Other Parts Discussed in Thread: CC3135, CC3100, UNIFLASH
Hi,
We're trying to establish the EAP connection from CC3135 via FreeRADIUS to our TCP test server (CC3135 is the TCP client).
The FreeRADIUS TLS mode was tested with an alternative WiFi module so the configuration seems to be correct (using our custom ca.pem, client.pem, and client.key certificates).
We can also connect to the TCP test server when using SL_WLAN_ENT_EAP_METHOD_PEAP0_MSCHAPv2 with disabled server authentication (SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH) using the CC3135 module.
If we try to use SL_WLAN_ENT_EAP_METHOD_TLS, we get an error SL_WLAN_DISCONNECT_MISSING_CERT.
We're uploading the certificates to the file system on the CC3135 using the code below that was adopted from CC3100 (where this mechanism was working):
static const char* cc3135_cert_name[VP_CERT_TYPE_END] = { [VP_CERT_TYPE_PRIVATE_KEY] = "/sys/cert/private.key", [VP_CERT_TYPE_PUBLIC_KEY] = "/sys/cert/client.pem", [VP_CERT_TYPE_CA] = "/sys/cert/ca.pem", }; #define FLASH_CHUNK_LEN 1024 static uint32_t cc3135_load_certificate(enum vp_cert_type type, uint8_t *data, uint32_t length) { int32_t retVal; uint32_t movingOffset, chunkLen; if ((type >= VP_CERT_TYPE_END) || (NULL == cc3135_cert_name[type])) { return -1; } int32_t fileHandle = sl_FsOpen((const _u8*)cc3135_cert_name[type], SL_FS_CREATE_MAX_SIZE(length) | SL_FS_CREATE | SL_FS_OVERWRITE | SL_FS_CREATE_PUBLIC_READ, NULL); if (fileHandle < 0) { return -1; } movingOffset = 0; do { chunkLen = (_u32)find_min(FLASH_CHUNK_LEN, length); retVal = sl_FsWrite(fileHandle, movingOffset, (_u8 *)&data[movingOffset], chunkLen); if (retVal < 0) { return -1; } length -= chunkLen; movingOffset += chunkLen; } while (chunkLen > 0); retVal = sl_FsClose(fileHandle, NULL, NULL, 0); if (retVal < 0) { return -1; } return 0; }
According to the User guide chapter Enterprise security 4.6.2 the "Client Authentication" states:
– Private Key – Station (client) RSA private key file in PEM format
– Client Certificate – Certificate of the client, given by the authenticating network (has the public key
matches to the private key) in PEM format
On the other hand, the user guide describes that certificates should be in DER format in chapter 8.4.3.2 Forced creation flags, table 8-4, which contradicts chapter 4.6.2.
Questions:
1. Is the upper code for writing the EAP-TLS certificates correct (especially the file creation flags)?
2. Is it mandatory to use certificates in DER format for EAP-TLS as specified in chapter 8.4.3.2?