pico_w: implement ssl with caveats #6999
Before this, CIRCUITPY would start at 1MB anyway. This appeared to work only because I hadn't checked the actual size of the CIRCUITPY drive, and because until now the flash hadn't actually crossed that 1MB boundary into CIRCUITPY storage.
WARNING: on pico_w, upgrading/downgrading CircuitPython across this commit boundary will erase the CIRCUITPY filesystem. After this commit, switching between pico and pico_w firmware will erase the CIRCUITPY filesystem.
Not tested but looks fine by me.
Note: at this time, the ssl module on pico_w never verifies the server certificate. This means it does not actually provide a higher security level than regular socket / http protocols.
.. this gets rid of one of the steps of converting it
This is intended (but not entirely verified) to match our esp32 builds. It does fix accessing https://circuitpython.org, which failed before with "MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE". It still doesn't work on a personal website of mine with a valid Let's Encrypt certificate, but I haven't verified whether it works on esp32s2 with CP. That site only allows TLS 1.3, while this mbedtls only supports up to 1.2. The version of mbedtls we adopted based on micropython's use has no TLS 1.3 support, but the one in espressif esp-idf does.
Now,
I believe this should broadly work across websites, and it now works on https://circuitpython.org/ Size wise, here's how pico_w is:
And regular pico:
So we could give back another ~256kB to CIRCUITPY and still have more remaining flash than regular pico. However, we do need to consider that we might want to enable some of these in the future:
the latter two are challenging since as of right now the picow doesn't have the separate heap for long-lived data like espressif does with the esp-idf heap. They are not currently targeted to implement.
OK, looks good, and let's get it in!
As a note, it can build just fine with another 512kB given back to CIRCUITPY and there is plenty of space free.
I'd like to leave at least as much free flash space as the non-"W" variant so that in a year we're not facing the dilemma of which modules that are enabled on Pico must be disabled on Pico W for it to fit.
Huge caveats:
This PR does not yet validate server certificates. This means that https URLs do not actually provide higher security than http URLs, because a "server in the middle" need not prove they are the site you intended to reach in order to successfully impersonate it.
Server certificates are now validated, except that expired certificates are not detected. (same as espressif port, see wifi/ssl: automatically set time from ntp; verify certificate validity #7004)
This brings the firmware size up to
1159444 bytes used, 671468 bytes free in flash firmware space out of 1830912 bytes (1788.0kB).
with a CIRCUITPY drive size of 260kB (usable size about 240kB). It should be possible to add a certificate store in the remaining flash space; I just haven't started on this work yet.
Testing performed: Fetched the quotes json file a couple of times
Working URLs:
Correctly fails:
Not working URLs:
NotImplementedErrors (none of these should block merging this PR IMO):
Other shortcomings:
Test code