More questions on hs20/OSU keys and configuration.

Ben Greear greearb at candelatech.com
Wed Mar 25 12:41:45 EDT 2015


On 03/25/2015 04:32 AM, Jouni Malinen wrote:
> On Mon, Mar 23, 2015 at 04:14:05PM -0700, Ben Greear wrote:
>> The hs20-osu-server.txt file never mentions actually starting the hs20_osu_server,
>> but I assume that does need to be done.  And part of that seems to be configuring
>> the DB with some correct URLs and key information.
> 
> You don't need to start hs20_osu_server; it is executed when needed by
> www/spp.php. You do need to create the DB, though.

Ok, I think I at least mostly understand this now.

> 
>> So, I need to create a proper sql-example.txt file and I have several questions on it.
>>
>> ca/setup.sh does not generate spp-root-ca.der nor aaa-root-ca.der.  How are these
>> supposed to be created?
> 
> spp-root-ca.der would be DER encoded version of rootCA/cacert.pem.
> aaa-root-ca.der would be the trust root you are planning on using on the
> main AAA server (e.g., for EAP-TLS or EAP-TTLS authentication for normal
> data connection). ca/setup.sh is not involved in setting up that part.
> 
>> 'osu-server' is also not found in the setup.sh script.  How
>> does this name correlate to what the setup.sh is using?
> 
> ca/server.pem from setup.sh is used on the HTTPS server that acts as the
> OSU server (i.e., that https://osu-server... URL).
> 
>> And, same question for the 'subscription-server'?
> 
> In theory, subscription server could use a different server certificate,
> but I'm using the same one for both OSU and subscription servers (and
> policy server for that matter).
> 
>> Maybe subscription-server and osu-server could both be the same,
>> be called 'osu-client.$DOMAIN' and use the 'server-client' keys & certs
>> that setup.sh created?  It seems that apache cannot do HTTPS virtual-hosts,
>> or at least not with any flexibility, so if I can do all of the HTTPS
>> on the same hostname that is probably best?
> 
> You can use the same server certificate for all these logical servers.
> That comment about Apache may be a bit misleading, though.. You can have
> different server certificates on different TCP ports which is what I'm
> normally doing for negative test cases or when wanting to test more than
> a single set of server certificates.


Right, I have been trying this as well.

But, I'm running into new problems now.

I patched the osu_client so that it would use the specified osu-ca.pem file as
the ca_fname (which is then passed into curl):

[greearb at v-f20-64 client]$ git diff .
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index 66fef63..0adc3ca 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c

....

@@ -2039,7 +2041,14 @@ static int osu_connect(struct hs20_osu_client *ctx, const char *bssid,
                char dir[255], fname[300];
                if (getcwd(dir, sizeof(dir)) == NULL)
                        return -1;
-               os_snprintf(fname, sizeof(fname), "%s/osu-ca.pem", dir);
+                if (ctx->ca_fname) {
+                       strncpy(fname, sizeof(fname), ctx->ca_fname);
+                }
+                else {
+                       os_snprintf(fname, sizeof(fname), "%s/osu-ca.pem", dir);
+                        ctx->ca_fname = strdup(fname); /* so lib curl can use it. */
+                }
+                fname[sizeof(fname) - 1] = 0; /* ensure null termination */

                if (set_network(ifname, id, "proto", "OSEN") < 0 ||
                    set_network(ifname, id, "key_mgmt", "OSEN") < 0 ||
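Review bot: the strncpy() in the new ctx->ca_fname branch has its arguments out of order; strncpy() takes (dest, src, n), so `strncpy(fname, sizeof(fname), ctx->ca_fname);` hands a size_t where the source pointer goes and the path pointer as the length, and the copy cannot work as intended. hostap's utility layer has os_strlcpy() for exactly this, e.g. `os_strlcpy(fname, ctx->ca_fname, sizeof(fname));`, which always NUL-terminates, so the trailing `fname[sizeof(fname) - 1] = 0;` becomes unnecessary (os_snprintf() in the else branch already terminates its output). Two smaller points: the else branch calls strdup() directly while the neighbouring code goes through the os_ wrappers (os_snprintf() on the line above), so os_strdup() would match, and whatever is stored in ctx->ca_fname here needs a matching free when the context is torn down; also, the added lines are indented with spaces while the surrounding lines use tabs.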
....


It seems that libcurl is not able to deal with OCSP.  I did a tshark dump on
port 8888 on the 192.168.100.85 machine and I see no traffic at all, so curl
is not asking there it seems.  Any idea what I might be doing wrong?


CURLINFO_TEXT[STATE: INIT => CONNECT handle 0x1059188; line 1034 (connection #-5000) ]
CURLINFO_TEXT[Added connection 0. The cache now contains 1 members]
CURLINFO_TEXT[STATE: CONNECT => WAITRESOLVE handle 0x1059188; line 1071 (connection #0) ]
CURLINFO_TEXT[  Trying 192.168.100.85...]
CURLINFO_TEXT[STATE: WAITRESOLVE => WAITCONNECT handle 0x1059188; line 1151 (connection #0) ]
CURLINFO_TEXT[Connected to osu.ben-ota-2.lanforge.local (192.168.100.85) port 443 (#0)]
CURLINFO_TEXT[Marked for [keep alive]: HTTP default]
CURLINFO_TEXT[successfully set certificate verify locations:]
CURLINFO_TEXT[  CAfile: /home/lanforge/wifi/osu_wlan1/osu-ca.pem
  CApath: none]
curl_cb_ssl
CURLINFO_TEXT[TLSv1.2, TLS handshake, Client hello (1):]
debug - CURLINFO_SSL_DATA_OUT - 274
CURLINFO_TEXT[STATE: WAITCONNECT => PROTOCONNECT handle 0x1059188; line 1223 (connection #0) ]
CURLINFO_TEXT[TLSv1.2, TLS handshake, Server hello (2):]
debug - CURLINFO_SSL_DATA_IN - 94
OpenSSL: No OCSP response received
CURLINFO_TEXT[TLSv1.2, TLS alert, Server hello (2):]
debug - CURLINFO_SSL_DATA_OUT - 2
CURLINFO_TEXT[error:14092113:SSL routines:SSL3_GET_SERVER_HELLO:serverhello tlsext]
CURLINFO_TEXT[Marked for [closure]: Failed HTTPS connection]
CURLINFO_TEXT[Closing connection 0]
CURLINFO_TEXT[The cache now contains 0 members]
CURLINFO_TEXT[Expire cleared]
curl_easy_perform() failed: No OCSP response received
HTTP error: No OCSP response received
Remove OSU network connection
wpa_command(ifname='wlan1', cmd='REMOVE_NETWORK 1')
===[hs20-osu-client END ]======================


Thanks,
Ben


-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
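The handshake in the log above and the spp-root-ca.der question earlier in this thread, as an added example that is not part of the original message and not code from hostap, curl or Apache. In TLS a client that wants OCSP stapling sends the status_request extension (RFC 6066) in its ClientHello and expects the server to answer with a CertificateStatus handshake message carrying the OCSP response; the server is the side that fetches that response from the responder, so a client relying on stapling produces no traffic of its own to the responder port. The Python below (standard library only) converts a PEM CA to DER with a check on the outer DER length, and classifies a ClientHello/server-flight pair as not_requested, stapled or requested_but_not_stapled. All byte strings are constructed stand-ins, not captured traffic: SAMPLE_PEM wraps a five-byte DER SEQUENCE rather than a real certificate, the hello messages use zero randoms and one cipher suite, and the stapled OCSPResponse is placeholder bytes.

```python
"""Added example (not hostap, curl or Apache code): PEM->DER for spp-root-ca.der, plus
a TLS 1.2 handshake inspector for OCSP stapling (status_request / CertificateStatus)."""
import base64
import struct

HANDSHAKE = 22              # TLS record content type
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CERTIFICATE_STATUS = 22  # RFC 6066 CertificateStatus handshake message
EXT_STATUS_REQUEST = 5      # RFC 6066 status_request ClientHello extension

# Constructed stand-in: a minimal DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

def pem_to_der(pem: bytes) -> bytes:
    """Strip PEM armor and base64-decode, then check the outer DER SEQUENCE length."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    der = base64.b64decode(body, validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    n = der[1] & 0x7F if der[1] & 0x80 else 0            # long-form length octets
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if 2 + n + length != len(der):
        raise ValueError("DER length does not match input size")
    return der

def iter_handshake_messages(stream: bytes):
    """Yield (type, body) handshake messages from plaintext records, reassembling across records."""
    off, buf = 0, b""
    while off + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE:                            # alerts, CCS, app data: skip
            continue
        buf += frag
        while len(buf) >= 4:
            hlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + hlen:
                break
            yield buf[0], buf[4:4 + hlen]
            buf = buf[4 + hlen:]

def client_hello_extensions(body: bytes) -> dict:
    """Map extension type -> data for a ClientHello body (RFC 5246 layout)."""
    off = 2 + 32                                          # client_version + random
    off += 1 + body[off]                                  # session_id
    off += 2 + int.from_bytes(body[off:off + 2], "big")   # cipher_suites
    off += 1 + body[off]                                  # compression_methods
    exts = {}
    if off + 2 > len(body):                               # no extensions block
        return exts
    end = off + 2 + int.from_bytes(body[off:off + 2], "big")
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        exts[etype] = body[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts

def stapling_status(client_bytes: bytes, server_bytes: bytes) -> str:
    """'not_requested', 'stapled' or 'requested_but_not_stapled'; in the last case a client
    with mandatory OCSP aborts with an alert rather than querying the responder itself."""
    requested = any(h == HS_CLIENT_HELLO and EXT_STATUS_REQUEST in client_hello_extensions(b)
                    for h, b in iter_handshake_messages(client_bytes))
    if not requested:
        return "not_requested"
    if any(h == HS_CERTIFICATE_STATUS for h, _ in iter_handshake_messages(server_bytes)):
        return "stapled"
    return "requested_but_not_stapled"

def _hs_record(htype: int, body: bytes) -> bytes:
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg

def build_client_hello(request_ocsp: bool) -> bytes:
    # Constructed minimal TLS 1.2 ClientHello: zero random, one cipher suite, no SNI.
    ext = b""
    if request_ocsp:
        ext_data = b"\x01\x00\x00\x00\x00"   # status_type=ocsp(1), no responder ids/exts
        ext = struct.pack("!HH", EXT_STATUS_REQUEST, len(ext_data)) + ext_data
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    return _hs_record(HS_CLIENT_HELLO, body)

def build_server_flight(staple: bool) -> bytes:
    # Constructed ServerHello, optionally followed by a CertificateStatus with a placeholder
    # OCSPResponse; Certificate and ServerHelloDone are left out for brevity.
    sh = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00" + b"\x00\x00"
    out = _hs_record(HS_SERVER_HELLO, sh)
    if staple:
        resp = b"\x30\x03\x0a\x01\x00"        # placeholder bytes, not a real OCSP response
        out += _hs_record(HS_CERTIFICATE_STATUS, b"\x01" + len(resp).to_bytes(3, "big") + resp)
    return out
```

stapling_status(build_client_hello(True), build_server_flight(False)) reproduces the shape of the exchange in the log (status requested, ServerHello received, no CertificateStatus). Against a live OSU server the equivalent check is `openssl s_client -connect host:443 -status`, which prints whether a stapled response was sent; for Apache that requires SSLUseStapling on together with an SSLStaplingCache, since it is the web server that has to fetch the response from the responder.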