extmod/tls Move the native ssl module to tls.

felixdoerre · felixdoerre · commit 6b5750b3588f · 2024-01-30T08:49:23.000Z
The current ssl module has quite a few differences to the cpython
implementation. This change moves the micropython variant to tls
and provides a wrapper module for ssl.

Users who only rely on implemented comparible behavior can
continue to use "ssl", while users that rely on non-compatible
behavior should switch to "tls". Then we can make the facade in
"ssl" more strictly adhere to cpython.

Signed-off-by: Felix Dörre &lt;felix@dogcraft.de&gt;
diff --git a/docs/library/ssl.rst b/docs/library/ssl.rst
@@ -13,7 +13,7 @@ facilities for network sockets, both client-side and server-side.
 Functions
 ---------
 
-.. function:: ssl.wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, cadata=None, server_hostname=None, do_handshake=True)
+.. function:: ssl.wrap_socket(sock, server_side=False, key=None, cert=None, cert_reqs=CERT_NONE, cadata=None, server_hostname=None, do_handshake=True)
 
     Wrap the given *sock* and return a new wrapped-socket object.  The implementation
     of this function is to first create an `SSLContext` and then call the `SSLContext.wrap_socket`
diff --git a/extmod/extmod.cmake b/extmod/extmod.cmake
@@ -39,8 +39,8 @@ set(MICROPY_SOURCE_EXTMOD
     ${MICROPY_EXTMOD_DIR}/modre.c
     ${MICROPY_EXTMOD_DIR}/modselect.c
     ${MICROPY_EXTMOD_DIR}/modsocket.c
-    ${MICROPY_EXTMOD_DIR}/modssl_axtls.c
-    ${MICROPY_EXTMOD_DIR}/modssl_mbedtls.c
+    ${MICROPY_EXTMOD_DIR}/modtls_axtls.c
+    ${MICROPY_EXTMOD_DIR}/modtls_mbedtls.c
     ${MICROPY_EXTMOD_DIR}/modtime.c
     ${MICROPY_EXTMOD_DIR}/modwebsocket.c
     ${MICROPY_EXTMOD_DIR}/modwebrepl.c
diff --git a/extmod/extmod.mk b/extmod/extmod.mk
@@ -36,8 +36,8 @@ SRC_EXTMOD_C += \
 	extmod/modre.c \
 	extmod/modselect.c \
 	extmod/modsocket.c \
-	extmod/modssl_axtls.c \
-	extmod/modssl_mbedtls.c \
+	extmod/modtls_axtls.c \
+	extmod/modtls_mbedtls.c \
 	extmod/modtime.c \
 	extmod/moductypes.c \
 	extmod/modwebrepl.c \
diff --git a/extmod/modtls_axtls.c b/extmod/modtls_axtls.c
@@ -160,6 +160,14 @@ STATIC void ssl_context_load_key(mp_obj_ssl_context_t *self, mp_obj_t key_obj, m
     self->key = key_obj;
     self->cert = cert_obj;
 }
+// SSLContext.load_cert_chain(certfile, keyfile)
+STATIC mp_obj_t ssl_context_load_cert_chain(mp_obj_t self_in, mp_obj_t cert, mp_obj_t pkey) {
+    mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in);
+    ssl_context_load_key(self, pkey, cert);
+    return mp_const_none;
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_3(ssl_context_load_cert_chain_obj, ssl_context_load_cert_chain);
+
 
 STATIC mp_obj_t ssl_context_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) {
     enum { ARG_server_side, ARG_do_handshake_on_connect, ARG_server_hostname };
@@ -182,6 +190,7 @@ STATIC mp_obj_t ssl_context_wrap_socket(size_t n_args, const mp_obj_t *pos_args,
 STATIC MP_DEFINE_CONST_FUN_OBJ_KW(ssl_context_wrap_socket_obj, 2, ssl_context_wrap_socket);
 
 STATIC const mp_rom_map_elem_t ssl_context_locals_dict_table[] = {
+    { MP_ROM_QSTR(MP_QSTR_load_cert_chain), MP_ROM_PTR(&ssl_context_load_cert_chain_obj)},
     { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&ssl_context_wrap_socket_obj) },
 };
 STATIC MP_DEFINE_CONST_DICT(ssl_context_locals_dict, ssl_context_locals_dict_table);
@@ -413,48 +422,8 @@ STATIC MP_DEFINE_CONST_OBJ_TYPE(
 /******************************************************************************/
 // ssl module.
 
-STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) {
-    enum {
-        ARG_key,
-        ARG_cert,
-        ARG_server_side,
-        ARG_server_hostname,
-        ARG_do_handshake,
-    };
-    static const mp_arg_t allowed_args[] = {
-        { MP_QSTR_key, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-        { MP_QSTR_cert, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-        { MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} },
-        { MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-        { MP_QSTR_do_handshake, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} },
-    };
-
-    // Parse arguments.
-    mp_obj_t sock = pos_args[0];
-    mp_arg_val_t args[MP_ARRAY_SIZE(allowed_args)];
-    mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args, MP_ARRAY_SIZE(allowed_args), allowed_args, args);
-
-    // Create SSLContext.
-    mp_int_t protocol = args[ARG_server_side].u_bool ? PROTOCOL_TLS_SERVER : PROTOCOL_TLS_CLIENT;
-    mp_obj_t ssl_context_args[1] = { MP_OBJ_NEW_SMALL_INT(protocol) };
-    mp_obj_ssl_context_t *ssl_context = MP_OBJ_TO_PTR(ssl_context_make_new(&ssl_context_type, 1, 0, ssl_context_args));
-
-    // Load key and cert if given.
-    if (args[ARG_key].u_obj != mp_const_none) {
-        ssl_context_load_key(ssl_context, args[ARG_key].u_obj, args[ARG_cert].u_obj);
-    }
-
-    // Create and return the new SSLSocket object.
-    return ssl_socket_make_new(ssl_context, sock, args[ARG_server_side].u_bool,
-        args[ARG_do_handshake].u_bool, args[ARG_server_hostname].u_obj);
-}
-STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socket);
-
-STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
-    { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_ssl) },
-
-    // Functions.
-    { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
+STATIC const mp_rom_map_elem_t mp_module_tls_globals_table[] = {
+    { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_tls) },
 
     // Classes.
     { MP_ROM_QSTR(MP_QSTR_SSLContext), MP_ROM_PTR(&ssl_context_type) },
@@ -463,13 +432,13 @@ STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
     { MP_ROM_QSTR(MP_QSTR_PROTOCOL_TLS_CLIENT), MP_ROM_INT(PROTOCOL_TLS_CLIENT) },
     { MP_ROM_QSTR(MP_QSTR_PROTOCOL_TLS_SERVER), MP_ROM_INT(PROTOCOL_TLS_SERVER) },
 };
-STATIC MP_DEFINE_CONST_DICT(mp_module_ssl_globals, mp_module_ssl_globals_table);
+STATIC MP_DEFINE_CONST_DICT(mp_module_tls_globals, mp_module_tls_globals_table);
 
-const mp_obj_module_t mp_module_ssl = {
+const mp_obj_module_t mp_module_tls = {
     .base = { &mp_type_module },
-    .globals = (mp_obj_dict_t *)&mp_module_ssl_globals,
+    .globals = (mp_obj_dict_t *)&mp_module_tls_globals,
 };
 
-MP_REGISTER_EXTENSIBLE_MODULE(MP_QSTR_ssl, mp_module_ssl);
+MP_REGISTER_MODULE(MP_QSTR_tls, mp_module_tls);
 
 #endif // MICROPY_PY_SSL && MICROPY_SSL_AXTLS
diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c
@@ -92,24 +92,6 @@ STATIC mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t
 /******************************************************************************/
 // Helper functions.
 
-STATIC mp_obj_t read_file(mp_obj_t self_in) {
-    // file = open(args[0], "rb")
-    mp_obj_t f_args[2] = {
-        self_in,
-        MP_OBJ_NEW_QSTR(MP_QSTR_rb),
-    };
-    mp_obj_t file = mp_vfs_open(2, &f_args[0], (mp_map_t *)&mp_const_empty_map);
-
-    // data = file.read()
-    mp_obj_t dest[2];
-    mp_load_method(file, MP_QSTR_read, dest);
-    mp_obj_t data = mp_call_method_n_kw(0, 0, dest);
-
-    // file.close()
-    mp_stream_close(file);
-    return data;
-}
-
 #ifdef MBEDTLS_DEBUG_C
 STATIC void mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str) {
     (void)ctx;
@@ -258,9 +240,7 @@ STATIC mp_obj_t ssl_context_make_new(const mp_obj_type_t *type_in, size_t n_args
     }
 
