need help with X.509 certificate verification (esp_eap_client and mbedtls libraries)

[h-milz]

I am trying to get WPA2 Enterprise to run. EAP-PWD runs fine but something is weird in the TLS handshake for EAP-PEAP and EAP-TTLS (the two of them are very similar if not identical anyway as long as you use MSCHAPv2 for phase 2).

I use much of the code from the ESP-IDF 5.2.2 examples/wifi/wifi_enterprise code, namely the esp_eap_client interface. While the example code runs fine against our university eduroam RADIUS server, something goes wrong when doing exactly the same in MPY 1.23.0 with ESP-IDF 5.2.2 (newer MPY versions throw too many runtime or compilation errors so I am staying with 1.23.0 for now).

The following items are 100% identical: username, password, identity, the CA certificate (which is the official Telesec root certificate T-TeleSec_GlobalRoot_Class_2 that is rolled out with the eduroam catinstaller for the participating universities and institutes in the Munich area), and the ESP-IDF version (containing wpa_supplicant and embedtls). Using the same credentials, EAP-PEAP also works without a glitch on my Android phone (although the official recommendation is EAP-PWD but I was curious if), and needless to say on my Ubuntu laptop.

Attached are the two logfiles with wifi and embedtls logging set to DEBUG (only the relevant portions beginning with the auth handshake until success or failure). As you can tell, the sequence of events looks similar if not identical until on MPY the X.509 certificate check fails with

mbedtls: ssl_tls.c:8006 x509_verify_cert() returned -9984 (-0x2700)
I searched the net for this error message but I cannot find anything that is related enough to give a clue.

So if someone with better MPY knowledge than I could have a look at the logs that would be brilliant. Maybe it's a known error I don't know about? What is the difference in X.509 handling between the bare-metal ESP-IDF example and the same code (attached but still very very raw) on MPY?

The attached code snippet was added to ports/esp32/network_wlan.c and wpa_supplicant was added to the IDF_COMPONENTS in esp32_common.cmake. The new function network_wlan_eap_connect() is invoked like this:

        try:
            if method == wlan.EAP_PWD:
                wlan.eap_connect(ssid=ssid, eap_method=method, 
                                username=username, password=password)
            elif method == wlan.EAP_PEAP:
                wlan.eap_connect(ssid=ssid, eap_method=method, 
                                username=username, password=password, 
                                identity=identity, ca_cert=ca_cert)        
            elif method == wlan.EAP_TTLS:  
                wlan.eap_connect(ssid=ssid, eap_method=method, 
                                username=username, password=password, 
                                identity=identity, ca_cert=ca_cert,
                                ttls_phase2_method=ttls_phase2_method)

depending on the configured method. Mind you, this is just some test code still. Sadly, I am not able ATM to test EAP-TLS because I have no such network at my disposal. EAP-TTLS I can test with MSCHAPv2 and PAP, which are supported by our eduroam environment.

mpy-mbedtls-log-short.txt
example-mbedtls-log-short.txt
network_wlan.c.txt

Thank you!

[Carglglz]

mbedtls: ssl_tls.c:8006 x509_verify_cert() returned -9984 (-0x2700)
I searched the net for this error message but I cannot find anything that is related enough to give a clue.

check lib/mbedtls/include/mbedtls/x509.h
:71

/** Certificate verification failed, e.g. CRL, CA or signature check failed. */
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700

