chrta/sip_call

WPA3 authentication does not work

Closed this issue · 9 comments

Hi,

thank you for this cool project! I tried to re-create this with an ESP32 NodeMCU from AZDelivery. I installed the idf toolchain on Windows. I used menuconfig to set all config settings, built the application and flashed it to the esp via USB. The ESP boots and connects to my WiFi, I can see the WiFi device listed on my router, a Fritzbox 7590.

However, I cannot initiate a SIP call currently. I have chosen GPIO 0 for the input for testing with the boot button of the ESP, as suggested in the description of the configuration option. There are some weird errors on the console:

I (21364) SipSm: [sip_states<SipClientInt<AsioUdpClient, MbedtlsMd5, sip_states, SipClient<AsioUdpClient, MbedtlsMd5> > >][process_event] ev_reply_timeout
 
I (21364) SipSm: [sip_states<SipClientInt<AsioUdpClient, MbedtlsMd5, sip_states, SipClient<AsioUdpClient, MbedtlsMd5> > >][transition] waiting_for_auth_reply -> waiting_for_auth_reply
 
I (21384) SipSm: [sip_states<SipClientInt<AsioUdpClient, MbedtlsMd5, sip_states, SipClient<AsioUdpClient, MbedtlsMd5> > >][action] sip_states<SipClientT>::operator()() const [with SipClientT = SipClientInt<AsioUdpClient, MbedtlsMd5, sip_states, SipClient<AsioUdpClient, MbedtlsMd5> >]::<lambda(SipClientInt<AsioUdpClient, MbedtlsMd5, sip_states, SipClient<AsioUdpClient, MbedtlsMd5> >&, const auto:3&)> ev_reply_timeout
 
E (22864) task_wdt: Task watchdog got triggered. The following tasks did not reset the watchdog in time:
E (22864) task_wdt:  - IDLE0 (CPU 0)
E (22864) task_wdt: Tasks currently running:
E (22864) task_wdt: CPU 0: sip_task
E (22864) task_wdt: CPU 1: IDLE1

This repeats over and over again. I have pasted the full log to https://pastebin.com/kDb6f9B9, in case this helps. Do you have any idea what could be the issue here?

chrta commented

Hello,

I think the log messages from the wifi drivers even after initial communications with the SIP server look fishy. I know that I had problems with certain wifi firmware versions in the esp32 firmware.

Edit: Also the watchdog messages should not appear and the association with the access point should be stable. So there should only be one message regarding connection and getting a valid IP.

-> Your log shows a WIFI connection problem (and probably caused by that some issues with my code that does not handle these issues well).

I just tested with the current esp-idf master and it works for me and my board. But I have a different AP and use the FritzBox 7940. In my test I also used GPIO0, but had to change the source code a little:

diff --git a/main/button_handler.h b/main/button_handler.h
index 96d9be5..e65608a 100644
--- a/main/button_handler.h
+++ b/main/button_handler.h
@@ -76,7 +76,7 @@ public:
         gpioConfig.mode = GPIO_MODE_INPUT;
         gpioConfig.pull_up_en = GPIO_PULLUP_ENABLE;
         gpioConfig.pull_down_en = GPIO_PULLDOWN_DISABLE;
-        gpioConfig.intr_type = GPIO_INTR_POSEDGE;
+        gpioConfig.intr_type = GPIO_INTR_NEGEDGE;
         gpio_config(&gpioConfig);
     }
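
Review bot: the switch to GPIO_INTR_NEGEDGE on the intr_type line is hard-coded, so it only fits an input that idles high through the enabled pull-up and is pulled low when pressed; a board wired the other way would need GPIO_INTR_POSEDGE again. Consider deriving the edge from a configuration option next to the GPIO number, or at least add a comment on this line saying that the falling edge is the press on a pulled-up input.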
 
  1. Can you retry with the current master of esp-idf (including updated submodules)?
  2. If this does not work, can you retry with the esp-idf version 4.2-rc?

@chrta Thank you very much for the swift reply! I have tried with current master of esp-idf (v4.3-dev-1901-g178b122c1), but without any success: https://pastebin.com/mE42ZpST. Getting significantly more output with CPU 1 backtrace though. Next, I have tried with the release/v4.2 branch of esp-idf (v4.2-rc-5-g511965b26), but results seem to be pretty much the same: https://pastebin.com/DS4uNABK.

Given that you said you are using FritzBox 7490 while I am using 7590, I was wondering what could be the difference. Especially in terms of your hint that my log shows a WiFi problem. I am using WPA3 with the setting "WPA2 + WPA3" in my Fritzbox. Changing this to "WPA + WPA2" lets my ESP connect! For completeness, I tried "WPA2 (CCMP)" as well, which is also fine. So it seems like the setting "WPA2 + WPA3" is the only problem here.

Any idea how the issue with WPA3 could be solved? I would prefer using WPA3 obviously. According to https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/wifi.html it should be possible somehow...

chrta commented

I do not have any WPA3 AP. Can you test this:

diff --git a/main/main.cpp b/main/main.cpp
index 80961ed..cbb91cb 100644
--- a/main/main.cpp
+++ b/main/main.cpp
@@ -137,7 +137,7 @@ static void initialize_wifi()
     /* Setting a password implies station will connect to all security modes including WEP/WPA.
       * However these modes are deprecated and not advisable to be used. Incase your Access point
       * doesn't support WPA2, these mode can be enabled by commenting below line */
-    wifi_config.sta.threshold.authmode = WIFI_AUTH_WPA2_PSK;
+    wifi_config.sta.threshold.authmode = WIFI_AUTH_WPA2_WPA3_PSK;
 
     wifi_config.sta.pmf_cfg.capable = true;
     wifi_config.sta.pmf_cfg.required = false;
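
Review bot: the comment block above the changed threshold.authmode line still describes the threshold in terms of WPA2 ("Incase your Access point doesn't support WPA2"), so after this change the comment and the value disagree. Update the comment to state the new minimum, and consider making the threshold a configuration choice instead of a constant, since the value that works depends on how the access point is set up.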

See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/network/esp_wifi.html?highlight=wpa3#_CPPv418WIFI_AUTH_WPA3_PSK

I have tried both WIFI_AUTH_WPA2_WPA3_PSK and WIFI_AUTH_WPA3_PSK, but neither seems to work.

chrta commented

Hmm, does completely removing the line work, so wifi_config.sta.threshold.authmode is not set?

After checking the wifi component of ESPHome, where it seems they are not using any explicit option either, I just had the same idea. However, this doesn't work either: https://pastebin.com/qgVKc4uv. This may be ESP32-related, since I am using ESPHome only with ESP8266 currently, but otherwise, I have not had any problems with WPA2+WPA3 yet.

I think I found the trick, this works for me with FritzBox 7590 and WPA2+WPA3 enabled:

diff --git a/main/main.cpp b/main/main.cpp
index 80961ed..9f2ffa6 100644
--- a/main/main.cpp
+++ b/main/main.cpp
@@ -137,10 +137,10 @@ static void initialize_wifi()
     /* Setting a password implies station will connect to all security modes including WEP/WPA.
       * However these modes are deprecated and not advisable to be used. Incase your Access point
       * doesn't support WPA2, these mode can be enabled by commenting below line */
-    wifi_config.sta.threshold.authmode = WIFI_AUTH_WPA2_PSK;
+    //wifi_config.sta.threshold.authmode = WIFI_AUTH_WPA2_WPA3_PSK;

-    wifi_config.sta.pmf_cfg.capable = true;
-    wifi_config.sta.pmf_cfg.required = false;
+    //wifi_config.sta.pmf_cfg.capable = true;
+    //wifi_config.sta.pmf_cfg.required = false;

     ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
     ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA));
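
Review bot: commenting out the threshold.authmode line removes the minimum security mode, and the comment kept directly above it says that doing so lets the station connect to all security modes including WEP/WPA, which it calls deprecated; that is a wider change than enabling WPA3. Rather than leaving three commented-out assignments in initialize_wifi(), keep an explicit threshold, make the pmf_cfg values a deliberate setting with a comment explaining the choice, and delete the lines that are really meant to go.
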
chrta commented

Thank you for the information. This seems to be an issue in esp-idf, since this is documented there https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/wifi.html#protected-management-frames-pmf

Since PMF is a mandatory requirement for WPA3, PMF capability should be at least set to "PMF capable, but not required" for {IDF_TARGET_NAME} to use WPA3 mode.

chrta commented

I tested this today with the current master branch (and esp-idf v4.3) with my fritzbox 7490 set to wpa mode "WPA2 + WPA3" and it works for me:

I (5999) wifi:state: auth -> init (200)
I (5999) wifi:new:<1,0>, old:<1,0>, ap:<255,255>, sta:<1,0>, prof:1
I (8069) wifi:new:<1,0>, old:<1,0>, ap:<255,255>, sta:<1,0>, prof:1
I (8079) wifi:state: init -> auth (b0)
I (10359) wifi:state: auth -> assoc (0)
I (10369) wifi:state: assoc -> run (10)
I (10399) wifi:connected with SSID, aid = 1, channel 1, BW20, bssid = aa:bb:cc:dd:ee:ff
I (10399) wifi:security: WPA3-SAE, phy: bgn, rssi: -66
I (10409) wifi:pm start, type: 0

I (10429) wifi:AP's beacon interval = 102400 us, DTIM period = 1
I (11099) esp_netif_handlers: sta ip: 192.168.1.100, mask: 255.255.255.0, gw: 192.168.1.1
I (11099) main: got ip:192.168.1.100
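
With the access point set to "WPA2 + WPA3", a successful association can use either protocol, so the wifi:security: line in the serial log is what confirms that WPA3-SAE was actually negotiated. The following is an added example, not part of the thread or of the sip_call project: a small Python check over a captured ESP-IDF log that reports the negotiated security mode, the station IP and any task watchdog hits. The function names and the second sample log are assumptions made for the example.

```python
import re

# ESP-IDF serial log line: "<level> (<ms since boot>) <tag>: <message>"
LINE_RE = re.compile(r"^([EWIDV]) \((\d+)\) ([^:]+):\s*(.*)$")

# Lines copied from the working log in this thread.
PAGE_LOG = """\
I (8079) wifi:state: init -> auth (b0)
I (10359) wifi:state: auth -> assoc (0)
I (10369) wifi:state: assoc -> run (10)
I (10399) wifi:security: WPA3-SAE, phy: bgn, rssi: -66
I (11099) esp_netif_handlers: sta ip: 192.168.1.100, mask: 255.255.255.0, gw: 192.168.1.1
"""

# Constructed sample; the "WPA2-PSK" label is an assumed spelling.
CONSTRUCTED_LOG = """\
I (10369) wifi:state: assoc -> run (10)
I (10399) wifi:security: WPA2-PSK, phy: bgn, rssi: -66
E (22864) task_wdt: Task watchdog got triggered. The following tasks did not reset the watchdog in time:
"""

def summarize(log_text):
    """Extract negotiated security, state changes, IP and watchdog hits."""
    out = {"security": None, "states": [], "ip": None, "wdt_triggers": 0}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or wrapped line
        _level, _ms, tag, msg = m.groups()
        if tag == "wifi" and msg.startswith("security:"):
            out["security"] = msg.split(":", 1)[1].split(",")[0].strip()
        elif tag == "wifi" and msg.startswith("state:"):
            out["states"] += re.findall(r"state:\s*(\w+)\s*->\s*(\w+)", msg)
        elif tag == "esp_netif_handlers" and msg.startswith("sta ip:"):
            out["ip"] = msg.split(":", 1)[1].split(",")[0].strip()
        elif tag == "task_wdt" and "got triggered" in msg:
            out["wdt_triggers"] += 1
    return out

def check(summary, required="WPA3-SAE"):
    """Return a list of findings; an empty list means the log passes."""
    findings = []
    if summary["security"] != required:
        findings.append(f"negotiated {summary['security']}, expected {required}")
    if summary["ip"] is None:
        findings.append("no IP address obtained")
    if summary["wdt_triggers"]:
        findings.append(f"task watchdog fired {summary['wdt_triggers']} time(s)")
    return findings
```

Calling check(summarize(text)) on a saved monitor capture returns an empty list only when the log shows the required security mode, an assigned IP and no watchdog trigger.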