[TW#24179] Fail to connect wpa2 peap #2152
Comments
fatal, bad_record_mac. Not that helpful, just pointing it out.
@negativekelvin thanks for your comment, I'll ask the network owner with this information, thanks.
Hi @andrefilipin, I saw you marked down the certificate check; it will skip the certificate check to build the TLS tunnel. However, it only takes effect when the server doesn't check the CA certificate either. Have you disabled the CA certificate in the server? The configuration is in hostapd.conf.
Hello @XinDeng11. Obs: I'm waiting for the network admin to give me the cert files. Thanks for your help.
It's hard to do now, because we have some urgent things to do. However, building a server is not hard; you can even do it on your MacBook. Just follow the steps in the document.
Seems you're trying to connect to a Cisco WLC using a self-signed certificate and without RADIUS behind it. Expecting Espressif could make a test with a Cisco WLC and find the root cause, because it's very popular in many industries (Cisco WLC + self-signed certificate + no RADIUS). Thanks in advance.
@l8l8l this is exactly my environment. I asked the network manager for the cert files but without success. I found a bug reported at Cisco, https://quickview.cloudapps.cisco.com/quickview/bug/CSCuz66826. Do you see a relation with our problem? Thanks for your help.
Hi @andrefilipin @l8l8l, after our discussion, we plan to buy the router to do a test. Could you offer us a link to this router? Many thanks.
Hi @XinDeng11, this is my gear: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-2700-series-access-point/datasheet-c78-730593.html. Waiting for news, thanks.
That's the AP, but the controller is air-ct5508-k9. Have you tried exporting the certificate from your OS X keychain?
@negativekelvin thanks for your reply. I tried to export the certificate, but I can only export with the .pem extension. How can I export the .crt/key? Thanks.
That should be the CA cert. I know it says optional, just wondering if you tried it.
We are also in a Cisco environment with a RADIUS server in the backend. Maybe @XinDeng11
PS: This seems to be related to #1297.
@XinDeng11 As discussed in #2222 I could provide monitor mode logs once I order a compatible WiFi dongle, but please let us clarify one thing first so we are on the same page:
@PaulFreund 1. The RADIUS server needs to disable the CA certificate check if you want to connect the ESP32 with a CA certificate.
Don't call esp_wifi_sta_wpa2_ent_set_ca_cert() either.
This function is also not present. This is the current iteration of my code:
Which yields at runtime (Log level Verbose for wifi and wpa):
Maybe you can try to invoke esp_wifi_start() after wpa2_ent_enable.
Already tried, because I was not sure what initializes what, but it does not make a difference. The only thing I can tell is that sometimes after rebooting, instead of the wpa2 FAILED, it hangs at:
PS: Also changing storage to Flash does not have an impact.
Try again, I think it is another issue which we have fixed in the latest code.
Tested with newest master esp-idf cc8ad72 with updated submodules, wifi firmware now d9df943:
It looks like it still needs a certificate. I have no idea now, because it still reminds you that you should set a private key. Maybe we can find something from the air packets.
@XinDeng11 if the client certificate/key is not configured, then shouldn't EAP-TLS not be registered as an available peer method? @PaulFreund maybe try building without -DEAP_TLS?
You can try, but it may crash, as I remember.
@negativekelvin This is without -DEAP_TLS:
Unfortunately it crashes, but I can actually see negotiation going on. Also leaving EAP_TLS in and removing the call to eap_peer_tls_register leads to a crash.
This happens in eap_tls_init of eap_tls.c inside wpa_supplicant. I did not have a lot of time to go through wpa_supplicant and I don't know the terminology, but what irritates me is that I can only find one call to the eap_method* init functions, in eap_peap.c line 730, which would lead to a wpa_printf a few lines later. Should the next method be tried then?
This looks like an actual error, and I can't find the text inside wpa_supplicant, which suggests it is actually inside the wifi library. Is this correct?
PS: Here is the stack trace
EDIT: It seems that x509_parse_tbs_certificate is violating its canary; unfortunately the function is quite big and I don't have a debugger set up yet.
I told you it would crash, because the TLS tunnel cannot finish after closing the EAP-TLS macro. The best way is to try to find something in the air packets now.
I have some logs now; unfortunately I feel they are incomplete. I tried to fix the channel, but it seems I still miss a lot. I use an Alfa Networks AWUS036NHA with Kali Linux and Wireshark, monitor mode via airmon-ng fixed to the channel of the access point. If you need the full logs we have to talk about an NDA and do this in private, but I can share some screenshots of the communication with my phone and the one with the ESP32. In every log I filtered for the MAC address of the STA in any of the address fields.
@XinDeng11 please tell me any additional information you might need and which packages we need the details of (and maybe what details
@negativekelvin I don't think the reason is a too small stack, but rather a buffer overflow. Also I cannot change the stack size of the wifi task in menuconfig.
facepalm
esp-idf/components/wpa_supplicant/src/wpa2/tls/x509v3.c Lines 546 to 547 in a557e8c
esp-idf/components/wpa_supplicant/src/wpa2/tls/x509v3.c Lines 563 to 564 in a557e8c
@PaulFreund Could you share the original Wireshark packet with me?
@XinDeng11 this is fixed, check the PR. BTW PEAP works fine without the EAP_TLS flag, but now everything should work.
@negativekelvin Thank you so much for solving this! Good catch! @XinDeng11 The issue really is resolved; I don't need any more assistance apart from merging the changes.
@XinDeng11 @negativekelvin thanks for the support, I really appreciate it.
@XinDeng11 @negativekelvin I'm still having problems connecting:
I (1736) wifi: state: init -> auth (b0)
I (1736) wifi: state: auth -> assoc (0)
I (1736) wifi: state: assoc -> run (10)
I (1746) wpa: wpa2_task prio:2, stack:6656
D (1756) wpa: TLS: using phase1 config options
D (1756) wpa: SSL: Received packet(len=6) - Flags 0x21
D (1756) wpa: EAP-PEAP: Start (server ver=1, own ver=1)
D (1756) wpa: EAP-PEAP: Using PEAP version 1
D (1766) wpa: TLSv1: Send ClientHello
D (1766) wpa: SSL: 62 bytes left to be sent out (of total 62 bytes)
D (1776) wpa: SSL: Received packet(len=1200) - Flags 0xc1
D (1776) wpa: SSL: TLS Message Length: 1248
I (1786) wpa: SSL: Need 58 bytes more input data
D (1786) wpa: SSL: Building ACK (type=25 id=4 ver=1)
D (1796) wpa: SSL: Received packet(len=64) - Flags 0x01
D (1796) wpa: TLSv1: Received content type 22 version 3.1 length 74
D (1806) wpa: TLSv1: Received ServerHello
D (1806) wpa: TLSv1: Using TLS v1.0
D (1816) wpa: TLSv1: Selected cipher suite: 0x002f
D (1816) wpa: TLSv1: Received content type 22 version 3.1 length 1155
D (1826) wpa: TLSv1: Received Certificate (certificate_list len 1151)
D (1826) wpa: TLSv1: Certificate 0 (len 1145)
D (1836) wpa: X509: Version X.509v3
D (1836) wpa: X509: serialNumber 1199223
D (1846) wpa: X509: issuer O=Cisco Systems, CN=Cisco Manufacturing CA
D (1846) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (1856) wpa: X509: subject C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-XXX/emailAddress=support@cisco.com
D (1866) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (1876) wpa: X509: KeyUsage 0x5
D (1876) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (1876) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (1886) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (1896) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (1896) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (1906) wpa: X509: Version X.509v3
D (1906) wpa: X509: serialNumber XXX
D (1916) wpa: X509: issuer O=Cisco Systems, CN=Cisco Manufacturing CA
D (1916) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (1926) wpa: X509: subject C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (1936) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (1946) wpa: X509: KeyUsage 0x5
D (1946) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (1946) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (1956) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (1966) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (1966) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (1976) wpa: X509: Validate certificate chain
D (1976) wpa: X509: 0: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-XXX/emailAddress=support@cisco.com
D (1986) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (1996) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (2006) wpa: X509: Certificate chain valid
D (2016) wpa: TLSv1: Received content type 22 version 3.1 length 4
D (2016) wpa: TLSv1: Received ServerHelloDone
D (2026) wpa: TLSv1: Send ClientKeyExchange
D (2206) wpa: TLSv1: Send ChangeCipherSpec
D (2206) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (2206) wpa: TLSv1: Send Finished
D (2206) wpa: SSL: 326 bytes left to be sent out (of total 326 bytes)
D (2416) wpa: SSL: Received packet(len=17) - Flags 0x81
D (2416) wpa: SSL: TLS Message Length: 7
D (2416) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (2426) wpa: TLSv1: Received alert 2:20
D (2426) wpa: SSL: No data to be sent out
D (2436) wpa: SSL: Building ACK (type=25 id=6 ver=1)
I (2446) wpa: >>>>>wpa2 FAILED
D (2446) wpa: TLSv1: Selected cipher suite: 0x0000
D (2446) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (2456) wpa: TLSv1: Record Layer - New read cipher suite 0x0000
I (4616) example: ~~~~~~~~~~~
I (4616) example: IP:0.0.0.0
I (4616) example: MASK:0.0.0.0
I (4616) example: GW:0.0.0.0
I (4616) example: ~~~~~~~~~~~
I (6616) example: ~~~~~~~~~~~
I removed the -DEAP_TLS tag and applied the commit with @negativekelvin's changes. @PaulFreund maybe you can help me with any tip, thanks guys.
@andrefilipin For this solution don't remove -DEAP_TLS! Also don't call set cert or set key.
@PaulFreund
and yours:
I think they are distinct problems and maybe require a different solution.
@andrefilipin sorry, I was not sure the buffer overflow would be causing your issue. You should definitely check with your admin that the software update that fixes the Cisco bug you linked has been installed.
@andrefilipin check #2381.
Hi, this issue should have been solved in the latest master. Please have a try, and feel free to reopen if the issue persists. Thanks.
Hi, still can't get it working:
Not using any cert or key:
Latest master used with #2381 and this patch applied. Please help with any hint, thank you!
@ybuyankin Your server is requesting a client certificate.
@negativekelvin Thanks, yes I've noticed that, but it's generally the same thing: it does not appear to be a problem for any other device to connect to this server, except for the ESP32. We generally aim to make it compatible with any 'valid' network setup, don't we? And by 'valid' I mean any setup which allows common Win/MacOS/Android devices to connect. And they do.
The local admin said that this was the guide used to set up the Cisco, so it should be quite common: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
The debug log shows it fails abruptly without the server sending any response, compared to andrefilipin's log where the server sends a TLS alert before the failure. Unfortunately the failure message is generated in the closed-source libwpa2. Can you check the server log or use a sniffer?
@negativekelvin Thanks, yes I'll try to look deeper into this. My guess so far was that it fails upon sending a non-configured certificate. I've tried to uncomment the line which sets the client cert (with the provided sample one), but still got almost the same results:
@negativekelvin I've ordered a monitor mode-capable wifi adapter to capture the exchange.
D (2464) wpa: X509: Certificate chain valid
D (2474) wpa: TLSv1: Received content type 22 version 3.1 length 4
D (2474) wpa: TLSv1: Received ServerHelloDone
D (2474) wpa: TLSv1: Send ClientKeyExchange
D (2664) wpa: TLSv1: Send ChangeCipherSpec
D (2664) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (2664) wpa: TLSv1: Send Finished
D (2664) wpa: SSL: 326 bytes left to be sent out (of total 326 bytes)
D (2774) wpa: SSL: Received packet(len=17) - Flags 0x81
D (2774) wpa: SSL: TLS Message Length: 7
D (2774) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (2774) wpa: TLSv1: Received alert 2:20
D (2774) wpa: SSL: No data to be sent out
D (2784) wpa: SSL: Building ACK (type=25 id=6 ver=1)
I (2794) wpa: >>>>>wpa2 FAILED
That's frustrating. Needless to say, the phone is connecting there without any problem.
Some observations with Wireshark so far:
It really bothers me, as the whole thing seems to be out of control.
Hi, tried the Espressif WPA2 example https://github.com/espressif/esp-idf/tree/master/examples/wifi/wpa2_enterprise.
D (3930) wifi:recv auth: seq=2, status=0
D (3950) wifi:start 30s connect timer for 4 way handshake
D (3980) wpa: WPA2: RX EAPOL-EAP PACKET - hexdump(len=54):
D (4020) wpa: WPA2: RX EAPOL-EAP PACKET - hexdump(len=54):
D (4080) wifi:rsn valid: gcipher=3 ucipher=3 akm=4
D (4100) wpa: IEEE 802.1X RX: version=2 type=0 length=4
D (4100) wpa: WPA2: RX EAPOL-EAP PACKET - hexdump(len=8):
D (4110) wpa: WPA2: wifi->wpa2 api completed sig(1)
Environment
Problem Description
Fail to connect wpa2 peap
Expected Behavior
Connect successful
Actual Behavior
Fail to connect
Steps to reproduce
Code to reproduce this issue
Debug Logs
V (718) event: exit default callback
I (838) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1818) wifi: state: init -> auth (b0)
I (1818) wifi: state: auth -> assoc (0)
I (1838) wifi: state: assoc -> run (10)
I (1838) wpa: wpa2_task prio:2, stack:6656
D (3028) wpa: TLS: using phase1 config options
D (3038) wpa: SSL: Received packet(len=6) - Flags 0x21
D (3038) wpa: EAP-PEAP: Start (server ver=1, own ver=1)
D (3038) wpa: EAP-PEAP: Using PEAP version 1
D (3038) wpa: TLSv1: Send ClientHello
D (3048) wpa: SSL: 62 bytes left to be sent out (of total 62 bytes)
I (4698) example: ~~~~~~~~~~~
I (4698) example: IP:0.0.0.0
I (4698) example: MASK:0.0.0.0
I (4698) example: GW:0.0.0.0
I (4698) example: ~~~~~~~~~~~
D (4798) wpa: SSL: Received packet(len=1000) - Flags 0xc1
D (4798) wpa: SSL: TLS Message Length: 1248
I (4798) wpa: SSL: Need 258 bytes more input data
D (4798) wpa: SSL: Building ACK (type=25 id=4 ver=1)
D (4818) wpa: SSL: Received packet(len=264) - Flags 0x01
D (4818) wpa: TLSv1: Received content type 22 version 3.1 length 74
D (4818) wpa: TLSv1: Received ServerHello
D (4818) wpa: TLSv1: Using TLS v1.0
D (4828) wpa: TLSv1: Selected cipher suite: 0x002f
D (4828) wpa: TLSv1: Received content type 22 version 3.1 length 1155
D (4838) wpa: TLSv1: Received Certificate (certificate_list len 1151)
D (4848) wpa: TLSv1: Certificate 0 (len 1145)
D (4848) wpa: X509: Version X.509v3
D (4848) wpa: X509: serialNumber ###
D (4858) wpa: X509: issuer ?=Cisco Systems, ?=Cisco Manufacturing CA
D (4858) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (4868) wpa: X509: subject ?=US, ?=California, ?=San Jose, ?=Cisco Systems, ?=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (4878) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (4888) wpa: X509: KeyUsage 0x5
D (4888) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (4898) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (4898) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (4908) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (4908) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (4918) wpa: X509: Version X.509v3
D (4918) wpa: X509: serialNumber ###
D (4928) wpa: X509: issuer ?=Cisco Systems, ?=Cisco Manufacturing CA
D (4928) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (4938) wpa: X509: subject ?=US, ?=California, ?=San Jose, ?=Cisco Systems, ?=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (4948) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (4958) wpa: X509: KeyUsage 0x5
D (4958) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (4968) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (4968) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (4978) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (4978) wpa: X509: Extension: extnID=1.3.6.1.4.1.311.20.2 critical=0
D (4988) wpa: X509: Validate certificate chain
D (4988) wpa: X509: 0: ?=US, ?=California, ?=San Jose, ?=Cisco Systems, ?=AIR-CT5508-K9-649ef3bf2d00/emailAddress=support@cisco.com
D (5008) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (5008) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (5018) wpa: X509: Certificate chain valid
D (5028) wpa: TLSv1: Received content type 22 version 3.1 length 4
D (5028) wpa: TLSv1: Received ServerHelloDone
D (5038) wpa: TLSv1: Send ClientKeyExchange
D (5218) wpa: TLSv1: Send ChangeCipherSpec
D (5218) wpa: TLSv1: Record Layer - New write cipher suite 0x002f
D (5218) wpa: TLSv1: Send Finished
D (5218) wpa: SSL: 326 bytes left to be sent out (of total 326 bytes)
D (5338) wpa: SSL: Received packet(len=17) - Flags 0x81
D (5338) wpa: SSL: TLS Message Length: 7
D (5338) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (5348) wpa: TLSv1: Received alert 2:20
D (5348) wpa: SSL: No data to be sent out
D (5358) wpa: SSL: Building ACK (type=25 id=6 ver=1)
I (5368) wpa: >>>>>wpa2 FIALED
D (5368) wpa: TLSv1: Selected cipher suite: 0x0000
D (5368) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (5378) wpa: TLSv1: Record Layer - New read cipher suite 0x0000
I (5388) wpa: wpa2 task delete
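The wpa debug logs posted in this thread all carry the same few facts that matter for triage: the negotiated TLS version and cipher suite, whether the server certificate was actually validated ("Certificate chain validation disabled - ignore unknown CA issue" means an unknown CA was accepted, not verified), and the TLS alert that ended the handshake ("alert 2:20" is fatal bad_record_mac, as noted above). The following is an added example, not code from esp-idf or from anyone in this thread; the log excerpt is constructed in the format of the logs above, and the alert and cipher-suite code tables are the RFC 5246 values.

```python
import re
# Constructed excerpt in the format of the ESP-IDF wpa debug logs posted in this thread.
SAMPLE_LOG = """\
D (1806) wpa: TLSv1: Using TLS v1.0
D (1816) wpa: TLSv1: Selected cipher suite: 0x002f
D (1986) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (1996) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (2006) wpa: X509: Certificate chain valid
D (2206) wpa: TLSv1: Send Finished
D (2426) wpa: TLSv1: Received alert 2:20
I (2446) wpa: >>>>>wpa2 FAILED
"""
# TLS alert level/description codes from RFC 5246 section 7.2 (subset seen in EAP failures).
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied", 51: "decrypt_error"}
CIPHER_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
LINE_RE = re.compile(r"^[VDIWE] \(\d+\) wpa: (.*)$")

def triage(log: str) -> dict:
    """Walk a wpa2_task log and extract the facts a defender needs from it."""
    r = {"tls_version": None, "cipher_suite": None, "chain_validated": None,
         "alert": None, "alert_after_finished": False, "failed": False, "findings": []}
    sent_finished = False
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("TLSv1: Using "):
            r["tls_version"] = msg.split("Using ", 1)[1]
        elif msg.startswith("TLSv1: Selected cipher suite: "):
            code = int(msg.rsplit(" ", 1)[1], 16)
            r["cipher_suite"] = CIPHER_SUITES.get(code, f"0x{code:04x}")
        elif "Certificate chain validation disabled" in msg:
            r["chain_validated"] = False          # unknown CA was ignored, not verified
        elif msg == "X509: Certificate chain valid" and r["chain_validated"] is None:
            r["chain_validated"] = True
        elif msg == "TLSv1: Send Finished":
            sent_finished = True
        elif msg.startswith("TLSv1: Received alert "):
            level, desc = (int(x) for x in msg.rsplit(" ", 1)[1].split(":"))
            r["alert"] = (ALERT_LEVEL.get(level, str(level)), ALERT_DESC.get(desc, str(desc)))
            r["alert_after_finished"] = sent_finished
        elif msg.startswith(">>>>>wpa2 F"):       # also matches the "FIALED" spelling in the firmware
            r["failed"] = True
    if r["chain_validated"] is False:
        r["findings"].append("server certificate accepted without CA validation: a rogue AP "
                             "presenting any certificate would be trusted; configure the CA cert")
    if r["alert"] == ("fatal", "bad_record_mac") and r["alert_after_finished"]:
        r["findings"].append("server answered the client Finished with fatal bad_record_mac: "
                             "the rejection is on the authenticator side; check controller logs")
    return r
```

Feed it a full log from the thread and it separates the two situations discussed here: the chain-validation line tells you whether the device would trust any server, and the position of the alert relative to "Send Finished" tells you which side gave up.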