miguelgrinberg / microdot

The impossibly small web framework for Python and MicroPython.
MIT License

Feature request: secure WebSocket (wss) #34

Closed beyonlo closed 2 years ago

beyonlo commented 2 years ago

Hello!

Congratulations for the great project.

I would like to know if you have intention to support secure WebSocket (use SSL over WebSocket) on the Microdot.

Thank you.

beyonlo commented 2 years ago

@miguelgrinberg Now that I was stopping the test I observed that there is one more error, but it is the same error that happened some weeks ago and was fixed by you.

Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: [Errno 104] ECONNRESET

Complete log:

$ mpremote run echo_tls.py 
Starting sync server on 0.0.0.0:4443...
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30976, 'MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET / 200
GET /echo 200
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: [Errno 104] ECONNRESET

EDIT: Just to know: will this error, or any error (even ones already fixed by you in the past), follow the same idea, i.e. it will not be suppressed/fixed, it just does not stop Microdot and the error is shown in the log?

EDIT 2: My question above is important for me to know whether I need to report new/different errors or not. Like this one, one more different error that happened:

OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23

miguelgrinberg commented 2 years ago

@beyonlo There are no strict rules. If the error(s) prevent something from working, then they need to be investigated. If the errors are just noise, but everything works, then it really depends. I can silence errors that are clearly not a problem (such as an EPIPE, which just means that the other side closed the socket). Non-standard errors with crazy error codes I feel less inclined to mess with, as these are often the result of specific drivers or libraries, and can mean different things under different stacks.

beyonlo commented 2 years ago

@miguelgrinberg

Report: 1. A strange behaviour (a bug too?) 2. A bug

1. Strange Behaviour:

Since last week (from my first test of hello_tls.py) I have wanted to report to you a different behaviour on different platforms: ESP32 and Linux.

-- Using Microdot (over MicroPython) on Linux, when I open the Linux IP, the browser quickly showed the warning that the connection was not secure, and an option to accept anyway and proceed with the insecure HTTPS (self-signed). This same behaviour happened in all browsers that I tested, and errors were always shown, but there is no delay. Here is the log:

$ micropython 
MicroPython v1.19.1-299-gaf54d2ce9 on 2022-08-22; linux [GCC 11.2.0] version
Use Ctrl-D to exit, Ctrl-E for paste mode
>>> 
>>> 
>>> import hello_tls
Starting sync server on 0.0.0.0:4443...
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET / 200
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET /shutdown 200
>>> 

-- Using Microdot on the ESP32, when I open the ESP32 IP, the browser keeps processing for a long time (around 10 seconds, or more) until it shows the option to proceed with insecure HTTPS. The same long delay happens as well after that option has already been accepted, I mean, when I try to reopen the ESP32 IP. It takes a long time to open the hello page. And, after it has opened, when I click on Click to shutdown the server, that long delay happens again, and only after that long time is the response The server is shutting down... shown.

-- This long time to reach the ESP32 happens using the Chromium, Edge and Safari (iOS) browsers, always showing errors in the log. Here is the log:

$ mpremote run hello_tls.py 
Starting sync server on 0.0.0.0:4443...
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET / 200
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET /shutdown 200

-- Sometimes the errors are much more intense (using Chromium), with a bigger delay, and ONE time it was necessary to manually stop Microdot (CTRL+C) and start it again, because it was showing just the same error - not the normal errors. Here is the log:

$ mpremote run hello_tls.py 
Starting sync server on 0.0.0.0:4443...
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET / 200
GET /favicon.ico 404
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23

Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23

-- Using Firefox to reach the ESP32 there are no error messages (better than running on Linux, which still has error messages), but there is still a delay, though much smaller, around 1-2 seconds. Here is the log:

$ mpremote run hello_tls.py 
Starting sync server on 0.0.0.0:4443...
GET / 200
GET /favicon.ico 404
GET /shutdown 200

-- More tests were done using Microdot on the ESP32 with hello_tls.py (using just Chromium), sometimes with different messages, just to report them to you. Here is the log:

--

$ mpremote run echo_tls.py 
Starting sync server on 0.0.0.0:4443...
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET / 200
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET /echo 200
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: [Errno 104] ECONNRESET
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: [Errno 104] ECONNRESET
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
GET / 200
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-30592, 'MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 45, in accept
OSError: 23

--

$ mpremote run hello_tls.py 
Starting sync server on 0.0.0.0:4443...
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-29312, 'MBEDTLS_ERR_SSL_CONN_EOF')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-29312, 'MBEDTLS_ERR_SSL_CONN_EOF')
Traceback (most recent call last):
  File "microdot.py", line 914, in run
  File "microdot_ssl.py", line 46, in accept
OSError: (-29312, 'MBEDTLS_ERR_SSL_CONN_EOF')
GET / 200
GET /shutdown 200

2. The Bug:

-- While I was doing the tests above with hello_tls.py, when I tried to open the ESP32 IP, the Hello was shown and Microdot immediately stopped. This test was done with Firefox. Here is the log:

$ mpremote run hello_tls.py 
Starting sync server on 0.0.0.0:4443...
GET / 200
Traceback (most recent call last):
  File "<stdin>", line 36, in <module>
  File "microdot.py", line 923, in run
  File "microdot.py", line 32, in create_thread
  File "microdot.py", line 966, in handle_request
  File "microdot.py", line 485, in write
OSError: -104

miguelgrinberg commented 2 years ago

@beyonlo So all these tests that you are doing are with a self-signed certificate that the browser does not accept? Have you tested a certificate that the browser is configured to accept/trust, which is the normal workflow? I haven't really tested self-signed certificates, they're just not very practical since all browsers reject them.

beyonlo commented 2 years ago

Hi @miguelgrinberg

@beyonlo So all these tests that you are doing are with a self-signed certificate

Yes, following the README.md how to create self-signed certificates - that is exactly what I need for my project, thank you!

that the browser does not accept?

I don't know if I understand this part of the question very well. After the browser detects that it is a self-signed certificate, it shows an option to Accept the Risk and Continue (screenshot below). So after that I click on the Accept the Risk and Continue button, and I do not need to accept again the second time I access this IP and this self-signed certificate. So, answering your question: the browser accepts it, but I first need to click on the Accept the Risk and Continue button.

[Screenshot from 2022-09-12 15-30-53: the browser's certificate warning page with the Accept the Risk and Continue button]

Have you tested a certificate that the browser is configured to accept/trust, which is the normal workflow?

This means not a self-signed certificate, but a certificate (mostly paid) that is generated and guaranteed by an entity, right? No, I do not have this kind of certificate! Anyway, what I need (and maybe many others) is just to use self-signed certificates in applications that will not be online on the internet, but mostly offline, while still supporting secure connections (HTTPS and wss) even when not connected to the internet, just on the local WLAN/LAN.

I haven't really tested self-signed certificates, they're just not very practical since all browsers reject them.

Sorry, I was thinking that you created the README.md instructions just to explain how to create self-signed certificates for me and other people to test the TLS examples. So you did not use that for tests? Sorry, I'm a bit confused.

miguelgrinberg commented 2 years ago

@beyonlo self-signed certificates have become less practical, because browsers introduce all these barriers to use them. Chrome for example does not provide an option to access the site anymore when the certificate is self-signed.

I believe this was mentioned above, you can configure your browser to accept certificates from a certificate authority that is managed by yourself. This is closer to how official certificates work. The mkcert tool makes it easy to create them, and to configure browsers to accept them. My goal is to offer support for proper certificates. Self-signed certs are less interesting to me because they have no practical use outside of testing, and even that is not easy anymore with some browsers.

The examples in the README are okay to use when you use a client that is not a browser and that you can configure to ignore validation. Most clients have an option for this. Browsers unfortunately are not a good case for self-signed certs. I think I'm going to update those instructions to use mkcert instead, because it was not my intention to suggest or recommend self-signed certs for any use other than quick tests between two scripts running a client and a server.
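
The three client trust models discussed in this thread side by side (a private root the client is configured to trust, as mkcert sets up; a browser that knows only its built-in roots; a non-browser client told to skip validation), as an added example in Go that is not part of Microdot or of anything posted by the commenters. It issues a private CA and a device certificate in memory, runs one TLS handshake per client configuration over TCP loopback and records what each side saw. In the rejecting cases the server's handshake fails with the client's fatal alert, which is the same event the mbedTLS tracebacks earlier in the thread report as MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: the browser refusing the certificate, not a server bug. The hostname espdev.local (taken from the ab output later in the thread) and the CA name Local Dev CA are assumptions made for the demo; InsecureSkipVerify is Go's spelling of "configure the client to ignore validation".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "espdev.local" // device name the certificate is issued for (assumed for the demo)

// Result records what each side of one TLS handshake observed (nil: that side succeeded).
type Result struct {
	Name                 string
	ClientErr, ServerErr error
}

func must[T any](v T, err error) T { // key/cert generation in the demo cannot usefully recover
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes an ECDSA key and certificate from tmpl: self-signed when parent is nil
// (what the README's openssl one-liner produces), otherwise signed by parent, our CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newPKI builds a private root ("Local Dev CA", an assumed name) and a server
// certificate for host signed by it: the same shape mkcert produces.
func newPKI() (*x509.Certificate, tls.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Local Dev CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, key := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, // clients match the name against SANs, not the CN
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over loopback and reports both sides. A client that
// rejects the certificate sends a fatal alert, so the server's handshake fails too: that
// is the event the mbedTLS tracebacks above report as MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE.
func handshake(server tls.Certificate, client *tls.Config) (clientErr, serverErr error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}}))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		conn.Close()
	}
	return err, <-done
}

// RunScenarios tries the client trust configurations discussed in the thread
// against one server presenting the CA-signed certificate.
func RunScenarios() []Result {
	ca, server := newPKI()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	scenarios := []struct{ name string; cfg *tls.Config }{
		// mkcert-style: the client knows the private root and the name matches.
		{"private CA trusted, name matches", &tls.Config{RootCAs: roots, ServerName: host}},
		// A browser that only knows its built-in roots rejects the certificate.
		{"system roots only (browser default)", &tls.Config{ServerName: host}},
		// Trusting the root does not bypass the hostname check.
		{"private CA trusted, wrong name", &tls.Config{RootCAs: roots, ServerName: "other.local"}},
		// "Ignore validation" in a script: connects, but nothing authenticates the server.
		{"InsecureSkipVerify", &tls.Config{InsecureSkipVerify: true}},
	}
	var out []Result
	for _, s := range scenarios {
		ce, se := handshake(server, s.cfg)
		out = append(out, Result{s.name, ce, se})
	}
	return out
}

func main() {
	for _, r := range RunScenarios() {
		fmt.Printf("%-38s client=%v | server=%v\n", r.Name, r.ClientErr, r.ServerErr)
	}
}
```

Run it with `go run`. Only the first scenario is both successful and authenticated; the last one connects but accepts any certificate an on-path attacker presents, which is why it belongs in a test script between two machines you control and not in a product, exactly the limit the comment above draws for the README's self-signed instructions.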

beyonlo commented 2 years ago

@beyonlo self-signed certificates have become less practical, because browsers introduce all these barriers to use them. Chrome for example does not provide an option to access the site anymore when the certificate is self-signed.

Understood. I tested that on Chrome for Android and it works. But I tested just Chrome for Android, not Chrome for PC. As my smartphone has an old version of Android, maybe this version of Chrome on mobile still works.

I believe this was mentioned above, you can configure your browser to accept certificates from a certificate authority that is managed by yourself. This is closer to how official certificates work.

So sorry, I remember that, but I was thinking it was just about Accept the Risk and Continue. Now I understand better, thank you!

The mkcert tool makes it easy to create them, and to configure browsers to accept them. My goal is to offer support for proper certificates. Self-signed certs are less interesting to me because they have no practical use outside of testing, and even that is not easy anymore with some browsers.

Perfect! I didn't know that was possible - like official certificates!

The examples in the README are okay to use when you use a client that is not a browser and that you can configure to ignore validation. Most clients have an option for this. Browsers unfortunately are not a good case for self-signed certs.

All right, understood!

I think I'm going to update those instructions to use mkcert instead, because it was not my intention to suggest or recommend self-signed certs for any use other than quick tests between two scripts running a client and a server.

I think that instructions for mkcert in the README will be great, but maybe you can have both options in the instructions. For example, in the future I plan to have one application that will not have browsers connecting to Microdot HTTPS and wss, just client applications, and in this case it will work using a secure SSL/TLS connection, because as you wrote: it is possible to configure the clients (that are not browsers) to ignore the validation. Maybe more people have the same scenario where they do not need browsers as clients.

Carglglz commented 2 years ago

-- Using Firefox to reach the ESP32 there are no error messages (better than running on Linux, which still has error messages), but there is still a delay, though much smaller, around 1-2 seconds.

@beyonlo This delay is expected (at least from what I've tested so far); the TLS handshake takes approx. 1 second on the ESP32

-------------------------------------------------------------- benchmark 'device': 1 tests --------------------------------------------------------------
Name (time in ms)                                            Min         Max      Mean   StdDev    Median       IQR  Outliers     OPS  Rounds  Iterations
---------------------------------------------------------------------------------------------------------------------------------------------------------
test_dev[TLS Context Client Benchmark]:[sdev@esp32]     926.4680  1,067.2600  982.6270  74.5092  931.7590  136.1090       2;0  1.0177       5           1
---------------------------------------------------------------------------------------------------------------------------------------------------------

And for the requests

ESP32

Server Software:
Server Hostname:        espdev.local
Server Port:            4443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-AES256-GCM-SHA384,256,256
Server Temp Key:        ECDH P-384 384 bits
TLS Server Name:        espdev.local

Document Path:          /
Document Length:        306 bytes

Concurrency Level:      2
Time taken for tests:   6.197 seconds
Complete requests:      4
Failed requests:        0
Total transferred:      1484 bytes
HTML transferred:       1224 bytes
Requests per second:    0.65 [#/sec] (mean)
Time per request:       3098.607 [ms] (mean)
Time per request:       1549.303 [ms] (mean, across all concurrent requests)
Transfer rate:          0.23 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:     1371 2214 716.3   2743    2870
Processing:    26   29   2.6     30      33
Waiting:       15   18   3.9     18      23
Total:       1400 2243 716.4   2776    2897

Percentage of the requests served within a certain time (ms)
  50%   2776
  66%   2776
  75%   2897
  80%   2897
  90%   2897
  95%   2897
  98%   2897
  99%   2897
 100%   2897 (longest request)

UNIX

Server Software:
Server Hostname:        localhost
Server Port:            4443
SSL/TLS Protocol:       TLSv1.2,AES256-SHA256,4096,256
TLS Server Name:        localhost

Document Path:          /
Document Length:        306 bytes

Concurrency Level:      4
Time taken for tests:   2.784 seconds
Complete requests:      100
Failed requests:        0
Total transferred:      37100 bytes
HTML transferred:       30600 bytes
Requests per second:    35.92 [#/sec] (mean)
Time per request:       111.366 [ms] (mean)
Time per request:       27.842 [ms] (mean, across all concurrent requests)
Transfer rate:          13.01 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       38  107  12.4    106     145
Processing:     0    1   0.7      1       6
Waiting:        0    0   0.2      0       1
Total:         38  108  12.3    107     146

Percentage of the requests served within a certain time (ms)
  50%    107
  66%    109
  75%    109
  80%    111
  90%    115
  95%    131
  98%    145
  99%    146
 100%    146 (longest request)

beyonlo commented 2 years ago

@beyonlo This delay is expected (at least from what I've tested so far); the TLS handshake takes approx. 1 second on the ESP32

@Carglglz So, if I use just HTTPS (with no wss) on the website (Microdot) running on the ESP32, there will be a 1s delay for each click that I do, right? Because as the HTTP protocol is not a persistent connection, each click will be one more handshake, so it will delay 1s - that is very bad. So in this case it is always better to use a secure persistent WebSocket (wss) over HTTPS, so each click on the website will send/receive data over wss, which is a persistent connection, and does not need to do a handshake every time. In this scenario there will be just 1 handshake, when the user opens the website and connects to the wss. Is this thought correct?

Carglglz commented 2 years ago

So in this case it is always better to use a secure persistent WebSocket (wss) over HTTPS, so each click on the website will send/receive data over wss, which is a persistent connection, and does not need to do a handshake every time. In this scenario there will be just 1 handshake, when the user opens the website and connects to the wss. Is this thought correct?

@beyonlo Yes, although there is a feature in TLS called session resumption (it is available in Python, see RFC 5077 and SSLContext.wrap_socket), but unfortunately it hasn't been implemented yet in MicroPython and I'm not sure if it will be.