axTLS-based modussl: ussl.wrap_socket silently accepts invalid certificates
Investigating https://github.com/micropython/micropython-lib/issues/69, I found the current SSL/TLS socket creation code at https://github.com/micropython/micropython/blob/d19e4f0ba4df487b4ebd36b5fe6a16e68c0afe77/extmod/modussl.c#L49
If I'm reading that correctly:
- Wrapping a socket without providing any certificate verification details results in no verification being performed;
- Even if verification details are provided, they're still ignored.
This makes the documentation at http://docs.micropython.org/en/latest/library/ussl.html#ussl.ssl.wrap_socket thoroughly misleading, as even if the additional arguments are passed in, they won't be processed.
I realise actually implementing this will require a significant amount of work, so my request at this point would be for passing in unsupported arguments to result in a hard failure, rather than silently appearing to succeed without actually providing the claimed security guarantees.
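The hard failure requested above, as an added example (not MicroPython's code and not part of the original report): a guard that refuses verification arguments when the TLS backend cannot honour them. `strict_wrap_socket`, `UnsupportedTLSOption` and `ignoring_wrap` are hypothetical names, and the `cert_reqs`/`ca_certs` argument names are assumed from the CPython-style signature; the wrap function is injected so the guard runs without a device.

```python
CERT_NONE = 0      # same numeric values as CPython's ssl module
CERT_REQUIRED = 2


class UnsupportedTLSOption(ValueError):
    """The caller asked for a guarantee the backend cannot provide."""


def strict_wrap_socket(sock, wrap, backend_verifies=False, **kwargs):
    """Call wrap(sock, **kwargs) only if every requested guarantee is honoured.

    wrap             -- the platform's wrap function (assumed: ussl.wrap_socket)
    backend_verifies -- set True only for a build known to validate peer certs
    """
    requested = []
    # Any cert_reqs other than CERT_NONE is a request for peer verification.
    if kwargs.get("cert_reqs", CERT_NONE) != CERT_NONE:
        requested.append("cert_reqs")
    # Supplying trust anchors only makes sense if they will be checked.
    if kwargs.get("ca_certs") is not None:
        requested.append("ca_certs")
    if requested and not backend_verifies:
        # Fail closed: never hand back a socket that looks verified but is not.
        raise UnsupportedTLSOption(
            "verification requested via %s, but this backend performs none"
            % ", ".join(requested))
    return wrap(sock, **kwargs)


def ignoring_wrap(sock, **kwargs):
    # Constructed stand-in for the behaviour the report describes:
    # accepts any arguments and verifies nothing.
    return ("tls", sock)


def demo():
    """Return (plain_ok, strict_rejected) for the two cases in the report."""
    plain_ok = strict_wrap_socket("sock", ignoring_wrap) == ("tls", "sock")
    try:
        strict_wrap_socket("sock", ignoring_wrap,
                           cert_reqs=CERT_REQUIRED, ca_certs="ca.pem")
        strict_rejected = False
    except UnsupportedTLSOption:
        strict_rejected = True
    return plain_ok, strict_rejected
```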
Does ussl.wrap_socket() support providing cert for client request?
Does ussl.wrap_socket() support providing cert? Can someone provide an example? Don't see anything in http_client_ssl.py, using ESP8266. Also getting the urequests.py OSError -40. Even with a self-signed cert. Have made requests to this server with ESP8266/Arduino.
```python
import usocket
import ussl
addr = usocket.getaddrinfo('server.net', 443)[0][-1]
f = open('cert.pem')
cert = f.read()
f.close()
s = usocket.socket()
s.connect(addr)
ss = ussl.wrap_socket(s, cert=cert)
```

```
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: -40
```