-
15. Re: console: join_ent test peap failure
AxLi_1746341 Oct 31, 2017 2:24 AM (in response to GauravS_31)
grsr wrote:
It appears that the TLS version used by your server is v1.0. SDK 6.0 has included compatibility for TLSv1.0 and TLSv1.1. Go to include/wiced_defaults.h and adjust the value of both WICED_TLS_MINOR_VERSION_MIN and WICED_TLS_MINOR_VERSION_MAX as per the appropriate TLS version. The TLS version is set in
In my previous test, I had already set the settings below in include/wiced_defaults.h:
#define WICED_TLS_MINOR_VERSION_MIN (0)
#define WICED_TLS_MINOR_VERSION_MAX (2)
I also tried the settings below; all fail:
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0
WICED_TLS_MINOR_VERSION_MIN=1 && WICED_TLS_MINOR_VERSION_MAX=1
WICED_TLS_MINOR_VERSION_MIN=2 && WICED_TLS_MINOR_VERSION_MAX=2
-
16. Re: console: join_ent test peap failure
AxLi_1746341 Oct 31, 2017 2:36 AM (in response to AxLi_1746341)
Hi GauravS_31
Correcting my previous post.
On ThreadX build:
It works with WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0.
On FreeRTOS build:
It fails with WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0.
However, we are using FreeRTOS build so this is still a problem.
Can you check if FreeRTOS build works for you?
Besides, I thought WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
should work but it does not work. We cannot assume the customer's server is a
fixed TLS version.
-
17. Re: console: join_ent test peap failure
AxLi_1746341 Oct 31, 2017 2:58 AM (in response to AxLi_1746341)
1 of 1 people found this helpful
To make it clear (I tried more combinations):
On ThreadX build:
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0 works
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=1 works
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2 fails
On FreeRTOS build:
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0/1/2 all fail
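
An added example, not part of the original posts and not WICED or mbedTLS code: a small C model of standard TLS (1.2 and earlier) version selection, showing which of the MIN/MAX settings tried in this thread would be expected to handshake with a TLS 1.0-only server. It assumes, as the thread implies, that minor value 0 means TLS 1.0, 1 means TLS 1.1 and 2 means TLS 1.2; `tls_range_t`, `negotiate_minor` and `count_expected_ok` are hypothetical names.

```c
#include <stdio.h>

/* Assumption taken from the thread: minor 0 = TLS 1.0, 1 = TLS 1.1, 2 = TLS 1.2. */
#define NO_COMMON_VERSION (-1)

typedef struct { int min; int max; } tls_range_t;

/* Model of TLS <= 1.2 version selection: the client offers its maximum,
 * the server answers with the highest version both sides support, and
 * either side aborts if that version is below its own minimum. */
int negotiate_minor(tls_range_t client, tls_range_t server)
{
    if (client.min > client.max || server.min > server.max)
        return NO_COMMON_VERSION;            /* invalid configuration */
    int chosen = client.max < server.max ? client.max : server.max;
    if (chosen < server.min)                 /* server refuses: client too old */
        return NO_COMMON_VERSION;
    if (chosen < client.min)                 /* client refuses: server too old */
        return NO_COMMON_VERSION;
    return chosen;
}

/* Run the client settings tried in the thread against one server and
 * return how many are expected to complete version negotiation. */
int count_expected_ok(tls_range_t server)
{
    static const tls_range_t tried[] = { {0, 0}, {1, 1}, {2, 2}, {0, 1}, {0, 2} };
    int ok = 0;
    for (size_t i = 0; i < sizeof tried / sizeof tried[0]; i++) {
        int v = negotiate_minor(tried[i], server);
        printf("MIN=%d MAX=%d -> ", tried[i].min, tried[i].max);
        if (v == NO_COMMON_VERSION) {
            printf("no common version\n");
        } else {
            printf("TLS 1.%d\n", v);
            ok++;
        }
    }
    return ok;
}

int main(void)
{
    tls_range_t tls10_only = { 0, 0 };       /* constructed sample: TLS 1.0-only server */
    printf("%d of 5 settings expected to work\n", count_expected_ok(tls10_only));
    return 0;
}
```

Under this model MIN=0/MAX=2 negotiates TLS 1.0 with a TLS 1.0-only server and TLS 1.2 with a server that supports all three versions, so a failure with that setting is not explained by version selection alone.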
-
18. Re: console: join_ent test peap failure
AxLi_1746341 Oct 31, 2017 10:16 PM (in response to AxLi_1746341)
1 of 1 people found this helpful
The first error in the FreeRTOS build is because:
eap_ssl_receive_packet() returns timeout.
Maybe someone from Cypress can take a look at this issue.
Note: increasing the timeout value does not help.
-
19. Re: console: join_ent test peap failure
AxLi_1746341 Nov 1, 2017 8:27 PM (in response to AxLi_1746341)
Debugging for a while for FreeRTOS build and I give up now.
I think it might be something wrong in your binary library for FreeRTOS build.
The SDK changelog said the enterprise security was tested on SDK-5.0.
I'm so surprised that it actually does not work even in SDK-6.0.
Also note, to have better coverage of TLS support,
I think the default WICED_TLS_MINOR_VERSION_MIN/MAX setting should be
WICED_TLS_MINOR_VERSION_MIN=0
WICED_TLS_MINOR_VERSION_MAX=2
rather than
WICED_TLS_MINOR_VERSION_MIN=2
WICED_TLS_MINOR_VERSION_MAX=2
-
20. Re: console: join_ent test peap failure
GauravS_31 Jan 14, 2018 11:55 PM (in response to AxLi_1746341)
1 of 1 people found this helpful
I reproduced this issue with FreeRTOS in my setup and raised a ticket on this.
-
21. Re: console: join_ent test peap failure
GauravS_31 Feb 20, 2018 8:26 PM (in response to GauravS_31)
It took time because I had to spend time to bring up the setup (on my own). Once I was able to reproduce, I reported the issue. Sorry, but the issue is not resolved, so it will still exist in 6.1.
-
22. Re: console: join_ent test peap failure
AxLi_1746341 Feb 20, 2018 9:42 PM (in response to GauravS_31)
Your SDK supports PEAP, so your team should have no problem setting up the test at all.
If you have a problem setting up the test, I believe you should be able to find someone to help with testing it.
P.S.
I do appreciate your help.
It seems the problem is in the *process* of handling users' reported issues.
-
23. Re: console: join_ent test peap failure
AxLi_1746341 Feb 23, 2018 11:26 PM (in response to AxLi_1746341)
axel.lin_1746341 wrote:
Hi grsr
Besides, I thought WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
should work but it does not work. We cannot assume the customer's server is a
fixed TLS version.
I found sdk-6.1 still sets the default to
WICED_TLS_MINOR_VERSION_MIN=2 && WICED_TLS_MINOR_VERSION_MAX=2
Why not set the default to
WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
for better coverage of testing? (Which was the default setting before switching to mbedtls)
Any comment?
-
24. Re: console: join_ent test peap failure
GauravS_31 Mar 6, 2018 10:21 PM (in response to AxLi_1746341)
1 of 1 people found this helpful
Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.
-
25. Re: console: join_ent test peap failure
AxLi_1746341 Mar 6, 2018 10:31 PM (in response to GauravS_31)
grsr wrote:
Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.
My point is to get better coverage of testing.
You will have to make it work for all cases TLSv1.0, TLSv1.1, TLSv1.2 anyway.
In addition, when the wiced device is a client, your users usually
have to set WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2
because they are not sure of the supported TLS version on the customer's server.
-
26. Re: console: join_ent test peap failure
AxLi_1746341 Mar 6, 2018 10:53 PM (in response to GauravS_31)
I just hope you can make sure the enterprise security can work in upcoming release for FreeRTOS build.
PEAPv0 and EAP-TTLS don't work with sdk-6.1 for FreeRTOS build.
-
27. Re: console: join_ent test peap failure
AxLi_1746341 Jun 5, 2018 1:02 AM (in response to GauravS_31)
grsr wrote:
Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.
It's strange that sdk-6.2 adds comments telling people not to change the TLS min/max version setting:
/* Note: Please don't try to change TLS MINOR VERSION MIN & MAX values,
* as few wiced prebuilts are compiled using below values changing the values can cause issues
* */
But it was fine to change MIN/MAX values in older sdks.
-
28. Re: console: join_ent test peap failure
AxLi_1746341 Jun 5, 2018 1:04 AM (in response to GauravS_31)
grsr wrote:
I reproduced this issue with FreeRTOS in my setup and raised a ticket on this.
My test with PEAPv0 shows it still does not work.
So does it work for you with sdk-6.2?
-
29. Re: console: join_ent test peap failure
GauravS_31 Jun 18, 2018 10:55 PM (in response to AxLi_1746341)
I tested PEAP and EAP-TTLS with Freeradius 3.0.16 and openssl version 1.1.0h in WICED SDK 6.2. Unfortunately both still fail with FreeRTOS for all TLS versions. I will send feedback internally to the software development team.