mirrors/micropython
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs/esp8266: Clarify limitations of SSL in esp8266 and fix typos.

Browse Source
This commit is contained in:
Mordy Ovits 2017-11-02 14:31:17 -04:00 committed by Damien George
parent 2bf1beef5c
commit d70ab87b2b
1 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
docs/esp8266/general.rst
View File

@ -163,25 +163,26 @@ SSL/TLS limitations
~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
ESP8266 uses `axTLS <http://axtls.sourceforge.net/>`_ library, which is one ESP8266 uses `axTLS <http://axtls.sourceforge.net/>`_ library, which is one
of the smallest TLS libraries with the compatible licensing. However, it of the smallest TLS libraries with compatible licensing. However, it
also has some known issues/limitations: also has some known issues/limitations:
1. No support for Diffie-Hellman (DH) key exchange and Elliptic-curve 1. No support for Diffie-Hellman (DH) key exchange and Elliptic-curve
cryptography (ECC). This means it can't work with sites which force cryptography (ECC). This means it can't work with sites which require
the use of these features (it works ok with classic RSA certificates). the use of these features (it works ok with the typical sites that use
RSA certificates).
2. Half-duplex communication nature. axTLS uses a single buffer for both 2. Half-duplex communication nature. axTLS uses a single buffer for both
sending and receiving, which leads to considerable memory saving and sending and receiving, which leads to considerable memory saving and
works well with protocols like HTTP. But there may be problems with works well with protocols like HTTP. But there may be problems with
protocols which don't follow classic request-response model. protocols which don't follow classic request-response model.
Besides axTLS own limitations, the configuration used for MicroPython is Besides axTLS's own limitations, the configuration used for MicroPython is
highly optimized for code size, which leads to additional limitations highly optimized for code size, which leads to additional limitations
(these may be lifted in the future): (these may be lifted in the future):
3. Optimized RSA algorithms are not enabled, which may lead to slow 3. Optimized RSA algorithms are not enabled, which may lead to slow
SSL handshakes. SSL handshakes.
4. Stored sessions are not supported (may allow faster repeated connections 4. Session Reuse is not enabled, which means every connection must undergo
to the same site in some circumstances). the full, expensive SSL handshake.
Besides axTLS specific limitations described above, there's another generic Besides axTLS specific limitations described above, there's another generic
limitation with usage of TLS on the low-memory devices: limitation with usage of TLS on the low-memory devices:
@ -195,13 +196,16 @@ limitation with usage of TLS on the low-memory devices:
accessing various REST APIs, which usually require much smaller messages. accessing various REST APIs, which usually require much smaller messages.
The buffers size is on the order of 5KB, and is adjusted from time to The buffers size is on the order of 5KB, and is adjusted from time to
time, taking as a reference being able to access https://google.com . time, taking as a reference being able to access https://google.com .
The smaller buffer hower means that some sites can't be accessed using The smaller buffer however means that some sites can't be accessed using
it, and it's not possible to stream large amounts of data. it, and it's not possible to stream large amounts of data. axTLS does
have support for TLS's Max Fragment Size extension, but no HTTPS website
does, so use of the extension is really only effective for local
communication with other devices.
There are also some not implemented features specifically in MicroPython's There are also some not implemented features specifically in MicroPython's
``ussl`` module based on axTLS: ``ussl`` module based on axTLS:
6. Certificates are not validated (this may make connections susceptible 6. Certificates are not validated (this makes connections susceptible
to man-in-the-middle attacks). to man-in-the-middle attacks).
7. There is no support for client certificates (scheduled to be fixed in 7. There is no support for client certificates (scheduled to be fixed in
1.9.4 release). 1.9.4 release).