WPA3 regression on ESP32 device with 13.3.0?

[schildbach]

I've got a Sonoff M5-3C (ESP32) and I'm pretty sure in some pre-13.3.0 Tasmota it connected to my Wi-Fi router via WPA3. Now, with version 13.3.0, it only connects via WPA2. Is this intentional? Should I open a bug report?

Program Version	13.3.0(tasmota32)
Build Date & Time	2023-12-12T14:31:42
Core/SDK Version	2_0_14/4.4.6.231122
ESP Chip Id	13217284 (ESP32-D0WD-V3 v3.0)
Flash Chip Id	0x16405E (DIO)

[Jason2866]

We have reduced the amount of mbedtls ciphers to reduce flash memory footprint.
This affects the cypher used for WPA3 too. We are checking how much of flash increase does it costs to re-enable the needed one(s) for WPA3. If it consumes to much flash, WPA3 will left disabled.
So, no it is not a bug.

[Kahless2001]

This isn't really ok. If we are going to disable ciphers to save space, we should be removing old broken ones, not the ones that enable the most secure configurations.

[Jason2866]

Arduino core 2.0.14 is based on IDF 4.4. IDF 4.4 does not have the possibility to disable WPA2 ciphers and only enable WPA3. btw. by doing this all users only having WPA2 would have a broken device.
For core 2.0.14 ciphers are disabled which are unused or broken. Sadly the used ones for WPA3 can't be enabled only. As said Arduino Core 3.0.0 based on IDF 5.1 has more granular control possibilitys of enabling ciphers.
If you can't or want to wait using WPA3 use a older Tasmota version or compile actual Tasmota with Arduino Core 3.0.0 alpha

[schildbach]

It's sad to hear. I hope it can be re-enabled at least for ESP32.

[Jason2866]

There will be no different setups. Checked already the configs. For core 2.0.14 it will not re-enabled since IDF 4.4 does not support such fine granular control.
Since Tasmota will move to core 3.0.0 when it is released, there is a chance since IDF 5.1 has more granular settings.

[Jason2866]

Tasmota compiled with core 3.0.0 should connect to WPA3 APS, since ESP_WIFI_ENABLE_WPA3_SAE is set.

        Select this option to allow the device to establish a WPA3-Personal connection with eligible AP's.
        PMF (Protected Management Frames) is a prerequisite feature for a WPA3 connection, it needs to be
        explicitly configured before attempting connection. Please refer to the Wi-Fi Driver API Guide for details.

[schildbach]

I'm now on Tasmota 14 with Core version 3.0.0:

Program Version	14.0.0 (release-tasmota32)
Build Date & Time	2024-05-14T13:54:09
Core/SDK Version	3_0_0/5.1.3.240430

But the Wifi connection is still WPA2. Is there anything I need to enable to get WPA3? I didn't see anything about it in the release notes.

[schildbach]

It's not possible with most home routers, e.g. FritzBox (largest brand in Germany). There is only WPA2/3 auto for the moment.

Note that Tasmota 12.x worked fine with the same router, I see that every time I cycle through the safe mode.

[schildbach]

Also, "WPA3 only" would exclude all the ESP8266 from the same network, assuming they won't get WPA3 with Tasmota 14?

Is there a way to tell Tasmota to prefer (or force) WPA3?

[Jason2866]

No, it is done "under the hood" from the closed source wifi stack. Can not be set granular. If both is enabled (WPA2/3) the wifi stack decides how to connect.
You can send out another SSID from your AP which has only WPA3 enabled.
I know the Fritz Box Routers. Highly overpriced with reduced crippled features.
Have you checked if PMF is set for WPA3 in the Fritz Box?

[schildbach]

PMF seems to be enabled as a "Signal property", but the encryption is still WPA2.

[schildbach]

[Jason2866]

Regarding https://docs.espressif.com/projects/esp-idf/en/release-v5.1/esp32/api-guides/wifi-security.html#setting-up-wpa3-personal-with-esp32 WPA3 is used by default when the requirements are met.
The mentioned configs are all set, when the Tasmota Arduino Libs are compiled with IDF 5.1

[schildbach]

The document states:

WPA3-Personal is now the highest supported protocol in terms of security, so it will be automatically selected for the connection whenever available. For example, if an AP is configured to be in WPA3 Transition Mode, where it will advertise as both WPA2 and WPA3 capable, Station will choose WPA3 for the connection with above settings.