     if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
-        // The CPython default is MBEDTLS_SSL_VERIFY_REQUIRED, but to maintain
-        // backwards compatibility we use MBEDTLS_SSL_VERIFY_NONE for now.
-        self->authmode = MBEDTLS_SSL_VERIFY_NONE;
+        self->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
     } else {
         self->authmode = MBEDTLS_SSL_VERIFY_NONE;
     }
@@ -398,25 +378,9 @@ STATIC void ssl_context_load_key(mp_obj_ssl_context_t *self, mp_obj_t key_obj, m
 }
 
 // SSLContext.load_cert_chain(certfile, keyfile)
-STATIC mp_obj_t ssl_context_load_cert_chain(mp_obj_t self_in, mp_obj_t certfile, mp_obj_t keyfile) {
+STATIC mp_obj_t ssl_context_load_cert_chain(mp_obj_t self_in, mp_obj_t cert, mp_obj_t pkey) {
     mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in);
-    mp_obj_t pkey;
-    mp_obj_t cert;
-    if (certfile != mp_const_none) {
-        // check if key is a string/path
-        if (!(mp_obj_is_type(keyfile, &mp_type_bytes))) {
-            pkey = read_file(keyfile);
-        } else {
-            pkey = keyfile;
-        }
-        // check if cert is a string/path
-        if (!(mp_obj_is_type(certfile, &mp_type_bytes))) {
-            cert = read_file(certfile);
-        } else {
-            cert = certfile;
-        }
-        ssl_context_load_key(self, pkey, cert);
-    }
+    ssl_context_load_key(self, pkey, cert);
     return mp_const_none;
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_3(ssl_context_load_cert_chain_obj, ssl_context_load_cert_chain);
@@ -433,25 +397,20 @@ STATIC void ssl_context_load_cadata(mp_obj_ssl_context_t *self, mp_obj_t cadata_
     mbedtls_ssl_conf_ca_chain(&self->conf, &self->cacert, NULL);
 }
 
-// SSLContext.load_verify_locations(cafile=None, *, cadata=None)
+// SSLContext.load_verify_locations(*, cadata=None)
 STATIC mp_obj_t ssl_context_load_verify_locations(size_t n_args, const mp_obj_t *pos_args,
     mp_map_t *kw_args) {
 
     static const mp_arg_t allowed_args[] = {
-        { MP_QSTR_cafile, MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
         { MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
     };
 
     mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(pos_args[0]);
     mp_arg_val_t args[MP_ARRAY_SIZE(allowed_args)];
     mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args, MP_ARRAY_SIZE(allowed_args), allowed_args, args);
-    // cafile
-    if (args[0].u_obj != mp_const_none) {
-        ssl_context_load_cadata(self, read_file(args[0].u_obj));
-    }
     // cadata
-    if (args[1].u_obj != mp_const_none) {
-        ssl_context_load_cadata(self, args[1].u_obj);
+    if (args[0].u_obj != mp_const_none) {
+        ssl_context_load_cadata(self, args[0].u_obj);
     }
     return mp_const_none;
 }
@@ -810,65 +769,8 @@ STATIC MP_DEFINE_CONST_OBJ_TYPE(
 /******************************************************************************/
 // ssl module.
 
-STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) {
-    enum {
-        ARG_key,
-        ARG_cert,
-        ARG_server_side,
-        ARG_server_hostname,
-        ARG_cert_reqs,
-        ARG_cadata,
-        ARG_do_handshake,
-        ARG_cert_callback,
-    };
-    static const mp_arg_t allowed_args[] = {
-        { MP_QSTR_key, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-        { MP_QSTR_cert, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-        { MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} },
-        { MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-        { MP_QSTR_cert_reqs, MP_ARG_KW_ONLY | MP_ARG_INT, {.u_int = MBEDTLS_SSL_VERIFY_NONE}},
-        { MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-        { MP_QSTR_do_handshake, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} },
-        { MP_QSTR_cert_callback, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-    };
-
-    // Parse arguments.
-    mp_obj_t sock = pos_args[0];
-    mp_arg_val_t args[MP_ARRAY_SIZE(allowed_args)];
-    mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args, MP_ARRAY_SIZE(allowed_args), allowed_args, args);
-
-    // Create SSLContext.
-    mp_int_t protocol = args[ARG_server_side].u_bool ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT;
-    mp_obj_t ssl_context_args[1] = { MP_OBJ_NEW_SMALL_INT(protocol) };
-    mp_obj_ssl_context_t *ssl_context = MP_OBJ_TO_PTR(ssl_context_make_new(&ssl_context_type, 1, 0, ssl_context_args));
-
-    // Load key and cert if given.
-    if (args[ARG_key].u_obj != mp_const_none) {
-        ssl_context_load_key(ssl_context, args[ARG_key].u_obj, args[ARG_cert].u_obj);
-    }
-
-    // Set the verify_mode.
-    mp_obj_t dest[2] = { MP_OBJ_SENTINEL, MP_OBJ_NEW_SMALL_INT(args[ARG_cert_reqs].u_int) };
-    ssl_context_attr(MP_OBJ_FROM_PTR(ssl_context), MP_QSTR_verify_mode, dest);
-    mp_obj_t dest2[2] = { MP_OBJ_SENTINEL, args[ARG_cert_callback].u_obj };
-    ssl_context_attr(MP_OBJ_FROM_PTR(ssl_context), MP_QSTR_cert_callback, dest2);
-
-    // Load cadata if given.
-    if (args[ARG_cadata].u_obj != mp_const_none) {
-        ssl_context_load_cadata(ssl_context, args[ARG_cadata].u_obj);
-    }
-
-    // Create and return the new SSLSocket object.
-    return ssl_socket_make_new(ssl_context, sock, args[ARG_server_side].u_bool,
-        args[ARG_do_handshake].u_bool, args[ARG_server_hostname].u_obj);
-}
-STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socket);
-
-STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
-    { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_ssl) },
-
-    // Functions.
-    { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
+STATIC const mp_rom_map_elem_t mp_module_tls_globals_table[] = {
+    { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_tls) },
 
     // Classes.
     { MP_ROM_QSTR(MP_QSTR_SSLContext), MP_ROM_PTR(&ssl_context_type) },
@@ -881,13 +783,13 @@ STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
     { MP_ROM_QSTR(MP_QSTR_CERT_OPTIONAL), MP_ROM_INT(MBEDTLS_SSL_VERIFY_OPTIONAL) },
     { MP_ROM_QSTR(MP_QSTR_CERT_REQUIRED), MP_ROM_INT(MBEDTLS_SSL_VERIFY_REQUIRED) },
 };
-STATIC MP_DEFINE_CONST_DICT(mp_module_ssl_globals, mp_module_ssl_globals_table);
+STATIC MP_DEFINE_CONST_DICT(mp_module_tls_globals, mp_module_tls_globals_table);
 
-const mp_obj_module_t mp_module_ssl = {
+const mp_obj_module_t mp_module_tls = {
     .base = { &mp_type_module },
-    .globals = (mp_obj_dict_t *)&mp_module_ssl_globals,
+    .globals = (mp_obj_dict_t *)&mp_module_tls_globals,
 };
 
-MP_REGISTER_EXTENSIBLE_MODULE(MP_QSTR_ssl, mp_module_ssl);
+MP_REGISTER_MODULE(MP_QSTR_tls, mp_module_tls);
 
