Enterprise Wi-Fi Kills TLS for Web Server (CYW943907AEVAL1F)


ChMa_3922746
Level 5

I am in the process of incorporating Enterprise Wi-Fi into the application based upon the "join_ent" demo app.

I normally have an HTTPS server running on the WICED device.  When connected to Personal Wi-Fi, everything is fine.  When the WICED device connects to Enterprise Wi-Fi (via a freeradius server) configured for TTLS, the WICED device is authenticated by the Radius server and connects properly.  It can ping, etc.  Looks good.

However, the Enterprise Wi-Fi appears to also "kill" the TLS connectivity to the HTTPS server somehow.  I can run an HTTP server (no TLS) with no problem.

Has anyone got both working at the same time?

Thanks!

KotnaniK_71
Employee

Hi Charles,

Are you able to establish TLS connectivity after using the "join_ent" demo app and running the HTTPS server on Enterprise Wi-Fi?
If yes, can you please provide the mbedTLS and RADIUS server debug logs.

Thanks.


Thank you!  Before I resort to the "join_ent" demo, I did a TLS debug log dump, and my preliminary observation is that the following message appears:

WICED/security/BESL/mbedtls_open/library/ssl_tls.c:4693: TLSv1 client has no certificate

So... I have a feeling that WICED is expecting a client certificate like it was set for mutual authentication.  I'll do a bit of digging and will report back with something more informative.


Well, well.  That's exactly what it is.  The HTTPS server is fine.  However, the server asked for a client certificate when Enterprise/TTLS was employed.  When I install a client cert into the browser, then the browser (Firefox) connected to the HTTPS server.

So, I left conn_info.trusted_ca_certificates = NULL, and now it works as expected.  So, making this assignment enables mutual authentication for the HTTPS server (and my HTTPS client, as well, as it turns out).

Digging further, I see that the function besl_supplicant_init calls:

wiced_result = wiced_tls_init_root_ca_certificates( (char*) conn_info->trusted_ca_certificates, conn_info->root_ca_cert_length );

So, this is what is forcing the mutual authentication for all TLS activities. 

I wonder if there is a way to specify mutual authentication only for specific functions, namely: Wi-Fi channel, HTTPS server and HTTPS client?


Mutual authentication is done internally based on the client certificate request in WICED. By default, mbedTLS requires SSL_CERTIFICATE_REQUEST for the client certificate request.  Also, both the client and server certificates have to be authorized by the same Root Certificate Authority in the TLS handshake mechanism.

Thanks.

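The two posts above (the finding that initializing the root CA forces client authentication for every TLS context, and the note that mbedTLS sends a certificate request by default) are illustrated by the following added example. It is a model written for this thread, not WICED, BESL or mbedTLS code: the tls_role_t type, the build_coupled_policy / build_decoupled_policy functions, the role names and the numeric outcome codes are all constructed here; only the three verification modes mirror mbedTLS's MBEDTLS_SSL_VERIFY_NONE / _OPTIONAL / _REQUIRED. The model shows both sides of the trade-off: with one global "trusted CA loaded" setting, the HTTPS server rejects a browser that has no client certificate, while clearing that setting to make the server work leaves the supplicant context (in this model) with no CA to verify the RADIUS server against. A per-context policy table, where each TLS role carries its own CA chain and verification mode, is the shape a fix would take.

```c
/* Added example (a model, not WICED/BESL/mbedTLS code): per-context TLS
 * verification policy versus one global "trusted CA => client cert required"
 * rule. All types, names and outcome codes are constructed for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mirrors mbedTLS's MBEDTLS_SSL_VERIFY_NONE / _OPTIONAL / _REQUIRED. */
typedef enum { VERIFY_NONE = 0, VERIFY_OPTIONAL = 1, VERIFY_REQUIRED = 2 } authmode_t;

/* One TLS context in this model (constructed type, not a WICED struct). */
typedef struct {
    const char *name;
    bool        have_trusted_ca;  /* a root CA chain is loaded for this context */
    authmode_t  peer_authmode;    /* how strictly this context verifies its peer */
} tls_role_t;

enum { ROLE_SUPPLICANT = 0, ROLE_HTTPS_SERVER = 1, ROLE_HTTPS_CLIENT = 2, ROLE_COUNT = 3 };

/* The coupling described in the thread: a loaded root CA implies
 * "require the peer's certificate" for every context sharing the setting. */
static authmode_t coupled_authmode(bool have_trusted_ca) {
    return have_trusted_ca ? VERIFY_REQUIRED : VERIFY_NONE;
}

/* Handshake outcome in this model:
 *   0  handshake completes
 *  -1  peer certificate required but not presented ("client has no certificate")
 *  -2  peer certificate required and presented, but no CA to verify it against */
int handshake(const tls_role_t *role, bool peer_presents_cert) {
    switch (role->peer_authmode) {
    case VERIFY_NONE:
        return 0;                          /* certificate neither requested nor checked */
    case VERIFY_OPTIONAL:
        return 0;                          /* requested, but a missing cert is not fatal */
    case VERIFY_REQUIRED:
        if (!peer_presents_cert) return -1;
        return role->have_trusted_ca ? 0 : -2;
    }
    return -2;
}

/* Global policy: one trusted_ca setting drives all three contexts. */
void build_coupled_policy(tls_role_t out[ROLE_COUNT], bool trusted_ca_set) {
    static const char *names[ROLE_COUNT] = { "wifi_supplicant", "https_server", "https_client" };
    for (int i = 0; i < ROLE_COUNT; i++) {
        out[i].name            = names[i];
        out[i].have_trusted_ca = trusted_ca_set;
        out[i].peer_authmode   = coupled_authmode(trusted_ca_set);
    }
}

/* Per-context policy: each role owns its own CA chain and verification mode. */
void build_decoupled_policy(tls_role_t out[ROLE_COUNT]) {
    const tls_role_t p[ROLE_COUNT] = {
        { "wifi_supplicant", true,  VERIFY_REQUIRED }, /* TTLS client: must verify the RADIUS server */
        { "https_server",    false, VERIFY_NONE     }, /* browsers present no client certificate */
        { "https_client",    true,  VERIFY_REQUIRED }, /* verify the remote HTTPS server */
    };
    memcpy(out, p, sizeof p);
}

static void report(const char *policy, tls_role_t roles[ROLE_COUNT]) {
    printf("%s:\n", policy);
    printf("  %-16s browser without client cert -> %d\n", roles[ROLE_HTTPS_SERVER].name,
           handshake(&roles[ROLE_HTTPS_SERVER], false));
    printf("  %-16s RADIUS server presents cert -> %d (authmode %d)\n", roles[ROLE_SUPPLICANT].name,
           handshake(&roles[ROLE_SUPPLICANT], true), (int)roles[ROLE_SUPPLICANT].peer_authmode);
}

int main(void) {
    tls_role_t roles[ROLE_COUNT];
    build_coupled_policy(roles, true);   report("coupled, trusted CA set", roles);
    build_coupled_policy(roles, false);  report("coupled, trusted CA NULL", roles);
    build_decoupled_policy(roles);       report("decoupled per-context policy", roles);
    return 0;
}
```

Running it prints -1 for the HTTPS server under the coupled policy with a CA set (the browser case from the thread), 0 once the CA is cleared, but then the supplicant's authmode is 0 (VERIFY_NONE), i.e. it would accept any RADIUS server; only the decoupled table gives 0 for the server and a verified RADIUS handshake at the same time.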

Understood, thank you.  In summary, then, the function besl_supplicant_init calls wiced_tls_init_root_ca_certificates which, in turn, mandates client authentication if conn_info.trusted_ca_certificates is specified.  

Case closed!
