Request minimal SSL socket example. #17066

water5 · 2025-04-01T20:36:18Z

water5
Apr 1, 2025

About the SSL socket introduction in the document and tutorial so little, please post complete minimal SSL socket example between two ESP32 board?

https://docs.micropython.org/en/latest/library/ssl.html

Answered by shariltumin

Apr 7, 2025

I have just uploaded some examples to github

https://github.com/shariltumin/ssl-tls-examples-micropython

View full answer

shariltumin · 2025-04-01T22:25:35Z

shariltumin
Apr 1, 2025

You can find https server and client examples here:

https://github.com/micropython/micropython/tree/master/examples/network

0 replies

shariltumin · 2025-04-04T12:11:13Z

shariltumin
Apr 4, 2025

Here is an example (weather.py) that might be useful to someone:

# weather.py
import socket
import tls  # use tls directly
import network
import json
# import ntptime

from wifi import key # (SSID, PWD)
ssid, pwd = key  # give correct cred for your wifi

# Set up WiFi
sta_if = network.WLAN(network.STA_IF)
sta_if.active(True)
sta_if.connect(ssid, pwd)
while not sta_if.isconnected():
    pass

print("Client IP:", sta_if.ifconfig()[0])

# do not use certificate - no need for correct time
# # ntptime.host = 'time.google.com'
# ntptime.host = '216.239.35.12'
# ntptime.timeout = 5
# ntptime.settime()  # Syncs time with an NTP server

# Create SSL client context
ssl = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT)
ssl.verify_mode = tls.CERT_NONE
# tls.check_hostname = False

# api.open-meteo.com (94.130.142.35)
# Create socket
server_ip = "94.130.142.35" # Replace with server IP
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
addr = socket.getaddrinfo(server_ip, 443)[0][-1]  # Replace with server IP
s.connect(addr)

ssl_sock = ssl.wrap_socket(s, server_side=False) 

lat,log = 60.3913,5.3221 # change this to your city

req = f"""GET /v1/forecast?latitude={lat}&longitude={log}&current=temperature_2m,wind_speed_10m&hourly=temperature_2m,relative_humidity_2m,wind_speed_10m HTTP/1.1\r\nHost: api.open-meteo.com\r\nConnection: close\r\n\r\n"""

for i in range(1):
    try:
        print('Get weather')
        msg = f"Msg-{i} Hello from client!\n".encode()
        ssl_sock.write(req.encode())
        data = b''
        while True:
            response = ssl_sock.readline()
            if response:
               if len(response) > 100:
                  data += response
            else:
               break
        if data:
           wdata = json.loads(data.decode())
           print(json.dumps(wdata))
    except Exception as e:
        print('Error:', e)
ssl_sock.close()
s.close()
print('Done')

Now, if you are interested in secure communication between two ESP32s, you need to create a server self-signed certificate using openssl.

I might be able to put some examples up on the github when I find some time to do so.

0 replies

water5 · 2025-04-04T19:42:46Z

water5
Apr 4, 2025
Author

Thanks, I need time to understand and test.

0 replies

shariltumin · 2025-04-07T21:19:55Z

shariltumin
Apr 7, 2025

I have just uploaded some examples to github

https://github.com/shariltumin/ssl-tls-examples-micropython

1 reply

water5 Apr 8, 2025
Author

Very meticulously.

water5 · 2025-04-10T17:45:23Z

water5
Apr 10, 2025
Author

I found some introduction about generate certificate using config file and extfile like below:

configfile.conf

[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
ST = somestate
L = somecity
O = someorganization
OU = someunit
CN = somename

v3.ext

authorityKeyIdentifier=issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.2.7

openssl req -new -key rsa_server.key -config configfile.conf -out rsa_server.csr
openssl x509 -req -days 365 -extfile v3.ext -in rsa_server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out rsa_server.crt

The IP.1 value will alternate CN(Common Name), how to get full introduction about write the .conf file and .ext file? I can't find these on:
https://docs.openssl.org/master/man5/x509v3_config/

What different between tls and ssl module in MicroPython? tls equivalent to TLS supported ssl actually? CPython haven't tls module.

