MicroPython Forum (Archive)

I think that there can only be one CA cert at a time. Maybe you could dynamically copy different ca.pem files to "/flash/cert" based on your needs during runtime of your application. Btw, did you try if server cert validation works if you use different name than ca.pem and provide real name in ca_ce...

I just seen that SL_ESECDATEERROR (-461) /* connected with certificate date verification error */ can also bubble up to MicroPython, with ussl.CERT_REQUIRED but the socket was not connected.

In my understanding, SSL socket with server cert validation using CA cert can be created and connected only if CA cert has proper format and is valid for particular server. Otherwise it will throw error 155 or 456. You can try it in the REPL: >>> import usocket >>> import ussl >>> ai = usocket.getad...

Thats a good question - I dont know how. In CCS Uniflash you can launch Get Version command, but this will only return bootloader and chipset version. I know which one I am using because I flashed it - I am currently using 10.0.0.10.0. I dont uderstand why Chrome says that google.sk cert was issued ...

Thats interesting, do you know which service pack is installed on your WiPy/CC3200? Is your "good CA" from GeoTrust Global CA? You can find error codes with short explanation in header files in CC3200SDK folder "cc3200-sdk\simplelink\include". Those error codes we are talking about are in "socket.h"...

I did move s.connect() after the SSL wrapper and I also sync RTC via NTP. When I upload ca.pem which is not DER encoded (e.g. Base64 encoded) I get error 456: #define SL_ESECBADCAFILE (-456) /* error secure level bad CA file */ In case I use ca.pem file with proper DER encoding I always get error 15...

Just thinking - maybe it means that format of the file is not valid and not that server certificate was not validated with this CA certificate?

Thank you Jim for extensive post. I will perform next test based on your recommendations. OSError 456 means following: SL_ESECBADCAFILE (-456) /* error secure level bad CA file */ By junk file you mean CA certificate with DER format which is not valid for testing server or just any file?

You can flash incorrect/different CA certificate as a 'negative' test. I believe that if working correctly, you should get some error code or at least you should not receive any http response.

That means it worked - the client was able to get content of that url :) Wait for ESP32(LoPy) - it should be equipped with approx. 512kB of RAM - not sure what portion of that will be available for users of LoPy MP port. Hope they will share some info soon because they should ship in the end of the ...