← index #1862Issue #10832
Related · high · value 0.546
QUERY · ISSUE

axTLS-based modussl: ussl.wrap_socket silently accepts invalid certificates

openby ncoghlanopened 2016-02-28updated 2024-09-08
port-esp8266

Investigating https://github.com/micropython/micropython-lib/issues/69, I found the current SSL/TLS socket creation code at https://github.com/micropython/micropython/blob/d19e4f0ba4df487b4ebd36b5fe6a16e68c0afe77/extmod/modussl.c#L49

If I'm reading that correctly:

  1. Wrapping a socket without providing any certificate verification details results in no verification being performed;
  2. Even if verification details are provided, they're still ignored

This makes the documentation at http://docs.micropython.org/en/latest/library/ussl.html#ussl.ssl.wrap_socket thoroughly misleading, as even if the additional arguments are passed in, they won't be processed.

I realise actually implementing this will require a significant amount of work, so my request at this point would be for passing in unsupported arguments to result in a hard failure, rather than silently appearing to succeed without actually providing the claimed security guarantees.

CANDIDATE · ISSUE

SSL certificate verify failure lacks specifics

closedby davidmcnabnzopened 2023-02-23updated 2023-12-12

When a ussl.wrap_socket() call fails due to a certificate verification issue, the only information the user can see is the exception:

  • OSError: (-9984, 'MBEDTLS_ERR_X509_CERT_VERIFY_FAILED')

The exception per se suggests an inherent fault with the certificate and/or its CA chain.

However, that exception also occurs if the device's clock is not manually set, even if the certificate and its CA chain are inherently valid. On startup, the clock gets set to a hardwired datetime in 2022. If it sees a certificate with a validity start date later than this default, the validation will fail with no explanation.

Recommended remedies:

  1. Create a range of different exception titles for ussl.wrap_socket(), rather than just the single terse MBEDTLS_ERR_X509_CERT_VERIFY_FAILED. Include in this a couple of titles which indicate the system datetime is before the certificate start time, or later than the certificate expiry time
  2. Alternately, add some extra attributes into the OSError exception object to help users diagnose the verification failure, and make sure to document these in the API page for ussl.wrap_socket()
  3. Either way, update the API page to (i) warn users that a device's default datetime may pre-date a presented certificate, and (ii) recommend that users set the datetime themselves, possibly via calling ntptime.settime()

Keyboard

j / / n
next pair
k / / p
previous pair
1 / / h
show query pane
2 / / l
show candidate pane
c
copy suggested comment
r
toggle reasoning
g i
go to index
?
show this help
esc
close overlays

press ? or esc to close

copied