CC3220MODA: Clarification on TLS Versions Supported During WPA2-Enterprise Secured Connections

Part Number: CC3220MODA
Other Parts Discussed in Thread: CC3220SF, CC3235SF

We are using the CC3220 Module in our design, and can successfully make WPA2-Enterprise encrypted connections using our Radius Test Server environment. We have a customer reporting a problem and they believe it is because the module is only supporting TLS v1.0 rather than a higher version. I am not sure this is the problem but I wanted to first confirm what versions the CC3220 will present during the session creation. It was not clear reading the documentation and I guess it's possible it's related to the codebase we are using. I can dig that up if necessary.

Can you point to where we would find this information or supply it if the response is straightforward?  

Thanks, Pete

  • Hi Pete,

    For EAP connections, only TLS 1.0 is supported. There is no way this can be changed from your side. TI has decided that they will not add support for TLS 1.2 for EAP on CC32xx and CC31xx devices (including the latest CC3235 generation). It is sad, but you cannot do anything about this. It is their decision.

    Jan

  • The CC32xx has limited memory for patches, which is not enough to support the changes required for TLS 1.2 support.

    It is a limitation rather than a decision.

  • OK, this is unfortunate, as it means possible problems in the future as support for TLS 1.0 goes away. Thanks for the answer. If I learn more about the specific issue I'll share details.

  • Hi,

    Support for TLS 1.0 is already going away, and TLS 1.0 has been deprecated by Microsoft, Google and other big tech companies (formally deprecated in RFC 8996 in March 2021). Many other companies have a "no TLS 1.0" policy. These days it is hard to find a company which has TLS 1.0 enabled on its RADIUS server.

    Jan

  • I checked with our Radius Server provider and as of 12/2021 they only support TLS 1.2, and we are having no problems with WPA-Enterprise connections. I believe we are using PEAP-MSCHAPv2, but can I get some clarification on how the CC3220 supports this connection? It is very difficult to analyze when there is a problem. I'm trying to understand better the answer about support being limited to TLS 1.0 and why this does not impact our connection.

    Our Radius Server host supports the following ciphers:  

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA

    How can we check what the CC3220 supports and bounce that against our customer's Radius Server requirements?

    Is there an element or version of the WPA-Enterprise authentication process where this particular limitation of the CC3220 would be exposed? A lot of this process is low level and invisible to us, making debugging more difficult.

    Thanks
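One way to "bounce" the server's cipher list against a TLS 1.0-only EAP client, as an added example that is not code from this thread or from TI: classify each IANA suite name by the lowest TLS version that can negotiate it. The name-based rule (AEAD and SHA-2 suites need TLS 1.2, `TLS_AES_*`/`TLS_CHACHA20_*` are TLS 1.3) is an assumption that holds for standard IANA names; the input list is the one posted above.

```python
# Classify IANA cipher-suite names by the lowest TLS version that can negotiate
# them, and report which of a RADIUS server's suites a TLS 1.0-only EAP client
# (such as the CC3220 WPA2-Enterprise supplicant) could use at all.

# Constructed input: the server cipher list posted in the thread.
SERVER_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# AEAD modes and SHA-2 based MAC/PRF suites were introduced in TLS 1.2
# (RFC 5246, 5288, 5289, 7905) and cannot be negotiated at TLS 1.0/1.1.
TLS12_ONLY_MARKERS = ("_GCM_", "_CCM", "CHACHA20", "_SHA256", "_SHA384")


def min_tls_version(suite: str) -> str:
    """Lowest TLS version ("1.0", "1.2" or "1.3") that can negotiate `suite`."""
    # TLS 1.3 suites (RFC 8446) carry no key-exchange/auth part in the name.
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "1.3"
    if any(marker in suite for marker in TLS12_ONLY_MARKERS):
        return "1.2"
    # Remaining suites are legacy CBC (or RC4) suites with HMAC-SHA1/MD5,
    # which TLS 1.0 can negotiate if the server still enables the protocol.
    return "1.0"


def compatibility_report(server_suites):
    """Split the server's suites by what a TLS 1.0-only client can use."""
    buckets = {"1.0": "tls10_capable", "1.2": "tls12_only", "1.3": "tls13_only"}
    report = {name: [] for name in buckets.values()}
    for suite in server_suites:
        report[buckets[min_tls_version(suite)]].append(suite)
    # The suite list is only a ceiling: even with TLS 1.0-capable suites
    # offered, the handshake fails if the server's minimum protocol version
    # is 1.2 (e.g. FreeRADIUS tls_min_version = "1.2" in the eap module).
    report["tls10_handshake_possible"] = bool(report["tls10_capable"])
    return report


if __name__ == "__main__":
    for key, suites in compatibility_report(SERVER_CIPHERS).items():
        print(f"{key}: {suites}")
```

For the list above only the four legacy `CBC_SHA` suites come out as TLS 1.0-negotiable; whether the server actually still permits the TLS 1.0 protocol is visible only in its configuration or logs, not in the cipher list.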

  • Hi Pete,

    The only explanation is that your RADIUS server provider has not properly disabled TLS 1.0 support. PEAP-MSCHAPv2 still has the TLS 1.0 limitation. I am pretty sure, because I have validated this with a FreeRADIUS server and many other end users' servers.

    The best way to diagnose an issue with WPA2-EAP is to check the logs on the RADIUS server. Another way may be sniffing the network between the CC3220 and the RADIUS server. If you want to be sure that your CC3220 will work with EAP on your customer's network, you should ask for TLS 1.0 for EAP security.

    Diagnosing from the CC3220 is not very useful when EAP security is used. You can check the disconnect reason codes. According to my experience, they are mainly the following:

    • 208 - wrong username or password, unable to validate the CA file for the RADIUS server, missing private key for TLS EAP, RADIUS server does not support TLS 1.0, other errors (RADIUS server is not running or is wrongly configured).
    • 209 - missing CA file on the filesystem, missing certificate on the filesystem
    • 210 - CA file expired or time is not set

    The last diagnostic way is to capture the NWP log. But this way is not very flexible when you interact with customers, because you need to ask TI to decode the NWP log.

    According to my experience, CC3220 EAP security works well when TLS 1.0 is enabled. If EAP security does not work, you may be 99% sure that the culprit is TLS 1.2.

    Jan

  • Does this only impact WPA-Enterprise secured connections or also WPA2 secured connections? It sounds like the CC3220 is documented to support Enterprise, but it's impossible for anyone to know it really doesn't work until they run into this problem. It might have been a feature when the part was introduced, but it's really obsolete. This is going to be a huge problem for us.

  • Hi Pete,

    For socket connections, TLS 1.2 is supported by the NWP. The limitation to TLS 1.0 is for WPA-EAP security only. The TLS version issue is not related to WPA2/WPA3 Personal. In the latest SDK (7.10), TLS 1.3 was even introduced for SF (CC3220SF, CC3235SF) devices. This latest SDK illustrates how to run an external TLS stack (mbed TLS) on the application processor.

    I fully understand your frustration. We also lost some interesting and profitable projects due to the lack of TLS 1.2 for EAP security on the CC3220SF. I have discussed this issue with TI many times. They were never able to convince me that the reasons are technical only, because I have done some research on the TI CC3220 binaries with Ghidra.

    Jan