0 replies

water5 · 2025-04-10T19:02:50Z

water5
Apr 10, 2025
Author

CPython ssl_socket.getpeercert() will return readable ASCII format certificate, MicroPython ssl_socket.getpeercert() return binary/ASCII mixed format certificate,

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.2.7', 8443))

ssl_socket = context.wrap_socket(s, server_side = False, server_hostname = '192.168.2.7')

ssl_socket.getpeercert('192.168.2.7')

I try use binascii.hexlify(ssl_socket.getpeercert('192.168.2.7') but not readable still, how should I convert it?

3 replies

shariltumin Apr 10, 2025

I do not know how to parse getpeercert(). Certificate data is specially formatted data. I do not think that certificate parsing is implemented in MicroPython.

Josverl Apr 11, 2025
Sponsor

its most likely passed in PEM or DER format.
mbedtls x509 module does provide options to interrogate and verify these , but i do not think that is exposed to MicroPython

 * \file doc_x509.h
 
* The X.509 module provides X.509 support for reading, writing and verification
* of certificates.
* In summary:
*   - X.509 certificate (CRT) reading (see \c mbedtls_x509_crt_parse(),
*     \c mbedtls_x509_crt_parse_der(), \c mbedtls_x509_crt_parse_file()).
*   - X.509 certificate revocation list (CRL) reading (see
*     \c mbedtls_x509_crl_parse(), \c mbedtls_x509_crl_parse_der(),
*     and \c mbedtls_x509_crl_parse_file()).
*   - X.509 certificate signature verification (see \c
*     mbedtls_x509_crt_verify() and \c mbedtls_x509_crt_verify_with_profile().
*   - X.509 certificate writing and certificate request writing (see
*     \c mbedtls_x509write_crt_der() and \c mbedtls_x509write_csr_der()).
*
* This module can be used to build a certificate authority (CA) chain and
* verify its signature. It is also used to generate Certificate Signing
* Requests and X.509 certificates just as a CA would do.

you could try using the https://github.com/wbond/asn1crypto module ( or part of it) on MicroPython , but it'll be slower than mbedtls as it won't know how to access the crypto peripherals of your MCU

Carglglz Apr 12, 2025

@Josverl I've implemented this at https://github.com/Carglglz/mpy-mbedtls

water5 · 2025-04-11T17:26:10Z

water5
Apr 11, 2025
Author

I test ECC certificate verify between two ESP32 board success, but use CPython(client side) connect to ESP32 board(server side) fail(use same certificate and key file), appear:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1018)

By the way, I test RSA certificate verify, use CPython(client side) connect to ESP32 board(server side) success.

6 replies

water5 Apr 12, 2025
Author

Appear Error still, this Error exist between two CPython connection use EC certificate verify also,

server side:

import socket, ssl

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile = 'ec_server.crt', keyfile = 'ec_server.key')
context.load_verify_locations('ec_ca.crt') # CA certificate

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 8443))
s.listen(5)

conn, addr = s.accept()
ssl_conn = context.wrap_socket(conn, server_side = True)

ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1018)

client side:

import socket, ssl

context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile = 'ec_client.crt', keyfile = 'ec_client.key')
context.load_verify_locations('ec_chain.crt') # server certificate and CA certificate combined

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.2.7', 8443))

ssl_sock = context.wrap_socket(s, server_side = False, server_hostname = 'somehostname')

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)

shariltumin Apr 12, 2025

You will need to do the same for the client certificate chain if you want the server to verify client authentication,

$ cat ec_client.crt > ec_client_chain.crt
$ cat ec_ca.crt >> ec_client_chain.crt

then use it on the server:

# Create ssl server context
ss = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ss.load_cert_chain(certfile="ec_server.crt", keyfile="ec_server.key")
ss.verify_mode = ssl.CERT_REQUIRED    # Require client certificate
ss.load_verify_locations("ec_client_chain.crt")

water5 Apr 13, 2025
Author

Error still exist.

CPython client side:

context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile = 'ec_client.crt', keyfile = 'ec_client.key')
context.load_verify_locations('ec_server_ca_chain.crt')	# server and CA certificate combined.

