Unfortunately I am facing the same problem. I want my devices to connect to our corporate Wi-Fi that I don't have control over. I can connect with my Android phone with only Identity and Password (although I don't really know what Android _really_ sends).
Unfortunately I lack the necessary knowledge about WPA2 Enterprise to tell where the problem could be and what meaning those certificates and keys really have. I have tried without certificates and with the ones in the WPA2 example in case they are meant only as client side identification.
With the certificates I get:
```
I (268) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable
I (378) phy: phy_version: 3910, c0c45a3, May 21 2018, 18:07:06, 0, 0
I (378) wifi: mode : sta (xx:xx:xx:xx:xx:xx)
I (498) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1478) wifi: state: init -> auth (b0)
I (1488) wifi: state: auth -> assoc (0)
I (1518) wifi: state: assoc -> run (10)
I (1518) wpa: wpa2_task prio:2, stack:6656
I (1668) wpa: SSL: Need 2347 bytes more input data
I (1758) wpa: SSL: Need 1057 bytes more input data
I (2048) wpa: >>>>>wpa2 FIALED
I (2058) wpa: wpa2 task delete
```
Without them, with only username, identity or both, I get:
```
I (266) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable
I (376) phy: phy_version: 3910, c0c45a3, May 21 2018, 18:07:06, 0, 0
I (376) wifi: mode : sta (xx:xx:xx:xx:xx:xx)
I (506) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1476) wifi: state: init -> auth (b0)
I (1486) wifi: state: auth -> assoc (0)
I (1516) wifi: state: assoc -> run (10)
I (1516) wpa: wpa2_task prio:2, stack:6656
I (1596) wpa: EAP-TLS: Private key not configured
E (1596) wpa: Method private structure allocated failure
I (1636) wpa: >>>>>wpa2 FIALED
I (1646) wpa: wpa2 task delete
```
The MAC address in both cases is censored. Interestingly, sometimes in the second case I don't get the "Private key not configured" but a loop with:
```
I (232) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable
I (352) phy: phy_version: 3910, c0c45a3, May 21 2018, 18:07:06, 0, 0
I (352) wifi: mode : sta (xx:xx:xx:xx:xx:xx)
I (472) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1452) wifi: state: init -> auth (b0)
I (1452) wifi: state: auth -> assoc (0)
I (2462) wifi: state: assoc -> init (4)
I (2462) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (2582) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (2582) wifi: state: init -> auth (b0)
I (2582) wifi: state: auth -> assoc (0)
I (3582) wifi: state: assoc -> init (4)
I (3592) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (3712) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (3712) wifi: state: init -> auth (b0)
I (3732) wifi: state: auth -> assoc (0)
...
```
I also looked around to see if somebody else had found a solution and have a little link collection:
- https://github.com/espressif/esp-idf/issues/1297
- https://github.com/espressif/esp-idf/issues/1054
- https://github.com/espressif/esp-idf/issues/248
Most interesting for me was the quote from #248:
[...] I couldn't make it work without calling esp_wifi_sta_wpa2_ent_set_ca_cert (i.e., once I added in esp_wifi_sta_wpa2_ent_set_ca_cert with the CA used in my authentication server's TLS Server Hello, it worked and wouldn't work without it). This might just be an older IDF thing as the IDF I am using is from a while ago, but still, it seems like it's very easy to get the process to fail without a CA certificate. Reason seems to be that the client (ESP32) will send a TLS Alert telling the server that the server certificate was bad even if you call esp_wifi_sta_wpa2_ent_clear_ca_cert [...]
Optimal for me would be to connect without any certificate, but if there is a way to extract this without access to the infrastructure (promiscuous mode Wi-Fi?) it would also solve the problem. We will have >100 devices with ESP and would like to refrain from creating an additional Wi-Fi network.
Best regards,
Paul
Update:
I re-ran the example with every log set to Verbose, and with the WPA2 enterprise example there is the following error:
```
D (3002) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (3012) wpa: TLSv1: Server certificate chain validation failed (reason=6)
D (3022) wpa: TLSv1: Send Alert(2:48)
D (3022) wpa: SSL: 7 bytes left to be sent out (of total 7 bytes)
I (3102) wpa: >>>>>wpa2 FIALED
```
After that I removed the esp_wifi_sta_wpa2_ent_set_ca_cert because this cannot match, and got to this point:
```
D (74001) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (74001) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (74011) wpa: X509: Certificate chain valid
D (74021) wpa: TLSv1: Received CertificateRequest
D (74021) wpa: TLSv1: Received ServerHelloDone
D (74031) wpa: TLSv1: Send Certificate
D (74031) wpa: TLSv1: Full client certificate chain not configured - validation may fail
D (74041) wpa: TLSv1: Send ClientKeyExchange
D (74211) wpa: TLSv1: Send CertificateVerify
D (76101) wpa: TLSv1: Send ChangeCipherSpec
D (76101) wpa: TLSv1: Record Layer - New write cipher suite 0x0035
D (76101) wpa: TLSv1: Send Finished
D (76101) wpa: SSL: 1458 bytes left to be sent out (of total 1458 bytes)
D (76111) wpa: SSL: sending 1400 bytes, more fragments will follow
D (76211) wpa: SSL: Received packet(len=6) - Flags 0x00
D (76211) wpa: SSL: 58 bytes left to be sent out (of total 1458 bytes)
D (76281) wpa: SSL: Received packet(len=17) - Flags 0x80
D (76281) wpa: SSL: TLS Message Length: 7
D (76281) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (76281) wpa: TLSv1: Received alert 2:49
D (76291) wpa: SSL: No data to be sent out
D (76291) wpa: SSL: Building ACK (type=13 id=8 ver=0)
I (76371) wpa: >>>>>wpa2 FIALED
D (76371) wpa: TLSv1: Selected cipher suite: 0x0000
D (76371) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (76371) wpa: TLSv1: Record Layer - New read cipher suite 0x0000
I (76391) wpa: wpa2 task delete
```
I assume that "D (76281) wpa: TLSv1: Received alert 2:49" corresponds to https://tools.ietf.org/html/rfc5246#section-7.2: fatal - access_denied, and that might be because of "D (74031) wpa: TLSv1: Full client certificate chain not configured - validation may fail".
access_denied has the description:
    A valid certificate was received, but when access control was
    applied, the sender decided not to proceed with negotiation. This
    message is always fatal.
Update 2:
I also tried to generate my own certificate with 2048 bits, just in case. Could it be that the client certificate has to be referenced to the server CA?
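The two alerts in the post point in opposite directions: "Send Alert(2:48)" is the ESP32 rejecting the server's certificate chain (unknown_ca), while "Received alert 2:49" is the authentication server rejecting the ESP32 (access_denied), so the direction tells you which side's trust configuration needs fixing. The decoder below, an added example that is not part of the post and not ESP-IDF code, parses these "wpa" log lines against the RFC 5246 alert table; the sample lines are constructed from the output quoted above, and the hint strings are general guidance, not something the post verified.

```python
"""Decode TLS alerts in ESP-IDF 'wpa' debug logs (added example, not ESP-IDF code)."""
import re

# RFC 5246 section 7.2.2 alert descriptions (subset relevant to EAP-TLS/PEAP).
ALERT_DESC = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 80: "internal_error",
}
ALERT_LEVEL = {1: "warning", 2: "fatal"}

# 'Send Alert(l:d)' is emitted by the ESP32 itself (it rejected the server);
# 'Received alert l:d' came from the RADIUS server (it rejected the ESP32).
SEND_RE = re.compile(r"TLSv1: Send Alert\((\d+):(\d+)\)")
RECV_RE = re.compile(r"TLSv1: Received alert (\d+):(\d+)")
HINTS = {  # general guidance, assumed rather than taken from the post
    ("sent", 48): "ESP32 trust store lacks the issuer of the server cert; load the "
                  "RADIUS server's CA with esp_wifi_sta_wpa2_ent_set_ca_cert",
    ("received", 49): "server found the client cert valid but refused it under its "
                      "access policy (client cert not issued/authorised for this realm)",
}

def decode_alert(line):
    """Return (direction, level_name, desc_name, hint) or None if no alert in line."""
    m, direction = SEND_RE.search(line), "sent"
    if not m:
        m, direction = RECV_RE.search(line), "received"
    if not m:
        return None
    level, desc = int(m.group(1)), int(m.group(2))
    return (direction, ALERT_LEVEL.get(level, f"level{level}"),
            ALERT_DESC.get(desc, f"desc{desc}"),
            HINTS.get((direction, desc), "see RFC 5246 section 7.2.2"))

def diagnose(log_lines):
    """Collect every alert plus the EAP-method error that shows up without a client key."""
    findings = []
    for line in log_lines:
        if "EAP-TLS: Private key not configured" in line:
            findings.append(("config", "EAP-TLS negotiated but no client private key "
                             "loaded; password-only logins need a tunnelled method"))
        alert = decode_alert(line)
        if alert:
            findings.append(("alert",) + alert)
    return findings

SAMPLE_LOG = [  # constructed from the log output quoted in the post
    "D (3002) wpa: X509: Did not find any of the issuers from the list of trusted certificates",
    "D (3022) wpa: TLSv1: Send Alert(2:48)",
    "I (1596) wpa: EAP-TLS: Private key not configured",
    "D (76281) wpa: TLSv1: Received alert 2:49",
]
```

Run `diagnose(SAMPLE_LOG)` to get one finding per decoded alert or configuration error, in log order.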