[TW#24179] Fail to connect wpa2 peap

[andrefilipin]

Environment

• Development Kit: ESP32-bit
• IDF version f198339
• Development Env: Make
• Operating System: Ubuntu
• Power Supply: USB

Problem Description

Fail to connect wpa2 peap

Expected Behavior

Connect succeful

Actual Behavior

Fail to connect

Steps to repropduce

1. download esp-idf
2. copy wps example
3. make menuconfig and set username and password
4. make flash monitor

Code to reproduce this issue

#define EXAMPLE_WIFI_SSID CONFIG_WIFI_SSID
#define EXAMPLE_EAP_METHOD CONFIG_EAP_METHOD

#define EXAMPLE_EAP_ID CONFIG_EAP_ID
#define EXAMPLE_EAP_USERNAME CONFIG_EAP_USERNAME
#define EXAMPLE_EAP_PASSWORD CONFIG_EAP_PASSWORD


/* Constants that aren't configurable in menuconfig */
/* FreeRTOS event group to signal when we are connected & ready to make a request */
static EventGroupHandle_t wifi_event_group;

/* The event group allows multiple bits for each event,
   but we only care about one event - are we connected
   to the AP with an IP? */
const int CONNECTED_BIT = BIT0;

/* Constants that aren't configurable in menuconfig */
#define EAP_PEAP 1
#define EAP_TTLS 2

static const char *TAG = "example";

/* CA cert, taken from wpa2_ca.pem
   Client cert, taken from wpa2_client.crt
   Client key, taken from wpa2_client.key

   The PEM, CRT and KEY file were provided by the person or organization
   who configured the AP with wpa2 enterprise.

   To embed it in the app binary, the PEM, CRT and KEY file is named
   in the component.mk COMPONENT_EMBED_TXTFILES variable.
*/
extern uint8_t ca_pem_start[] asm("_binary_wpa2_ca_pem_start");
extern uint8_t ca_pem_end[]   asm("_binary_wpa2_ca_pem_end");
extern uint8_t client_crt_start[] asm("_binary_wpa2_client_crt_start");
extern uint8_t client_crt_end[]   asm("_binary_wpa2_client_crt_end");
extern uint8_t client_key_start[] asm("_binary_wpa2_client_key_start");
extern uint8_t client_key_end[]   asm("_binary_wpa2_client_key_end");

static esp_err_t event_handler(void *ctx, system_event_t *event)
{
    switch(event->event_id) {
    case SYSTEM_EVENT_STA_START:
        esp_wifi_connect();
        break;
    case SYSTEM_EVENT_STA_GOT_IP:
        xEventGroupSetBits(wifi_event_group, CONNECTED_BIT);
        break;
    case SYSTEM_EVENT_STA_DISCONNECTED:
        esp_wifi_connect();
        xEventGroupClearBits(wifi_event_group, CONNECTED_BIT);
        break;
    default:
        break;
    }
    return ESP_OK;
}

static void initialise_wifi(void)
{
    unsigned int ca_pem_bytes = ca_pem_end - ca_pem_start;
    unsigned int client_crt_bytes = client_crt_end - client_crt_start;
    unsigned int client_key_bytes = client_key_end - client_key_start;
    esp_wpa2_config_t config = WPA2_CONFIG_INIT_DEFAULT();

    tcpip_adapter_init();
    wifi_event_group = xEventGroupCreate();
    ESP_ERROR_CHECK( esp_event_loop_init(event_handler, NULL) );
    wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
    ESP_ERROR_CHECK( esp_wifi_init(&cfg) );
    //ESP_ERROR_CHECK( esp_wifi_set_storage(WIFI_STORAGE_RAM) );
    wifi_config_t wifi_config = {
        .sta = {
            .ssid = EXAMPLE_WIFI_SSID,
        },
    };

    tcpip_adapter_dhcps_stop(TCPIP_ADAPTER_IF_AP);

    tcpip_adapter_ip_info_t ip_info;
    IP4_ADDR(&ip_info.ip,10,21,123,142);
    IP4_ADDR(&ip_info.gw,10,21,122,1);
    IP4_ADDR(&ip_info.netmask,255,255,254,0);
    ip_addr_t dnsserver;
	
    inet_pton(AF_INET, "10.21.71.19", &dnsserver);
		dns_setserver(0, &dnsserver);
		
    printf("set ip ret: %d\n", tcpip_adapter_set_ip_info(TCPIP_ADAPTER_IF_AP, &ip_info)); //set static IP

    //tcpip_adapter_dhcps_start(TCPIP_ADAPTER_IF_AP);


    ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
    ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );
    ESP_ERROR_CHECK( esp_wifi_set_config(ESP_IF_WIFI_STA, &wifi_config) );
    /*
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes,\
    		client_key_start, client_key_bytes, NULL, 0) );
   
    */
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
    if (EXAMPLE_EAP_METHOD == EAP_PEAP || EXAMPLE_EAP_METHOD == EAP_TTLS) {
        ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EXAMPLE_EAP_USERNAME, strlen(EXAMPLE_EAP_USERNAME)) );
        ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EXAMPLE_EAP_PASSWORD, strlen(EXAMPLE_EAP_PASSWORD)) );
    }
   
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable(&config) );
    ESP_ERROR_CHECK( esp_wifi_start() );
}

static void wpa2_enterprise_example_task(void *pvParameters)
{
    tcpip_adapter_ip_info_t ip;
    memset(&ip, 0, sizeof(tcpip_adapter_ip_info_t));
    vTaskDelay(2000 / portTICK_PERIOD_MS);


            const struct addrinfo hints = {
                    .ai_family = AF_INET,
                    .ai_socktype = SOCK_STREAM,
                };
                struct addrinfo *res;
                struct in_addr *addr;
                int s, r;
                char recv_buf[64];

    while (1) {
        vTaskDelay(2000 / portTICK_PERIOD_MS);

        if (tcpip_adapter_get_ip_info(ESP_IF_WIFI_STA, &ip) == 0) {
            ESP_LOGI(TAG, "~~~~~~~~~~~");
            ESP_LOGI(TAG, "IP:"IPSTR, IP2STR(&ip.ip));
            ESP_LOGI(TAG, "MASK:"IPSTR, IP2STR(&ip.netmask));
            ESP_LOGI(TAG, "GW:"IPSTR, IP2STR(&ip.gw));
            ESP_LOGI(TAG, "~~~~~~~~~~~");
            

        }
    }
}

void app_main()
{
    ESP_ERROR_CHECK( nvs_flash_init() );
    initialise_wifi();
    xTaskCreate(&wpa2_enterprise_example_task, "wpa2_enterprise_example_task", 4096, NULL, 5, NULL);

}

Debug Logs

V (718) event: exit default callback
I (838) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1818) wifi: state: init -> auth (b0)
I (1818) wifi: state: auth -> assoc (0)
I (1838) wifi: state: assoc -> run (10)
I (1838) wpa: wpa2_task prio:2, stack:6656

D (3028) wpa: TLS: using phase1 config options
D (3038) wpa: SSL: Received packet(len=6) - Flags 0x21
D (3038) wpa: EAP-PEAP: Start (server ver=1, own ver=1)
D (3038) wpa: EAP-PEAP: Using PEAP version 1
D (3038) wpa: TLSv1: Send ClientHello
D (3048) wpa: SSL: 62 bytes left to be sent out (of total 62 bytes)
I (4698) example: ~~~~~~~~~~~
I (4698) example: IP:0.0.0.0
I (4698) example: MASK:0.0.0.0
I (4698) example: GW:0.0.0.0
I (4698) example: ~~~~~~~~~~~
D (4798) wpa: SSL: Received packet(len=1000) - Flags 0xc1
D (4798) wpa: SSL: TLS Message Length: 1248
I (4798) wpa: SSL: Need 258 bytes more input data
D (4798) wpa: SSL: Building ACK (type=25 id=4 ver=1)

D (4818) wpa: SSL: Received packet(len=264) - Flags 0x01
D (4818) wpa: TLSv1: Received content type 22 version 3.1 length 74
D (4818) wpa: TLSv1: Received ServerHello
D (4818) wpa: TLSv1: Using TLS v1.0
D (4828) wpa: TLSv1: Selected cipher suite: 0x002f
D (4828) wpa: TLSv1: Received content type 22 version 3.1 length 1155
D (4838) wpa: TLSv1: Received Certificate (certificate_list len 1151)
D (4848) wpa: TLSv1: Certificate 0 (len 1145)
D (4848) wpa: X509: Version X.509v3
D (4848) wpa: X509: serialNumber ###
D (4858) wpa: X509: issuer ?=Cisco Systems, ?=Cisco Manufacturing CA
D (4858) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (4868) wpa: X509: subject ?=US, ?=California, ?=San Jose, ?=Cisco Systems, ?=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (4878) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (4888) wpa: X509: KeyUsage 0x5
D (4888) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (4898) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (4898) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (4908) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (4908) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (4918) wpa: X509: Version X.509v3
D (4918) wpa: X509: serialNumber ###
D (4928) wpa: X509: issuer ?=Cisco Systems, ?=Cisco Manufacturing CA
D (4928) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (4938) wpa: X509: subject ?=US, ?=California, ?=San Jose, ?=Cisco Systems, ?=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (4948) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (4958) wpa: X509: KeyUsage 0x5
D (4958) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (4968) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (4968) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (4978) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (4978) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (4988) wpa: X509: Validate certificate chain
D (4988) wpa: X509: 0: ?=US, ?=California, ?=San Jose, ?=Cisco Systems, ?=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (5008) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (5008) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (5018) wpa: X509: Certificate chain valid
D (5028) wpa: TLSv1: Received content type 22 version 3.1 length 4
D (5028) wpa: TLSv1: Received ServerHelloDone
D (5038) wpa: TLSv1: Send ClientKeyExchange
D (5218) wpa: TLSv1: Send ChangeCipherSpec
D (5218) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (5218) wpa: TLSv1: Send Finished
D (5218) wpa: SSL: 326 bytes left to be sent out (of total 326 bytes)
D (5338) wpa: SSL: Received packet(len=17) - Flags 0x81
D (5338) wpa: SSL: TLS Message Length: 7
D (5338) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (5348) wpa: TLSv1: Received alert 2:20
D (5348) wpa: SSL: No data to be sent out
D (5358) wpa: SSL: Building ACK (type=25 id=6 ver=1)

