mduanaa
commented
6 years ago @XinDeng11 Can you please help ?
Closed mduanaa closed 3 years ago
mduanaa
commented
6 years ago @XinDeng11 Can you please help ?
XinDeng11
commented
6 years ago @mduanaa Hi, the issue may caused by certificate not match, in the main folder in the example, you can find some certificates, you need copy the certificates relative to server to the radius server, and renamed them as server.crt, server.key and server.pem, after this, this issue will solved. What's more. there is a simple way to verify whether is due to the certificate, just mark the certificates check function in the example, esp_wifi_sta_wpa2_ent_set_ca_cert() and esp_wifi_sta_wpa2_ent_set_cert_key(), if it work, it should be the reason
mduanaa
commented
6 years ago @XinDeng11 Thanks for your suggestions. However, I have no access to the Radius Server and I don't think the manager of the Radius Server of our university would let me do that. The debug info. shown in my first trial (failed to parse the certificate) indicates even the certificate in the example folder is not recognized by your example code. I don't know how many people has tried this example and how many successful cases ?
Yoshi20
commented
6 years ago Faced lots and lots of problem with this example too. Try to use the exact same kind of certs as in the example. Others doesn't seem to work. E.g. SHA256 is/was not working (use SHA1) and everything other than 2048 Bit is/was also not working. (Last tested one or two months ago)
XinDeng11
commented
6 years ago @mduanaa @Yoshi Dearing, the wpa2_enterprise example and its certificates are surely 100% OK, many newers failed because they didn't have matched certificates between client and server, certificates verify based on RSA algorithm. It needs matched public key and private key. That's why we add the both server and client's certificates in the main floder, but you need build an server on linux at first. Then put the ca.pem, server.pem, sever.crt and server.pem. in the server. @mduanaa, What's more, if you try with your school's server, you need use the client's certificates offered by school server. Also make sure the EAP method is PEAP or TLS, because we noly support those two methods in the example now.
negativekelvin
commented
6 years ago @XinDeng11 I think you need more example certificates with different key lengths and better error messages to figure out what the problem is when it doesn't work
XinDeng11
commented
6 years ago @negativekelvin We have tried with 1024 bit, 2048bit and 4096 bit key, all of them are work, what you mentioned add more error logs and log switch, that what we plan to do in the next version. After it finished, I will let you know, thanks.
nubiator123
commented
6 years ago @XinDeng11 I have exactly the same problems that @mduanaa mentioned with 4096 bit certificates.
Backtrace: 0x4013cd85:0x3ffdd740 0x4013dae9:0x3ffdd760 0x401398ca:0x3ffdd780 0x400eab05:0x3ffdd7b0 0x400eaceb:0x3ffdd860 0x400e7a7e:0x3ffdd930 0x400e7e6d:0x3ffdd970 0x400e70e9:0x3ffdd9f0 0x400e6b56:0x3ffdda40 0x400e6bb9:0x3ffdda80 0x400e5274:0x3ffddaa0 0x400e5865:0x3ffddae0 0x400e3029:0x3ffddb30 0x400e3389:0x3ffddb70
0x4013cd85: mp_read_unsigned_bin at /Users/ficeto/Desktop/ESP32/ESP32/esp-idf-public/components/wpa_supplicant/src/crypto/libtommath.h line 990 0x4013dae9: bignum_set_unsigned_bin at /Users/ficeto/Desktop/ESP32/ESP32/esp-idf-public/components/wpa_supplicant/src/crypto/bignum.c line 114 0x401398ca: crypto_mod_exp at /Users/ficeto/Desktop/ESP32/ESP32/esp-idf-public/components/wpa_supplicant/src/crypto/crypto_internal-modexp.c line 40 0x400eab05: x509_certificate_check_signature at ?? line ? 0x400eaceb: x509_certificate_chain_validate at ?? line ? 0x400e7a7e: tlsv1_client_set_cred at ?? line ? 0x400e7e6d: tlsv1_client_process_handshake at ?? line ? 0x400e70e9: tlsv1_client_handshake at ?? line ? 0x400e6b56: tls_connection_handshake2 at ?? line ? 0x400e6bb9: tls_connection_handshake at ?? line ? 0x400e5274: eap_peer_tls_process_helper at ?? line ? 0x400e5865: eap_peer_tls_phase2_nak at ?? line ? 0x400e3029: eap_sm_process_request at ?? line ? 0x400e3389: wpa2Task at ?? line ?
