Frequent Contributor I

OCSP on Firefox

So "use OCSP" is checked by default on Firefox 3.6+. That means on our guest network we have to allow access to this server (ocsp.thawte.com/ocsp.verisign.net) before authentication, otherwise users can't see the captive portal. They could if they unchecked this on their browsers, but that is not scalable when you have hundreds or more guests at a time.
Thawte/Verisign decided to change the IP address of the server they were using for OCSP, so my ACL broke. Since DNS names are not supported on ACLs as of now on Aruba 5.0, have you guys come up with any other better ideas to allow this traffic through without having to worry that Thawte/Verisign will change the IP address of the OCSP server(s)?
Thanks,
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Guru Elite

Re: OCSP on Firefox

A number of organizations simply have a link on their login page for "help" with a picture of the error and how to turn it off. Or you can just add the new IP address to an alias that is allowed.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor

Re: OCSP on Firefox

The following seems to work in our situation:

ip access-list session Thawte_Allow
any host 199.7.48.72 any permit log
any host 199.7.50.72 any permit log
any host 199.7.51.72 any permit log
any host 199.7.52.72 any permit log
any host 199.7.54.72 any permit log
any host 199.7.55.72 any permit log
any host 199.7.57.72 any permit log
any host 199.7.58.72 any permit log
any host 199.7.59.72 any permit log
any host 199.7.71.72 any permit log
any host 199.16.83.72 any permit log

The IP addresses were gathered via repeated nslookups since there is some kind of load-balancing. Hope this helps!

Steve.
New Contributor

OCSP

We got it working but had to add more IPs to the list to allow ocsp.usertrust.com:

host 174.133.236.131
host 174.133.251.251
host 208.77.208.79
host 208.77.208.82
host 208.116.13.251
host 208.116.18.83
host 64.150.188.27
host 64.150.190.19
host 65.98.24.187
host 69.175.66.203
host 69.175.66.219
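The two posts above collect responder addresses by repeated nslookups and paste them into an ACL, and the earlier reply suggests keeping them in an alias instead. The following is an added example, not code from any poster in this thread, that automates that: it resolves the responder hostnames named in the thread several times (to pick up round-robin answers), deduplicates the results, and emits an ArubaOS netdestination alias plus a session ACL that references it, so only the alias has to be regenerated when a provider moves its responder. The alias and ACL names, the number of lookup rounds, and the restriction to tcp/80 (svc-http, since OCSP responders in AIA URLs are plain HTTP) are assumptions; it needs a controller on which session ACLs can be edited.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild an ArubaOS netdestination alias
# for OCSP responders from DNS so the ACL references the alias rather than
# hard-coded IPs. Alias name, ACL name and lookup rounds are assumptions.
# Assumes OCSP is plain HTTP on tcp/80 (svc-http); widen the service only if
# a responder actually uses another port.

# Resolve each hostname to its A records, repeating to catch DNS round-robin.
# Needs network access; prints one IPv4 address per line, deduplicated.
resolve_hosts() {
    rounds=${ROUNDS:-5}
    for h in "$@"; do
        i=0
        while [ "$i" -lt "$rounds" ]; do
            getent ahostsv4 "$h" | awk '{print $1}'
            i=$((i + 1))
        done
    done | sort -u
}

# Emit the netdestination alias for the given name and IPv4 addresses.
# Pure function: filters out anything that is not a dotted quad, dedups, sorts.
emit_netdestination() {
    name=$1; shift
    printf 'netdestination %s\n' "$name"
    printf '%s\n' "$@" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u |
        while read -r ip; do printf '  host %s\n' "$ip"; done
    printf '!\n'
}

# Emit a session ACL that permits HTTP from any guest to the alias.
emit_acl() {
    name=$1; alias=$2
    printf 'ip access-list session %s\n' "$name"
    printf '  any alias %s svc-http permit\n' "$alias"
    printf '!\n'
}

# Online usage: build the config from the responders mentioned in this thread.
if [ "${1:-}" = "--run" ]; then
    ips=$(resolve_hosts ocsp.thawte.com ocsp.verisign.net ocsp.usertrust.com)
    # shellcheck disable=SC2086
    emit_netdestination ocsp-responders $ips
    emit_acl ocsp-allow ocsp-responders
fi
```

Run it with `--run` from a host that can resolve the responder names, paste the output into the controller, and put the ACL in the guest role's pre-authentication role (the one that also permits the captive portal and DNS). Re-running it on a schedule and diffing the alias against the controller's copy is what catches the address changes the original poster ran into.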
Frequent Contributor I

Re: OCSP on Firefox

Hi,

Here's the procedure to turn it off:

Workaround

To work around the OCSP error, you may temporarily disable OCSP certificate validation.
1. At the top of the Firefox window, click on the Firefox button (Tools menu in Windows XP) and then click Options
2. Click on the Advanced icon to open the Advanced panel.
3. Click on the Encryption tab.
4. Click on Validation. The Certificate Validation window will appear.
5. Click "Use the Online Certificate Status Protocol (OCSP) to confirm the validity of certificates" to un-select it.
6. Close the Certificate Validation window.
7. Click OK to close the Options window


Thanks.

Michael
Aruba Employee

Re: OCSP on Firefox

Thanks for the additional info Michael!
New Contributor

Re: OCSP on Firefox

Hello all,

I am running Aruba OS 6.1 with a guest portal configured on it. I do NOT have the firewall license, so I am not able to change the ACLs of the guest portal. Adding the IP addresses of the OCSP servers is, as far as I know, not possible.
The solution of turning off the OCSP validation in Firefox is not an option, because I have no control over the devices of the guests.
Is there another way that guests can use their Firefox browser to authenticate to the captive portal?

Kind regards,

Erik
Guru Elite

Re: OCSP on Firefox

The workaround would be to disable https for the Captive Portal profile, so that there is no certificate validation. The main issue is that the captive portal username and password would be in plaintext and not protected via SSL, so I would not authenticate, say, employees on there.


Colin Joseph
Aruba Customer Engineering


Moderator

Re: OCSP on Firefox

The best advice I can offer is to replace the factory SSL certificate with something else. You'll want something that does not include the OCSP AIA field in the certificate. I've found that GeoTrust QuickSSL certs do not contain this URL (although that could change at any time).
---
Jon Green, ACMX, CISSP
Security Guy
Moderator

Re: OCSP on Firefox

Another alternative I should mention is to create your own certificate using OpenSSL. Browsers will get a warning about the certificate not being trusted, but that's probably better than it failing entirely. Some instructions are here:

http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php

(You can generate the CSR externally, or you can generate the CSR on the controller itself from the Configuration->Certificates->CSR tab and then sign it externally.)
---
Jon Green, ACMX, CISSP
Security Guy
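The two replies above recommend a certificate without an OCSP URL in its AIA extension, either from a CA whose certificates omit it or self-signed with OpenSSL. Here is an added example, not from the thread or the linked tutorial, that does the CSR-then-sign flow on a workstation and then checks the finished certificate for an OCSP responder URL with `openssl x509 -ocsp_uri`; the same check works on a CA-issued certificate before it is installed on the controller. The file names, subject and validity period are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the linked tutorial): generate a key
# and CSR for the captive portal, self-sign the CSR, and verify that the
# resulting certificate carries no OCSP responder URL in its AIA extension.
# File names, subject and validity are assumptions; run in a scratch directory.

# Create a 2048-bit RSA key and a CSR for the portal hostname (assumed name).
# On a controller the CSR can be produced under Configuration->Certificates
# instead; only the signing and the check below would change.
make_csr() {
    cn=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout portal.key -out portal.csr -subj "/CN=$cn" 2>/dev/null
}

# Self-sign the CSR. A CA would sign portal.csr and return portal.crt instead;
# the check below is the same either way.
self_sign() {
    openssl x509 -req -in portal.csr -signkey portal.key -sha256 \
        -days 365 -out portal.crt 2>/dev/null
}

# Print the OCSP responder URL(s) a certificate carries; empty means none.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Succeed only when the certificate has no OCSP URL, i.e. Firefox has nothing
# to query and the portal page loads without pre-auth access to a responder.
has_no_ocsp_uri() {
    [ -z "$(ocsp_uri_of "$1")" ]
}

build_and_check() {
    make_csr "$1" && self_sign && has_no_ocsp_uri portal.crt
}

# Usage: build_and_check captiveportal.example.edu && echo "no OCSP URL: OK"
```

Before replacing the factory certificate, run `ocsp_uri_of` against whatever the CA returns: a non-empty result means guests' browsers will again try to reach that responder before the portal renders, and the ACL or alias approach from earlier in the thread is still needed.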