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)

CPython server side:

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile = 'ec_server.crt', keyfile = 'ec_server.key')
context.load_verify_locations('ec_client_ca_chain.crt')	# client and CA certificate combined.

ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1018)

##################################################

Between two MicroPython(ESP32), I just config these and verify success:

MicroPython client side:

context = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT)
context.verify_mode = tls.CERT_REQUIRED
context.load_cert_chain(client_cert, client_key)
context.load_verify_locations(ca_cert)	# CA certificate

MicroPython server side:

context = tls.SSLContext(tls.PROTOCOL_TLS_SERVER)
context.verify_mode = tls.CERT_REQUIRED
context.load_cert_chain(server_cert, server_key)
context.load_verify_locations(ca_cert)	# CA certificate

Can you do a complete test between two CPython use EC certificate?

Carglglz Apr 13, 2025

@water5 this may help https://github.com/JustinS-B/Mosquitto_CA_and_Certs, see original discussion https://github.com/orgs/micropython/discussions/10559

shariltumin Apr 13, 2025

I ran these tests in CPython on a Linux PC (Linux 5.15.0-136-generic 147~20.04.1-Ubuntu).

There is one thing you can try. You can force both sides to use the same certificate (server), just for testing.

Use minimal scripts, just test handshakes.

Client test script:

# cm3.py - client
import socket
import ssl

# Create SSL client context
ss = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ss.verify_mode = ssl.CERT_REQUIRED  
ss.load_cert_chain(certfile="ec_server.crt", keyfile="ec_server.key")
ss.load_verify_locations("ec_chain.crt")

# Create socket
server_ip = "127.0.0.1" # Replace with server IP
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
addr = socket.getaddrinfo(server_ip, 8443)[0][-1] 
s.connect(addr)

# Handshake
ss_conn = ss.wrap_socket(s, server_side=False, server_hostname='kaki5') # change server_hostname to the CN in the certificate 

print('Success')
ss_conn.close()
s.close()
print('Done')

Server test script:

# sm3.py
import socket
import ssl

# Create ssl server context
ss = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ss.verify_mode = ssl.CERT_REQUIRED
ss.load_cert_chain(certfile="ec_server.crt", keyfile="ec_server.key")
ss.load_verify_locations("ec_chain.crt")

# Create socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
addr=socket.getaddrinfo('0.0.0.0', 8443)[0][-1]
s.bind(addr)
s.listen(5)

print("Waiting for connection...")
conn, addr = s.accept()
print("Connection from:", addr)

ss_conn = ss.wrap_socket(conn, server_side=True) # Handshake

print('Success')
ss_conn.close()
s.close()
print('Done')

These are what I got.

Server log:

$ /usr/bin/python3 sm3.py
Waiting for connection...
Connection from: ('127.0.0.1', 45324)
Success
Done

Client log:

$ /usr/bin/python3 cm3.py
Success
Done

It is hard for me to say why it did not work for you. I do not know what your certificates look like.

Request minimal SSL socket example. #17066

Uh oh!

Replies: 7 comments · 10 replies

Uh oh!

Uh oh!

Uh oh!

water5 Apr 4, 2025 Author

Uh oh!

Uh oh!

water5 Apr 8, 2025 Author

Uh oh!

water5 Apr 10, 2025 Author

Uh oh!

water5 Apr 10, 2025 Author

Uh oh!

Uh oh!

Uh oh!

Josverl Apr 11, 2025 Sponsor

Uh oh!

Uh oh!

water5 Apr 11, 2025 Author

Uh oh!

water5 Apr 12, 2025 Author

Uh oh!

Uh oh!

Uh oh!

water5 Apr 13, 2025 Author

Uh oh!

Uh oh!

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Replies: 7 comments 10 replies

water5
Apr 4, 2025
Author

water5 Apr 8, 2025
Author

water5
Apr 10, 2025
Author

water5
Apr 10, 2025
Author

Josverl Apr 11, 2025
Sponsor

water5
Apr 11, 2025
Author

water5 Apr 12, 2025
Author

water5 Apr 13, 2025
Author