I think this "WPA3 Transition Mode" is exactly the "WPA2/3" setting that home routers offer at the moment. But WPA3 isn't automatically selected as stated above.

[Jason2866]

As already said before, everything is set for WPA3. If it does not work we can do nothing.

[schildbach]

I'm just wondering why did it work without problem with version 12.x? You said you removed ciphers for version 13 – maybe that has caused the regression?

[Jason2866]

No. The ciphers are there. espressif does changes and fixes in the closed source wifi libs. Since the mentioned version the libs have changed a lot. There is no description what has changed. The wifi libs needs needs to fit to the used IDF version. There is no choice possible which libs to use.
The only choice you have is using the older Tasmota version which works for you with WPA3.
Have you removed TKIP? Only AES is allowed for WPA3. The insecure TKIP protocol should be removed in general (for WPA2 too).

[l-jonas]

Version 13.0.0 works fine for me with WPA3. Issues start at newer versions.

[Jason2866]

WPA3 support is removed in later framework builds. Reason support for WPA 3 takes a lot of flash space.
If needed support can be added with Hybrid Compile.
Example env

[env:tasmota32-WPA3_SAE]
; Arduino libs with WiFi Enterprise support
extends                     = env:tasmota32_base
build_flags                 = ${env:tasmota32_base.build_flags}
                              -DFIRMWARE_TASMOTA32
                              -DOTA_URL='""'
lib_ignore                  = Micro-RTSP
custom_sdkconfig            = CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT=y
                              CONFIG_ESP_WIFI_ENABLE_WPA3_SAE=y
                              CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA=y

[Jason2866]

@schildbach Tasmota is Open Source :-)! As described above with Hybrid Compile you can simply add the needed sdkconfig settings to support WPA3. There are no changes needed in Tasmota. WPA support is done in the IDF / Arduino (precompiled) libs.
A runtime option makes no sense, if WPA3 support is added there is a lot of flash space already lost.
That is the reason why it is removed. One of the design goals of Tasmota is to provide as much as possible functions without having many different builds. So there will be no official Tasmota WPA3 version.

[sfromis]

Removing features making Tasmota easy to use for a wide swath of users may not be that helpful just to cater to a tiny minority wanting more than perimeter security in their networks. There's really not that much in features which would be good candidates for trimming, as most of the included drivers (in the standard precompiled build) are for lights and energy monitoring, both of which are used a lot.

[l-jonas]

"Removing features making Tasmota easy to use" and a "a security-first variant" can co-exist.

Looking at the proposed configuration, it looks like the WPA3 support could be smaller. Somehow, older versions with WPA3 were small enough.

[l-jonas]

"A runtime option makes no sense" can not apply to "force WPA3 during connecting". There are users that want to use WPA2 temporarily or permanently. Tasmota does not provide an option like this yet so that theoretically (did not try it) makes a downgrade attack easy.

[Jason2866]

If you found a way to enable WPA3 without using a lot of flash space, a PR is very welcome.
As I already wrote you can change settings and compile a version where a WPA3 connection is possible

[l-jonas]

In my experiments, WPA3 support took 53 KB (or 3 KB more when including the two options that I consider unnecessary). The suggested configuration had a Used Flash size : 2003810 bytes. According to this, the app0 partition has a size of 2,8 MB. I do not see a size issue.

My test safeboot image using the default configuration had a Used Flash size : 716348 bytes. The partition is 832 KB big. So another 53 KB would fit (assuming that the size difference caused by WPA3 is similar to the regular image).

[Jason2866]

That's why I made Hybrid Compile mode. Small changes users wants in sdkconfig.
Happy Christmas and enjoy your possible WPA3 connection.
Adding 53k to safeboot makes some MCU variants to go over the limit.

[schildbach]

Related: there is some effort to re-implement the proprietary ESP32 Wi-Fi stack as open source. They say that WPA is handled by the hardware. Among various other improvements, they want to implement standards-conformant mesh networking, which could be interesting for Tasmota imho.

https://media.ccc.de/v/38c3-liberating-wi-fi-on-the-esp32

[Jason2866]

@schildbach I know this Open Source attempt to build an Open Source Wifi Stack for the esp32. Currently it is far away from being useable.

[sfromis]

FTR: https://github.com/esp32-open-mac/esp32-open-mac (more links there too)
At least, the project seems to be active

[Ramalama2]

TBH, it's 2025, i have like 14 tasmota devices and none of them has less then 300kb free space.
53kb for wpa3 is reasonable.