Tested with all available examples. Only worked until August, since than only Guru Mediation Error
Guru Meditation Error: Core 0 panic'ed (LoadProhibited)
. Exception was unhandled.
Register dump:
PC : 0x4013cd85 PS : 0x00060b30 A0 : 0x8013daec A1 : 0x3ffdd740
A2 : 0x3ffce8d4 A3 : 0x00000001 A4 : 0x3ffe30a0 A5 : 0x3ffe309f
A6 : 0x00000002 A7 : 0x00000005 A8 : 0x8013cd83 A9 : 0x3ffdd720
A10 : 0x00000000 A11 : 0x00000008 A12 : 0x3ffce8d4 A13 : 0x00000000
A14 : 0x00000032 A15 : 0x00000020 SAR : 0x00000018 EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000001 LBEG : 0x4000c46c LEND : 0x4000c477 LCOUNT : 0x00000000
ToBeSmavoo
commented
6 years ago @XinDeng11 Hi, we are running into the same Guru Mediation error with a properly configured PKI since the end of August. Before that, the same binary and certificates are running without any issues. The difference to the certificates provided by the example seams to be the size of the CA certificate and the used signing algorithm. The example is using a 1024bit CA certificate and SHA-1 to sign the client/server certificates. Both leads to smaller signatures, which seams to be the cause, why all other configurations fail.
A test implementation with a fresh CA and the same certificate parameters works perfectly. If we than change the size of the CA certificate to 2048bit and use a state-of-the-art SHA-265 signing algorithm, we run again into the same Guru Mediation error. In both cases we exchange the ca.pem, client.crt and client.key on the client-side and the ca.pem, server.crt and server.key on the radius-server-side.
I've attached the certificates for both cases. It would be a big help if you could test both configurations and analyse, why 2048bit certificates (CA and client/server) in combination with SHA-256 are causing this issue. From my point of view, this configuration is pretty standard in enterprise environments and should be supported by the esp-idf.
Thanks in advance.
nubiator123
commented
6 years ago @igrr Do you have an idea, what line is causing this / how to use a workaround? Currently the WPA2 support only works with ca with 1024. However eduroam is using 4096bit and SHA256 certificates. The WPA2 example currently only works with commits prior to May - August.
nubiator123
commented
6 years ago @XinDeng11: Are there any Updates for this issue? Could you find the rootcause?
Many thanks
XinDeng11
commented
6 years ago @nubiator123 @mduanaa @ToBeSmavoo Hi, guys.We have reproduced the phenmenon and found the root casue, the issue had fixed already, maybe you can check the commit bc97b0f3 for detail, thanks.
negativekelvin
commented
6 years ago @XinDeng11 does it also fix this tls alert issue https://github.com/espressif/esp-idf/issues/248#issuecomment-360338336 ?
mtowara
commented
6 years ago @XinDeng11 there doesn't seem to be a commit bc97b0f3 in the repo, can you please link to it?
igrr
commented
6 years ago @mtowara Apologies, the fix (along with a few other changes) did not make it to Github yet. It may take an hour or two for the integration tests to complete, then the change will be deployed to Github.
mtowara
commented
6 years ago With the new commits I see connection attempts in my eduroam logs, which is an improvement. However I'm now stuck in an boot loop with the following dump:
Guru Meditation Error: Core 1 panic'ed (LoadProhibited)
. Exception was unhandled.
