ESP32 wpa_supplicant does not accept sha384-signed certificates (IDFGH-5756)

[redfast00]

My university recently switched their certificates for eduroam (a WPA enterprise network), causing all ESP-type microcontrollers not to be able to connect to the network anymore (even if they don't validate certificates). I disabled mbed-tls in wpa_supplicant and used the built-in tls library (this is easier to debug). The issue is here https://github.com/espressif/esp-idf/blob/master/components/wpa_supplicant/src/tls/x509v3.c#L1630. I "fixed" this by adding return 0;, but this can probably be properly fixed with https://patchwork.ozlabs.org/project/hostap/patch/1448154178-17670-5-git-send-email-pali.rohar@gmail.com/. There's also a bug with negotiating this certificate with mbed-tls, but this was harder to find so I didn't do that.

Environment

• Development Kit: ESP32-S2-Saola
• IDF version (run git describe --tags to find it): v4.3
• Build System: idf.py
• Compiler version (run xtensa-esp32-elf-gcc --version to find it):
• Operating System: Linux
• Using an IDE?: No
• Power Supply: USB

[kapilkedawat]

Hi @redfast00 , can you please provide following info.

1. Supplicant and mbedTLS logs(You can go to their respective configuration in components in menuconfig and enable those)
2. Sniffer capture during the connection.
3. Certificates.
4. If certificate sharing is not possible, key size used in certificates.

Thanks

[AxelLin]

Just to remind this fix needs to backport for stable branches.