I (5368) wpa: >>>>>wpa2 FIALED

D (5368) wpa: TLSv1: Selected cipher suite: 0x0000
D (5368) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (5378) wpa: TLSv1: Record Layer - New read cipher suite 0x0000

I (5388) wpa: wpa2 task delete

## sdkconfig
```cpp

#
# Automatically generated file; DO NOT EDIT.
# Espressif IoT Development Framework Configuration
#

#
# SDK tool configuration
#
CONFIG_TOOLPREFIX="xtensa-esp32-elf-"
CONFIG_PYTHON="python"
CONFIG_MAKE_WARN_UNDEFINED_VARIABLES=y

#
# Bootloader config
#
CONFIG_LOG_BOOTLOADER_LEVEL_NONE=
CONFIG_LOG_BOOTLOADER_LEVEL_ERROR=
CONFIG_LOG_BOOTLOADER_LEVEL_WARN=
CONFIG_LOG_BOOTLOADER_LEVEL_INFO=y
CONFIG_LOG_BOOTLOADER_LEVEL_DEBUG=
CONFIG_LOG_BOOTLOADER_LEVEL_VERBOSE=
CONFIG_LOG_BOOTLOADER_LEVEL=3
CONFIG_BOOTLOADER_VDDSDIO_BOOST_1_8V=
CONFIG_BOOTLOADER_VDDSDIO_BOOST_1_9V=y
CONFIG_BOOTLOADER_FACTORY_RESET=
CONFIG_BOOTLOADER_APP_TEST=

#
# Security features
#
CONFIG_SECURE_BOOT_ENABLED=
CONFIG_FLASH_ENCRYPTION_ENABLED=

#
# Serial flasher config
#
CONFIG_ESPTOOLPY_PORT="/dev/ttyUSB0"
CONFIG_ESPTOOLPY_BAUD_115200B=y
CONFIG_ESPTOOLPY_BAUD_230400B=
CONFIG_ESPTOOLPY_BAUD_921600B=
CONFIG_ESPTOOLPY_BAUD_2MB=
CONFIG_ESPTOOLPY_BAUD_OTHER=
CONFIG_ESPTOOLPY_BAUD_OTHER_VAL=115200
CONFIG_ESPTOOLPY_BAUD=115200
CONFIG_ESPTOOLPY_COMPRESSED=y
CONFIG_FLASHMODE_QIO=
CONFIG_FLASHMODE_QOUT=
CONFIG_FLASHMODE_DIO=y
CONFIG_FLASHMODE_DOUT=
CONFIG_ESPTOOLPY_FLASHMODE="dio"
CONFIG_ESPTOOLPY_FLASHFREQ_80M=
CONFIG_ESPTOOLPY_FLASHFREQ_40M=y
CONFIG_ESPTOOLPY_FLASHFREQ_26M=
CONFIG_ESPTOOLPY_FLASHFREQ_20M=
CONFIG_ESPTOOLPY_FLASHFREQ="40m"
CONFIG_ESPTOOLPY_FLASHSIZE_1MB=
CONFIG_ESPTOOLPY_FLASHSIZE_2MB=y
CONFIG_ESPTOOLPY_FLASHSIZE_4MB=
CONFIG_ESPTOOLPY_FLASHSIZE_8MB=
CONFIG_ESPTOOLPY_FLASHSIZE_16MB=
CONFIG_ESPTOOLPY_FLASHSIZE="2MB"
CONFIG_ESPTOOLPY_FLASHSIZE_DETECT=y
CONFIG_ESPTOOLPY_BEFORE_RESET=y
CONFIG_ESPTOOLPY_BEFORE_NORESET=
CONFIG_ESPTOOLPY_BEFORE="default_reset"
CONFIG_ESPTOOLPY_AFTER_RESET=y
CONFIG_ESPTOOLPY_AFTER_NORESET=
CONFIG_ESPTOOLPY_AFTER="hard_reset"
CONFIG_MONITOR_BAUD_9600B=
CONFIG_MONITOR_BAUD_57600B=
CONFIG_MONITOR_BAUD_115200B=y
CONFIG_MONITOR_BAUD_230400B=
CONFIG_MONITOR_BAUD_921600B=
CONFIG_MONITOR_BAUD_2MB=
CONFIG_MONITOR_BAUD_OTHER=
CONFIG_MONITOR_BAUD_OTHER_VAL=115200
CONFIG_MONITOR_BAUD=115200

#
# Example Configuration
#
CONFIG_WIFI_SSID="###"
CONFIG_EAP_METHOD=1
CONFIG_EAP_ID="###"
CONFIG_EAP_USERNAME="##"
CONFIG_EAP_PASSWORD="###"

#
# Partition Table
#
CONFIG_PARTITION_TABLE_SINGLE_APP=y
CONFIG_PARTITION_TABLE_TWO_OTA=
CONFIG_PARTITION_TABLE_CUSTOM=
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
CONFIG_PARTITION_TABLE_FILENAME="partitions_singleapp.csv"
CONFIG_PARTITION_TABLE_OFFSET=0x8000
CONFIG_PARTITION_TABLE_MD5=y

#
# Compiler options
#
CONFIG_OPTIMIZATION_LEVEL_DEBUG=y
CONFIG_OPTIMIZATION_LEVEL_RELEASE=
CONFIG_OPTIMIZATION_ASSERTIONS_ENABLED=y
CONFIG_OPTIMIZATION_ASSERTIONS_SILENT=
CONFIG_OPTIMIZATION_ASSERTIONS_DISABLED=
CONFIG_CXX_EXCEPTIONS=
CONFIG_STACK_CHECK_NONE=y
CONFIG_STACK_CHECK_NORM=
CONFIG_STACK_CHECK_STRONG=
CONFIG_STACK_CHECK_ALL=
CONFIG_STACK_CHECK=
CONFIG_WARN_WRITE_STRINGS=

#
# Component config
#

#
# Application Level Tracing
#
CONFIG_ESP32_APPTRACE_DEST_TRAX=
CONFIG_ESP32_APPTRACE_DEST_NONE=y
CONFIG_ESP32_APPTRACE_ENABLE=
CONFIG_ESP32_APPTRACE_LOCK_ENABLE=y
CONFIG_AWS_IOT_SDK=

#
# Bluetooth
#
CONFIG_BT_ENABLED=
CONFIG_BTDM_CONTROLLER_PINNED_TO_CORE=0
CONFIG_BT_RESERVE_DRAM=0

#
# Driver configurations
#

#
# ADC configuration
#
CONFIG_ADC_FORCE_XPD_FSM=
CONFIG_ADC2_DISABLE_DAC=y

#
# SPI master configuration
#
CONFIG_SPI_MASTER_IN_IRAM=
CONFIG_SPI_MASTER_ISR_IN_IRAM=y

#
# ESP32-specific
#
CONFIG_ESP32_DEFAULT_CPU_FREQ_80=
CONFIG_ESP32_DEFAULT_CPU_FREQ_160=y
CONFIG_ESP32_DEFAULT_CPU_FREQ_240=
CONFIG_ESP32_DEFAULT_CPU_FREQ_MHZ=160
CONFIG_SPIRAM_SUPPORT=
CONFIG_MEMMAP_TRACEMEM=
CONFIG_MEMMAP_TRACEMEM_TWOBANKS=
CONFIG_ESP32_TRAX=
CONFIG_TRACEMEM_RESERVE_DRAM=0x0
CONFIG_ESP32_ENABLE_COREDUMP_TO_FLASH=
CONFIG_ESP32_ENABLE_COREDUMP_TO_UART=
CONFIG_ESP32_ENABLE_COREDUMP_TO_NONE=y
CONFIG_ESP32_ENABLE_COREDUMP=
CONFIG_TWO_UNIVERSAL_MAC_ADDRESS=
CONFIG_FOUR_UNIVERSAL_MAC_ADDRESS=y
CONFIG_NUMBER_OF_UNIVERSAL_MAC_ADDRESS=4
CONFIG_SYSTEM_EVENT_QUEUE_SIZE=32
CONFIG_SYSTEM_EVENT_TASK_STACK_SIZE=2304
CONFIG_MAIN_TASK_STACK_SIZE=3584
CONFIG_IPC_TASK_STACK_SIZE=1024
CONFIG_TIMER_TASK_STACK_SIZE=3584
CONFIG_NEWLIB_STDOUT_LINE_ENDING_CRLF=y
CONFIG_NEWLIB_STDOUT_LINE_ENDING_LF=
CONFIG_NEWLIB_STDOUT_LINE_ENDING_CR=
CONFIG_NEWLIB_STDIN_LINE_ENDING_CRLF=
CONFIG_NEWLIB_STDIN_LINE_ENDING_LF=
CONFIG_NEWLIB_STDIN_LINE_ENDING_CR=y
CONFIG_NEWLIB_NANO_FORMAT=
CONFIG_CONSOLE_UART_DEFAULT=y
CONFIG_CONSOLE_UART_CUSTOM=
CONFIG_CONSOLE_UART_NONE=
CONFIG_CONSOLE_UART_NUM=0
CONFIG_CONSOLE_UART_BAUDRATE=115200
CONFIG_ULP_COPROC_ENABLED=
CONFIG_ULP_COPROC_RESERVE_MEM=0
CONFIG_ESP32_PANIC_PRINT_HALT=
CONFIG_ESP32_PANIC_PRINT_REBOOT=y
CONFIG_ESP32_PANIC_SILENT_REBOOT=
CONFIG_ESP32_PANIC_GDBSTUB=
CONFIG_ESP32_DEBUG_OCDAWARE=y
CONFIG_ESP32_DEBUG_STUBS_ENABLE=y
CONFIG_INT_WDT=y
CONFIG_INT_WDT_TIMEOUT_MS=300
CONFIG_INT_WDT_CHECK_CPU1=y
CONFIG_TASK_WDT=y
CONFIG_TASK_WDT_PANIC=
CONFIG_TASK_WDT_TIMEOUT_S=5
CONFIG_TASK_WDT_CHECK_IDLE_TASK_CPU0=y
CONFIG_TASK_WDT_CHECK_IDLE_TASK_CPU1=y
CONFIG_BROWNOUT_DET=y
CONFIG_BROWNOUT_DET_LVL_SEL_0=y
CONFIG_BROWNOUT_DET_LVL_SEL_1=
CONFIG_BROWNOUT_DET_LVL_SEL_2=
CONFIG_BROWNOUT_DET_LVL_SEL_3=
CONFIG_BROWNOUT_DET_LVL_SEL_4=
CONFIG_BROWNOUT_DET_LVL_SEL_5=
CONFIG_BROWNOUT_DET_LVL_SEL_6=
CONFIG_BROWNOUT_DET_LVL_SEL_7=
CONFIG_BROWNOUT_DET_LVL=0
CONFIG_ESP32_TIME_SYSCALL_USE_RTC_FRC1=y
CONFIG_ESP32_TIME_SYSCALL_USE_RTC=
CONFIG_ESP32_TIME_SYSCALL_USE_FRC1=
CONFIG_ESP32_TIME_SYSCALL_USE_NONE=
CONFIG_ESP32_RTC_CLOCK_SOURCE_INTERNAL_RC=y
CONFIG_ESP32_RTC_CLOCK_SOURCE_EXTERNAL_CRYSTAL=
CONFIG_ESP32_RTC_CLK_CAL_CYCLES=1024
CONFIG_ESP32_DEEP_SLEEP_WAKEUP_DELAY=2000
CONFIG_ESP32_XTAL_FREQ_40=y
CONFIG_ESP32_XTAL_FREQ_26=
CONFIG_ESP32_XTAL_FREQ_AUTO=
CONFIG_ESP32_XTAL_FREQ=40
CONFIG_DISABLE_BASIC_ROM_CONSOLE=
CONFIG_NO_BLOBS=
CONFIG_ESP_TIMER_PROFILING=
CONFIG_COMPATIBLE_PRE_V2_1_BOOTLOADERS=
CONFIG_ESP_ERR_TO_NAME_LOOKUP=y

#
# Wi-Fi
#
CONFIG_ESP32_WIFI_STATIC_RX_BUFFER_NUM=10
CONFIG_ESP32_WIFI_DYNAMIC_RX_BUFFER_NUM=32
CONFIG_ESP32_WIFI_STATIC_TX_BUFFER=
CONFIG_ESP32_WIFI_DYNAMIC_TX_BUFFER=y
CONFIG_ESP32_WIFI_TX_BUFFER_TYPE=1
CONFIG_ESP32_WIFI_DYNAMIC_TX_BUFFER_NUM=32
CONFIG_ESP32_WIFI_CSI_ENABLED=
CONFIG_ESP32_WIFI_AMPDU_TX_ENABLED=y
CONFIG_ESP32_WIFI_TX_BA_WIN=6
CONFIG_ESP32_WIFI_AMPDU_RX_ENABLED=y
CONFIG_ESP32_WIFI_RX_BA_WIN=6
CONFIG_ESP32_WIFI_NVS_ENABLED=y
CONFIG_ESP32_WIFI_TASK_PINNED_TO_CORE_0=y
CONFIG_ESP32_WIFI_TASK_PINNED_TO_CORE_1=

#
# PHY
#
CONFIG_ESP32_PHY_CALIBRATION_AND_DATA_STORAGE=y
CONFIG_ESP32_PHY_INIT_DATA_IN_PARTITION=
CONFIG_ESP32_PHY_MAX_WIFI_TX_POWER=20
CONFIG_ESP32_PHY_MAX_TX_POWER=20

#
# Power Management
#
CONFIG_PM_ENABLE=

