Rather than returning the negative error value.
This is intended to close#7606, though I did not test with mqtt.
Instead, I created a simple standalone test program:
```python
import wifi, socketpool, ssl, time
#wifi.radio.connect(<omitted>)
import socketpool
socket = socketpool.SocketPool(wifi.radio)
ctx = ssl.create_default_context()
b = bytearray(8)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sss = ctx.wrap_socket(s, server_hostname='example.com')
sss.connect(('example.com', 443))
sss.setblocking(False)
r = sss.recv_into(b)
print(r, b) # prints 4294967285 which is -11 as unsigned
sss.close()
```
Before the change, r was the out of range value 4294967285. After the
change, the recv_into call raises OSError instead.
This is comparable to the behavior on standard Python, though an
SSLWantReadError is raised instead.
The original (mis)behavior seems to match what was uncovered deep inside
minimqtt by adding logging:
```
370.578: DEBUG - PKT: _sock_exact_recv: recv_len = 4294967285
```
The prefixed versions raise Python exceptions, the un-prefixed return
negative error values. We don't want to raise an exception from here,
it leaves the SSL stack in an undefined state.
## Testing self-signed certificates and `load_verify_locations`
Obtain the badssl "self-signed" certificate in the correct form:
```sh
openssl s_client -servername self-signed.badssl.com -connect untrusted-root.badssl.com:443 < /dev/null | openssl x509 > self-signed.pem
```
Copy it and the script to CIRCUITPY:
```python
import os
import wifi
import socketpool
import ssl
import adafruit_requests
TEXT_URL = "https://self-signed.badssl.com/"
if not wifi.radio.ipv4_address:
wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD'))
pool = socketpool.SocketPool(wifi.radio)
context = ssl.create_default_context()
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} without certificate (should fail)")
try:
response = requests.get(TEXT_URL)
except Exception as e:
print(f"Failed: {e}")
else:
print(f"{response.status_code=}, should have failed with exception")
print("Loading server certificate")
with open("/self-signed.pem", "rb") as certfile:
context.load_verify_locations(cadata=certfile.read())
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} with certificate (should succeed)")
try:
response = requests.get(TEXT_URL)
except Exception as e:
print(f"Unexpected exception: {e}")
else:
print(f"{response.status_code=}, should be 200 OK")
```
Tested with badssl.com:
1. Get client certificates from https://badssl.com/download/
2. Convert public portion with `openssl x509 -in badssl.com-client.pem -out CIRCUITPY/cert.pem`
3. Convert private portion with `openssl rsa -in badssl.com-client.pem -out CIRCUITPY/privkey.pem` and the password `badssl.com`
4. Put wifi settings in CIRCUITPY/.env
5. Run the below Python script:
```py
import os
import wifi
import socketpool
import ssl
import adafruit_requests
TEXT_URL = "https://client.badssl.com/"
wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD'))
pool = socketpool.SocketPool(wifi.radio)
context = ssl.create_default_context()
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} without certificate (should fail)")
response = requests.get(TEXT_URL)
print(f"{response.status_code=}, should be 400 Bad Request")
input("hit enter to continue\r")
print("Loading client certificate")
context.load_cert_chain("/cert.pem", "privkey.pem")
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} with certificate (should succeed)")
response = requests.get(TEXT_URL)
print(f"{response.status_code=}, should be 200 OK")
```
Note: at this time, the ssl module on pico_w never verifies the server
certificate. This means it does not actually provide a higher security
level than regular socket / http protocols.
hathach
Jeff Epler