Are you able to establish TLS connectivity after using the "join_ent" demo app and running an HTTPS server for Enterprise WiFi?
If yes, can you please provide the mbedTLS and RADIUS server debug logs?
Thank you! Before I resort to the "join_ent" demo, I did a TLS debug log dump, and my preliminary observation is that the following message appears:
WICED/security/BESL/mbedtls_open/library/ssl_tls.c:4693: TLSv1 client has no certificate
So... I have a feeling that WICED is expecting a client certificate like it was set for mutual authentication. I'll do a bit of digging and will report back with something more informative.
Well, well. That's exactly what it is. The HTTPS server is fine. However, the server asked for a client certificate when Enterprise/TTLS was employed. When I installed a client cert into the browser, the browser (Firefox) connected to the HTTPS server.
So, I left conn_info.trusted_ca_certificates = NULL, and now it works as expected. So, making this assignment enables mutual authentication for the HTTPS server (and my HTTPS client, as well, as it turns out).
Digging further, I see that the function besl_supplicant_init calls:
wiced_result = wiced_tls_init_root_ca_certificates( (char*) conn_info->trusted_ca_certificates, conn_info->root_ca_cert_length );
So, this is what is forcing the mutual authentication for all TLS activities.
I wonder if there is a way to specify mutual authentication only for specific functions, namely: Wi-Fi channel, HTTPS server and HTTPS client?
Mutual authentication is done internally based on the client certificate request in WICED. By default, mbedTLS requires SSL_CERTIFICATE_REQUEST for the client certificate request. Also, both the client and server certificates have to be authorized by the same Root Certificate Authority in the TLS handshake mechanism.
Understood, thank you. In summary, then, the function besl_supplicant_init calls wiced_tls_init_root_ca_certificates which, in turn, mandates client authentication if conn_info.trusted_ca_certificates is specified.
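As an added illustration of the behaviour discussed in this thread (not WICED or mbedTLS code), the same effect modelled with Python's ssl module: a TLS server whose verify_mode is CERT_REQUIRED (the analogue of trusted_ca_certificates being non-NULL) rejects a client that presents no certificate, while the same server with the default verify_mode accepts it. It assumes the openssl CLI is on PATH to mint a throwaway localhost certificate.

```python
import os, socket, ssl, subprocess, tempfile, threading


def make_self_signed(tmp):
    """Mint a constructed, throwaway self-signed cert/key for localhost (assumes openssl CLI)."""
    key, crt = os.path.join(tmp, "key.pem"), os.path.join(tmp, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return key, crt


def serve_once(srv_ctx, lsock, result):  # accept one connection, record handshake outcome
    conn, _ = lsock.accept()
    try:
        with srv_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(16)
            result["ok"] = True
    except OSError as exc:  # e.g. SSLError: PEER_DID_NOT_RETURN_A_CERTIFICATE
        result["error"] = str(exc)


def handshake_without_client_cert(require_client_cert):
    """Return True if a client that offers no certificate completes the TLS handshake."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(crt, key)
        if require_client_cert:
            # Analogue of WICED loading trusted_ca_certificates: the server now sends
            # CertificateRequest and fails the handshake when no client cert arrives.
            srv.load_verify_locations(crt)
            srv.verify_mode = ssl.CERT_REQUIRED
        lsock = socket.socket()
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        result = {}
        worker = threading.Thread(target=serve_once, args=(srv, lsock, result))
        worker.start()
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # trusts the server cert, offers none
        cli.load_verify_locations(crt)
        cli.check_hostname = False
        try:
            with cli.wrap_socket(socket.create_connection(lsock.getsockname())) as tls:
                tls.sendall(b"hello")
                tls.recv(1)  # surfaces the server's "certificate required" alert under TLS 1.3
        except OSError:
            pass  # the client side observes the rejection here
        worker.join()
        lsock.close()
        return result.get("ok", False)
```

The server-side failure recorded in result["error"] is the counterpart of the "client has no certificate" line in the WICED debug log.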