#
# ADC-Calibration
#
CONFIG_ADC_CAL_EFUSE_TP_ENABLE=y
CONFIG_ADC_CAL_EFUSE_VREF_ENABLE=y
CONFIG_ADC_CAL_LUT_ENABLE=y

#
# ESP HTTP client
#
CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=y

#
# Ethernet
#
CONFIG_DMA_RX_BUF_NUM=10
CONFIG_DMA_TX_BUF_NUM=10
CONFIG_EMAC_L2_TO_L3_RX_BUF_MODE=
CONFIG_EMAC_TASK_PRIORITY=20

#
# FAT Filesystem support
#
CONFIG_FATFS_CODEPAGE_DYNAMIC=
CONFIG_FATFS_CODEPAGE_437=y
CONFIG_FATFS_CODEPAGE_720=
CONFIG_FATFS_CODEPAGE_737=
CONFIG_FATFS_CODEPAGE_771=
CONFIG_FATFS_CODEPAGE_775=
CONFIG_FATFS_CODEPAGE_850=
CONFIG_FATFS_CODEPAGE_852=
CONFIG_FATFS_CODEPAGE_855=
CONFIG_FATFS_CODEPAGE_857=
CONFIG_FATFS_CODEPAGE_860=
CONFIG_FATFS_CODEPAGE_861=
CONFIG_FATFS_CODEPAGE_862=
CONFIG_FATFS_CODEPAGE_863=
CONFIG_FATFS_CODEPAGE_864=
CONFIG_FATFS_CODEPAGE_865=
CONFIG_FATFS_CODEPAGE_866=
CONFIG_FATFS_CODEPAGE_869=
CONFIG_FATFS_CODEPAGE_932=
CONFIG_FATFS_CODEPAGE_936=
CONFIG_FATFS_CODEPAGE_949=
CONFIG_FATFS_CODEPAGE_950=
CONFIG_FATFS_CODEPAGE=437
CONFIG_FATFS_LFN_NONE=y
CONFIG_FATFS_LFN_HEAP=
CONFIG_FATFS_LFN_STACK=
CONFIG_FATFS_FS_LOCK=0
CONFIG_FATFS_TIMEOUT_MS=10000
CONFIG_FATFS_PER_FILE_CACHE=y

#
# FreeRTOS
#
CONFIG_FREERTOS_UNICORE=
CONFIG_FREERTOS_CORETIMER_0=y
CONFIG_FREERTOS_CORETIMER_1=
CONFIG_FREERTOS_HZ=100
CONFIG_FREERTOS_ASSERT_ON_UNTESTED_FUNCTION=y
CONFIG_FREERTOS_CHECK_STACKOVERFLOW_NONE=
CONFIG_FREERTOS_CHECK_STACKOVERFLOW_PTRVAL=
CONFIG_FREERTOS_CHECK_STACKOVERFLOW_CANARY=y
CONFIG_FREERTOS_WATCHPOINT_END_OF_STACK=
CONFIG_FREERTOS_INTERRUPT_BACKTRACE=y
CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS=1
CONFIG_FREERTOS_ASSERT_FAIL_ABORT=y
CONFIG_FREERTOS_ASSERT_FAIL_PRINT_CONTINUE=
CONFIG_FREERTOS_ASSERT_DISABLE=
CONFIG_FREERTOS_IDLE_TASK_STACKSIZE=1536
CONFIG_FREERTOS_ISR_STACKSIZE=1536
CONFIG_FREERTOS_LEGACY_HOOKS=
CONFIG_FREERTOS_MAX_TASK_NAME_LEN=16
CONFIG_SUPPORT_STATIC_ALLOCATION=
CONFIG_TIMER_TASK_PRIORITY=1
CONFIG_TIMER_TASK_STACK_DEPTH=2048
CONFIG_TIMER_QUEUE_LENGTH=10
CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE=0
CONFIG_FREERTOS_USE_TRACE_FACILITY=
CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS=
CONFIG_FREERTOS_DEBUG_INTERNALS=

#
# Heap memory debugging
#
CONFIG_HEAP_POISONING_DISABLED=y
CONFIG_HEAP_POISONING_LIGHT=
CONFIG_HEAP_POISONING_COMPREHENSIVE=
CONFIG_HEAP_TRACING=

#
# libsodium
#
CONFIG_LIBSODIUM_USE_MBEDTLS_SHA=y

#
# Log output
#
CONFIG_LOG_DEFAULT_LEVEL_NONE=
CONFIG_LOG_DEFAULT_LEVEL_ERROR=
CONFIG_LOG_DEFAULT_LEVEL_WARN=
CONFIG_LOG_DEFAULT_LEVEL_INFO=
CONFIG_LOG_DEFAULT_LEVEL_DEBUG=
CONFIG_LOG_DEFAULT_LEVEL_VERBOSE=y
CONFIG_LOG_DEFAULT_LEVEL=5
CONFIG_LOG_COLORS=y

#
# LWIP
#
CONFIG_L2_TO_L3_COPY=
CONFIG_LWIP_IRAM_OPTIMIZATION=
CONFIG_LWIP_MAX_SOCKETS=10
CONFIG_USE_ONLY_LWIP_SELECT=
CONFIG_LWIP_SO_REUSE=y
CONFIG_LWIP_SO_REUSE_RXTOALL=y
CONFIG_LWIP_SO_RCVBUF=
CONFIG_LWIP_DHCP_MAX_NTP_SERVERS=1
CONFIG_LWIP_IP_FRAG=
CONFIG_LWIP_IP_REASSEMBLY=
CONFIG_LWIP_STATS=
CONFIG_LWIP_ETHARP_TRUST_IP_MAC=y
CONFIG_TCPIP_RECVMBOX_SIZE=32
CONFIG_LWIP_DHCP_DOES_ARP_CHECK=y

#
# DHCP server
#
CONFIG_LWIP_DHCPS_LEASE_UNIT=60
CONFIG_LWIP_DHCPS_MAX_STATION_NUM=8
CONFIG_LWIP_AUTOIP=
CONFIG_LWIP_NETIF_LOOPBACK=y
CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8

#
# TCP
#
CONFIG_LWIP_MAX_ACTIVE_TCP=16
CONFIG_LWIP_MAX_LISTENING_TCP=16
CONFIG_TCP_MAXRTX=12
CONFIG_TCP_SYNMAXRTX=6
CONFIG_TCP_MSS=1436
CONFIG_TCP_MSL=60000
CONFIG_TCP_SND_BUF_DEFAULT=5744
CONFIG_TCP_WND_DEFAULT=5744
CONFIG_TCP_RECVMBOX_SIZE=6
CONFIG_TCP_QUEUE_OOSEQ=y
CONFIG_ESP_TCP_KEEP_CONNECTION_WHEN_IP_CHANGES=
CONFIG_TCP_OVERSIZE_MSS=y
CONFIG_TCP_OVERSIZE_QUARTER_MSS=
CONFIG_TCP_OVERSIZE_DISABLE=

#
# UDP
#
CONFIG_LWIP_MAX_UDP_PCBS=16
CONFIG_UDP_RECVMBOX_SIZE=6
CONFIG_TCPIP_TASK_STACK_SIZE=2560
CONFIG_PPP_SUPPORT=

#
# ICMP
#
CONFIG_LWIP_MULTICAST_PING=
CONFIG_LWIP_BROADCAST_PING=

#
# LWIP RAW API
#
CONFIG_LWIP_MAX_RAW_PCBS=16

#
# mbedTLS
#
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
CONFIG_MBEDTLS_DEBUG=
CONFIG_MBEDTLS_HARDWARE_AES=y
CONFIG_MBEDTLS_HARDWARE_MPI=
CONFIG_MBEDTLS_HARDWARE_SHA=
CONFIG_MBEDTLS_HAVE_TIME=y
CONFIG_MBEDTLS_HAVE_TIME_DATE=
CONFIG_MBEDTLS_TLS_SERVER_AND_CLIENT=y
CONFIG_MBEDTLS_TLS_SERVER_ONLY=
CONFIG_MBEDTLS_TLS_CLIENT_ONLY=
CONFIG_MBEDTLS_TLS_DISABLED=
CONFIG_MBEDTLS_TLS_SERVER=y
CONFIG_MBEDTLS_TLS_CLIENT=y
CONFIG_MBEDTLS_TLS_ENABLED=y

#
# TLS Key Exchange Methods
#
CONFIG_MBEDTLS_PSK_MODES=
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA=y
CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
CONFIG_MBEDTLS_SSL_PROTO_SSL3=
CONFIG_MBEDTLS_SSL_PROTO_TLS1=y
CONFIG_MBEDTLS_SSL_PROTO_TLS1_1=y
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y
CONFIG_MBEDTLS_SSL_PROTO_DTLS=
CONFIG_MBEDTLS_SSL_ALPN=y
CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y

#
# Symmetric Ciphers
#
CONFIG_MBEDTLS_AES_C=y
CONFIG_MBEDTLS_CAMELLIA_C=
CONFIG_MBEDTLS_DES_C=
CONFIG_MBEDTLS_RC4_DISABLED=y
CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT=
CONFIG_MBEDTLS_RC4_ENABLED=
CONFIG_MBEDTLS_BLOWFISH_C=
CONFIG_MBEDTLS_XTEA_C=
CONFIG_MBEDTLS_CCM_C=y
CONFIG_MBEDTLS_GCM_C=y
CONFIG_MBEDTLS_RIPEMD160_C=

#
# Certificates
#
CONFIG_MBEDTLS_PEM_PARSE_C=y
CONFIG_MBEDTLS_PEM_WRITE_C=y
CONFIG_MBEDTLS_X509_CRL_PARSE_C=y
CONFIG_MBEDTLS_X509_CSR_PARSE_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED=y
CONFIG_MBEDTLS_ECP_NIST_OPTIM=y

#
# OpenSSL
#
CONFIG_OPENSSL_DEBUG=
CONFIG_OPENSSL_ASSERT_DO_NOTHING=y
CONFIG_OPENSSL_ASSERT_EXIT=

#
# PThreads
#
CONFIG_ESP32_PTHREAD_TASK_PRIO_DEFAULT=5
CONFIG_ESP32_PTHREAD_TASK_STACK_SIZE_DEFAULT=3072

#
# SPI Flash driver
#
CONFIG_SPI_FLASH_VERIFY_WRITE=
CONFIG_SPI_FLASH_ENABLE_COUNTERS=
CONFIG_SPI_FLASH_ROM_DRIVER_PATCH=y
CONFIG_SPI_FLASH_WRITING_DANGEROUS_REGIONS_ABORTS=y
CONFIG_SPI_FLASH_WRITING_DANGEROUS_REGIONS_FAILS=
CONFIG_SPI_FLASH_WRITING_DANGEROUS_REGIONS_ALLOWED=

#
# SPIFFS Configuration
#
CONFIG_SPIFFS_MAX_PARTITIONS=3

#
# SPIFFS Cache Configuration
#
CONFIG_SPIFFS_CACHE=y
CONFIG_SPIFFS_CACHE_WR=y
CONFIG_SPIFFS_CACHE_STATS=
CONFIG_SPIFFS_PAGE_CHECK=y
CONFIG_SPIFFS_GC_MAX_RUNS=10
CONFIG_SPIFFS_GC_STATS=
CONFIG_SPIFFS_PAGE_SIZE=256
CONFIG_SPIFFS_OBJ_NAME_LEN=32
CONFIG_SPIFFS_USE_MAGIC=y
CONFIG_SPIFFS_USE_MAGIC_LENGTH=y
CONFIG_SPIFFS_META_LENGTH=4
CONFIG_SPIFFS_USE_MTIME=y

#
# Debug Configuration
#
CONFIG_SPIFFS_DBG=
CONFIG_SPIFFS_API_DBG=
CONFIG_SPIFFS_GC_DBG=
CONFIG_SPIFFS_CACHE_DBG=
CONFIG_SPIFFS_CHECK_DBG=
CONFIG_SPIFFS_TEST_VISUALISATION=

#
# tcpip adapter
#
CONFIG_IP_LOST_TIMER_INTERVAL=120

#
# Virtual file system
#
CONFIG_SUPPRESS_SELECT_DEBUG_OUTPUT=y

#
# Wear Levelling
#
CONFIG_WL_SECTOR_SIZE_512=
CONFIG_WL_SECTOR_SIZE_4096=y
CONFIG_WL_SECTOR_SIZE=4096

[negativekelvin]

Received alert 2:20

fatal, bad_record_mac

Not that helpful, just pointing it out

[andrefilipin]

@negativekelvin thanks for your comment,
how did you "translate" "Received alert 2:20" to "fatal, bad_record_mac"?