Core 1 register dump:
PC : 0x4000c2e0 PS : 0x00060630 A0 : 0x80104e0c A1 : 0x3ffca040
A2 : 0x3ffb66c8 A3 : 0x00000000 A4 : 0x00000020 A5 : 0x3ffb66c8
A6 : 0x3ffbacd6 A7 : 0x00000002 A8 : 0x00000000 A9 : 0x3ffca000
A10 : 0x00000003 A11 : 0x00060623 A12 : 0x00060620 A13 : 0x3ffca078
A14 : 0x3ffc73d0 A15 : 0x00000000 SAR : 0x0000001f EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000000 LBEG : 0x4000c2e0 LEND : 0x4000c2f6 LCOUNT : 0x00000001
Backtrace: 0x4000c2e0:0x3ffca040 0x40104e09:0x3ffca050 0x40107296:0x3ffca070 0x40104e09: wpa_set_pmk at ??:? 0x40107296: wpa2Task at ??:?
I'm running the wpa2_enterprise example adapted for username / pw instead of certificates.
averri
commented
6 years ago I have never had success connecting the ESP32 to a WPA2 Enterprise network. This is very frustrating. The other scenario that does not work: https://github.com/espressif/arduino-esp32/issues/1381
pfe-aicoe
commented
6 years ago Hi, Can someone please help me with the following error: IP address: 0.0.0.0
E (3905) wpa: Method private structure allocated failure
E (33913) wpa: Method private structure allocated failure
[D][WiFiGeneric.cpp:304] _eventCallback(): Event: 5 - STA_DISCONNECTED [W][WiFiGeneric.cpp:309] _eventCallback(): Reason: 4 - ASSOC_EXPIRE
I am trying to connect my ESP32 with a WPA2 -Enterprise network.
ybuyankin
commented
6 years ago Hi @igrr sorry I've posted this in the arduino-esp32 first but supposedly it's related here more. wpa2_enterprise example is struggling with connecting to WS2008 / Cisco-based corporate PEAP-MSCHAPv2 network. I'm in a no way a wpa2 expert but it seems that it depends on the certificates configuration (or maybe negotiation scenario) on the network and the wpa2 supplicant code somehow did not ignore optional certificate checking results so it's either failing on checking server self-signed certificate when ca cert is supplied like this:
wpa: X509: Did not find any of the issuers from the list of trusted certificates wpa: TLSv1: Server certificate chain validation failed (reason=6)
or failing to provide a proper certificate to server when it was not set up (by commenting out these lines):
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) ); ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes, client_key_start, client_key_bytes, NULL, 0) );
It fails this time on server side after this diagnostic appears locally:
wpa: TLSv1: Full client certificate chain not configured - validation may fail
What is still not quite clear to me is why is the local decision to test for remote server certificate validity is based on local one being supplied or not.
Android phones are connecting to the network just fine without any certificates being installed.
All I know about network configuration so far is that it has been set years ago (and still working just fine) up by admin with this Cisco how-to (so this setup expected to be also very common):
There is a discussion here as well, and there is at least one guy with exactly the same problem.
https://www.esp32.com/viewtopic.php?f=2&t=3108&p=29227#p29227
Something is still wrong with PEAP/MSCHAPv2 in esp32 and this is gating us from finally going to production. Help please, thanks!
sagb2015
commented
3 years ago We now have mbedtls port for supplicant TLS connection as well as option to enable/disable server certificate validation. Please help to check with latest build. If not seen we will close this issue.
WilliamAtek
commented
3 years ago Please tell us how to test even with master pull and phase 2 selected to MSCHAPV2 it doesn't work ! Do we have to change something in menuconfig ? I also saw that LwIP can do mschap ???? I tried to enable it no success either.
ayoubazz
commented
3 years ago I'm trying to connect to our wpa2 enterprise, but it no success The debug info. is as follow : E (370) WPA: Method private structure allocated failure -> ->
kapilkedawat
commented
3 years ago Hi @WilliamAtek ,
Is it possible to provide whole server logs? Please run the authentication server in debug mode to capture all the logs..
Please also provide following along with that:
In case you have recently pulled the IDF, please make sure you have updated the submodules.
WilliamAtek
commented
3 years ago For everyone having the same problem, the problem comes from MbedTLS that doesn't support PEAPv0.
To fix it go to menuconfig > components config > Wpa supplicant > Unchek "Use mbedTLS crypto API"
Then it will work with Windows, Linux and everything else like it should.
