ussl – SSL/TLS module

This module implements a subset of the corresponding CPython module, as described below. For more information, refer to the original CPython documentation: ssl.

This module provides access to Transport Layer Security (previously and widely known as “Secure Sockets Layer”) encryption and peer authentication facilities for network sockets, both client-side and server-side.
Functions

ussl.wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None, server_hostname=None, do_handshake=True)

Takes a stream sock (usually a usocket.socket instance of SOCK_STREAM type), and returns an instance of ssl.SSLSocket, which wraps the underlying stream in an SSL context. The returned object has the usual stream interface methods like read(), write(), etc. In MicroPython, the returned object does not expose the socket interface and methods like recv(), send(). In particular, a server-side SSL socket should be created from a normal socket returned from accept() on a non-SSL listening server socket.

Parameters:
- server_side: creates a server connection if True, else a client connection. A server connection requires a keyfile and a certfile.
- cert_reqs: specifies the level of certificate checking to be performed.
- ca_certs: root certificates to use for certificate checking.
- server_hostname: specifies the hostname of the server for verification purposes as well as for SNI (Server Name Indication).
- do_handshake: if True, initiates the TLS handshake and waits for its completion; if False, proceeds without a handshake and performs it on the first write, which makes it non-blocking if asyncio is used; see git commit 9c7c082.

Depending on the underlying module implementation in a particular MicroPython port, some or all keyword arguments above may not be supported.

ESP32 implementation notes:
- The esp32 implementation does not support cert_reqs: it never validates certs!
- The esp32 implementation supports key exchange and bidirectional authentication using Pre-Shared Keys. Use the keyword options psk_ident=<identity hint> and psk_key=binascii.unhexlify(b'<key in hex>'). PSK ciphers are only supported for client-side connections. See below for more info about PSK ciphers.
Warning

Some implementations of the ussl module do NOT validate server certificates, which makes an SSL connection established with them prone to man-in-the-middle attacks.
Constants

ussl.CERT_NONE
ussl.CERT_OPTIONAL
ussl.CERT_REQUIRED

Supported values for the cert_reqs parameter.
- CERT_NONE: in client mode accept just about any cert, in server mode do not request a cert from the client.
- CERT_OPTIONAL: in client mode behaves the same as CERT_REQUIRED and in server mode requests an optional cert from the client for authentication.
- CERT_REQUIRED: in client mode validates the server’s cert and in server mode requires the client to send a cert for authentication. Note that ussl does not actually support client authentication.
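As an added example (not part of the MicroPython documentation or the ussl module itself), the following client-side helper refuses to call wrap_socket() with the insecure default cert_reqs=CERT_NONE: it only connects when CERT_REQUIRED, a CA bundle and a server_hostname are all supplied. It falls back to CPython's socket/ssl names when ussl is absent; the host, port and CA data are placeholders the caller provides.

```python
# Added example: fail closed on wrap_socket() settings that skip server
# authentication. Not code from the MicroPython project.
try:
    import usocket as socket
    import ussl as ssl
except ImportError:  # not on MicroPython: use the CPython stdlib names instead
    import socket
    import ssl


def check_tls_options(cert_reqs, ca_certs, server_hostname):
    """Return a list of reasons these settings would not authenticate the peer.

    An empty list means the caller asked for CERT_REQUIRED, supplied CA
    certificate data to validate the chain against, and gave a hostname to
    match (and to send via SNI).
    """
    problems = []
    if cert_reqs != ssl.CERT_REQUIRED:
        problems.append("cert_reqs is not CERT_REQUIRED: any server cert is accepted")
    if not ca_certs:
        problems.append("ca_certs is empty: nothing to validate the chain against")
    if not server_hostname:
        problems.append("server_hostname is empty: no hostname check and no SNI")
    return problems


def open_tls_client(host, port, ca_certs, cert_reqs=ssl.CERT_REQUIRED):
    """Connect to host:port and wrap the stream, refusing weak settings.

    ca_certs is the CA certificate data as ussl expects it (placeholder:
    read it from a file or embed it as bytes). Raises ValueError instead of
    opening an unauthenticated connection.
    """
    problems = check_tls_options(cert_reqs, ca_certs, host)
    if problems:
        raise ValueError("refusing insecure TLS settings: " + "; ".join(problems))
    addr = socket.getaddrinfo(host, port)[0][-1]
    sock = socket.socket()
    sock.connect(addr)
    # Keyword names as documented for ussl.wrap_socket() above.
    return ssl.wrap_socket(sock, cert_reqs=cert_reqs, ca_certs=ca_certs,
                           server_hostname=host)
```

This check only inspects what is requested: on a port that ignores cert_reqs (the esp32 note above), passing CERT_REQUIRED still yields an unverified connection, so the port's own notes decide whether the connection is actually authenticated.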