Why wpa_supplicant disable TLSv1.2 by default?

axellin
Posts: 197
Joined: Mon Sep 17, 2018 9:09 am

Why wpa_supplicant disable TLSv1.2 by default?

Postby axellin » Sun May 17, 2020 2:36 am

In current master tree, wpa_supplicant: Disable TLSv1.2 by default.
The commit log says "Some Enterprise Authentication Servers do not support TLS v1.2".
Does it really cause problem if ESP32 enable TLSv1.2 but Enterprise Authentication Servers do not support TLS v1.2?

I thought the TLS version is negotiated between two ends so why disable TLSv1.2 on ESP32 helps?
Disable TLSv1.2 by default also means it won't work if the FreeRADIUS only support TLSv1.2.
Can someone clarify this -- what is the real issue when TLS v1.2 enabled on ESP32?

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Why wpa_supplicant disable TLSv1.2 by default?

Postby WiFive » Sun May 17, 2020 1:35 pm

Good question. It should be possible to enable both and set the minimum version to 1.1 but it is unclear whether the code supports it.

ESP_sagar
Posts: 9
Joined: Mon Nov 19, 2018 9:55 am

Re: Why wpa_supplicant disable TLSv1.2 by default?

Postby ESP_sagar » Wed May 20, 2020 3:57 am

Hi Axelin,
We witnessed a few interoperability issues when TLS 1.2 was enabled, so we kept it disable by default. We are in process of fixing those issues and will soon enable this by default.

axellin
Posts: 197
Joined: Mon Sep 17, 2018 9:09 am

Re: Why wpa_supplicant disable TLSv1.2 by default?

Postby axellin » Wed May 20, 2020 4:43 am

But disable it by default only hide the bug.
People can enable it anyway and no body really knows what was the problem,
and even the commit message is ambiguous. The problem is definitely not because
"Some Enterprise Authentication Servers do not support TLS v1.2" as the commit log says.

It would be helpful if you can point out what was the problem (e.g. does not work in what kind of settings/servers combinations).
I even cannot find the interoperability issues when TLS 1.2 on github issues.

axellin
Posts: 197
Joined: Mon Sep 17, 2018 9:09 am

Re: Why wpa_supplicant disable TLSv1.2 by default?

Postby axellin » Mon Jul 13, 2020 7:52 am

ESP_sagar wrote:
Wed May 20, 2020 3:57 am
Hi Axelin,
We witnessed a few interoperability issues when TLS 1.2 was enabled, so we kept it disable by default. We are in process of fixing those issues and will soon enable this by default.
Hi ESP_saggar,
It has been quite long time since the TLSv1.2 disabled by default, could you please update the status?
Does TLS 1.2 still has issue? (It's still disable by default in current master tree).

axellin
Posts: 197
Joined: Mon Sep 17, 2018 9:09 am

Re: Why wpa_supplicant disable TLSv1.2 by default?

Postby axellin » Wed Jul 22, 2020 7:22 am

ESP_sagar wrote:
Wed May 20, 2020 3:57 am
Hi Axelin,
We witnessed a few interoperability issues when TLS 1.2 was enabled, so we kept it disable by default. We are in process of fixing those issues and will soon enable this by default.

I'm nervous regarding the fact you disable TLS1.2 without telling the real problem.
Some servers only enable TLS1.2 and disable TLS1.0/TLS1.1, so in such case the esp32 default config won't connect these servers.
So I have 2 options now:
1. Disable TLS1.2, so the device cannot connect servers that use TLS1.2 only.
2. Enable TLS1.2, and may has risk of running into interoperability issues.
I'm not sure which option is better since I don't find more information of the interoperability issues.

When the reply says "We are in process of fixing those issues and will soon enable this by default.",
I don't expect to wait for more than 2 months.
Can someone help to clarify what's going on with the TLS1.2 issue?

In additional, the TLS1.2 is disable in 4.x branches but is enabled by default in 3.x branches.
Does that mean there is no interoperability issues in 3.x branches?

ESP_sagar
Posts: 9
Joined: Mon Nov 19, 2018 9:55 am

Re: Why wpa_supplicant disable TLSv1.2 by default?

Postby ESP_sagar » Wed Jul 22, 2020 12:27 pm

Hi Axelin,
v3.x never supported TLS v1.2. Regarding disabling TLS v1.2, we faced the same choices as yours when we encountered the interop issues, but we favoured keeping TLS v1.2 disabled to maintain the behaviour consistent with v3.3. It is common for us to try new features on branches that are not LTS subjected to existing functionality is not broken. However, in this case it seemed broken and we had to revert. The issues were related to WFA setup and we are in the process of verifying those using the recent mbedtls port we have for TLS. We also have plans to backport those onto previous v4.x releases.

Hope this helps!

Who is online

Users browsing this forum: No registered users and 320 guests