Please note that this problem seems purely related to mbedTLS as I had the same problem on openWRT and when I switched to openSSL the problem disappeared.
For espressif you should use openSSL calls for peap mschapv2 instead of mbedTLS automatically, or else I don't know what is the difference but you can easily reproduce the problem so it should be easy to fix.
PunishedSnakePr
commented
3 years ago @WilliamAtek : Thank u so much! That really did the trick!
I try to flash the wpa2_enterprise example to my ESP32 board but facing endless failure. The debug info. is as follow. //debug info. begins I (246) phy: phy_version: 366.0, ba9923d, Oct 31 2017, 18:06:17, 0, 0 I (246) wifi: mode : sta (24:0a:c4:0e:56:74) I (376) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1 I (1346) wifi: state: init -> auth (b0) I (1356) wifi: state: auth -> assoc (0) I (1366) wifi: state: assoc -> run (10) I (1366) wpa: wpa2_task prio:2, stack:6656
I (1376) wpa: TLSv1: tlsv1_add_cert_der - failed to parse certificate I (1376) wpa: TLS: Failed to configure trusted CA certificates I (1376) wpa: TLS: Failed to set TLS connection parameters I (1386) wpa: EAP-PEAP: Failed to initialize SSL. E (1386) wpa: Method private structure allocated failure
I (2396) wpa: >>>>>wpa2 FIALED
I (2406) wpa: wpa2 task delete
I (4246) example:
~~~ I (4246) example: IP:0.0.0.0 I (4246) example: MASK:0.0.0.0 I (4246) example: GW:0.0.0.0 I (4246) example:~~~ I (4366) wifi: pm start, type:0 //debug info. endsThere is no logging info. in the Radius Server which means this program fails at the self-configuration stage. The issues seems to be the certification verification.
////////////////////////////////////////////////////////////////////////////////////////////////////////////// I tried to comment the certification command in the wpa2_enterprise_main.c as someone says the certification is optional for EAP+PEAP. However, the connection is still unsuccessful. The corresponding error info. is : Guru meditation error: core 1 panic'ed(LoadProhibited). Exception was unhandled.
//debug info. begeins Guru Meditation Error: Core 1 panic'ed (LoadProhibited) . Exception was unhandled. Register dump: PC : 0x40129a71 PS : 0x00060330 A0 : 0x8012af39 A1 : 0x3ffc83f0 0x40129a71: bignum_set_unsigned_bin at ??:?
A2 : 0x3ffba464 A3 : 0x00000001 A4 : 0x3ffca378 A5 : 0x3ffca379 A6 : 0x3ffc84c4 A7 : 0x00000001 A8 : 0x80129a6c A9 : 0x3ffc83d0 A10 : 0x3ffba478 A11 : 0x000000ff A12 : 0x3ffba464 A13 : 0x92492493 A14 : 0x00000014 A15 : 0x00000000 SAR : 0x00000018 EXCCAUSE: 0x0000001c EXCVADDR: 0x00000001 LBEG : 0x40129a59 LEND : 0x40129a5d LCOUNT : 0x00000000 0x40129a59: bignum_set_unsigned_bin at ??:?
0x40129a5d: bignum_set_unsigned_bin at ??:?
Backtrace: 0x40129a71:0x3ffc83f0 0x4012af36:0x3ffc8410 0x400fd81d:0x3ffc8440 0x400fda17:0x3ffc84f0 0x400fa742:0x3ffc85c0 0x400fab31:0x3f fc8600 0x400f9dc1:0x3ffc8680 0x400f9844:0x3ffc86d0 0x400f989d:0x3ffc8710 0x400f7ea8:0x3ffc8730 0x400f75fe:0x3ffc8770 0x400f5c1d:0x3ffc87 d0 0x400f5f75:0x3ffc8810 //debug info ends /////////////////////////////////////////////////////////////////////////////////////////////// Supplement Information: 1) latest esp-idf version; 2) wifi try to be reached eduroam; 3) development enviroment / tools: windows7-64bit msys32 / mingw32
Can anyone give a hint? Thanks a lot.