nrfconnect · D-Triveni · Aug 11, 2025 · Sep 15, 2025 · Sep 25, 2025 · Sep 5, 2025
diff --git a/doc/connectivity/networking/api/wifi.rst b/doc/connectivity/networking/api/wifi.rst
@@ -120,6 +120,29 @@ To initiate a Wi-Fi connection using enterprise security, use one of the followi
 Server certificate is also provided in the same directory for testing purposes.
 Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``.
 
+Server certificate domain name verification
+-------------------------------------------
+
+The authentication server’s identity is verified by validating the domain name in the X.509 certificate received from the server, using the ``Common Name`` (CN) field.
+
+* Exact domain match — Verifies that the certificate’s CN exactly matches the specified domain.
+
+* Domain suffix match — Allows a certificate whose CN ends with the specified domain suffix.
+
+To initiate a Wi-Fi connection using enterprise security with server certificate validation, use one of the following commands, depending on the desired validation mode:
+
+* Exact domain match
+
+  .. code-block:: console
+
+     wifi connect -s <SSID> -c <channel> -k 12 -K <Private key Password> -e <Domain match>
+
+* Domain suffix match
+
+  .. code-block:: console
+
+     wifi connect -s <SSID> -c <channel> -k 12 -K <Private key Password> -x <Domain suffix name>
+
 Certificate requirements for EAP methods
 ----------------------------------------
 

diff --git a/include/zephyr/net/wifi_mgmt.h b/include/zephyr/net/wifi_mgmt.h
@@ -716,6 +716,16 @@ struct wifi_connect_req_params {
 	uint8_t ignore_broadcast_ssid;
 	/** Parameter used for frequency band */
 	enum wifi_frequency_bandwidths bandwidth;
+
+	/** Full domain name to verify in the server certificate */
+	const uint8_t *server_cert_domain_exact;
+	/** Length of the server_cert_domain_exact string, maximum 128 bytes */
+	uint8_t server_cert_domain_exact_len;
+
+	/** Domain name suffix to verify in the server certificate */
+	const uint8_t *server_cert_domain_suffix;
+	/** Length of the server_cert_domain_suffix string, maximum 64 bytes */
+	uint8_t server_cert_domain_suffix_len;
 };
 
 /** @brief Wi-Fi disconnect reason codes. To be overlaid on top of \ref wifi_status

diff --git a/modules/hostap/CMakeLists.txt b/modules/hostap/CMakeLists.txt
@@ -572,6 +572,10 @@ zephyr_library_compile_definitions_ifdef(CONFIG_EAP_FAST
   EAP_FAST
 )
 
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_TLSV1_3
+  EAP_TLSV1_3
+)
+
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_EAPOL
   ${HOSTAP_SRC_BASE}/eapol_supp/eapol_supp_sm.c
   ${HOSTAP_SRC_BASE}/eap_peer/eap.c

diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -299,6 +299,14 @@ config EAP_ALL
 	select EAP_TTLS
 	select EAP_MSCHAPV2
 	default y
+
+config EAP_TLSV1_3
+	bool "EAP TLSv1.3 support"
+	select MBEDTLS_TLS_VERSION_1_3
+	select MBEDTLS_TLS_SESSION_TICKETS
+	select MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+	select MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+	select MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 endif # WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 
 config WIFI_NM_WPA_SUPPLICANT_WPA3

diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c
@@ -970,6 +970,22 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 				goto out;
 			}
 
+			if (params->server_cert_domain_exact_len > 0) {
+				if (!wpa_cli_cmd_v("set_network %d domain_match \"%s\"",
+						   resp.network_id,
+						   params->server_cert_domain_exact)) {
+					goto out;
+				}
+			}
+
+			if (params->server_cert_domain_suffix_len > 0) {
+				if (!wpa_cli_cmd_v("set_network %d domain_suffix_match \"%s\"",
+						   resp.network_id,
+						   params->server_cert_domain_suffix)) {
+					goto out;
+				}
+			}
+
 			if (false == ((params->security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
 			    params->security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2) &&
 			    (!params->verify_peer_cert))) {

diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c
@@ -620,6 +620,8 @@
 		{"ignore-broadcast-ssid", required_argument, 0, 'g'},
 		{"ieee-80211r", no_argument, 0, 'R'},
 		{"iface", required_argument, 0, 'i'},
+		{"server-cert-domain-exact", required_argument, 0, 'e'},
+		{"server-cert-domain-suffix", required_argument, 0, 'x'},
 		{"help", no_argument, 0, 'h'},
 		{0, 0, 0, 0}};
 	char *endptr;
@@ -872,6 +874,16 @@
 		case 'i':
 			/* Unused, but parsing to avoid unknown option error */
 			break;
+		case 'e':
+			params->server_cert_domain_exact = state->optarg;
+			params->server_cert_domain_exact_len =
+					strlen(params->server_cert_domain_exact);
+			break;
+		case 'x':
+			params->server_cert_domain_suffix = state->optarg;
+			params->server_cert_domain_suffix_len =
+					strlen(params->server_cert_domain_suffix);
+			break;
 		case 'h':
 			return -ENOEXEC;
 		default:
@@ -3921,11 +3933,13 @@
 		 "[-P, --eap-pwd1]: Client Password.\n"
 		 "Default no password for eap user.\n"
 		 "[-R, --ieee-80211r]: Use IEEE80211R fast BSS transition connect."
+		 "[-e, --server-cert-domain-exact]: Full domain names for server certificate match.\n"
+		 "[-x, --server-cert-domain-suffix]: Domain name suffixes for server certificate match.\n"
 		 "[-h, --help]: Print out the help for the connect command.\n"
 		 "[-i, --iface=<interface index>] : Interface index.\n",
 		 cmd_wifi_connect,
-		 2, 42);
+		 2, 46);
 
 SHELL_SUBCMD_ADD((wifi), disconnect, NULL,
 		 "Disconnect from the Wi-Fi AP.\n"
 		 "[-i, --iface=<interface index>] : Interface index.\n",

diff --git a/west.yml b/west.yml
@@ -281,7 +281,7 @@ manifest:
         - hal
     - name: hostap
       path: modules/lib/hostap
-      revision: 5abcff1c0ecff65f0f81e0cc086b7f766e5101bf
+      revision: 6086dea5ee7406e1eede7f2ca6dff1b00b0f04e2
     - name: liblc3
       revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
       path: modules/lib/liblc3