On Tue, Apr 18, 2017 at 09:18:14PM +0200, Johannes Berg wrote:
> Fix the openssl ocsp command line and check if it returns
> an error - so that instead of having something unusable
> later we error out immediately.
>
> This still doesn't get the test to pass for me, but at
> least openssl is no longer complaining.

This breaks ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked ("Unexpected EAP-Success") and ap_wpa2_eap_tls_intermediate_ca_ocsp ("Connection timed out") for me.

> diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
> @@ -4078,13 +4078,17 @@ def root_ocsp(cert):
> - arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
> - "-no_nonce", "-sha256", "-text" ]
> + arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
> + "-cert", cert, "-no_nonce", "-text" ]

What does this fix? This moves the command line argument "-sha256" to be earlier, but the man page for openssl ocsp shows the hash algorithm arguments to be at the end.. What did openssl complain for you and which version of openssl is that?

Interestingly, I do see a difference here, i.e., the location of the -sha256 argument does indeed change behavior for me. The current script ends up using SHA-1 instead of SHA-256 which was the purpose and your change does indeed make it use SHA-256. However, that does not remove any warning or error message from openssl for me. The fact that the test fails then is problematic, though..
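Review bot: the commit message does not say why moving "-sha256" ahead of "-cert" changes anything, and the hunk header (-4078,13 +4078,17) accounts for four added lines that are not in the quoted excerpt, so the return-code check the message describes cannot be reviewed here. The reordering is needed because openssl ocsp adds the request's CertID at the point where it processes "-cert", using whichever digest option it has already seen (SHA-1 when none has), so with the old order "-sha256" arrived too late and the request silently used SHA-1; that is consistent with the behavior observed in the reply above. Suggest stating this in the commit message and quoting the error-check lines when resending, e.g. a comment above the list such as "# the digest option must precede -cert or openssl ocsp falls back to SHA-1".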
> @@ -4111,13 +4118,16 @@ def ica_ocsp(cert):
> - arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
> - "-no_nonce", "-sha256", "-text" ]
> + arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
> + "-cert", cert, "-no_nonce", "-text" ]

And obviously the same here.. It looks like OpenSSL is rejecting the OCSP response in the SHA-256 case ("bad certificate status response"). Interestingly, the internal TLS implementation in hostap.git does pass the test cases with the SHA-256 case as well.

Or to be more exact, the tls_openssl.c code in wpa_supplicant is failing to find the current server certificate from the OCSP response when SHA-256 hash is used instead of SHA-1. Looks like this is due to the OCSP_cert_to_id() use there with NULL dgst argument. Hmph.. I guess that needs to loop over different hash algorithms to make this more generic.

--
Jouni Malinen PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
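Review bot: ica_ocsp() now carries exactly the same argument list as root_ocsp(), with the same unstated constraint that "-sha256" must come before "-cert"; suggest factoring the list into one helper (for instance a function taking the issuer and cert paths and returning the argv list) so the ordering requirement is encoded and commented in a single place rather than duplicated in both hunks.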
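The mismatch described in the reply above, as an added illustration that is not code from hostap or OpenSSL: a verifier that always builds its local CertID with SHA-1 never matches a responder that hashed with SHA-256, while a digest-aware match that rebuilds the local CertID with each response's own hash algorithm does. The CertID fields are modelled with hashlib over constructed placeholder bytes rather than parsed from real DER, and the functions `cert_id`, `find_status_sha1_only` and `find_status` are this example's own names.

```python
import hashlib

# Digests a responder may name in CertID.hashAlgorithm (RFC 6960 4.1.1).
# An implementation that always hashes with SHA-1 (the dgst=NULL default in
# OpenSSL's OCSP_cert_to_id()) only ever produces the first of these.
SUPPORTED_DIGESTS = ("sha1", "sha256", "sha384", "sha512")

def cert_id(issuer_name_der, issuer_key, serial, alg):
    """Compute a CertID: digest of issuer name, digest of issuer key, serial."""
    return {
        "alg": alg,
        "issuer_name_hash": hashlib.new(alg, issuer_name_der).digest(),
        "issuer_key_hash": hashlib.new(alg, issuer_key).digest(),
        "serial": serial,
    }

def find_status_sha1_only(responses, issuer_name_der, issuer_key, serial):
    """The failing approach: one local CertID, always SHA-1, compared to each response."""
    want = cert_id(issuer_name_der, issuer_key, serial, "sha1")
    return next((r for r in responses if r["cert_id"] == want), None)

def find_status(responses, issuer_name_der, issuer_key, serial):
    """Digest-aware match: rebuild the local CertID with each response's own digest."""
    for resp in responses:
        alg = resp["cert_id"]["alg"]
        if alg not in SUPPORTED_DIGESTS:
            continue  # responder used a digest we cannot compute; no match possible
        if resp["cert_id"] == cert_id(issuer_name_der, issuer_key, serial, alg):
            return resp
    return None

# Constructed sample input (placeholder bytes, not real DER or a real key):
# the intermediate CA's name and key, the server cert's serial, and a responder
# that built its CertIDs with SHA-256, as in the failing hwsim test.
ISSUER_NAME = b"constructed-issuer-name-der"
ISSUER_KEY = bytes(range(64))
SERVER_SERIAL = 0x1001
RESPONSES = [
    {"cert_id": cert_id(ISSUER_NAME, ISSUER_KEY, 0x0FFF, "sha256"), "status": "good"},
    {"cert_id": cert_id(ISSUER_NAME, ISSUER_KEY, SERVER_SERIAL, "sha256"), "status": "revoked"},
]

if __name__ == "__main__":
    print(find_status_sha1_only(RESPONSES, ISSUER_NAME, ISSUER_KEY, SERVER_SERIAL))  # None
    print(find_status(RESPONSES, ISSUER_NAME, ISSUER_KEY, SERVER_SERIAL)["status"])  # revoked
```

Using the algorithm the responder names in each CertID generalizes the "loop over hash algorithms" idea: only one recomputation per single response is needed, and a response with an unknown digest is skipped instead of being mistaken for a non-match of the server certificate.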