micropython
diff --git a/‎extmod/modussl_axtls.c
Lines changed: 3 additions & 0 deletions b/‎extmod/modussl_axtls.c
Lines changed: 3 additions & 0 deletions
diff --git a/‎extmod/modussl_mbedtls.c
Lines changed: 63 additions & 1 deletion b/‎extmod/modussl_mbedtls.c
Lines changed: 63 additions & 1 deletion
diff --git a/‎extmod/uasyncio/stream.py
Lines changed: 1 addition & 4 deletions b/‎extmod/uasyncio/stream.py
Lines changed: 1 addition & 4 deletions
diff --git a/‎tests/net_inet/uasyncio_ssl.py
Lines changed: 47 additions & 0 deletions b/‎tests/net_inet/uasyncio_ssl.py
Lines changed: 47 additions & 0 deletions
@@ -176,6 +176,7 @@ STATIC mp_uint_t ussl_socket_read(mp_obj_t o_in, void *buf, mp_uint_t size, int
 
     while (o->bytes_left == 0) {
         mp_int_t r = ssl_read(o->ssl_sock, &o->buf);
+        printf("R{%d}", r);
         if (r == SSL_OK) {
             // SSL_OK from ssl_read() means "everything is ok, but there's
             // no user data yet". It may happen e.g. if handshake is not
@@ -242,6 +243,7 @@ STATIC mp_uint_t ussl_socket_write(mp_obj_t o_in, const void *buf, mp_uint_t siz
     mp_int_t r;
 eagain:
     r = ssl_write(o->ssl_sock, buf, size);
+    printf("W{%d}", r);
     if (r == SSL_OK) {
         // see comment in read method
         if (o->blocking) {
@@ -356,6 +358,7 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socke
 STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
     { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_ussl) },
     { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
+    { MP_ROM_QSTR(MP_QSTR_errstr), MP_ROM_PTR(&mod_ssl_errstr_obj) },
 };
 
 STATIC MP_DEFINE_CONST_DICT(mp_module_ssl_globals, mp_module_ssl_globals_table);
 
@@ -45,6 +45,15 @@
 #include "mbedtls/debug.h"
 #include "mbedtls/error.h"
 
+// flags for _mp_obj_ssl_socket_t.poll_flag that control the poll ioctl
+// the issue is that when using ipoll we may be polling only for reading, and the socket may never
+// become readable because mbedtls needs to write soemthing (like a handshake or renegotiation) and
+// so poll never returns "it's readable" or "it's writable" and so nothing ever makes progress.
+// See also the commit message for
+// https://github.com/micropython/micropython/commit/9c7c082396f717a8a8eb845a0af407e78d38165f
+#define READ_NEEDS_WRITE 0x1 // mbedtls_ssl_read said "I need a write"
+#define WRITE_NEEDS_READ 0x2 // mbedtls_ssl_write said "I need a read"
+
 typedef struct _mp_obj_ssl_socket_t {
     mp_obj_base_t base;
     mp_obj_t sock;
@@ -55,6 +64,7 @@ typedef struct _mp_obj_ssl_socket_t {
     mbedtls_x509_crt cacert;
     mbedtls_x509_crt cert;
     mbedtls_pk_context pkey;
+    uint8_t poll_flag;
 } mp_obj_ssl_socket_t;
 
 struct ssl_args {
@@ -92,6 +102,26 @@ STATIC NORETURN void mbedtls_raise_error(int err) {
 #endif
 }
 
+STATIC mp_obj_t mod_ssl_errstr(mp_obj_t err_in) {
+    size_t err = mp_obj_get_int(err_in);
+    vstr_t vstr;
+    vstr_init_len(&vstr, 80);
+
+    // Including mbedtls_strerror takes about 16KB on the esp32 due to all the strings
+#if 1
+    vstr.buf[0] = 0;
+    mbedtls_strerror(err, vstr.buf, vstr.alloc);
+    vstr.len = strlen(vstr.buf);
+    if (vstr.len == 0) {
+        return MP_OBJ_NULL;
+    }
+#else
+    vstr_printf(vstr, "mbedtls error -0x%x\n", -err);
+#endif
+    return mp_obj_new_str_from_vstr(&mp_type_bytes, &vstr);
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_1(mod_ssl_errstr_obj, mod_ssl_errstr);
+
 // _mbedtls_ssl_send is called by mbedtls to send bytes onto the underlying socket
 STATIC int _mbedtls_ssl_send(void *ctx, const byte *buf, size_t len) {
     mp_obj_t sock = *(mp_obj_t *)ctx;
@@ -214,10 +244,10 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
         }
     }
 
+    o->poll_flag = 0;
     if (args->do_handshake.u_bool) {
         while ((ret = mbedtls_ssl_handshake(&o->ssl)) != 0) {
             if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
-                printf("mbedtls_ssl_handshake error: %d/-0x%x\n", ret, -ret);
                 goto cleanup;
             }
         }
@@ -267,6 +297,7 @@ STATIC void socket_print(const mp_print_t *print, mp_obj_t self_in, mp_print_kin
 STATIC mp_uint_t socket_read(mp_obj_t o_in, void *buf, mp_uint_t size, int *errcode) {
     mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in);
 
+    o->poll_flag &= ~READ_NEEDS_WRITE; // clear flag
     int ret = mbedtls_ssl_read(&o->ssl, buf, size);
     if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
         // end of stream
@@ -281,6 +312,7 @@ STATIC mp_uint_t socket_read(mp_obj_t o_in, void *buf, mp_uint_t size, int *errc
         // If handshake is not finished, read attempt may end up in protocol
         // wanting to write next handshake message. The same may happen with
         // renegotation.
+        o->poll_flag |= READ_NEEDS_WRITE; // set flag
         ret = MP_EWOULDBLOCK;
     }
     *errcode = ret;
@@ -306,6 +338,7 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_2(socket_recv_obj, socket_recv);
 STATIC mp_uint_t socket_write(mp_obj_t o_in, const void *buf, mp_uint_t size, int *errcode) {
     mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in);
 
