urequests and SSL on WiPy

Questions and discussion about The WiPy 1.0 board and CC3200 boards.
Target audience: Users with a WiPy 1.0 or CC3200 board.
danielm
Posts: 167
Joined: Mon Oct 05, 2015 12:24 pm

Re: urequests and SSL on WiPy

Post by danielm » Tue Sep 06, 2016 4:15 pm

I did move s.connect() after the SSL wrapper and I also sync RTC via NTP.

When I upload ca.pem which is not DER encoded (e.g. Base64 encoded) I get error 456:
#define SL_ESECBADCAFILE (-456) /* error secure level bad CA file */

In case I use ca.pem file with proper DER encoding I always get error 155:
#define SL_ESEC_ASN_SIG_CONFIRM_E (-155) /* ASN sig error, confirm failure */
This happens independently of whether I used a valid or invalid CA certificate for the testing server - I tested with https://www.google.sk and exported the GeoTrust Global CA certificate through Chrome.

I did the test with Service Pack 1.0.1.6-2.6.0.5. I will repeat the test with version 1.0.0.10.0.

jgmdavies
Posts: 57
Joined: Tue Aug 09, 2016 2:39 pm

Re: urequests and SSL on WiPy

Post by jgmdavies » Tue Sep 06, 2016 4:43 pm

My 'good' ca.pem works with https://www.google.sk, in that I get status 200 and then the memory allocation error on 'content'.

I tried a different .DER file from Firefox, common name 'EC-ACC' ('Agencia Catalana de Certificacio (NIF Q-0801176-I)') and got OSError 155.

Have you got a decent list of these OSError numbers please? I usually have trouble Googling the higher ones :(

danielm
Posts: 167
Joined: Mon Oct 05, 2015 12:24 pm

Re: urequests and SSL on WiPy

Post by danielm » Tue Sep 06, 2016 6:19 pm

That's interesting, do you know which service pack is installed on your WiPy/CC3200?
Is your "good CA" from GeoTrust Global CA?

You can find error codes with short explanation in header files in CC3200SDK folder "cc3200-sdk\simplelink\include". Those error codes we are talking about are in "socket.h".
SDK can be found on TI site: http://www.ti.com/tool/cc3200sdk

I am not sure which version of SDK is currently being used for MicroPython development.

jgmdavies
Posts: 57
Joined: Tue Aug 09, 2016 2:39 pm

Re: urequests and SSL on WiPy

Post by jgmdavies » Tue Sep 06, 2016 7:10 pm

I've no idea re. the service pack - how can I find out?

The good cert is 'Equifax Secure CA' in my Firefox, from Equifax with serial number 35:DE:F4:CF.

I've just tried 'GeoTrust Global CA' in my Firefox, and I get OSError 155!

danielm
Posts: 167
Joined: Mon Oct 05, 2015 12:24 pm

Re: urequests and SSL on WiPy

Post by danielm » Tue Sep 06, 2016 7:24 pm

That's a good question - I don't know how. In CCS Uniflash you can launch the Get Version command, but this will only return the bootloader and chipset version. I know which one I am using because I flashed it - I am currently using 10.0.0.10.0.

I don't understand why Chrome says that the google.sk cert was issued by Google Internet Authority G2 and that one was issued by GeoTrust Global CA. Neither of those two worked for me.

Equifax Secure CA you recommended does work! Thank you.
Last edited by danielm on Tue Sep 06, 2016 7:58 pm, edited 1 time in total.

jgmdavies
Posts: 57
Joined: Tue Aug 09, 2016 2:39 pm

Re: urequests and SSL on WiPy

Post by jgmdavies » Tue Sep 06, 2016 7:26 pm

That's great - "onwards and upwards"!

jgmdavies
Posts: 57
Joined: Tue Aug 09, 2016 2:39 pm

Re: urequests and SSL on WiPy

Post by jgmdavies » Tue Sep 06, 2016 7:29 pm

I'm wondering if my version of urequests.py should have some control over whether or not the cert validation is done, either by an optional parameter for get() and post() or some other mechanism - any thoughts on the 'best' approach please?

danielm
Posts: 167
Joined: Mon Oct 05, 2015 12:24 pm

Re: urequests and SSL on WiPy

Post by danielm » Tue Sep 06, 2016 7:57 pm

In my understanding, an SSL socket with server cert validation using a CA cert can be created and connected only if the CA cert has the proper format and is valid for the particular server. Otherwise it will throw error 155 or 456.

You can try it in the REPL:


>>> import usocket
>>> import ussl
>>> ai = usocket.getaddrinfo("www.google.sk", 443)
>>> addr = ai[0][4]
>>> s = usocket.socket(usocket.AF_INET, usocket.SOCK_STREAM, usocket.IPPROTO_SEC)
>>> s = ussl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ussl.CERT_REQUIRED, ca_certs='/flash/cert/ca.pem')
>>> s.connect(addr)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: 155
You could catch that code on the urequests.py module level as an exception, however it will not allow you to continue without successful cert validation, despite the fact that there are such error codes:
SL_ESECDATEERROR (-461) /* connected with certificate date verification error */
SL_ESECSNOVERIFY (-453) /* Connected without server verification */

Maybe some modification of how ussl module is implemented in C could help you to achieve your goal.

With cert_reqs = ussl.CERT_OPTIONAL the socket is connected with an invalid CA cert, but there is no notification on the MicroPython level:


>>> import usocket
>>> import ussl
>>> ai = usocket.getaddrinfo("www.google.sk", 443)
>>> addr = ai[0][4]
>>> s = usocket.socket(usocket.AF_INET, usocket.SOCK_STREAM, usocket.IPPROTO_SEC)
>>> s = ussl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ussl.CERT_OPTIONAL, ca_certs='/flash/cert/ca.pem')
>>> s.connect(addr)
>>>
Both REPL tests were done with an invalid CA file in proper DER format (Google Internet Authority G2 CA cert).

In my opinion the best approach would be to create a new cert_reqs constant (e.g. ussl.CERT_OPTIONAL_NOTIFY) and, in case this one is used for ussl.wrap_socket(), add a new property of the returned socket object which would contain some error codes or strings describing whether there was any exception when creating the SSL socket.

jgmdavies
Posts: 57
Joined: Tue Aug 09, 2016 2:39 pm

Re: urequests and SSL on WiPy

Post by jgmdavies » Tue Sep 06, 2016 8:44 pm

Thanks danielm.

So am I right in thinking that server certificate validation can't be done in the case where we either don't know which server(s) are going to be used, or don't know which cert(s) to use for the server(s)? I believe a .pem file in the 'Python format' can contain several certificates, but can a .DER file?

danielm
Posts: 167
Joined: Mon Oct 05, 2015 12:24 pm

Re: urequests and SSL on WiPy

Post by danielm » Tue Sep 06, 2016 9:12 pm

I just saw that SL_ESECDATEERROR (-461) /* connected with certificate date verification error */ can also bubble up to MicroPython with ussl.CERT_REQUIRED, but the socket was not connected.
