ussl.wrapsocket and mbedtls
The function arguments for ussl.wrapsocket for ESP32 do not match with the documentation. ussl.wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None)
It seems that the modussl_mbedtls file has a modified function that has parameters listed as "key" and "cert" and missing argument for ca_cert.
Also, in socket_new, the call to mbedtls_ctr_drbg_seed takes null_entropy_func instead of mbedtls_entropy_func.
How to make the ussl.wrapsocket working for ESP32 for use with AWS IoT?
extmod/modussl_mbedtls.c: Add missing args and constants to ssl module.
This PR adds cert_reqs , ca_certs arguments to ssl.wrap_socket and
ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED constants to ssl module following documentation.
This enables mutual authentication (mTLS), so it possible to authenticate both servers and clients.
Also I'm aware there is a previous draft of this at #5998 however there the authentication mode is hard coded to optional (MBEDTLS_SSL_VERIFY_OPTIONAL) which may not be recommended
On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode. With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at the right time(s), which may not be obvious, while REQUIRED always perform the verification as soon as possible. For example, REQUIRED was protecting against the "triple handshake" attack even before it was found.
I'm not sure if these lines could be just one line or if it is better this way?
int certreq = (args->cert_reqs.u_int);
mbedtls_ssl_conf_authmode(&o->conf, certreq);
Also here
{ MP_QSTR_cert_reqs, MP_ARG_KW_ONLY | MP_ARG_INT, {.u_int = 0}}
It may be better use MBEDTLS_SSL_VERIFY_NONE for clarity?