Skip to content

Commit 0c8b261

Browse files
jeplerjepler
committed
picow: Add support of self-signed certificates.
## Testing self-signed certificates and `load_verify_locations` Obtain the badssl "self-signed" certificate in the correct form: ```sh openssl s_client -servername self-signed.badssl.com -connect untrusted-root.badssl.com:443 < /dev/null | openssl x509 > self-signed.pem ``` Copy it and the script to CIRCUITPY: ```python import os import wifi import socketpool import ssl import adafruit_requests TEXT_URL = "https://self-signed.badssl.com/" if not wifi.radio.ipv4_address: wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD')) pool = socketpool.SocketPool(wifi.radio) context = ssl.create_default_context() requests = adafruit_requests.Session(pool, context) print(f"Fetching from {TEXT_URL} without certificate (should fail)") try: response = requests.get(TEXT_URL) except Exception as e: print(f"Failed: {e}") else: print(f"{response.status_code=}, should have failed with exception") print("Loading server certificate") with open("/self-signed.pem", "rb") as certfile: context.load_verify_locations(cadata=certfile.read()) requests = adafruit_requests.Session(pool, context) print(f"Fetching from {TEXT_URL} with certificate (should succeed)") try: response = requests.get(TEXT_URL) except Exception as e: print(f"Unexpected exception: {e}") else: print(f"{response.status_code=}, should be 200 OK") ```
1 parent c98174e commit 0c8b261

File tree

1 file changed

+8
-1
lines changed

1 file changed

+8
-1
lines changed

ports/raspberrypi/common-hal/ssl/SSLSocket.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -174,7 +174,14 @@ ssl_sslsocket_obj_t *common_hal_ssl_sslcontext_wrap_socket(ssl_sslcontext_obj_t
174174
if (self->crt_bundle_attach != NULL) {
175175
mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
176176
self->crt_bundle_attach(&o->conf);
177-
// } else if(self->cacert_buf && self->cacert_bytes) { // TODO: user bundle
177+
} else if (self->cacert_buf && self->cacert_bytes) {
178+
ret = mbedtls_x509_crt_parse(&o->cacert, self->cacert_buf, self->cacert_bytes);
179+
if (ret != 0) {
180+
goto cleanup;
181+
}
182+
mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
183+
mbedtls_ssl_conf_ca_chain(&o->conf, &o->cacert, NULL);
184+
178185
} else {
179186
mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_NONE);
180187
}

0 commit comments

Comments
 (0)