← index #1862PR #3398
Related · high · value 0.764
QUERY · ISSUE

axTLS-based modussl: ussl.wrap_socket silently accepts invalid certificates

openby ncoghlanopened 2016-02-28updated 2024-09-08
port-esp8266

Investigating https://github.com/micropython/micropython-lib/issues/69, I found the current SSL/TLS socket creation code at https://github.com/micropython/micropython/blob/d19e4f0ba4df487b4ebd36b5fe6a16e68c0afe77/extmod/modussl.c#L49

If I'm reading that correctly:

  1. Wrapping a socket without providing any certificate verification details results in no verification being performed;
  2. Even if verification details are provided, they're still ignored

This makes the documentation at http://docs.micropython.org/en/latest/library/ussl.html#ussl.ssl.wrap_socket thoroughly misleading, as even if the additional arguments are passed in, they won't be processed.

I realise actually implementing this will require a significant amount of work, so my request at this point would be for passing in unsupported arguments to result in a hard failure, rather than silently appearing to succeed without actually providing the claimed security guarantees.

CANDIDATE · PULL REQUEST

extmod/modussl_axtls: Implement key and cert kw args to wrap_socket.

closedby dpgeorgeopened 2017-10-30updated 2021-09-28

This adds key/cert support to ussl (axtls implementation, mbedtls already has it). The key and cert must both be a str/bytes object in DER format (PEM format is not supported, but could be if additional options were enabled in axtls).

One modification that could be done to this PR would be to allow any object with the buffer protocol to be passed for key/cert (not just str/bytes), which, for example, would allow to use a bytearray and file.readinto() instead of file.read() when loading the data. But doing it that way would also require updating the mbedtls version to have the same behaviour, so for now it accepts just str/bytes.

Total code size increase is +247 bytes on unix x86-64, and +180 bytes on esp8266.

This PR was tested on unix and esp8266 with the MQTT endpoint of AWS IoT via the following code:

from umqtt.simple import MQTTClient

with open('my_thing.private.key.der') as f:
    key_data = f.read()

with open('my_thing.cert.pem.der') as f:
    cert_data = f.read()

client = MQTTClient('my_thing', 'endpoint.iot.region.amazonaws.com', ssl=True, ssl_params={'key': key_data, 'cert': cert_data})
client.connect()
client.publish('hello', 'from my_thing')
client.disconnect()

Note that esp8266 running at 160MHz takes 25 seconds to do the client.connect(), due to the large amount of processing needed for the key.

Keyboard

j / / n
next pair
k / / p
previous pair
1 / / h
show query pane
2 / / l
show candidate pane
c
copy suggested comment
r
toggle reasoning
g i
go to index
?
show this help
esc
close overlays

press ? or esc to close

copied