| field | value | date |
|---|---|---|
| author | Carlosgg <carlosgilglez@gmail.com> | 2022-01-28 04:42:46 +0000 |
| committer | Damien George <damien@micropython.org> | 2022-07-20 16:46:04 +1000 |
| commit | b41cfea02ab9f566785da5e5e0863d009f3ac527 | |
| tree | e231bc4247d1731ce22c98e9fd2f279d3fd6caf0 /docs | |
| parent | 93a17b9581418c932d8cb3312040fdbaa04da5e0 | |
extmod/modussl_mbedtls: Implement cert_reqs and cadata arguments.
Add cert_reqs and cadata keyword-args to ssl.wrap_socket() and
ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED constants to allow
certificate validation.
CPython doesn't accept cadata in ssl.wrap_socket(), but it does in
SSLContext.load_verify_locations(), so we use this name to at least match
the same name in load_verify_locations().
Add docs for these new arguments, as well as docs for the existing
server_hostname argument which is important for certificate validation.
Tests are added as well.
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
Diffstat (limited to 'docs')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/library/ssl.rst | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/docs/library/ssl.rst b/docs/library/ssl.rst index 4726daa59..924b03b35 100644 --- a/docs/library/ssl.rst +++ b/docs/library/ssl.rst @@ -13,7 +13,7 @@ facilities for network sockets, both client-side and server-side. Functions --------- -.. function:: ssl.wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None, do_handshake=True) +.. function:: ssl.wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, cadata=None, server_hostname=None, do_handshake=True) Takes a `stream` *sock* (usually socket.socket instance of ``SOCK_STREAM`` type), and returns an instance of ssl.SSLSocket, which wraps the underlying stream in @@ -31,6 +31,17 @@ Functions until it completes. Note that in AXTLS the handshake can be deferred until the first read or write but it then blocks until completion. + - *cert_reqs* determines whether the peer (server or client) must present a valid certificate. + Note that for mbedtls based ports, ``ssl.CERT_NONE`` and ``ssl.CERT_OPTIONAL`` will not + validate any certificate, only ``ssl.CERT_REQUIRED`` will. + + - *cadata* is a bytes object containing the CA certificate chain (in DER format) that will + validate the peer's certificate. Currently only a single DER-encoded certificate is supported. + + - *server_hostname* is for use as a client, and sets the hostname to check against the received + server certificate. It also sets the name for Server Name Indication (SNI), allowing the server + to present the proper certificate. + Depending on the underlying module implementation in a particular :term:`MicroPython port`, some or all keyword arguments above may be not supported. |
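Review bot: the `-`/`+` pair in the first hunk replaces the documented keyword `ca_certs=None` with `cadata=None`, and nothing in the docs text mentions `ca_certs` any more, so a reader of the previous signature has no hint where that parameter went or what to pass instead. Suggest one sentence near the signature (or at the end of the argument list) saying that `cadata` replaces `ca_certs` and, as the commit message explains, takes its name from CPython's `SSLContext.load_verify_locations()`, so existing users know what to change.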
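Review bot: in the second hunk the `cadata` bullet contradicts itself: it first says the bytes object contains "the CA certificate chain (in DER format)" and then that "only a single DER-encoded certificate is supported". Suggest "a bytes object containing a single DER-encoded CA certificate used to validate the peer's certificate" and drop "chain" until chains are actually accepted. Two smaller points in the same hunk: the `cert_reqs` bullet establishes that the default `CERT_NONE` (and `CERT_OPTIONAL` on mbedtls) performs no validation at all, so it would help to state in one sentence that a client wanting an authenticated connection needs all three of `cert_reqs=ssl.CERT_REQUIRED`, `cadata` and `server_hostname`; and the `server_hostname` bullet should say what happens when it is left as `None` together with `CERT_REQUIRED` (is the hostname check skipped while the certificate is still validated against `cadata`?), since that is the combination readers are most likely to get wrong.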