I'll ask the network owner with this information,

thanks

[XinDeng11]

Hi @andrefilipin, I saw you mark down the certificate check, it will jump the certificate check to build TLS tunnel. However, it only effect when the server don't check ca cerificate also, have you disable the ca certificate in server? The configure is in the hostapd.conf

[andrefilipin]

Hello @XinDeng11,
I'dont have access to server, but I know it's not a freeradius.
When I connect's with my mac it ask to accept the cert, I expect the same behavior on esp, there is a way to do it?

Obs: I'm waiting the network admin to give me the cert files,

Thanks for your help

[XinDeng11]

It's hard to do now, because we have some urgent thing to do. However, build a server is not hard, even you can do it in your mac book. Just follow the step in the document
set_up_radius_server_with_hostapd.zip
And we have put the certificate in the floder wifi/wpa2_enterprise/main, you can try EAP method PEAP/TTLS/TLS

[l8l8l]

seems you're trying to connect to a Cisco WLC using self signed certificate and without Radius behind.
I have the exact same error.
to export the self signed certificate from WLC is not easy.
https://supportforums.cisco.com/t5/security-and-network-management/export-ssc-self-signed-certificate-from-wlc/td-p/2924297

Expecting Espressif could make a test with a Cisco WLC and find the root cause because it's very popular in many industries. (Cisco WLC+self signed certificate+no Radius)

Thanks in advance.

[andrefilipin]

@l8l8l this is exactly my enviroment, I asked for the cert files to network manager but without success,

I found a bug reported at cisco, https://quickview.cloudapps.cisco.com/quickview/bug/CSCuz66826

Do you see relation with our problem?

thanks for your help,

[XinDeng11]

Hi@andrefilipin @l8l8l, after our discussion. We plan to buy the router do test. Could you offer a link of this router for us? Very thanks

[andrefilipin]

Hi @XinDeng11

this is my gear https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-2700-series-access-point/datasheet-c78-730593.html

waiting for news

thanks

[negativekelvin]

That's the AP but the controller is air-ct5508-k9.

Have you tried exporting the certificate from your osx keychain?

[andrefilipin]

@negativekelvin thanks for your reply,

I tried to export the certificate, but i can only export to pem extension,

how can i export the .crt/key?

thanks

[negativekelvin]

That should be the ca cert I know it says optional just wondering if you tried it.

[PaulFreund]

We are also in a Cisco environment with Radius server in the backend. Maybe @XinDeng11
can explain if this should work without client certificate? My Android is able to connect without installing any certificates but I don't know if Android automatically generates a valid self signed certificate. I documented everything at https://www.esp32.com/viewtopic.php?f=2&t=3108&start=10#p28331

PS: This seems to be related to #1297

[PaulFreund]

@XinDeng11 As discussed in #2222 I could provide monitor mode logs once I order a compatible WiFi dongle, but please let us clarify one thing first so we are on the same page:

1. I can't and don't need to change anything on the Wifi Router/Radius server
2. My Android phone can connect fine with PEAP and do not validate ca certificate
3. Should ESP32 also be able to connect without setting any certificates? (even if unsafe)

[XinDeng11]

@PaulFreund 1. radius server need disable the ca certificate check if you want to connect with 32 with ca certificate
2. I am not sure why smart phone can connect
3. ESP32 can connect without cerificate after you change the radius server, this is only avildable in PEAP method

[PaulFreund]

@XinDeng11

1. I have asked IT, Radius server does not require client certificates (I don't know if they can be missing or can be self signed)
2. I have ordered a monitor mode capable WiFi interface, I will create a log of my smartphone authenticating
3. If I try to connect without setting certificate via esp_wifi_sta_wpa2_ent_set_cert_key I get:
   I (1596) wpa: EAP-TLS: Private key not configured
   E (1596) wpa: Method private structure allocated failure
   I'm using WPA2_CONFIG_INIT_DEFAULT() and have identity, username and password set

[XinDeng11]

Don't call esp_wifi_sta_wpa2_ent_set_ca_cert() either

[PaulFreund]

This function is also not present, this is the current iteration of my code:

void DeviceManager::connectAPEnterprise(std::string ssid, std::string identity, std::string password) {
    wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();

    if(ESP_OK != esp_wifi_init(&cfg)) { ESP_LOGE(LOGTAG, "[STA] esp_wifi_init failed"); }
    
    if(ESP_OK != esp_wifi_set_storage(WIFI_STORAGE_RAM)) { ESP_LOGE(LOGTAG, "[STA] esp_wifi_set_storage failed"); }

    if(ESP_OK != esp_wifi_set_mode(WIFI_MODE_STA)) { ESP_LOGE(LOGTAG, "[STA] esp_wifi_set_mode failed"); }

    if(ESP_OK != esp_wifi_start()) { ESP_LOGE(LOGTAG, "[STA] esp_wifi_start failed"); }


    wifi_config_t sta_config;
    memset(&sta_config,0,sizeof(sta_config));
    strcpy((char*)(&sta_config.sta.ssid), ssid.c_str());

    if(ESP_OK != esp_wifi_set_config(ESP_IF_WIFI_STA, &sta_config)) { ESP_LOGE(LOGTAG, "[STA] esp_wifi_set_config failed"); }

    esp_wifi_sta_wpa2_ent_set_identity((const unsigned char*)identity.c_str(), identity.length());
    esp_wifi_sta_wpa2_ent_set_username((const unsigned char*)identity.c_str(), identity.length());
    esp_wifi_sta_wpa2_ent_set_password((const unsigned char*)password.c_str(), password.length());

    esp_wpa2_config_t wpa_config = WPA2_CONFIG_INIT_DEFAULT();
    esp_wifi_sta_wpa2_ent_enable(&wpa_config);

    ESP_LOGI(LOGTAG, "[STA Enterprise] Wifi start");

    if(ESP_OK != esp_wifi_connect()) { ESP_LOGE(LOGTAG, "[STA] esp_wifi_connect failed"); }
}

Which yields at runtime (Log level Verbose for wifi and wpa):

I (599) wifi: wifi driver task: 3ffcddc4, prio:23, stack:3584, core=0
I (599) wifi: wifi firmware version: 633012a
I (599) wifi: config NVS flash: enabled
I (609) wifi: config nano formating: disabled
I (629) wifi: Init dynamic tx buffer num: 32
I (629) wifi: Init data frame dynamic rx buffer num: 32
I (629) wifi: Init management frame dynamic rx buffer num: 32
I (629) wifi: Init static rx buffer size: 1600
I (629) wifi: Init static rx buffer num: 10
I (639) wifi: Init dynamic rx buffer num: 32
I (699) phy: phy_version: 3960, 5211945, Jul 18 2018, 10:40:07, 0, 0
I (699) wifi: mode : sta (XX:XX:XX:XX:XX:XX)
I (699) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (819) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1489) wifi: state: init -> auth (b0)
I (1509) wifi: state: auth -> assoc (0)
I (1519) wifi: state: assoc -> run (10)
I (1519) wpa: wpa2_task prio:2, stack:6656

I (1589) wpa: EAP-TLS: Private key not configured
