This module provides access to Transport Layer Security (previously and widely known as “Secure Sockets Layer”) encryption and peer authentication facilities for network sockets, both client-side and server-side.
wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None, server_hostname=None, do_handshake=True)¶
streamsock (usually usocket.socket instance of
SOCK_STREAMtype), and returns an instance of ssl.SSLSocket, which wraps the underlying stream in an SSL context. Returned object has the usual
streaminterface methods like
write(), etc. In MicroPython, the returned object does not expose socket interface and methods like
send(). In particular, a server-side SSL socket should be created from a normal socket returned from
accept()on a non-SSL listening server socket.
server_side: creates a server connection if True, else client connection. A server connection requires a
cert_reqs: specifies the level of certificate checking to be performed.
ca_certs: root certificates to use for certificate checking.
server_hostname: specifies the hostname of the server for verification purposes as well for SNI (Server Name Identification).
do_handshake: if True, initiates the TLS handshake and waits for its completion; if False, proceeds without handshake and performs is with the first write making it non-blocking if asyncio is used, see git commit 9c7c082.
Depending on the underlying module implementation in a particular
MicroPython port, some or all keyword arguments above may be not supported.
ESP32 implementation notes:
- The esp32 implementation does not support cert_reqs: it never validates certs!
- The esp32 implementation supports key-exchange and bidirectional authentication
using Pre-Shared Keys. Use KW options
psk_key=binascii.unhexlify(b'<key in hex>'). PSK ciphers are only supported for client-side connections. See below for more info about PSK ciphers.
Some implementations of
ussl module do NOT validate server certificates,
which makes an SSL connection established prone to man-in-the-middle attacks.
Supported values for cert_reqs parameter.
- CERT_NONE: in client mode accept just about any cert, in server mode do not request a cert from the client.
- CERT_OPTIONAL: in client mode behaves the same as CERT_REQUIRED and in server mode requests an optional cert from the client for authentication.
- CERT_REQUIRED: in client mode validates the server’s cert and in server mode requires the client to send a cert for authentication. Note that ussl does not actually support client authentication.