 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IE 7 OCSP request breaks captive portals
 Date:  Mon, 30 Oct 2006 12:16:18 -0800
Greets.  We've been experiencing a problem introduced by IE 7, which
arguably is caused by improved security.  This is in a non-m0n0wall
context, but it seems that the problem will become widespread soon.

We have a walled garden/captive portal page users are redirected to
via HTTPS.  The server presents a cert in the server hello, as usual,
but with a sufficiently paranoid client (as is the default with MSIE 7, but
could be the case with Firefox depending on settings), the attempt to
validate the cert - either by following the OCSP URL baked into the
cert, or via CRL fetch - fails.

It seems to me that rather than inventing a separate OCSP/CRL proxy,
this functionality should be in the captive portal itself -- once
the $$ are paid or password given etc, the user is no longer restricted
to the captive portal.

Forgive me if this has been a topic of discussion here and I missed it.
I'd like comments on this problem, I'm sure everyone here has an
opinion. ;-)
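
Added illustration, not part of the original message: one way a portal operator could derive the pre-authentication allowlist is to read the OCSP and CRL URLs out of the portal certificate's own extensions. The function names and the ca.example URLs are assumptions; the sample is built by hand and is the contents of a certificate's Extensions SEQUENCE, not a full certificate.

```python
from urllib.parse import urlsplit

AIA = bytes.fromhex("2b06010505070101")        # id-pe-authorityInfoAccess
CDP = bytes.fromhex("551d1f")                  # id-ce-cRLDistributionPoints
OCSP = bytes.fromhex("06082b06010505073001")   # id-ad-ocsp, complete OID element
PORTS = {"http": 80, "https": 443}             # other schemes (ldap) are skipped

def tlvs(buf):
    """Yield (tag, value) for each DER element at the top level of buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                           # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def uris(buf):
    """Collect every GeneralName URI ([6], tag 0x86) nested below buf."""
    for tag, val in tlvs(buf):
        if tag == 0x86:
            yield val.decode("ascii")
        elif tag & 0x20:                       # constructed element: descend
            yield from uris(val)

def validation_endpoints(extensions):
    """Map host:port -> URLs a client may fetch while validating the cert.
    AIA caIssuers URLs, if present, are included alongside OCSP and CRL."""
    out = {}
    for _, ext in tlvs(extensions):            # each Extension SEQUENCE
        fields = list(tlvs(ext))               # OID, [critical], extnValue
        if fields[0][1] in (AIA, CDP):
            for url in uris(fields[-1][1]):    # body of the OCTET STRING
                u = urlsplit(url)
                if u.scheme in PORTS:
                    key = f"{u.hostname}:{u.port or PORTS[u.scheme]}"
                    out.setdefault(key, []).append(url)
    return out

def der(tag, *parts):                          # sample builder, short lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample: one AIA extension (OCSP) and one CRL distribution point.
SAMPLE = (
    der(0x30, der(0x06, AIA), der(0x04, der(0x30, der(0x30, OCSP, der(0x86, b"http://ocsp.ca.example/")))))
    + der(0x30, der(0x06, CDP), der(0x04, der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.ca.example/portal.crl")))))))
)
if __name__ == "__main__":
    print(validation_endpoints(SAMPLE))
```

The resulting host:port pairs are the destinations an unauthenticated client would need to reach for the revocation check on the portal's certificate to complete.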