E (1589) wpa: Method private structure allocated failure

I (1639) wpa: >>>>>wpa2 FAILED

[XinDeng11]

Maybe you can try to invoke esp_wifi_start() after wpa2_ent_enable

[PaulFreund]

Already tried because I was not sure how initializes what but it does not make a difference. Only thing I can tell is that sometimes after rebooting instead of the wpa2 FAILED it hangs at:

I (599) wifi: wifi driver task: 3ffcddc4, prio:23, stack:3584, core=0
I (599) wifi: wifi firmware version: 633012a
I (599) wifi: config NVS flash: enabled
I (609) wifi: config nano formating: disabled
I (629) wifi: Init dynamic tx buffer num: 32
I (629) wifi: Init data frame dynamic rx buffer num: 32
I (629) wifi: Init management frame dynamic rx buffer num: 32
I (629) wifi: Init static rx buffer size: 1600
I (639) wifi: Init static rx buffer num: 10
I (639) wifi: Init dynamic rx buffer num: 32
I (699) phy: phy_version: 3960, 5211945, Jul 18 2018, 10:40:07, 0, 0
I (699) wifi: mode : sta (XX:XX:XX:XX:XX:XX)
I (719) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (839) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1509) wifi: state: init -> auth (b0)
I (1509) wifi: state: auth -> assoc (0)
I (2509) wifi: state: assoc -> init (400)
I (2519) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1

PS: Also changing storage to Flash does not have an impact

[XinDeng11]

try again, I think it is another issue which we have fixed in the latest code

[PaulFreund]

Tested with newest master esp-idf cc8ad72 with updated submodules, wifi firmware now d9df943:

I (609) wifi: wifi driver task: 3ffcdd34, prio:23, stack:3584, core=0
I (609) wifi: wifi firmware version: d9df943
I (609) wifi: config NVS flash: enabled
I (609) wifi: config nano formating: disabled
I (629) wifi: Init dynamic tx buffer num: 32
I (629) wifi: Init data frame dynamic rx buffer num: 32
I (629) wifi: Init management frame dynamic rx buffer num: 32
I (639) wifi: Init static rx buffer size: 1600
I (639) wifi: Init static rx buffer num: 10
I (649) wifi: Init dynamic rx buffer num: 32
I (709) phy: phy_version: 3960, 5211945, Jul 18 2018, 10:40:07, 0, 0
I (709) wifi: mode : sta (XX:XX:XX:XX:XX:XX)
I (709) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (829) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1499) wifi: state: init -> auth (b0)
I (1509) wifi: state: auth -> assoc (0)
I (1529) wifi: state: assoc -> run (10)
I (1529) wpa: wpa2_task prio:2, stack:6656

I (1599) wpa: EAP-TLS: Private key not configured
E (1599) wpa: Method private structure allocated failure

I (1669) wpa: >>>>>wpa2 FAILED

[XinDeng11]

It looks still need certificate, I have no idea now, because it still remind you should set private key, maybe we can find something from the air packets

[negativekelvin]

@XinDeng11 if client certificate/key is not configured then eap-tls should not be registered as an available peer method?

@PaulFreund maybe try building without -DEAP_TLS ?

esp-idf/components/wpa_supplicant/component.mk

Line 4 in aaf1239

CFLAGS += -DEMBEDDED_SUPP -DIEEE8021X_EAPOL -DEAP_PEER_METHOD -DEAP_MSCHAPv2 -DEAP_TTLS -DEAP_TLS -DEAP_PEAP -DUSE_WPA2_TASK -DCONFIG_WPS2 -DCONFIG_WPS_PIN -DUSE_WPS_TASK -DESPRESSIF_USE -DESP32_WORKAROUND -D__ets__ -Wno-strict-aliasing

[XinDeng11]

you can try, but it may crash as I remember

[PaulFreund]

@negativekelvin This is without -DEAP_TLS:

I (295) wifi: wifi driver task: 3ffcdd34, prio:23, stack:3584, core=0
I (295) wifi: wifi firmware version: d9df943
I (295) wifi: config NVS flash: enabled
I (295) wifi: config nano formating: disabled
I (315) wifi: Init dynamic tx buffer num: 32
I (325) wifi: Init data frame dynamic rx buffer num: 32
I (325) wifi: Init management frame dynamic rx buffer num: 32
I (325) wifi: Init static rx buffer size: 1600
I (325) wifi: Init static rx buffer num: 10
I (335) wifi: Init dynamic rx buffer num: 32
I (395) phy: phy_version: 3960, 5211945, Jul 18 2018, 10:40:07, 0, 0
I (395) wifi: mode : sta (XX:XX:XX:XX:XX:XX)
I (395) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (515) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1375) wifi: state: init -> auth (b0)
I (1385) wifi: state: auth -> assoc (0)
I (1415) wifi: state: assoc -> run (10)
I (1415) wpa: wpa2_task prio:2, stack:6656

D (1545) wpa: TLS: using phase1 config options
D (1545) wpa: SSL: Received packet(len=6) - Flags 0x20
D (1545) wpa: EAP-PEAP: Start (server ver=0, own ver=1)
D (1555) wpa: EAP-PEAP: Using PEAP version 0
D (1555) wpa: TLSv1: Send ClientHello
D (1555) wpa: SSL: 62 bytes left to be sent out (of total 62 bytes)
D (1785) wpa: SSL: Received packet(len=1296) - Flags 0xc0
D (1785) wpa: SSL: TLS Message Length: 3633
I (1785) wpa: SSL: Need 2347 bytes more input data
D (1785) wpa: SSL: Building ACK (type=25 id=5 ver=0)

D (1875) wpa: SSL: Received packet(len=1296) - Flags 0x40
I (1875) wpa: SSL: Need 1057 bytes more input data
D (1875) wpa: SSL: Building ACK (type=25 id=6 ver=0)

D (1935) wpa: SSL: Received packet(len=1063) - Flags 0x00
D (1935) wpa: TLSv1: Received content type 22 version 3.1 length 3628
D (1935) wpa: TLSv1: Received ServerHello
D (1945) wpa: TLSv1: Using TLS v1.0
D (1945) wpa: TLSv1: Selected cipher suite: 0x0035
D (1945) wpa: TLSv1: Received Certificate (certificate_list len 3536)
D (1955) wpa: TLSv1: Certificate 0 (len 1908)
D (1955) wpa: X509: Version X.509v3
D (1965) wpa: X509: serialNumber 53251
D (1965) wpa: X509: issuer CENSORED
D (1975) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (1975) wpa: X509: subject CENSORED
D (1995) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (1995) wpa: ASN.1: Extended tag data: 0x04
D (2005) wpa: X509: Extension: extnID=2.5.29.15 critical=255
D (2005) wpa: X509: KeyUsage 0x5
D (2005) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (2015) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (2015) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (2025) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.21.7 critical=0
D (2035) wpa: X509: Extension: extnID=2.5.29.37 critical=0
D (2035) wpa: X509: Extension: extnID=2.5.29.32 critical=0
D (2045) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.21.10 critical=0

Stack smashing protect failure!
[...]

unfortunately crashes but I can actually see negotiation going on. Also leaving EAP_TLS inside and removing the call eap_peer_tls_register leads to a crash.

@XinDeng11

I (1599) wpa: EAP-TLS: Private key not configured

This happens in eap_tls_init of eap_tls.c inside wpa_supplicant. I did not have a lot of time to go through wpa_supplicant and I don't know the terminiology but what irritates me is that I can only find one call to eap_method* init functions in eap_peap.c line 730 which would lead to a wpa_printf a few lines later. Should the next method be tried then?

