5 Replies Latest reply on Sep 18, 2019 6:48 PM by ChMa_3922746

    Enterprise Wi-Fi Kills TLS for Web Server (CYW943907AEVAL1F)


      I am in the process of incorporating Enterprise Wi-Fi into the application based upon the "join_ent" demo app.


      I normally have an HTTPS server running on the WICED device.  When connected to Personal Wi-Fi, everything is fine.  When the WICED device connects to Enterprise Wi-Fi (via a freeradius server) configured for TTLS, the WICED device is authenticated by the Radius server and connects properly.  It can ping, etc.  Looks good.


      However, the Enterprise Wi-Fi appears to also "kill" the TLS connectivity to the HTTPS server somehow.  I can run an HTTP server (no TLS) with no problem.


      Has anyone got both working at the same time?



        • 1. Re: Enterprise Wi-Fi Kills TLS for Web Server (CYW943907AEVAL1F)

          Hi Charles,


          Are you able to establish TLS connectivity after using the "join_ent" demo app and running the HTTPS server for Enterprise Wi-Fi?
          If yes, can you please provide the mbed TLS and RADIUS server debug logs.



          • 2. Re: Enterprise Wi-Fi Kills TLS for Web Server (CYW943907AEVAL1F)

            Thank you!  Before I resort to the "join_ent" demo, I did a TLS debug log dump, and my prelim. observation is that the following message appears:


            WICED/security/BESL/mbedtls_open/library/ssl_tls.c:4693: TLSv1 client has no certificate


            So... I have a feeling that WICED is expecting a client certificate like it was set for mutual authentication.  I'll do a bit of digging and will report back with something more informative.

            • 3. Re: Enterprise Wi-Fi Kills TLS for Web Server (CYW943907AEVAL1F)

              Well, well.  That's exactly what it is.  The HTTPS server is fine.  However, the server asked for a client certificate when Enterprise/TTLS was employed.  When I install a client cert into the browser, then the browser (Firefox) connected to the HTTPS server.


              So, I left conn_info.trusted_ca_certificates = NULL, and now it works as expected.  So, making this assignment enables mutual authentication for the HTTPS server (and my HTTPS client, as well, as it turns out).


              Digging further, I see that the function besl_supplicant_init calls:

              wiced_result = wiced_tls_init_root_ca_certificates( (char*) conn_info->trusted_ca_certificates, conn_info->root_ca_cert_length );


              So, this is what is forcing the mutual authentication for all TLS activities.


              I wonder if there is a way to specify mutual authentication only for specific functions, namely: Wi-Fi channel, HTTPS server and HTTPS client?

              • 4. Re: Enterprise Wi-Fi Kills TLS for Web Server (CYW943907AEVAL1F)

                Mutual authentication is done internally based on the client certificate request in WICED. By default, MBEDTLS requires SSL_CERTIFICATE_REQUEST for the client certificate request.  Also, both the client and server certificates have to be authorized by the same Root Certificate Authority in the TLS handshake mechanism.



                • 5. Re: Enterprise Wi-Fi Kills TLS for Web Server (CYW943907AEVAL1F)

                  Understood, thank you.  In summary, then, the function besl_supplicant_init calls wiced_tls_init_root_ca_certificates which, in turn, mandates client authentication if conn_info.trusted_ca_certificates is specified.


                  Case closed!