console: join_ent test peap failure | Cypress Developer Community

1 2 3 Previous Next 33 Replies Latest reply on Jan 21, 2019 4:39 PM by AxLi_1746341 Go to original post

15. Re: console: join_ent test peap failure

AxLi_1746341 Oct 31, 2017 2:24 AM (in response to GauravS_31)

grsr wrote:

It appears that the TLS version used by your server is v1.0. SDK 6.0 has included compatibility for TLSv1.0 and TLSv1.1. Go to include/wiced_defaults.h and adjust the value of both WICED_TLS_MINOR_VERSION_MIN and WICED_TLS_MINOR_VERSION_MAX as per the appropriate TLS version. The TLS version is set in
In my previous test, I already set below setting in include/wiced_defaults.h:
#define WICED_TLS_MINOR_VERSION_MIN (0)
#define WICED_TLS_MINOR_VERSION_MAX (2)

I also tried below settings, all fails:
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0
WICED_TLS_MINOR_VERSION_MIN=1 && WICED_TLS_MINOR_VERSION_MAX=1
WICED_TLS_MINOR_VERSION_MIN=2 && WICED_TLS_MINOR_VERSION_MAX=2
Like Show 0 Likes(0)

Actions
16. Re: console: join_ent test peap failure

AxLi_1746341 Oct 31, 2017 2:36 AM (in response to AxLi_1746341)

Hi GauravS_31

Correct my previous post.

On ThreadX build:
It works with WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0.

On FreeRTOS build:
It fails with WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0.

However, we are using FreeRTOS build so this is still a problem.
Can you check if FreeRTOS build works for you?

Besides, I though WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
should work but it does not work. We cannot assume the customer's server is a
fixed TLS version.
Like Show 0 Likes(0)

Actions
17. Re: console: join_ent test peap failure

AxLi_1746341 Oct 31, 2017 2:58 AM (in response to AxLi_1746341)

GauravS_31

To make it clear: ( I tried with more combinations)

On ThreadX build:
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0 works
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=1 works
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2 fails

On FreeRTOS build
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0/1/2 all fails
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
18. Re: console: join_ent test peap failure

AxLi_1746341 Oct 31, 2017 10:16 PM (in response to AxLi_1746341)

GauravS_31

The first error in FreeRTOS build is because:
eap_ssl_receive_packet() return timeout.
Maybe someone from cypress can take a look at this issue.

Note, increase timeout value does not help.
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
19. Re: console: join_ent test peap failure

AxLi_1746341 Nov 1, 2017 8:27 PM (in response to AxLi_1746341)

GauravS_31

Debugging for a while for FreeRTOS build and I give up now.
I think it might be something wrong in your binary library for FreeRTOS build.

The SDK changelog said the enterprise security was tested on SDK-5.0.
I'm so surprised that it actually does not work even in SDK-6.0.

Also note, to have better coverage of TLS support,
I think the default WICED_TLS_MINOR_VERSION_MIN/MAX setting should be
WICED_TLS_MINOR_VERSION_MIN=0
WICED_TLS_MINOR_VERSION_MAX=2

rahter than
WICED_TLS_MINOR_VERSION_MIN=2
WICED_TLS_MINOR_VERSION_MAX=2
Like Show 0 Likes(0)

Actions
20. Re: console: join_ent test peap failure

GauravS_31 Jan 14, 2018 11:55 PM (in response to AxLi_1746341)

I reproduced this issue with FreeRTOS in my setup and raised a ticket on this.
1 of 1 people found this helpful
Like Show 1 Likes(1)

Actions
21. Re: console: join_ent test peap failure

GauravS_31 Feb 20, 2018 8:26 PM (in response to GauravS_31)

It took time because I had to spend time to bring up the setup (on my own). Once I was able to reproduce, I reported the issue. Sorry but issue is not resolved, so it will still exist in 6.1.
Like Show 0 Likes(0)

Actions
22. Re: console: join_ent test peap failure

AxLi_1746341 Feb 20, 2018 9:42 PM (in response to GauravS_31)

Your SDK supports PEAP, then your team should have no problem to setup the test at all.
If you have problem to setup the test, I believe you should be able to find someone to help testing it.

ps.
I do appreciate your help.
It's seems the problem is in the *process* of handling user's reported issues.
Like Show 0 Likes(0)

Actions
23. Re: console: join_ent test peap failure

AxLi_1746341 Feb 23, 2018 11:26 PM (in response to AxLi_1746341)

axel.lin_1746341 wrote:

Hi grsr

Besides, I though WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
should work but it does not work. We cannot assume the customer's server is a
fixed TLS version.
GauravS_31

I found sdk-6.1 still set default to
WICED_TLS_MINOR_VERSION_MIN=2 && WICED_TLS_MINOR_VERSION_MAX=2
Why not set default to
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
for better covering of testing? (Whic was the default setting before switching to mbedtls)

Any comment?
Like Show 0 Likes(0)

Actions
24. Re: console: join_ent test peap failure

GauravS_31 Mar 6, 2018 10:21 PM (in response to AxLi_1746341)

Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
25. Re: console: join_ent test peap failure

AxLi_1746341 Mar 6, 2018 10:31 PM (in response to GauravS_31)

grsr wrote:

Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.
My point is to get better coverity of testing.
You will have to make it work for all cases TLSv1.0, TLSv1.1, TLSv1.2 any way.

In additional, when the wiced device is a client, your users usually
have to set WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
because they are not sure the supported TLS version on customer's server.
Like Show 0 Likes(0)

Actions
26. Re: console: join_ent test peap failure

AxLi_1746341 Mar 6, 2018 10:53 PM (in response to GauravS_31)

I just hope you can make sure the enterprise security can work in upcoming release for FreeRTOS build.
PEAPv0 and EAP-TTLS don't work with sdk-6.1 for FreeRTOS build.
Like Show 0 Likes(0)

Actions
27. Re: console: join_ent test peap failure

AxLi_1746341 Jun 5, 2018 1:02 AM (in response to GauravS_31)

grsr wrote:

Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.
It's strange the sdk-6.2 add comments to tell people don't change TLS min/max version setting:
/* Note: Please don't try to change TLS MINOR VERSION MIN & MAX values,
* as few wiced prebuilts are compiled using below values changing the values can cause issues
* */
But it was fine to change MIN/MAX values in older sdks.
Like Show 0 Likes(0)

Actions
28. Re: console: join_ent test peap failure

AxLi_1746341 Jun 5, 2018 1:04 AM (in response to GauravS_31)

grsr wrote:

I reproduced this issue with FreeRTOS in my setup and raised a ticket on this.
My test with PEAPv0 shows it still does not work.
So does it work for you with sdk-6.2?
Like Show 0 Likes(0)

Actions
29. Re: console: join_ent test peap failure

GauravS_31 Jun 18, 2018 10:55 PM (in response to AxLi_1746341)

I tested PEAP and EAP-TTLS with Freeradius 3.0.16 and openssl version 1.1.0h in WICED SDK 6.2. Unfortunately both still fail with FreeRTOS for all TLS versions. I will send feedback internally to the software development team.
Like Show 0 Likes(0)

Actions