docs/ussl: Add basic description of axTLS-based modussl.

In particular, disclose the fact that server certificates are not
validated.

docs/library/ussl.rst

@@ -8,56 +8,79 @@ This module provides access to Transport Layer Security (often known as
 “Secure Sockets Layer”) encryption and peer authentication facilities for
 network sockets, both client-side and server-side.
 
-Functions
+.. only:: not port_wipy
----------
 
-.. function:: ssl.wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ca_certs=None)
+    Functions
+    ---------
 
-   Takes an instance sock of socket.socket, and returns an instance of ssl.SSLSocket, a subtype of 
+    .. function:: ssl.wrap_socket(sock, server_side=False)
-   ``socket.socket``, which wraps the underlying socket in an SSL context. sock must be a ``SOCK_STREAM``
-   socket and protocol number ``socket.IPPROTO_SEC``; other socket types are unsupported. Example::
 
-      import socket
+       Takes a stream `sock` (usually usocket.socket instance of ``SOCK_STREAM`` type),
-      import ssl
+       and returns an instance of ssl.SSLSocket, which wraps the underlying stream in
-      s = socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
+       an SSL context. Returned object has the usual stream interface methods like
-      ss = ssl.wrap_socket(s)
+       `read()`, `write()`, etc. In MicroPython, the returned object does not expose
-      ss.connect(socket.getaddrinfo('www.google.com', 443)[0][-1])
+       socket interface and methods like `recv()`, `send()`. In particular, a
+       server-side SSL socket should be created from a normal socket returned from
+       `accept()` on a non-SSL listening server socket.
 
-   Certificates must be used in order to validate the other side of the connection, and also to
+    .. warning::
-   authenticate ourselves with the other end. Such certificates must be stored as files using the
-   FTP server, and they must be placed in specific paths with specific names.
 
-   - The certificate to validate the other side goes in: **'/flash/cert/ca.pem'**
+       Currently, this function does NOT validate server certificates, which makes
-   - The certificate to authenticate ourselves goes in: **'/flash/cert/cert.pem'**
+       an SSL connection established prone to man-in-the-middle attacks.
-   - The key for our own certificate goes in: **'/flash/cert/private.key'**
 
-   .. note::
 
-      When these files are stored, they are placed inside the internal **hidden** file system
+.. only:: port_wipy
-      (just like firmware updates), and therefore they are never visible.
 
-   For instance to connect to the Blynk servers using certificates, take the file ``ca.pem`` located
+    Functions
-   in the `blynk examples folder <https://github.com/wipy/wipy/tree/master/examples/blynk>`_ 
+    ---------
-   and put it in '/flash/cert/'. Then do::
 
-      import socket
+    .. function:: ssl.wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ca_certs=None)
-      import ssl
-      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
-      ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/ca.pem')
-      ss.connect(socket.getaddrinfo('cloud.blynk.cc', 8441)[0][-1])
 
-   SSL sockets inherit all methods and from the standard sockets, see the :mod:`usocket` module.
+       Takes an instance sock of socket.socket, and returns an instance of ssl.SSLSocket, a subtype of 
+       ``socket.socket``, which wraps the underlying socket in an SSL context. sock must be a ``SOCK_STREAM``
+       socket and protocol number ``socket.IPPROTO_SEC``; other socket types are unsupported. Example::
 
-Exceptions
+          import socket
-----------
+          import ssl
+          s = socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
+          ss = ssl.wrap_socket(s)
+          ss.connect(socket.getaddrinfo('www.google.com', 443)[0][-1])
 
-.. data:: ssl.SSLError
+       Certificates must be used in order to validate the other side of the connection, and also to
+       authenticate ourselves with the other end. Such certificates must be stored as files using the
+       FTP server, and they must be placed in specific paths with specific names.
 
-Constants
+       - The certificate to validate the other side goes in: **'/flash/cert/ca.pem'**
----------
+       - The certificate to authenticate ourselves goes in: **'/flash/cert/cert.pem'**
+       - The key for our own certificate goes in: **'/flash/cert/private.key'**
 
-.. data:: ssl.CERT_NONE
+       .. note::
-.. data:: ssl.CERT_OPTIONAL
-.. data:: ssl.CERT_REQUIRED
 
-    supported values in ``cert_reqs``
+          When these files are stored, they are placed inside the internal **hidden** file system
+          (just like firmware updates), and therefore they are never visible.
+
+       For instance to connect to the Blynk servers using certificates, take the file ``ca.pem`` located
+       in the `blynk examples folder <https://github.com/wipy/wipy/tree/master/examples/blynk>`_ 
+       and put it in '/flash/cert/'. Then do::
+
+          import socket
+          import ssl
+          s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
+          ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/ca.pem')
+          ss.connect(socket.getaddrinfo('cloud.blynk.cc', 8441)[0][-1])
+
+       SSL sockets inherit all methods and from the standard sockets, see the :mod:`usocket` module.
+
+    Exceptions
+    ----------
+
+    .. data:: ssl.SSLError
+
+    Constants
+    ---------
+
+    .. data:: ssl.CERT_NONE
+    .. data:: ssl.CERT_OPTIONAL
+    .. data:: ssl.CERT_REQUIRED
+
+        supported values in ``cert_reqs``