 #endif // MICROPY_PY_SSL && MICROPY_SSL_MBEDTLS
diff --git a/lib/micropython-lib b/lib/micropython-lib
@@ -1 +1 @@
-Subproject commit 7cdf70881519c73667efbc4a61a04d9c1a49babb
+Subproject commit 6f45bd9504ddfc4faad551d3a8f9c6de7c08ddea
diff --git a/ports/rp2/boards/manifest.py b/ports/rp2/boards/manifest.py
@@ -1,5 +1,6 @@
 freeze("$(PORT_DIR)/modules")
 include("$(MPY_DIR)/extmod/asyncio")
+require("ssl")
 require("onewire")
 require("ds18x20")
 require("dht")
diff --git a/ports/unix/variants/coverage/manifest.py b/ports/unix/variants/coverage/manifest.py
@@ -1,3 +1,4 @@
 freeze_as_str("frzstr")
 freeze_as_mpy("frzmpy")
 freeze_mpy("$(MPY_DIR)/tests/frozen")
+require("ssl")
diff --git a/ports/unix/variants/manifest.py b/ports/unix/variants/manifest.py
@@ -1 +1,2 @@
 require("mip-cmdline")
+require("ssl")
diff --git a/ports/unix/variants/nanbox/manifest.py b/ports/unix/variants/nanbox/manifest.py
@@ -0,0 +1 @@
+reqiure("ssl")
diff --git a/ports/unix/variants/nanbox/mpconfigvariant.mk b/ports/unix/variants/nanbox/mpconfigvariant.mk
@@ -1,3 +1,4 @@
 # build interpreter with nan-boxing as object model (object repr D)
 
+FROZEN_MANIFEST ?= $(VARIANT_DIR)/manifest.py
 MICROPY_FORCE_32BIT = 1
diff --git a/ports/windows/variants/manifest.py b/ports/windows/variants/manifest.py
@@ -0,0 +1 @@
+require("ssl")
diff --git a/ports/windows/variants/standard/manifest.py b/ports/windows/variants/standard/manifest.py
@@ -0,0 +1 @@
+include("$(PORT_DIR)/variants/manifest.py")
diff --git a/ports/windows/variants/standard/mpconfigvariant.mk b/ports/windows/variants/standard/mpconfigvariant.mk
@@ -1 +1,2 @@
 # This is the default variant when you `make` the Windows port.
+FROZEN_MANIFEST ?= $(VARIANT_DIR)/manifest.py
diff --git a/ports/windows/variants/standard/mpconfigvariant.props b/ports/windows/variants/standard/mpconfigvariant.props
@@ -1,3 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="14.0">
+  <PropertyGroup>
+    <FrozenManifest>$(PyVariantDir)manifest.py</FrozenManifest>
+  </PropertyGroup>
 </Project>
diff --git a/tests/extmod/ssl_sslcontext_ciphers.py b/tests/extmod/ssl_sslcontext_ciphers.py
@@ -1,7 +1,7 @@
 # Basic test of ssl.SSLContext get_ciphers() and set_ciphers() methods.
 
 try:
-    import ssl
+    import tls as ssl
 except ImportError:
     print("SKIP")
     raise SystemExit
diff --git a/tests/extmod/ssl_sslcontext_micropython.py b/tests/extmod/ssl_sslcontext_micropython.py
@@ -1,7 +1,7 @@
 # Test MicroPython-specific behaviour of ssl.SSLContext.
 
 try:
-    import ssl
+    import tls as ssl
 except ImportError:
     print("SKIP")
     raise SystemExit
diff --git a/tests/multi_net/sslcontext_server_client_ciphers.py b/tests/multi_net/sslcontext_server_client_ciphers.py
@@ -4,6 +4,7 @@
     import os
     import socket
     import ssl
+    import tls
 except ImportError:
     print("SKIP")
     raise SystemExit
@@ -13,6 +14,8 @@
 # These are test certificates. See tests/README.md for details.
 cert = cafile = "ec_cert.der"
 key = "ec_key.der"
+with open(cafile, "rb") as f:
+    cadata = f.read()
 
 try:
     os.stat(cafile)
@@ -46,12 +49,12 @@ def instance1():
     multitest.next()
     s = socket.socket()
     s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
-    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT)
     ciphers = client_ctx.get_ciphers()
     assert "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" in ciphers
     client_ctx.set_ciphers(["TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"])
     client_ctx.verify_mode = ssl.CERT_REQUIRED
-    client_ctx.load_verify_locations(cafile=cafile)
+    client_ctx.load_verify_locations(cadata=cadata)
     s = client_ctx.wrap_socket(s, server_hostname="micropython.local")
     s.write(b"client to server")
     print(s.read(16))
diff --git a/tests/net_hosted/ssl_certcallback.py b/tests/net_hosted/ssl_certcallback.py
diff --git a/tests/ports/unix/extra_coverage.py.exp b/tests/ports/unix/extra_coverage.py.exp

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`require("mip-cmdline")`
	`2`	`+require("ssl")`