E (1599) wpa: Method private structure allocated failure

This looks like an actual error and I can't find the text inside wpa_supplicant which suggests it is actually inside the wifi library, is this correct?

[PaulFreund]

PS: Here is the stack trace

abort() was called at PC 0x400d3508 on core 1
0x400d3508: __stack_chk_fail at /mnt/c/esp/esp-idf/components/esp32/stack_check.c:36


Backtrace: 0x4008f48c:0x3ffd4ea0 0x4008f661:0x3ffd4ec0 0x400d3508:0x3ffd4ee0 0x400f4a39:0x3ffd4f00 0x400f4af4:0x3ffd4fd0 0x400f18d1:0x3ffd5020 0x400f5cea:0x3ffd5040 0x400f62c5:0x3ffd50a0 0x400ef869:0x3ffd50d0 0x400ed0ee:0x3ffd5120 0x400ed149:0x3ffd5160 0x400e9c33:0x3ffd5180 0x400e9e25:0x3ffd51c0 0x400ec362:0x3ffd51e0 0x4012cc2a:0x3ffd5260 0x4012cebd:0x3ffd5290
0x4008f48c: invoke_abort at /mnt/c/esp/esp-idf/components/esp32/panic.c:660

0x4008f661: abort at /mnt/c/esp/esp-idf/components/esp32/panic.c:660

0x400d3508: __stack_chk_fail at /mnt/c/esp/esp-idf/components/esp32/stack_check.c:36

0x400f4a39: x509_parse_tbs_certificate at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/x509v3.c:1446

0x400f4af4: x509_certificate_parse at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/x509v3.c:1555

0x400f18d1: tls_parse_cert at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/tlsv1_common.c:164

0x400f5cea: tls_process_certificate at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/tlsv1_client_read.c:336

0x400f62c5: tlsv1_client_process_handshake at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/tlsv1_client_read.c:958

0x400ef869: tlsv1_client_handshake at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/tlsv1_client.c:801

0x400ed0ee: tls_connection_handshake2 at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/tls_internal.c:568

0x400ed149: tls_connection_handshake at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/tls/tls_internal.c:568

0x400e9c33: eap_tls_process_input at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/eap_peer/eap_tls_common.c:482

0x400e9e25: eap_peer_tls_process_helper at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/eap_peer/eap_tls_common.c:630

0x400ec362: eap_peap_process at /mnt/c/esp/esp-idf/components/wpa_supplicant/src/wpa2/eap_peer/eap_peap.c:1097

0x4012cc2a: eap_sm_process_request at ??:?

0x4012cebd: wpa2Task at ??:?

EDIT: It seems that x509_parse_tbs_certificate is violating it's canary, unfortunately the function is quite big and I don't have a debugger set up yet.

[XinDeng11]

I told you it will crash because the TLS tunnel can not finish after close EAP-TLS macro, the best way is try to find somthing in air packet now

[PaulFreund]

I have some logs now, unfortunately I feel they are incomplete, I tried to fix the channel but it seems I still miss a lot. I use a Alfa Networks AWUS036NHA with Kali Linux and Wireshark. Monitor mode via airmon-ng fixed to the channel of the access point.

If you need the full logs we have to talk about a NDA and do this in private but I can share some screenshots of the communication with my phone and the one with ESP32

In every log I filtered for the MAC address of the STA in any of the address fields.

1. Those logs are with most recent master and the exact code I posted above (result is I (1599) wpa: EAP-TLS: Private key not configured). The log always ends after this

2. Those logs are with recent master and EAP_TLS disabled, crashing

3. Here are logs from my Android phone (connection working)

@XinDeng11 please tell me any additional information you might need and which packages we need the details (and maybe what details

@negativekelvin I don't think the reason is a too small stack but rather a buffer overflow. Also I can not change the stack size of the wifi task in menuconfig.

[negativekelvin]

facepalm

esp-idf/components/wpa_supplicant/src/wpa2/tls/x509v3.c

Lines 546 to 547 in a557e8c

	//ret = os_snprintf(pos, end - pos, "%s=%s, ",
	ret = sprintf(pos, "%s=%s, ",

esp-idf/components/wpa_supplicant/src/wpa2/tls/x509v3.c

Lines 563 to 564 in a557e8c

	//ret = os_snprintf(pos, end - pos, "/emailAddress=%s",
	ret = sprintf(pos, "/emailAddress=%s",

[negativekelvin]

#2354

[XinDeng11]

@PaulFreund Could you share me the original wireshark packet to me?

[negativekelvin]

@XinDeng11 this is fixed, check the PR. BTW PEAP works fine without the EAP_TLS flag but now everything should work.

[PaulFreund]

@negativekelvin Thank you so much for solving this! Good catch!

@XinDeng11 Issue really is resolved, I don't need any more assistance apart from merging the changes

[andrefilipin]

@XinDeng11 @negativekelvin thanks for support, I really appreciate it.
I'll test in my enviroment and back soon
Thanks again

[andrefilipin]

@XinDeng11 @negativekelvin i'm still having problem to connect
verbose log:

I (1736) wifi: state: init -> auth (b0)
I (1736) wifi: state: auth -> assoc (0)
I (1736) wifi: state: assoc -> run (10)
I (1746) wpa: wpa2_task prio:2, stack:6656

D (1756) wpa: TLS: using phase1 config options
D (1756) wpa: SSL: Received packet(len=6) - Flags 0x21
D (1756) wpa: EAP-PEAP: Start (server ver=1, own ver=1)
D (1756) wpa: EAP-PEAP: Using PEAP version 1
D (1766) wpa: TLSv1: Send ClientHello
D (1766) wpa: SSL: 62 bytes left to be sent out (of total 62 bytes)
D (1776) wpa: SSL: Received packet(len=1200) - Flags 0xc1
D (1776) wpa: SSL: TLS Message Length: 1248
I (1786) wpa: SSL: Need 58 bytes more input data
D (1786) wpa: SSL: Building ACK (type=25 id=4 ver=1) 

D (1796) wpa: SSL: Received packet(len=64) - Flags 0x01
D (1796) wpa: TLSv1: Received content type 22 version 3.1 length 74
D (1806) wpa: TLSv1: Received ServerHello
D (1806) wpa: TLSv1: Using TLS v1.0
D (1816) wpa: TLSv1: Selected cipher suite: 0x002f
D (1816) wpa: TLSv1: Received content type 22 version 3.1 length 1155
D (1826) wpa: TLSv1: Received Certificate (certificate_list len 1151)
D (1826) wpa: TLSv1: Certificate 0 (len 1145)
D (1836) wpa: X509: Version X.509v3
D (1836) wpa: X509: serialNumber 1199223
D (1846) wpa: X509: issuer O=Cisco Systems, CN=Cisco Manufacturing CA
D (1846) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (1856) wpa: X509: subject C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-XXX/emailAddress=support@cisco.com
D (1866) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (1876) wpa: X509: KeyUsage 0x5
D (1876) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (1876) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (1886) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (1896) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (1896) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (1906) wpa: X509: Version X.509v3
D (1906) wpa: X509: serialNumber XXX
D (1916) wpa: X509: issuer O=Cisco Systems, CN=Cisco Manufacturing CA