Shouldnt there be at least by default one esp32 build with wpa3?
(i mean only the basic english version, no one needs localized versions in my opinion)
Im myself german and never used the german tasmota versions...

Tasmota is one of the last things that forces me to run wpa2 in my home, or to be more specific i need to broadcast a depricated wifi just for wpa2.
Because WPA2 is not compatible with MLO.
(WPA2 is not compatible with Wifi-7 at all)

Cheers

[schildbach]

WPA2 is not compatible with Wifi-7 at all

Interesting. Does this mean Tasmota can't connect to a Wifi-7 router?

[sfromis]

Some router including the feature of Wifi 7 would probably also support older versions.

[Ramalama2]

Yes and No,
Wifi-7 is absolutely incompatible with WPA2, since Wifi-7 is WPA3 only.

Wifi-7 has no compatibility mode for WPA2!
You have either to spin up a dedicated second Wifi Network with Wifi-6 and WPA2 or WPA2/WPA3 mixed mode.
Or if your Access Point/Router cant broadcast multiple Wifi networks, you have to degrade to Wifi-6.

So in any case, tasmota is incompatible with Wifi-7 completely.

[Jason2866]

Not planned to change since safeboot partition is to small for adding around 53k.
Already explained #20472 (reply in thread)
Yes, Tasmota is incompatible to WiFi 7
For WPA3 support this env can be compiled

Tasmota/platformio_tasmota_cenv_sample.ini

Lines 70 to 83 in ac8236a

	[env:tasmota32-WPA3_SAE]
	; Arduino libs with WiFi Enterprise support
	extends = env:tasmota32_base
	build_flags = ${env:tasmota32_base.build_flags}
	-DFIRMWARE_TASMOTA32
	-DOTA_URL='""'
	lib_ignore = Micro-RTSP
	custom_sdkconfig = CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT=y
	CONFIG_WIFI_AUTH_WPA2_ENTERPRISE=y
	CONFIG_WIFI_AUTH_WPA3_ENTERPRISE=y
	CONFIG_WIFI_AUTH_WPA2_WPA3_ENTERPRISE=y
	CONFIG_ESP_WIFI_ENABLE_WPA3_SAE=y
	CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA=y

A device flashed with this firmware will be a kind of a brick when trying to upgrade since the safeboot firmware is WPA2 only. A safeboot variant with WPA3 is not possible to build, since the safeboot partition is not big enough for a safeboot firmware with enabled WPA3 support.

[sfromis]

Safeboot is indeed an independent smaller partition (what you call micro/minimal firmware), which you can upgrade independently of the normal OTA partition - meaning that that it could be quite some time behind in what Tasmota version was used. Not sure exactly how old would still work, but I suspect that lots of users have been upgrading the regular Tasmota partition without worrying about what version safeboot (from time of first install) is on the device.

You could build your own safeboot binary to fit withing he partition scheme, but there's not room to add much, and not many opportunities for reducing size. If you don't need TLS while upgrading (useful for remote upgrades via MQTT-TLS), you could trim that, but I've not looked into sizes, or done any experimentation.

I think that you are overestimating the "need" for WPA3 in regular home networks. You are borderline in seeing it as "very important". "Some people" have spent years on arguing the importance of IPv6, while IPv4 is still a major part of network traffic.

[Ramalama2]

Thanks for the explanation @sfromis
If safeboot is only a partition, then it can be actually repartitioned?
This would need some work, probably repartitioning is only doable with an USB cable or Usb2Serial adapter.
And since you cannot dissasemble most devices, it even more Problematic.

However, so if safeboot is indeed independent, then its actually not that big of a hurdle, at least there are ways (older images, removing tls or other features etc...).

Wifi-7 is not mandatory at the moment, thats true.

But let me visualize my situation (As Example for probably other Nerds using tasmota)
I have a Proxmox Server (Mini-ITX with ECC and ~180TB HDD Storage for Crap Data & 4TB Nvme-Storage for VMs/Containers)
(Others have probably a NAS or just a small MiniPC, im just the extreme case)

And as you imagine, im transferring a lot of Data between my Macbook and the Server.
And i need the speed.

My Macbook has Wifi 6E and i have a dedicated 6ghz Wifi Network with WPA3.
So my connection speed is 2,4Gbit/s at 100% of the time (The AP is not far away, probably 3 Meters)

In the Image you see:
Tornado_6G -> Only 6ghz (I don't need this one anymore actually)
Tornado_Netzwerk -> MLO 2,4+5+6, it's the default Wifi for all Devices that supports WPA3
Tornado_Depricated -> For IOT Crap without WPA3 Support, like tasmota.

