I am in the process of incorporating Enterprise Wi-Fi into the application based upon the "join_ent" demo app.
I normally have an HTTPS server running on the WICED device. When connected to Personal Wi-Fi, everything is fine. When the WICED device connects to Enterprise Wi-Fi (via a freeradius server) configured for TTLS, the WICED device is authenticated by the Radius server and connects properly. It can ping, etc. Looks good.
However, the Enterprise Wi-Fi appears to also "kill" the TLS connectivity to the HTTPS server somehow. I can run an HTTP server (no TLS) with no problem.
Has anyone got both working at the same time?
Thanks!
Hi Charles,
Are you able to establish TLS connectivity after using the "join_ent" demo app and running an HTTPS server for Enterprise Wi-Fi?
If yes, can you please provide the mbed TLS and RADIUS server debug logs?
Thanks.
Thank you! Before I resort to the "join_ent" demo, I did a TLS debug log dump, and my preliminary observation is that the following message appears:
WICED/security/BESL/mbedtls_open/library/ssl_tls.c:4693: TLSv1 client has no certificate
So... I have a feeling that WICED is expecting a client certificate like it was set for mutual authentication. I'll do a bit of digging and will report back with something more informative.
Well, well. That's exactly what it is. The HTTPS server is fine. However, the server asked for a client certificate when Enterprise/TTLS was employed. When I installed a client cert into the browser, the browser (Firefox) connected to the HTTPS server.
So, I left conn_info.trusted_ca_certificates = NULL, and now it works as expected. So, making this assignment enables mutual authentication for the HTTPS server (and my HTTPS client, as well, as it turns out).
Digging further, I see that the function besl_supplicant_init calls:
wiced_result = wiced_tls_init_root_ca_certificates( (char*) conn_info->trusted_ca_certificates, conn_info->root_ca_cert_length );
So, this is what is forcing the mutual authentication for all TLS activities.
I wonder if there is a way to specify mutual authentication only for specific functions, namely: Wi-Fi channel, HTTPS server and HTTPS client?
Mutual authentication is done internally based on the client certificate request in WICED. By default, mbed TLS requires SSL_CERTIFICATE_REQUEST for the client certificate request. Also, both the client and server certificates have to be authorized by the same Root Certificate Authority in the TLS handshake mechanism.
Thanks.
Understood, thank you. In summary, then, the function besl_supplicant_init calls wiced_tls_init_root_ca_certificates which, in turn, mandates client authentication if conn_info.trusted_ca_certificates is specified.
Case closed!
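The behaviour this thread pins down (a trusted root CA loaded for the supplicant turning every TLS endpoint on the device into a mutual-authentication endpoint, and a client certificate only being accepted when it chains to the same root) reproduced as an added example. It is not code from the thread, from WICED or from Infineon: it uses Go's crypto/tls over loopback TCP, where tls.RequireAndVerifyClientCert plays the part of the loaded conn_info.trusted_ca_certificates and a nil trusted CA plays the part of leaving it NULL. The certificate names (lab-root-ca, device.local, browser, other-root-ca, stranger) and the loopback listener are constructed for the example, and all key material is generated in memory each time it runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn. With parent == nil it is a self-signed root CA
// (standing in for what conn_info.trusted_ca_certificates points at); otherwise parent signs it.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Constructed test material: none of these certificates come from the thread or from a real device.
var (
	root     = newCert("lab-root-ca", nil)    // root CA handed to the supplicant
	server   = newCert("device.local", &root) // the device's HTTPS server certificate
	browser  = newCert("browser", &root)      // client certificate issued by the same root
	other    = newCert("other-root-ca", nil)
	stranger = newCert("stranger", &other) // client certificate from an unrelated root
)

// connect runs one HTTPS-style handshake over loopback TCP and returns the server's
// verdict (nil = client accepted). trustedCA == nil models trusted_ca_certificates = NULL,
// where no client certificate is requested; a loaded root CA makes the server require a
// client certificate chaining to it, which is what the thread found happening.
func connect(trustedCA *x509.Certificate, clientCert *tls.Certificate) error {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server}}
	if trustedCA != nil {
		serverCfg.ClientCAs = x509.NewCertPool()
		serverCfg.ClientCAs.AddCert(trustedCA)
		serverCfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	clientCfg := &tls.Config{ServerName: "device.local", RootCAs: x509.NewCertPool()}
	clientCfg.RootCAs.AddCert(root.Leaf)
	if clientCert != nil {
		clientCfg.Certificates = []tls.Certificate{*clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		must(err)
		s := tls.Server(raw, serverCfg)
		err = s.Handshake()
		s.Close()
		verdict <- err
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		// A TLS 1.3 client finishes before the server has checked its certificate; the
		// first Read is where a rejection surfaces, and it also lets the close complete.
		c.Read(make([]byte, 1))
		c.Close()
	}
	return <-verdict
}

func main() {
	fmt.Println("no root CA, no client cert:            ", connect(nil, nil))
	fmt.Println("root CA set, no client cert:           ", connect(root.Leaf, nil))
	fmt.Println("root CA set, client cert from same CA: ", connect(root.Leaf, &browser))
	fmt.Println("root CA set, client cert from other CA:", connect(root.Leaf, &stranger))
}
```

Each line prints <nil> when the server accepted the connection and the server's handshake error when it refused it: the first and third cases are accepted, the second is the Firefox-without-a-client-cert situation from the thread, and the fourth is the "same Root Certificate Authority" rule. For that last case, whether the client withholds a certificate that does not chain to one of the server's advertised CAs (as Go's client does) or sends it and the server fails to verify it, the verdict is a refusal either way.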