moduasyncio: Add SSL support #5840
Conversation
|
This sounds great - problems with SSL/TLS constantly crop up on the forum. I've only succeeded with it on the Pyboard D. Will it work with
I was under the impression that some ports don't use mbedtls. |
Yes, that's a big motivation behind this since the new uasyncio uses non-blocking sockets. This is why all this requires #5825
The actual mbedtls library is different for the esp32 vs other ports because the esp-idf version is used for the esp32 instead of the one in the MP tree. I now have a PYBD so I'll test there as well.
Correct, unix and esp8266 use axtls. I am testing the unix port. I don't know what to do about the esp8266 port, I don't want to spend all my time trying to craft test cases that don't run out of memory... Note that this PR can't merge until #5850, #5819 and #5825 are in... |
|
👍 💐 |
Yes, I like your approach, it's very clean indeed. It effectively allows you to poll the SSL object itself, and then it takes care of polling the underlying socket to get what you want (eg it may poll for writes on the socket even if you poll the SSL only for reads). That seems like a good way to abstract/separate things. (In contrast to the use of A few points about this approach:
I think there's a clean solution here: you can actually raise an OSError directly in the
I was also trying to write a test case that shows this is needed, but didn't succeed yet.
I'm not sure if it's possible at all to get this working with axtls.... so might need to drop that and test with mbedtls on unix instead (unix will already build with mbedtls). |
extmod/modussl_mbedtls.c
Outdated
| vstr_init_len(&vstr, 80); | ||
|
|
||
| // Including mbedtls_strerror takes about 16KB on the esp32 due to all the strings | ||
| #if 1 |
There was a problem hiding this comment.
Note to self: this needs adaptation per tve@cdb0143
|
I think all prerequisites for this are now merged. Can you please rebase on master? |
|
What was the outcome re ESP8266? |
b4835ee to
de583a7
Compare
|
Any idea when this will be merged? |
Enable Turkish language builds
|
The underlying non-blocking functionality in @tve if you're interested to keep working on this PR for the uasyncio SSL support (which we definitely want!) then please rebase on latest master to pick up the mbedtls changes. Effectively you won't need to have any changes to C code in this PR anymore. |
|
I'm swamped at the moment, so I won't be able to get to this in the coming days, sorry... |
|
Closing in favour of #11897. |
This PR sits on top of #5819 and
#5825#6615 and adds SSL support to uasyncio. Update: I backed out #5819 and#5825#6615 to make the PR easier to review on github, obviously CI now fails. I'll do the proper rebase once the fate of these other PRs is determined.Adding the wrap_socket to Stream.open_connection is relatively straight-forward. It's different from CPython (no SSLContext) but compatible. The trickier part is to deal with poll, see comments in modussl_mbedtls. I believe I came up with a clean solution but so far I have failed to produce a test case that generates the problem so I can have a fail-before/success-after confirmation that the solution actually works or actually is necessary. I need to think about a test case more but if anyone can construct one I'd love that too!
I added a errstr class function to ussl in order to convert an ssl error number to a string. This is needed when using uasyncio because it uses read/write which means ussl doesn't raise an OSError (which would have the error string) and when the app gets the OSError through the Stream stuff it is again unintelligible. Now at least one can write something like
if e.args[0] < -120: print(ssl.errstr(e.args[0])).Open to-do items:
I should say that the tests don't all pass. Specifically, net_inet/test_tls_sites fails on the esp32. I'm pretty sure the issue is an out-of-memory in esp-idf situation. It ends up dropping wifi. I believe if I fix #5835 there may be just enough memory again to sail through...
I'll proceed once I have feedback