wifi/ssl: automatically set time from ntp; verify certificate validity #7004
Comments
Seems like we would want the NTP server to be runtime-configurable. Particularly in a case of LAN-only operation, so that a local NTP server could be used. (BTW, NINA does get the time automatically for Airlift configs, assuming there's an internet connection.)
Agreed; I have some NTP servers on my LAN and I'd prefer to use them if possible. Finding a way to make certificate time validity checks optional in mbedtls would be nice, so that users who can't/won't use ntp can still use secure sockets, but on the other hand if you have a private, non-internet network then you may not need SSL to provide your security level...
Defense-in-depth ;-) But seriously, I wouldn't want to run my router without SSL on the LAN side, and it's an NTP server.
I don't think ntp is useful without a complete and current timezone-database. Translation to the correct local time is complicated. A better approach is to query an api that directly returns the correct local time.
Curious, why does it need to be timezone aware?
NTP returns time in UTC (i.e. UK-time). But most of us don't live in UK, and we want our devices to run with local time. So you need two things: the device must know its timezone and it must have all the logic and data available to convert UK-time to local time. So it must know the offset, the exact dates for DST-switch and so on. You can hard-code all of this for your specific location, but as soon as you share your code other users will have problems. So it is much simpler to query the local time directly instead of UTC/UK time. E.g. from http://worldtimeapi.org/. This also saves you from the hassle of implementing the ntp-protocol.
So requiring this would set the RTC time, and thus if you used local time in your project it would cause issues? I always set my RTC to UTC and when I want to display it translate it. This way I don't need to adjust the RTC for things like daylight savings (summer time) or when it changes timezones.
That is what you usually do on PCs/laptops. But how will you do this on a MCU with limited amount of memory? And I am talking about programs you can put on Github that others can download and just use, without tinkering with the adjustment logic. With CircuitPython, we don't have a complete From the two alternatives
I btw. don't require anything. This issue is titled "automatically set time from ntp" and I just want to argue against implementing this in any way because it won't work (or won't be efficient) for the given reasons. I would also not want that the core CircuitPython would automatically set time from any other source. This should be left to the application program if needed. Memory is tight on many systems, e.g. on a Pico-W when you use wifi you lose a large part of it and this should be under control by the application programmer.
I hear your points, and not arguing for or against. It would be nice if you could turn it on or off, or pick a build that had it enabled. I'll have to do some footprint comparisons in my own time. I understand the goal of copy/paste code. I use the following for simple apps, which I find works fine on MCUs

```python
import time

OFFSET = -60 * 60 * 5  # currently in CDT


def get_local_time(offset=None):
    if offset is None:
        offset = OFFSET
    return time.localtime(time.mktime(time.localtime()) + offset)
```

I also have a method that will set
If the following change relative to #6999 is added, and board time is set with adafruit_ntp, then certificate date validity works:
however, requiring use of adafruit_ntp 'manually' would be a new requirement, and there's no way I spotted to runtime disable checking if the pico's RTC has never been set since boot, just the compile time check
It appears that what I propose is what esp32 does implicitly.
No, our espressif port doesn't check time validity either.
We can study mbedtls's "sntp app" for C implementation ideas; it should probably run <200 lines of code.
Note that this should use `0.adafruit.pool.ntp.org` as the server name.
After implementing this, ensure that `expired.badssl.com` correctly fails to load.
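
An added example, not part of the issue or of CircuitPython's source: a desktop-Python sketch of the dependency discussed above, parsing an SNTP reply into a UTC clock value and then running a certificate date check against both a never-set clock and an NTP-set clock. The reply packet, the certificate windows, the year-2000 value assumed for a never-set RTC and all function names are constructed for illustration.

```python
import calendar
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_sntp_request():
    # First byte: LI=0, VN=4, Mode=3 (client); the remaining 47 bytes are zero.
    return bytes([(4 << 3) | 3]) + bytes(47)

def parse_sntp_response(pkt):
    """Return Unix seconds (UTC) from a server reply, or raise ValueError."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    li, mode, stratum = pkt[0] >> 6, pkt[0] & 0x07, pkt[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3 or stratum == 0:
        raise ValueError("server not synchronized")
    (secs,) = struct.unpack("!I", pkt[40:44])  # transmit timestamp, whole seconds
    if secs == 0:
        raise ValueError("zero transmit timestamp")
    if not secs & 0x80000000:  # RFC 4330: top bit clear means the era after 2036
        secs += 1 << 32
    return secs - NTP_UNIX_DELTA

def validity(now, not_before, not_after):
    """The three outcomes of a certificate date check against the clock."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "ok"

def utc(y, m, d):
    return calendar.timegm((y, m, d, 0, 0, 0))

# Constructed sample data (not captured from a real server or certificate).
UNSET_RTC = utc(2000, 1, 1)  # assumed reading of an RTC never set since boot
GOOD_CERT = (utc(2022, 1, 1), utc(2023, 1, 1))
OLD_CERT = (utc(2015, 1, 1), utc(2015, 6, 1))
REPLY = (bytes([(4 << 3) | 4, 2]) + bytes(38)
         + struct.pack("!II", utc(2022, 10, 5) + NTP_UNIX_DELTA, 0))

if __name__ == "__main__":
    now = parse_sntp_response(REPLY)
    for label, clock in (("unset RTC", UNSET_RTC), ("NTP-set RTC", now)):
        print(label, "|", validity(clock, *GOOD_CERT), "|", validity(clock, *OLD_CERT))
```

With the never-set clock every certificate is reported as not yet valid, so date checking can only be enabled once the RTC has been set; with the NTP-derived clock the current certificate passes and the old one is rejected as expired.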