Not cacert parameter in micropython/extmod/modussl_mbedtls.c #3687
Closed
Sunrise17 opened this issue Mar 29, 2018 · 12 comments
Labels
extmod Relates to extmod/ directory in source

Comments


Sunrise17 commented Mar 29, 2018

Dear @dpgeorge,
I am trying to establish an SSL connection to AWS IoT via ESP32. Normally I have the three files below (certs and key) in the flash folder.
KEY_PATH = "/flash/cert/deviceCert.key"
CERT_PATH = "/flash/cert/deviceCertAndCACert.pem"
CACERT_PATH = "/flash/cert/root.pem"

At first, I defined ssl_params={"certfile":CERT_PATH, "keyfile":KEY_PATH, "ca_certs":CACERT_PATH} like that, but I was always getting the error "Error in mqtt connect: [Exception] TypeError: extra keyword arguments given."

Then I checked modussl_mbedtls.c in extmod, and the SSL parameters are defined in the struct below (line 59).

struct ssl_args {
    mp_arg_val_t key;
    mp_arg_val_t cert;
    mp_arg_val_t server_side;
    mp_arg_val_t server_hostname;
};

I adjusted it to ssl_params={"cert":CERT_PATH, "key":KEY_PATH}.
I tried to create the connection without using cacert.

Then it started trying to establish the connection, but I received the following error and then the board reboots.

assertion "ret == 0" failed: file "../../extmod/modussl_mbedtls.c", line 182, function: socket_new
abort() was called at PC 0x40135e2f on core 0

Backtrace: 0x4008c983:0x3ffb61f0 0x4008c9af:0x3ffb6210

Rebooting...
panic'ed (ets Jun  8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)

I would be glad if it were possible to add a "cacert" parameter to the arguments of the ussl module.

Thanks for your efforts...


Sunrise17 commented Mar 29, 2018

I applied your guidance from the link. I directly added the key and cert inside main.py as follows:

# this is the mbedtls test RSA key; you must change it to your own for production!
key = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r
lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2
2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ
Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i
GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb
y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoI......
-----END RSA PRIVATE KEY-----
"""

# this is the mbedtls test certificate; you must change it to your own for production!
cert = """-----BEGIN CERTIFICATE-----
MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM.....
-----END CERTIFICATE-----
"""

client = MQTTClient(client_id=MQTT_CLIENT_ID, server=MQTT_HOST, port=MQTT_PORT, keepalive=10000, ssl=True, ssl_params={ "key":key, "cert":cert, "server_side":True })

mqtt.py (Line 69):

if self.ssl:
    import ssl
    self.sock = ssl.wrap_socket(self.sock, **self.ssl_params)

However, right now it waits during the connection, and after about 15 secs I receive the following error:

mbedtls_ssl_handshake error: -7280
Traceback (most recent call last):
  File "main.py", line 300, in <module>
  File "main.py", line 258, in mqtt_connect
  File "mqtt.py", line 69, in connect
OSError: [Errno 5] EIO

I think it is caused by the missing "ca_cert" certificate. I would be glad if you shared your opinion on the issue. Thanks...


Sunrise17 commented Apr 10, 2018

Dear @dpgeorge,
Is it not possible to add the following module (modussl.c in cc3200), below, into the ESP32 port?
~/ports/cc3200/mods/modussl.c


silbo commented Jun 30, 2018

@Sunrise17 Did you manage to get it working? I am also trying to get SSL working for my WebSocket connection on the ESP32.

@Sunrise17
Author

@Silps, unfortunately over MQTT to AWS IoT I could not succeed in connecting, but normally it connects well to other SSL-requiring socket servers (without the ca_cert parameter).


silbo commented Jun 30, 2018

@Sunrise17 Can you give me some example code and possibly a server hostname (if public) to try it on? I am currently unsure how to use the ssl library. I tried this:

>>> import socket
>>> s = socket.socket()
>>> import ssl
>>> ssl.wrap_socket(s)
mbedtls_ssl_handshake error: -80
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 5] EIO


Sunrise17 commented Jul 1, 2018

@Silps, you can use the following code:

import usocket
import ussl

KEY_PATH = "/flash/cert/client.key"
CERT_PATH = "/flash/cert/client.crt"
HOST, PORT = "45.255.66.124", 5100

with open(KEY_PATH, 'rb') as f:
    key1 = f.read()

with open(CERT_PATH, 'rb') as f:
    cert1 = f.read()

s = usocket.socket(usocket.AF_INET, usocket.SOCK_STREAM)
addr = usocket.getaddrinfo(HOST, PORT)[0][-1]
s.connect(addr)
sock = ussl.wrap_socket(s, key = key1, cert = cert1)
sendObject = 'hello'
bytesObject = sendObject.encode()
sock.write(bytesObject)
recvData = sock.read(4096).decode()


silbo commented Jul 1, 2018

@Sunrise17 The server you provided is unreachable for me. I tried using the key and cert you provided earlier to connect to google.com. Once I use wrap_socket, my ESP32 reboots. I guess you also had this problem before.

>>> s = usocket.socket(usocket.AF_INET, usocket.SOCK_STREAM)
>>> addr = usocket.getaddrinfo(HOST, PORT)[0][-1]
>>> addr
('216.58.212.46', 443)
>>> s.connect(addr)
>>> sock = ussl.wrap_socket(s, key=key, cert=cert)
assertion "ret == 0" failed: file "../../extmod/modussl_mbedtls.c", line 176, function: socket_new
abort() was called at PC 0x4013893f on core 0

When I try again with google.com and my own generated key and cert, I get this. Looks a bit better, I guess.

>>> s = usocket.socket(usocket.AF_INET, usocket.SOCK_STREAM)
>>> addr = usocket.getaddrinfo(HOST, PORT)[0][-1]
>>> s.connect(addr)
>>> sock = ussl.wrap_socket(s, key = key1, cert = cert1)
mbedtls_ssl_handshake error: -7280
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 5] EIO
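The assertion in socket_new seen in the first post and again above is on the return code of mbedtls parsing the key and cert handed to wrap_socket, so unparseable PEM material crashes and reboots the board instead of raising a Python exception. The following is an added pre-flight check, not code from this issue or from MicroPython, meant to run on a desktop Python before the files are copied to /flash: it verifies that every PEM block is complete base64 and that the outer DER length header matches the bytes present. The two PEM constants are constructed for the demo and contain no real key or certificate.

```python
import base64
import binascii
import re

# Constructed sample: the body is a minimal DER SEQUENCE (30 03 02 01 05 ==
# SEQUENCE { INTEGER 5 }), base64-encoded. Not a real certificate.
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
# Constructed sample cut short, the way the blobs pasted above end in "......".
TRUNCATED_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCA......\n-----END CERTIFICATE-----\n"

# One PEM block: matching BEGIN/END labels with the base64 body in between.
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_total_length(der):
    """Length the outer DER SEQUENCE header claims (header + content), or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: a single length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(data):
    """Return a list of (label, problem) pairs; an empty list means every block is intact."""
    problems = []
    blocks = _PEM_RE.findall(data)
    if not blocks:
        return [("?", "no BEGIN/END block found")]
    for label, body in blocks:
        label = label.decode()
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except binascii.Error:
            problems.append((label, "body is not valid base64 (truncated or pasted with '...')"))
            continue
        expected = der_total_length(der)
        if expected is None:
            problems.append((label, "does not start with a DER SEQUENCE"))
        elif expected != len(der):
            problems.append((label, "DER length %d does not match %d bytes present" % (expected, len(der))))
    return problems
```

A bundle such as deviceCertAndCACert.pem is checked block by block, so a clean cert followed by a truncated CA cert is still reported.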

@Sunrise17
Author

@Silps What is the version of your MicroPython on the ESP32 board? If it is not 1.9.4, please flash your device with the following firmware: esp32-20180701-v1.9.4-227-gab02abe9.bin


silbo commented Jul 1, 2018

@Sunrise17 I am using the latest firmware, yes; I just updated it and tried again. Same error with google.com. Did you try google.com, and does it work?

MicroPython v1.9.4-227-gab02abe9 on 2018-07-01; ESP32 module with ESP32
Type "help()" for more information.

I used the following to create the cert and key. I suspect this is not correct, and that is why the handshake fails.

openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt

@Sunrise17
Author

It connects to my SSL server as follows, but I could not connect to your IP; I think you should check your configuration. In addition, please make sure that your ESP board is connected to the internet, because in this latest version it delays and sometimes connects only after 15 secs, which is why you should add some delay before making your SSL request.

Request_Sent::
HTTP/1.1 200 OK
Connection: close
Content-Type: text/x-python
Last-Modified: Wed, 27 Jun 2018 20:32:48 GMT
Content-Length: 367


silbo commented Jul 1, 2018

OK, thanks a lot for the help. I will try to figure it out. It seems like some configuration issue, yes, with the cert maybe, etc.

tannewt added a commit to tannewt/circuitpython that referenced this issue Nov 14, 2020
@dpgeorge dpgeorge added the extmod Relates to extmod/ directory in source label Jul 11, 2022
@dpgeorge
Member

I'll close this as a duplicate of #3646, with the issue being that ca_certs and cert_reqs arguments are not implemented yet.
