs I presume that OCSP URI is taken from devdetail.

Huh.. curl_easy_perform() has nothing to do with devinfo.xml or
devdetail.xml.. The client does not use OCSP URI either, it uses TLS
extensions and OCSP stapling on the server.

> Then what is significance of "Authority Information Access" field in
> server.der. I was assuming that this URI will be used by OSU client to
> validate the certificate. In order to do that OCSP request should be
> sent only after downloading server certificate. Please correct if my
> understanding is wrong.

That's not the case. OCSP stapling is used, i.e., AIA URI is used by the
server, not the client.

> I am running OCSP server using ocsp-responder.sh from "hs20/server/ca"
> folder. OCSP validation is passing if I test using ocsp-req.sh and
> ocsp-update-cache.sh.

That is not OCSP stapling. Did you configure the HTTPS server to enable
OCSP stapling?

-- 
Jouni Malinen                                            PGP id EFC895FA
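The point of the reply is that the OSU client never contacts the AIA URI itself; it sends the TLS status_request extension and expects the HTTPS server to staple an OCSP response into the handshake. The quickest way to see whether a server actually does that is `openssl s_client -status`. The script below is an added example, not code from the hostap project or from this thread: it wraps that probe in a function and classifies its output. It assumes the `openssl` command-line tool is installed and relies on the wording `s_client -status` prints ("OCSP response: no response sent" when nothing was stapled, "OCSP Response Status: successful" when a good response was). `check_server` and `classify_stapling` are names chosen for this example, and the host:port argument is whatever server you are testing.

```shell
#!/bin/sh
# Added example (not part of the hostap thread): probe whether a TLS server
# staples an OCSP response, which is what the OSU client requires.

# classify_stapling reads the output of `openssl s_client -status` on stdin
# and prints one word:
#   stapled        - a stapled OCSP response was received and its status is successful
#   stapled-error  - a response was stapled but its status is not "successful"
#   none           - the server answered the status_request with nothing
#   unknown        - the text did not look like s_client -status output
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)   echo none ;;
        *"OCSP Response Status: successful"*)  echo stapled ;;
        *"OCSP Response Status:"*)             echo stapled-error ;;
        *)                                     echo unknown ;;
    esac
}

# check_server probes a live host:port (hypothetical target; needs network
# access and the openssl tool). The "none" result corresponds to a server
# that has the AIA URI in its certificate but has not been configured to
# fetch and staple the responder's answer.
check_server() {
    host=${1%%:*}
    openssl s_client -connect "$1" -servername "$host" -status </dev/null 2>/dev/null \
        | classify_stapling
}

# Usage: ./check-stapling.sh osu.example.net:443   (example host, not a real one)
if [ $# -gt 0 ]; then
    check_server "$1"
fi
```

A result of `none` means the HTTPS server itself must be fixed (enable stapling and point it at the responder); running ocsp-req.sh against the responder directly, as in the quoted message, only proves the responder works, not that the server forwards its answer to clients.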

