33 Replies. Latest reply on Jan 21, 2019 4:39 PM by axel.lin_1746341
      • 15. Re: console: join_ent test peap failure
        axel.lin_1746341

        grsr wrote:

         

        It appears that the TLS version used by your server is v1.0. SDK 6.0 has included compatibility for TLSv1.0 and TLSv1.1. Go to include/wiced_defaults.h and adjust the value of both WICED_TLS_MINOR_VERSION_MIN and WICED_TLS_MINOR_VERSION_MAX as per the appropriate TLS version. The TLS version is set in

        In my previous test, I had already set the settings below in include/wiced_defaults.h:

        #define WICED_TLS_MINOR_VERSION_MIN           (0)

        #define WICED_TLS_MINOR_VERSION_MAX           (2)

         

        I also tried the settings below; all fail:

        WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0

        WICED_TLS_MINOR_VERSION_MIN=1 && WICED_TLS_MINOR_VERSION_MAX=1

        WICED_TLS_MINOR_VERSION_MIN=2 && WICED_TLS_MINOR_VERSION_MAX=2

        • 16. Re: console: join_ent test peap failure
          axel.lin_1746341

          Hi GauravS_31

           

          Correction to my previous post.

           

          On ThreadX build:

          It works with WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0.

           

          On FreeRTOS build:

          It fails with WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0.

           

          However, we are using FreeRTOS build so this is still a problem.

          Can you check if FreeRTOS build works for you?

           

          Besides, I thought WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2

          should work but it does not work. We cannot assume the customer's server is a

          fixed TLS version.

          • 17. Re: console: join_ent test peap failure
            axel.lin_1746341

            GauravS_31

             

            To make it clear (I tried more combinations):

             

            On ThreadX build:

            WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0 works

            WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=1 works

            WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2 fails

             

            On FreeRTOS build:

            WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=0/1/2 all fail

            1 of 1 people found this helpful
            • 18. Re: console: join_ent test peap failure
              axel.lin_1746341

              GauravS_31

               

              The first error in the FreeRTOS build occurs because:

              eap_ssl_receive_packet() returns a timeout.

              Maybe someone from Cypress can take a look at this issue.

               

              Note: increasing the timeout value does not help.

              1 of 1 people found this helpful
              • 19. Re: console: join_ent test peap failure
                axel.lin_1746341

                GauravS_31

                 

                I debugged the FreeRTOS build for a while and I give up now.

                I think there might be something wrong in your binary library for the FreeRTOS build.

                 

                The SDK changelog said that enterprise security was tested on SDK-5.0.

                I'm so surprised that it actually does not work even in SDK-6.0.

                 

                Also note, to have better coverage of TLS support,

                I think the default WICED_TLS_MINOR_VERSION_MIN/MAX setting should be

                WICED_TLS_MINOR_VERSION_MIN=0

                WICED_TLS_MINOR_VERSION_MAX=2

                 

                rather than

                WICED_TLS_MINOR_VERSION_MIN=2

                WICED_TLS_MINOR_VERSION_MAX=2

                • 20. Re: console: join_ent test peap failure
                  GauravS_31

                  I reproduced this issue with FreeRTOS in my setup and raised a ticket on this.

                  1 of 1 people found this helpful
                  • 21. Re: console: join_ent test peap failure
                    GauravS_31

                    It took time because I had to spend time bringing up the setup (on my own). Once I was able to reproduce it, I reported the issue. Sorry, but the issue is not resolved, so it will still exist in 6.1.

                    • 22. Re: console: join_ent test peap failure
                      axel.lin_1746341

                      Your SDK supports PEAP, so your team should have no problem setting up the test at all.

                      If you have a problem setting up the test, I believe you should be able to find someone to help test it.

                       

                      ps.

                      I do appreciate your help.

                      It seems the problem is in the *process* of handling users' reported issues.

                      • 23. Re: console: join_ent test peap failure
                        axel.lin_1746341

                        axel.lin_1746341 wrote:

                         

                        Hi grsr

                         

                        Besides, I thought WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2

                        should work but it does not work. We cannot assume the customer's server is a

                        fixed TLS version.

                        GauravS_31

                         

                        I found that sdk-6.1 still sets the default to

                        WICED_TLS_MINOR_VERSION_MIN=2 && WICED_TLS_MINOR_VERSION_MAX=2

                        Why not set the default to

                        WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2

                        for better test coverage? (Which was the default setting before switching to mbedtls)

                         

                        Any comment?

                        • 24. Re: console: join_ent test peap failure
                          GauravS_31

                          Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.

                          1 of 1 people found this helpful
                          • 25. Re: console: join_ent test peap failure
                            axel.lin_1746341

                            grsr wrote:

                             

                            Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.

                            My point is to get better test coverage.

                            You will have to make it work for all cases (TLSv1.0, TLSv1.1, TLSv1.2) anyway.

                             

                            In addition, when the WICED device is a client, your users usually

                            have to set WICED_TLS_MINOR_VERSION_MIN=0 && WICED_TLS_MINOR_VERSION_MAX=2

                            because they are not sure which TLS version is supported on the customer's server.

                            • 26. Re: console: join_ent test peap failure
                              axel.lin_1746341

                              I just hope you can make sure that enterprise security works in the upcoming release for the FreeRTOS build.

                              PEAPv0 and EAP-TTLS don't work with sdk-6.1 for the FreeRTOS build.

                              • 27. Re: console: join_ent test peap failure
                                axel.lin_1746341

                                grsr wrote:

                                 

                                Our default recommendation is to use TLSv1.2 as it provides the best security. With the current mbedTLS, source is available and the user can configure their min and max TLS version using wiced_defaults.h.

                                It's strange that sdk-6.2 adds comments telling people not to change the TLS min/max version setting:

                                /* Note: Please don't try to change TLS MINOR VERSION MIN & MAX values,

                                * as few  wiced prebuilts are compiled using below values changing the values can cause issues

                                * */

                                But it was fine to change the MIN/MAX values in older SDKs.

                                • 28. Re: console: join_ent test peap failure
                                  axel.lin_1746341

                                  grsr wrote:

                                   

                                  I reproduced this issue with FreeRTOS in my setup and raised a ticket on this.

                                  My test with PEAPv0 shows it still does not work.

                                  So does it work for you with sdk-6.2?

                                  • 29. Re: console: join_ent test peap failure
                                    GauravS_31

                                    I tested PEAP and EAP-TTLS with FreeRADIUS 3.0.16 and OpenSSL version 1.1.0h in WICED SDK 6.2. Unfortunately, both still fail with FreeRTOS for all TLS versions. I will send feedback internally to the software development team.