## Testing self-signed certificates and `load_verify_locations`
Obtain the badssl "self-signed" certificate in the correct form:
```sh
openssl s_client -servername self-signed.badssl.com -connect untrusted-root.badssl.com:443 < /dev/null | openssl x509 > self-signed.pem
```
Copy it and the script to CIRCUITPY:
```python
import os
import wifi
import socketpool
import ssl
import adafruit_requests
TEXT_URL = "https://self-signed.badssl.com/"
if not wifi.radio.ipv4_address:
wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD'))
pool = socketpool.SocketPool(wifi.radio)
context = ssl.create_default_context()
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} without certificate (should fail)")
try:
response = requests.get(TEXT_URL)
except Exception as e:
print(f"Failed: {e}")
else:
print(f"{response.status_code=}, should have failed with exception")
print("Loading server certificate")
with open("/self-signed.pem", "rb") as certfile:
context.load_verify_locations(cadata=certfile.read())
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} with certificate (should succeed)")
try:
response = requests.get(TEXT_URL)
except Exception as e:
print(f"Unexpected exception: {e}")
else:
print(f"{response.status_code=}, should be 200 OK")
```
Tested with badssl.com:
1. Get client certificates from https://badssl.com/download/
2. Convert public portion with `openssl x509 -in badssl.com-client.pem -out CIRCUITPY/cert.pem`
3. Convert private portion with `openssl rsa -in badssl.com-client.pem -out CIRCUITPY/privkey.pem` and the password `badssl.com`
4. Put wifi settings in CIRCUITPY/.env
5. Run the below Python script:
```py
import os
import wifi
import socketpool
import ssl
import adafruit_requests
TEXT_URL = "https://client.badssl.com/"
wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD'))
pool = socketpool.SocketPool(wifi.radio)
context = ssl.create_default_context()
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} without certificate (should fail)")
response = requests.get(TEXT_URL)
print(f"{response.status_code=}, should be 400 Bad Request")
input("hit enter to continue\r")
print("Loading client certificate")
context.load_cert_chain("/cert.pem", "privkey.pem")
requests = adafruit_requests.Session(pool, context)
print(f"Fetching from {TEXT_URL} with certificate (should succeed)")
response = requests.get(TEXT_URL)
print(f"{response.status_code=}, should be 200 OK")
```
Closes: #7017
* Remove the 'GP23' alias for CYW1
* Remove the 'CYW0' alias for CYW0
* Switch VBUS_SENSE to CYW2, remove 'GP24' alias
Code that wants to use SMPS_MODE, VBUS_SENSE and LED while being
portable to the W and non-W variants should use those names, not alias
names.
* Remove A3 / VOLTAGE_MONITOR
Right now this cannot be used. The ability to check the voltage monitor
should be added back in some fashion in the future.
This module has not been built in years, since the (removed) esp8266 port.
Delete the code, as it is not likely to be useful in its current form.
Closes: #7015
This is intended (but not entirely verified) to match our esp32 builds.
It does fix accessing https://circuitpython.org, which failed before with
"MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE".
It still doesn't work on a personal website of mine with valid letsencrypt
certificate but I haven't verified whether it works on esp32s2 with CP.
That site only allows TLS 1.3, while this mbedtls only supports up to
1.2.
The version of mbedtls we adopted based on micropython's use has no
TLS 1.3 support, but the one in espressif esp-idf does.