So actually it would be amazing, if i could get rid of that depricated network already now xD
Even my Printer (MFC-L3760CDW) Supports WPA3, but its anyway connected vial LAN.

Basically in my home is nothing left other then tasmota devices, that is not supporting WPA3.
And im buying actually only IOT-Stuff, which i can reflash with Tasmota since i heard first time about tasmota years ago.
And glad god for TasmoAdmin, i can keep everything Up2Date with 1 Click :-)

Like i said, im an extreme user.
But i think people that are using tasmota are similarly Tech-Geeky Nerds.
And in 2-3 Years (max), i believe this will get an issue for a lot of tasmota users.

I would even go that far to replace every Tasmota Device in my home, for an Tasmotable device based on Esp32 with 4m Flash.
But i cannot, because there is almost nothing on the market to buy (with 4m) to replace my stuff.
Even Shelly is switching in new Devices to some new Unsupported Crap SoC....

And please don't laugh, i know that im looking probably a bit tooo Geeky/Nerdy/Stupid.
Just wanted to Explain somehow, why im Active in this Github Issue....

[sfromis]

Tasmota includes tools for partitoning operations, the Partition Manager and Partition Wizard.
https://tasmota.github.io/docs/Tasmota-Application/#partition-management

While safeboot is independent, I'm not declaring the cooperation between safeboot and the regular partition to be independent of Tasmota versions. Also I'm not saying that there is a "close dependency". Older safeboot versions is likely to be workable, but better make sure to have the option of "cold reflashing" while you are experimenting.

When it comes to what networks you have, it is already common for people with strong ideas about security to very deliberately separate IoT stuff into a separate network, instead of trying to merge networks.

[Jason2866]

@Ramalama2 There will be a way to repartiton Tasmota devices without serial access. We do this already when OTA converting Shelly devices to Tasmota. BUT since this will be no automated process and needs "hands on" and there is a risk to brick the device we will do this when really needed. We will not do for "just" WPA3 now. Increasing safeboot partition decreases useable space for firmware functions.
We want to avoid uncomfortable work and breaking changes as long this is not really needed.

[Ramalama2]

Thanks @sfromis and @Jason2866 for the explanations and your time!

@sfromis Separating iot Stuff is indeed a really good argument for security reasons, but broadcasting a WPA2 network is less secure either than WPA3 xD
(By less secure, i dont mean unsecure or an issue, just less secure)

So for now im pretty fine with building myself, if i really need WPA3. (I dont think)
But just for completeness, as far i unserstood i will just have the issue with Upgrading from an older WPA3 image to a never WPA3 image, without a WPA2 network for safeboot?
(Glad god you can define an alternative/second Wifi network in Tasmota)

However, thank you both a lot!
Cheers :-)

[schildbach]

The weird thing is that my safeboot still contains an older version of Tasmota that indeed can do WPA3. Guess I will be forever stuck on that version, as I value safety more than support for more and more devices and features I don't need.

[schildbach]

A safeboot variant with WPA3 is not possible to build

This issue is about a regression. This means WPA3 worked perfectly, both for regular boot and safeboot. Now, it doesn't work any more.

[Jason2866]

A regression we can't fix without breaking changes. The regression is out of Tasmota code. The actual framework (Arduino / IDF) increased a lot in size so it is not possible to include WPA3 in safeboot firmware anymore.

[Jason2866]

If the version you currently use has all the features you need, stay with this version. There are no know security holes.

[sfromis]

As a workaround for safeboot not supporting WPA3, you could temporarily connect to a separate Wifi network to upgrade if you build your own binary to include this support.

Or it might be workable to deliberately keep safeboot at an older level while the full Tasmota binary could be current. Not tried this, and it would still incur a compatibility risk.

Of course, wired flashing (without erasing) could also be an option, if accessibility is not too bad.

[schildbach]

As a workaround for safeboot not supporting WPA3, you could temporarily connect to a separate Wifi network to upgrade if you build your own binary to include this support.

Sure, but this does not solve the WPA3 issue for regular boot, which to my understanding boots from a more than three times as big partition.

[sfromis]

If you create your own binary to include WPA3 support, I'd expect it to work ok for booting the regular partition. Of course, you'd have to reconfigure to the primary network after completing the upgrade on the special-purpose network used for upgrading.