A few lines below there are x509 verify codes

 * \name X509 Verify codes
 * \{
 */
/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
#define MBEDTLS_X509_BADCERT_EXPIRED             0x01  /**< The certificate validity has expired. */
#define MBEDTLS_X509_BADCERT_REVOKED             0x02  /**< The certificate has been revoked (is on a CRL). */
#define MBEDTLS_X509_BADCERT_CN_MISMATCH         0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED         0x08  /**< The certificate is not correctly signed by the trusted CA. */
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED          0x10  /**< The CRL is not correctly signed by the trusted CA. */
#define MBEDTLS_X509_BADCRL_EXPIRED              0x20  /**< The CRL is expired. */
#define MBEDTLS_X509_BADCERT_MISSING             0x40  /**< Certificate was missing. */
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY         0x80  /**< Certificate verification was skipped. */
#define MBEDTLS_X509_BADCERT_OTHER             0x0100  /**< Other reason (can be used by verify callback) */
#define MBEDTLS_X509_BADCERT_FUTURE            0x0200  /**< The certificate validity starts in the future. */
#define MBEDTLS_X509_BADCRL_FUTURE             0x0400  /**< The CRL is from the future */
#define MBEDTLS_X509_BADCERT_KEY_USAGE         0x0800  /**< Usage does not match the keyUsage extension. */
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE     0x1000  /**< Usage does not match the extendedKeyUsage extension. */
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE      0x2000  /**< Usage does not match the nsCertType extension. */
#define MBEDTLS_X509_BADCERT_BAD_MD            0x4000  /**< The certificate is signed with an unacceptable hash. */
#define MBEDTLS_X509_BADCERT_BAD_PK            0x8000  /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
#define MBEDTLS_X509_BADCERT_BAD_KEY         0x010000  /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
#define MBEDTLS_X509_BADCRL_BAD_MD           0x020000  /**< The CRL is signed with an unacceptable hash. */
#define MBEDTLS_X509_BADCRL_BAD_PK           0x040000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
#define MBEDTLS_X509_BADCRL_BAD_KEY          0x080000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */

/** \} name X509 Verify codes */

To know which one is this case you need mbedtls_ssl_get_verify_result() and mbedtls_x509_crt_verify_info() , you can see how this is done in extmod/modtls_mbedtls.c

:584

cleanup:
    if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
        flags = mbedtls_ssl_get_verify_result(&o->ssl);
    }

    o->sock = MP_OBJ_NULL;
    mbedtls_ssl_free(&o->ssl);

    if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
        char xcbuf[256];
        int ret_info = mbedtls_x509_crt_verify_info(xcbuf, sizeof(xcbuf), "\n", flags);
        // The length of the string written (not including the terminated nul byte),
        // or a negative err code.
        if (ret_info > 0) {
            mp_raise_msg_varg(&mp_type_ValueError, MP_ERROR_TEXT("%s"), xcbuf);
        }
    }

    mbedtls_raise_error(ret);
}

One of the common pitfalls is certificate date/time validation, so be sure you set the RTC correctly before the TLS handshake. (this was enabled for esp32 port at 30b0ee3)

[h-milz]

@Carglglz thank you for the hint. Could have anticipated this myself after 30 years in IT. 🤦

When the ESP32 boots, the system date is set to 1970-01-01 (Unix epoch). This is true for the bare metal variant and for MicroPython. MicroPython seems to set the system time to 2000-01-01 later, though.

The difference between the bare metal version and the MicroPython build is this:

Bare metal ESP-IDF examples/wifi/wifi_enterprise sets

# CONFIG_MBEDTLS_HAVE_TIME_DATE is not set
CONFIG_MBEDTLS_HAVE_TIME=y

whereas MicroPython is built with

CONFIG_MBEDTLS_HAVE_TIME=y
CONFIG_MBEDTLS_HAVE_TIME_DATE=y

which means that the bare metal build does not verify the validity of a certificate to begin with. Thank you very much, Espressif.

I do not want to globally disable HAVE_TIME_DATE in sdkconfig because I do not know if that breaks anything else. My workaround having no battery buffered hardware RTC is to set the local time to the image build time, which is better than nothing:

    (year, month, day) = sys.version.split(" on ")[1].split("-")
    rtc = machine.RTC()
    date_time = (int(year), int(month), int(day), 0, 0, 0, 0, 0)
    rtc.init(date_time) 

Got to think about a slightly more robust version but this can be dealt with on the Python level just fine.

Anyway. WPA2 Enterprise auth works now in our local eduroam with the following variants:

• EAP-PWD
• EAP-PEAP (with default MSCHAPv2)
• EAP-TTLS with MSCHAPv2 and PAP.

Yay! Finally we have WPA2 Enterprise in MicroPython!

Is anyone interested in a PR?