+    o->poll_flag &= ~WRITE_NEEDS_READ; // clear flag
     int ret = mbedtls_ssl_write(&o->ssl, buf, size);
     if (ret >= 0) {
         return ret;
@@ -316,6 +349,7 @@ STATIC mp_uint_t socket_write(mp_obj_t o_in, const void *buf, mp_uint_t size, in
         // If handshake is not finished, write attempt may end up in protocol
         // wanting to read next handshake message. The same may happen with
         // renegotation.
+        o->poll_flag |= WRITE_NEEDS_READ; // set flag
         ret = MP_EWOULDBLOCK;
     }
     *errcode = ret;
@@ -355,6 +389,33 @@ STATIC mp_uint_t socket_ioctl(mp_obj_t o_in, mp_uint_t request, uintptr_t arg, i
         mbedtls_ssl_config_free(&self->conf);
         mbedtls_ctr_drbg_free(&self->ctr_drbg);
         mbedtls_entropy_free(&self->entropy);
+    } else if (request == MP_STREAM_POLL) {
+        // If we're polling to read but not write but mbedtls previously said it needs to write in
+        // order to be able to read then poll for both and if either is available pretend the socket
+        // is readable. When the app then performs a read, mbedtls is happy to perform the writes as
         // well. Essentially, what we're ensuring is that one of mbedtls' read/write functions is
+        // called as soon as the socket can do something.
+        if ((arg & MP_STREAM_POLL_RD) && !(arg & MP_STREAM_POLL_WR) &&
+                self->poll_flag & READ_NEEDS_WRITE) {
+            arg |= MP_STREAM_POLL_WR;
+            mp_uint_t ret = mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
+            if (ret & MP_STREAM_POLL_WR) {
+                ret |= MP_STREAM_POLL_RD;
+                ret &= ~MP_STREAM_POLL_WR;
+            }
+            return ret;
+        // Now comes the same logic flipped around for write
+        } else if ((arg & MP_STREAM_POLL_WR) && !(arg & MP_STREAM_POLL_RD) &&
+                self->poll_flag & WRITE_NEEDS_READ) {
+            arg |= MP_STREAM_POLL_RD;
+            mp_uint_t ret = mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
+            if (ret & MP_STREAM_POLL_RD) {
+                ret |= MP_STREAM_POLL_WR;
+                ret &= ~MP_STREAM_POLL_RD;
+            }
+            return ret;
+        }
+        // fall-through if there's no wonky XX_NEEDS_YY situation
     }
     // Pass all requests down to the underlying socket
     return mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
@@ -418,6 +479,7 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socke
 STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
     { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_ussl) },
     { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
+    { MP_ROM_QSTR(MP_QSTR_errstr), MP_ROM_PTR(&mod_ssl_errstr_obj) },
 };
 
 STATIC MP_DEFINE_CONST_DICT(mp_module_ssl_globals, mp_module_ssl_globals_table);
 
@@ -7,8 +7,6 @@
     import ssl as modssl # module is used in function that has an ssl parameter
 except:
     modssl = None
-# Note a major issue with SSL in this commit message:
-# https://github.com/micropython/micropython/commit/9c7c082396f717a8a8eb845a0af407e78d38165f
 
 class Stream:
     def __init__(self, s, e={}):
@@ -67,13 +65,11 @@ async def open_connection(host, port, ssl=None, server_hostname=None):
     ai = socket.getaddrinfo(host, port)[0]  # TODO this is blocking!
     s = socket.socket()
     s.setblocking(False)
-    ss = Stream(s)
     try:
         s.connect(ai[-1])
     except OSError as er:
         if er.args[0] != EINPROGRESS:
             raise er
-    yield core._io_queue.queue_write(s)
     # wrap with SSL, if requested
     if ssl:
         if not modssl:
@@ -91,6 +87,7 @@ async def open_connection(host, port, ssl=None, server_hostname=None):
             raise ValueError("invalid ssl param")
         ssl["do_handshake"] = False # as non-blocking as possible
         s = modssl.wrap_socket(s, **ssl)
+    ss = Stream(s)
     return ss, ss
 
 
 
@@ -0,0 +1,47 @@
+# Attempt to test the funky poll patch in modussl_mbedtls, but sadly this works
+# without the patch...
+
+try:
+    import uasyncio as asyncio, ussl as ssl
+except ImportError:
+    try:
+        import asyncio, ssl
+    except ImportError:
+        print("SKIP")
+        raise SystemExit
+
+
+# open a connection and start by reading, not writing
+    reader, writer = await asyncio.open_connection(host, port, ssl=True)
+
+    print("read something")
+    inbuf = b''
+    while len(inbuf) < 20:
+        try:
+            b = await reader.read(100)
+        except OSError as e:
+            if e.args[0] < -120:
+                print("read SSL error -%x : %s" % (-e.args[0], ssl.errstr(e.args[0])))
+                raise OSError(e.args[0], bytes.decode(ssl.errstr(e.args[0])))
+            else:
+                print("read OSError: %d / -%x" % (e.args[0], -e.args[0]))
+                raise
+        print("read:", b)
+        if b is None:
+            continue
+        elif len(b) == 0:
+            print("EOF")
+            break
+        elif len(b) > 0:
+            inbuf += b
+        else:
+            raise ValueError("negative length returned by recv")
+
+    print("close")
+    writer.close()
+    await writer.wait_closed()
+    print("done")
+
+
+asyncio.run(read_first("aspmx.l.google.com", 25))