Add Native SSL Library #2202
Comments
Would be great to have a common TLS approach.
We could have the ssl module actually do SSL over the wrapped socket.
This would be great to have so Wiznet and potentially other Ethernet MACs like in the i.MX RT can support SSL too. Are there any plans yet?
There are MicroPython SSL implementations, could they be used as a starting point?
@timonsku No plans for Adafruit-funded folks. @askpatrickw Yup! Definitely. Their code is usually well done and a good reference.
Seems like WolfSSL Python should be pretty easy to add?
The WolfSSL library is GPL2 and commercial. We don't put GPL code in CircuitPython so as not to GPL-ize the whole thing, and the commercial restrictions are also an issue.
I think the CircuitPython core elements are now in place for this, but it needs some changes in the ESP32SPI-related libraries (and possibly NINA) to make the ESP32 sockets compatible. There's a compatibility checklist in #8954. The native Tested config:
This code tries to simulate an HTTPS Request over ESP32SPI using a native-

```python
import time
import os
import board
import digitalio
import socketpool
import ssl
import wifi
import adafruit_connection_manager
from adafruit_esp32spi import adafruit_esp32spi

HOST = "httpbin.org"
PATH = "/get"
PORT = 443

time.sleep(3)  # wait for serial

buf = bytearray(1024)

# ESP32SPI co-processor wiring
spi = board.SPI()
esp32_cs = digitalio.DigitalInOut(board.D13)
esp32_reset = digitalio.DigitalInOut(board.D12)
esp32_ready = digitalio.DigitalInOut(board.D11)
radio = adafruit_esp32spi.ESP_SPIcontrol(spi, esp32_cs, esp32_ready, esp32_reset)
radio2 = wifi.radio

pool = adafruit_connection_manager.get_radio_socketpool(radio)  # ESP32SPI
ssl_context = adafruit_connection_manager.get_radio_ssl_context(radio2)  # native wifi

print(f'Connecting to wifi... ', end='')
radio.connect(os.getenv("WIFI_SSID"), os.getenv("WIFI_PASSWORD"))
print(f'{radio.ipv4_address}')

for _ in range(0, 10):
    print(f'{"-"*25}')
    print('Creating TCP client socket...')
    s = pool.socket(pool.AF_INET, pool.SOCK_STREAM)
    ss = ssl_context.wrap_socket(s, server_hostname=HOST)
    print('Connecting to remote socket...')
    ss.connect((HOST, PORT))
    sbytes = f'GET {PATH} HTTP/1.1\r\nHost: {HOST}:{PORT}\r\n\r\n'.encode()
    # note that esp32spi doesn't return the number of bytes sent like CPython:
    ssize = ss.send(sbytes)
    print(f'Sent {ssize} bytes: {sbytes}')
    rsize = ss.recv_into(buf)
    print(f'Received {rsize} bytes: {buf[:rsize]}')
    ss.close()
    time.sleep(1)
```
It's now possible to use the core ssl module with sockets implemented in Python (#8954); this actually works with wiznet. However, nobody's checked whether this actually works with airlift; it might require changes in the airlift socket implementation to correctly align with the standard socket. If it doesn't, the esp32spi github repo is probably the right place to open issues. Additionally, few or no builds for boards with an airlift include the core ssl module. If there are combos for which this is sensible, a PR within CircuitPython to enable SSL would be the way to go.
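The comment above says a Python-implemented socket may need changes to align with the standard socket, and the test script in this thread flags `send()` not returning a byte count. As an added example (not code from the thread or from the CircuitPython project), this probe checks a socket-like object for that behaviour before it is handed to `wrap_socket`; `check_socket`, the two constructed fake sockets and the method list (taken only from the calls the test script makes, not from the #8954 checklist) are assumptions.

```python
# Added example: REQUIRED, check_socket and both fake classes are hypothetical names.
REQUIRED = ("connect", "send", "recv_into", "close")  # calls made by the test script in this thread


class LoopbackSocket:
    """Constructed in-memory stand-in that behaves like a CPython socket."""
    def __init__(self):
        self._data = b""

    def connect(self, address):
        self._address = address

    def send(self, data):
        self._data += bytes(data)
        return len(data)  # CPython returns the number of bytes sent

    def recv_into(self, buffer, nbytes=0):
        n = min(nbytes or len(buffer), len(self._data))
        buffer[:n] = self._data[:n]
        self._data = self._data[n:]
        return n

    def close(self):
        self._data = b""


class SilentSendSocket(LoopbackSocket):
    """Constructed stand-in for a driver whose send() returns nothing."""
    def send(self, data):
        super().send(data)
        return None


def check_socket(sock, probe=b"ping"):
    """Return a list of deviations from CPython socket behaviour (empty = OK)."""
    problems = [f"missing method: {m}" for m in REQUIRED
                if not callable(getattr(sock, m, None))]
    if problems:
        return problems
    sock.connect(("loopback.invalid", 0))
    sent = sock.send(probe)
    if not isinstance(sent, int):
        problems.append(f"send() returned {sent!r}, expected a byte count")
    buf = bytearray(len(probe))
    got = sock.recv_into(buf)
    if not isinstance(got, int) or bytes(buf[:got or 0]) != probe:
        problems.append("recv_into() did not return the echoed bytes and their count")
    sock.close()
    return problems
```

The probe needs a peer that echoes what it receives; the fakes here echo in memory, so against a real driver it would have to be pointed at an echo endpoint.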
We're currently using the mbedTLS implementation of the TLS and SSL protocols on the ESP32 Co-Processor/AirLifts by communicating with an ESP32 running nina-fw from CircuitPython. While this solution is stable, a native CircuitPython SSL/TLS library would be faster, remove the hardware dependency for an ESP32 and allow for different transports (not just wifi).
Some embedded ssl/tls implementations:
BearSSL: https://bearssl.org
AxTLS: http://axtls.sourceforge.net