D (1916) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (1926) wpa: X509: subject C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (1936) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (1946) wpa: X509: KeyUsage 0x5
D (1946) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (1946) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (1956) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (1966) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (1966) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (1976) wpa: X509: Validate certificate chain
D (1976) wpa: X509: 0: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-XXX/emailAddress=support@cisco.com
D (1986) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (1996) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (2006) wpa: X509: Certificate chain valid
D (2016) wpa: TLSv1: Received content type 22 version 3.1 length 4
D (2016) wpa: TLSv1: Received ServerHelloDone
D (2026) wpa: TLSv1: Send ClientKeyExchange
D (2206) wpa: TLSv1: Send ChangeCipherSpec
D (2206) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (2206) wpa: TLSv1: Send Finished
D (2206) wpa: SSL: 326 bytes left to be sent out (of total 326 bytes)
D (2416) wpa: SSL: Received packet(len=17) - Flags 0x81
D (2416) wpa: SSL: TLS Message Length: 7
D (2416) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (2426) wpa: TLSv1: Received alert 2:20
D (2426) wpa: SSL: No data to be sent out
D (2436) wpa: SSL: Building ACK (type=25 id=6 ver=1) 

I (2446) wpa: >>>>>wpa2 FAILED

D (2446) wpa: TLSv1: Selected cipher suite: 0x0000
D (2446) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (2456) wpa: TLSv1: Record Layer - New read cipher suite 0x0000 

I (4616) example: ~~~~~~~~~~~
I (4616) example: IP:0.0.0.0
I (4616) example: MASK:0.0.0.0
I (4616) example: GW:0.0.0.0
I (4616) example: ~~~~~~~~~~~
I (6616) example: ~~~~~~~~~~~

I removed -DEAP_TLS tag and applied the commit with @negativekelvin changes

@PaulFreund maybe you can help me with any tip

thanks guys

[PaulFreund]

@andrefilipin For this solution don't remove -DEAP_TLS! Also don't call set cert or set key

[andrefilipin]

@PaulFreund
The error on my log is:

D (2426) wpa: TLSv1: Received alert 2:20
D (2426) wpa: SSL: No data to be sent out

and yours:

I (1589) wpa: EAP-TLS: Private key not configured
E (1589) wpa: Method private structure allocated failure

I thinking they are distinct problems and maybe require a different solution

[negativekelvin]

@andrefilipin sorry, I was not sure the buffer overflow would be causing your issue. You should definitely check with your admin that the software update that fixes the Cisco bug you linked has been installed.

[negativekelvin]

@andrefilipin check #2381

[FayeY]

Hi, this issue should have been solved in the latest master, please have a try, and feel free to reopen if the issue persists. Thanks.

[ybuyankin]

Hi, still can't get it working:

D (3443) wpa: TLS: using phase1 config options
D (3443) wpa: SSL: Received packet(len=6) - Flags 0x20
D (3443) wpa: EAP-PEAP: Start (server ver=0, own ver=1)
D (3443) wpa: EAP-PEAP: Using PEAP version 0
D (3453) wpa: TLSv1: Send ClientHello
D (3453) wpa: SSL: 62 bytes left to be sent out (of total 62 bytes)
D (3473) wpa: SSL: Received packet(len=1296) - Flags 0xc0
D (3473) wpa: SSL: TLS Message Length: 3917
I (3473) wpa: SSL: Need 2631 bytes more input data
D (3473) wpa: SSL: Building ACK (type=25 id=4 ver=0) 

D (3533) wpa: SSL: Received packet(len=1296) - Flags 0x40
I (3533) wpa: SSL: Need 1341 bytes more input data
D (3533) wpa: SSL: Building ACK (type=25 id=5 ver=0) 

D (3553) wpa: SSL: Received packet(len=1296) - Flags 0x40
I (3553) wpa: SSL: Need 51 bytes more input data
D (3553) wpa: SSL: Building ACK (type=25 id=6 ver=0) 

D (3563) wpa: SSL: Received packet(len=57) - Flags 0x00
D (3563) wpa: TLSv1: Received content type 22 version 3.1 length 3912
D (3573) wpa: TLSv1: Received ServerHello
D (3573) wpa: TLSv1: Using TLS v1.0
D (3583) wpa: TLSv1: Selected cipher suite: 0x002f
D (3583) wpa: TLSv1: Received Certificate (certificate_list len 1508)
D (3593) wpa: TLSv1: Certificate 0 (len 1502)
D (3593) wpa: X509: Version X.509v3
D (3593) wpa: X509: serialNumber 20
D (3603) wpa: X509: issuer DC=com, DC=******, CN=*******
D (3603) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (3613) wpa: X509: subject CN=*******
D (3613) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (3623) wpa: X509: Extension: extnID=2.5.29.37 critical=0
D (3633) wpa: ASN.1: Extended tag data: 0x04
D (3633) wpa: X509: Extension: extnID=2.5.29.15 critical=255
D (3643) wpa: X509: KeyUsage 0x5
D (3643) wpa: X509: Extension: extnID=1.2.840.113549.1.9.15 critical=0
D (3653) wpa: X509: Extension: extnID=2.5.29.17 critical=0
D (3653) wpa: X509: SubjectAltName
D (3663) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (3663) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (3673) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (3673) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (3683) wpa: X509: Version X.509v3
D (3683) wpa: X509: serialNumber 20
D (3693) wpa: X509: issuer DC=com, DC=*******, CN=*******
D (3693) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (3703) wpa: X509: subject CN=******
D (3703) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (3713) wpa: X509: Extension: extnID=2.5.29.37 critical=0
D (3713) wpa: ASN.1: Extended tag data: 0x04
D (3723) wpa: X509: Extension: extnID=2.5.29.15 critical=255
D (3723) wpa: X509: KeyUsage 0x5
D (3733) wpa: X509: Extension: extnID=1.2.840.113549.1.9.15 critical=0
D (3733) wpa: X509: Extension: extnID=2.5.29.17 critical=0
D (3743) wpa: X509: SubjectAltName
D (3743) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (3753) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (3753) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (3763) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (3773) wpa: X509: Validate certificate chain
D (3773) wpa: X509: 0: CN=********
D (3773) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (3783) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (3793) wpa: X509: Certificate chain valid
D (3803) wpa: TLSv1: Received CertificateRequest
D (3803) wpa: TLSv1: Received ServerHelloDone
D (3803) wpa: TLSv1: Send Certificate
D (3813) wpa: TLSv1: Full client certificate chain not configured - validation may fail
D (3823) wpa: TLSv1: Send ClientKeyExchange
D (4003) wpa: TLSv1: Send ChangeCipherSpec
D (4003) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (4003) wpa: TLSv1: Send Finished
D (4003) wpa: SSL: 338 bytes left to be sent out (of total 338 bytes)
I (4023) wpa: >>>>>wpa2 FAILED

D (4033) wpa: TLSv1: Selected cipher suite: 0x0000
D (4033) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (4033) wpa: TLSv1: Record Layer - New read cipher suite 0x0000 

Not using any cert or key:

    ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
    ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );
    ESP_ERROR_CHECK( esp_wifi_set_config(ESP_IF_WIFI_STA, &wifi_config) );
    //ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
    //ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes,	client_key_start, client_key_bytes, NULL, 0) );
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
    if (EXAMPLE_EAP_METHOD == EAP_PEAP || EXAMPLE_EAP_METHOD == EAP_TTLS) {
        ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EXAMPLE_EAP_USERNAME, strlen(EXAMPLE_EAP_USERNAME)) );
        ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EXAMPLE_EAP_PASSWORD, strlen(EXAMPLE_EAP_PASSWORD)) );
    }

Latest master used with #2381 and this patch applied.

Please help with any hint, thank you!

[negativekelvin]

@ybuyankin Your server is requesting a client certificate

D (3803) wpa: TLSv1: Received CertificateRequest

[ybuyankin]

@negativekelvin Thanks yes I've noticed that but it's generally the same thing - it does not appear to be a problem for any other device to connect to this server except for the ESP32. We generally aim to make it compatible with any 'valid' network setup, do we? And by 'valid' I mean any setup which allows for common Win/MacOS/Android devices to connect. And they do.

[ybuyankin]

Local admin said that was the guide to set up the Cisco so it should be quite common https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

[negativekelvin]

Debug log shows it fails abruptly without server sending any response compared to andrefilipin's log where server will send tls alert before failure. Unfortunately failure message is generated in closed source libwpa2. Can you check server log or use sniffer?

[ybuyankin]

@negativekelvin Thanks, yes I'll try to look deeper into this. My guess so far was that it fails upon sending a non-configured certificate. I've tried to uncomment the line which sets the client cert (with provided sample one) but still got almost the same results:

D (2636) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (2636) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (2646) wpa: X509: Certificate chain valid
D (2656) wpa: TLSv1: Received CertificateRequest
D (2656) wpa: TLSv1: Received ServerHelloDone
D (2656) wpa: TLSv1: Send Certificate
D (2666) wpa: TLSv1: Full client certificate chain not configured - validation may fail
D (2676) wpa: TLSv1: Send ClientKeyExchange
D (2856) wpa: TLSv1: Send CertificateVerify
D (4756) wpa: TLSv1: Send ChangeCipherSpec
D (4756) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (4756) wpa: TLSv1: Send Finished
D (4766) wpa: SSL: 1458 bytes left to be sent out (of total 1458 bytes)
D (4766) wpa: SSL: sending 1400 bytes, more fragments will follow
D (4806) wpa: SSL: Received packet(len=6) - Flags 0x00
D (4806) wpa: SSL: 58 bytes left to be sent out (of total 1458 bytes)
I (4876) wpa: >>>>>wpa2 FAILED

[ybuyankin]

@negativekelvin I've ordered a monitor mode-capable wifi adapter to capture the exchange.
In the meantime, I've asked the admin to create a separate network to experiment with. There I'm getting a different kind of error (more familiar tho):

D (2464) wpa: X509: Certificate chain valid
D (2474) wpa: TLSv1: Received content type 22 version 3.1 length 4
D (2474) wpa: TLSv1: Received ServerHelloDone
D (2474) wpa: TLSv1: Send ClientKeyExchange
D (2664) wpa: TLSv1: Send ChangeCipherSpec
D (2664) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (2664) wpa: TLSv1: Send Finished
D (2664) wpa: SSL: 326 bytes left to be sent out (of total 326 bytes)
D (2774) wpa: SSL: Received packet(len=17) - Flags 0x81
D (2774) wpa: SSL: TLS Message Length: 7
D (2774) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (2774) wpa: TLSv1: Received alert 2:20
D (2774) wpa: SSL: No data to be sent out
D (2784) wpa: SSL: Building ACK (type=25 id=6 ver=1) 

I (2794) wpa: >>>>>wpa2 FAILED

That's frustrating.

Needless to say, phone is connecting there without any problem

[ybuyankin]

Some observations with Wireshark so far:

1. Other successfully connected to the same AP devices are not getting CertificateRequest from server
2. Other devices are using TLS 1.2 while TLS 1.0 is selected with ESP32 (while support for TLS 1.2 is claimed).

It really bothers me as a whole thing seems to be out of control.

[samca208]

Hi Tried the espressif WPA2 example https://github.com/espressif/esp-idf/tree/master/examples/wifi/wpa2_enterprise.
Also utilized the CA certificate, server certificate and key of my organization wit the result of wpa>>>>>>>wpa2 FAILED
Also tried the original certificates provided with the example. Obviously they had to fail as the certificates are not valid for my network but I got the same result to when I've used my system certificates. Find below the logs:

D (3930) wifi:recv auth: seq=2, status=0
I (3930) wifi:state: auth -> assoc (0)
D (3940) wifi:restart connect 1s timer for assoc
D (3940) wifi:recv assoc: type=0x10
D (3940) wifi:filter: set rx policy=6
I (3950) wifi:state: assoc -> run (10)
I (3950) wpa: wpa2_task prio:2, stack:6656

D (3950) wifi:start 30s connect timer for 4 way handshake
D (3960) wpa: WPA2: wifi->wpa2 api completed sig(0)
D (3960) wpa: WPA2: wpa2 api return, sm->state(1)
D (3970) wpa: IEEE 802.1X RX: version=2 type=0 length=50

D (3980) wpa: WPA2: RX EAPOL-EAP PACKET - hexdump(len=54):
D (3980) wpa: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72
D (3990) wpa: 6b 69 64 3d 53 54 4d 46 47 2c 6e 61 73 69 64 3d
D (3990) wpa: 4b 49 52 2d 43 57 49 57 4c 43 30 31 2c 70 6f 72
D (4000) wpa: 74 69 64 3d 31 33
D (4000) wpa: WPA2: wifi->wpa2 api completed sig(1)
D (4010) wpa: WPA2: wpa2 api return, sm->state(1)
D (4010) wpa: IEEE 802.1X RX: version=2 type=0 length=50

D (4020) wpa: WPA2: RX EAPOL-EAP PACKET - hexdump(len=54):
D (4020) wpa: 02 00 00 32 01 02 00 32 01 00 6e 65 74 77 6f 72
D (4030) wpa: 6b 69 64 3d 53 54 4d 46 47 2c 6e 61 73 69 64 3d
D (4030) wpa: 4b 49 52 2d 43 57 49 57 4c 43 30 31 2c 70 6f 72
D (4040) wpa: 74 69 64 3d 31 33
D (4040) wpa: WPA2: wifi->wpa2 api completed sig(1)
D (4050) wpa: WPA2: wpa2 api return, sm->state(1)
D (4050) wifi:rsn valid: gcipher=3 ucipher=3 akm=4

D (4080) wifi:rsn valid: gcipher=3 ucipher=3 akm=4

D (4100) wpa: IEEE 802.1X RX: version=2 type=0 length=4

D (4100) wpa: WPA2: RX EAPOL-EAP PACKET - hexdump(len=8):
D (4100) wpa: 02 00 00 04 04 ff 00 04
I (4110) wpa: >>>>>wpa2 FAILED

D (4110) wpa: WPA2: wifi->wpa2 api completed sig(1)
D (4120) wpa: WPA2: wpa2 api return, sm->state(3)
D (4120) wpa: WPA2: queue deleted
D (4120) wpa: WPA2: task deleted
D (4130) wpa: WPA2: wifi->wpa2 api completed sig(2)
D (4130) wpa: WPA2: wpa2 api return, sm->state(3)
D (4140) wpa: wpa2 eap_peer_sm_deinit: free data lock
D (4190) wifi:rsn valid: gcipher=3 ucipher=3 akm=4