ssl – SSL/TLS module — MicroPython latest documentation (original) (raw)

This is the documentation for the latest development branch of MicroPython and may refer to features that are not available in released versions.

If you are looking for the documentation for a specific release, use the drop-down menu on the left and select the desired version.

This module implements a subset of the corresponding CPython module, as described below. For more information, refer to the original CPython documentation: ssl.

This module provides access to Transport Layer Security (previously and widely known as “Secure Sockets Layer”) encryption and peer authentication facilities for network sockets, both client-side and server-side.

Functions¶

ssl.wrap_socket(sock, server_side=False, key=None, cert=None, cert_reqs=CERT_NONE, cadata=None, server_hostname=None, do_handshake=True)¶

Wrap the given sock and return a new wrapped-socket object. The implementation of this function is to first create an SSLContext and then call the SSLContext.wrap_socketmethod on that context object. The arguments sock, server_side and server_hostname are passed through unchanged to the method call. The argument do_handshake is passed through as_do_handshake_on_connect_. The remaining arguments have the following behaviour:

• cert_reqs determines whether the peer (server or client) must present a valid certificate. Note that for mbedtls based ports, ssl.CERT_NONE and ssl.CERT_OPTIONAL will not validate any certificate, only ssl.CERT_REQUIRED will.
• cadata is a bytes object containing the CA certificate chain (in DER format) that will validate the peer’s certificate. Currently only a single DER-encoded certificate is supported.

Depending on the underlying module implementation in a particularMicroPython port, some or all keyword arguments above may be not supported.

class SSLContext¶

class ssl.SSLContext(protocol, /)¶

Create a new SSLContext instance. The protocol argument must be one of the PROTOCOL_*constants.

SSLContext.load_cert_chain(certfile, keyfile)¶

Load a private key and the corresponding certificate. The certfile is a string with the file path of the certificate. The keyfile is a string with the file path of the private key.

Difference to CPython

MicroPython extension: certfile and keyfile can be bytes objects instead of strings, in which case they are interpreted as the actual certificate/key data.

SSLContext.load_verify_locations(cafile=None, cadata=None)¶

Load the CA certificate chain that will validate the peer’s certificate.cafile is the file path of the CA certificates. cadata is a bytes object containing the CA certificates. Only one of these arguments should be provided.

SSLContext.get_ciphers()¶

Get a list of enabled ciphers, returned as a list of strings.

SSLContext.set_ciphers(ciphers)¶

Set the available ciphers for sockets created with this context. ciphers should be a list of strings in the IANA cipher suite format .

SSLContext.wrap_socket(sock, *, server_side=False, do_handshake_on_connect=True, server_hostname=None)¶

Takes a stream sock (usually socket.socket instance of SOCK_STREAM type), and returns an instance of ssl.SSLSocket, wrapping the underlying stream. The returned object has the usual stream interface methods likeread(), write(), etc.

• server_side selects whether the wrapped socket is on the server or client side. A server-side SSL socket should be created from a normal socket returned fromaccept() on a non-SSL listening server socket.
• do_handshake_on_connect determines whether the handshake is done as part of the wrap_socketor whether it is deferred to be done as part of the initial reads or writes For blocking sockets doing the handshake immediately is standard. For non-blocking sockets (i.e. when the sock passed into wrap_socket is in non-blocking mode) the handshake should generally be deferred because otherwise wrap_socket blocks until it completes. Note that in AXTLS the handshake can be deferred until the first read or write but it then blocks until completion.
• server_hostname is for use as a client, and sets the hostname to check against the received server certificate. It also sets the name for Server Name Indication (SNI), allowing the server to present the proper certificate.

Warning

Some implementations of ssl module do NOT validate server certificates, which makes an SSL connection established prone to man-in-the-middle attacks.

CPython’s wrap_socket returns an SSLSocket object which has methods typical for sockets, such as send, recv, etc. MicroPython’s wrap_socketreturns an object more similar to CPython’s SSLObject which does not have these socket methods.

SSLContext.verify_mode¶

Set or get the behaviour for verification of peer certificates. Must be one of theCERT_* constants.

Note

ssl.CERT_REQUIRED requires the device’s date/time to be properly set, e.g. usingmpremote rtc --set or ntptime, and server_hostnamemust be specified when on the client side.

Exceptions¶

ssl.SSLError¶

This exception does NOT exist. Instead its base class, OSError, is used.

DTLS support¶

Difference to CPython

This is a MicroPython extension.

This module supports DTLS in client and server mode via the PROTOCOL_DTLS_CLIENTand PROTOCOL_DTLS_SERVER constants that can be used as the protocol argument of SSLContext.

In this case the underlying socket is expected to behave as a datagram socket (i.e. like the socket opened with socket.socket with socket.AF_INET as af andsocket.SOCK_DGRAM as type).

DTLS is only supported on ports that use mbed TLS, and it is not enabled by default: it requires enabling MBEDTLS_SSL_PROTO_DTLS in the specific port configuration.

Constants¶

ssl.PROTOCOL_TLS_CLIENT¶

ssl.PROTOCOL_TLS_SERVER¶

ssl.PROTOCOL_DTLS_CLIENT(when DTLS support is enabled)¶

ssl.PROTOCOL_DTLS_SERVER(when DTLS support is enabled)¶

Supported values for the protocol parameter.

ssl.CERT_NONE¶

ssl.CERT_OPTIONAL¶

ssl.CERT_REQUIRED¶

Supported values for cert_reqs parameter, and the SSLContext.verify_modeattribute.