From f3d1495fd3da2c737a043cfc65d5a4f5c6155ad5 Mon Sep 17 00:00:00 2001 From: Carlosgg Date: Sat, 30 Jul 2022 17:01:56 +0100 Subject: [PATCH] all: Update bindings, ports and tests for mbedtls v3.5.1. Changes include: - Some mbedtls source files renamed or deprecated. - Our `mbedtls_config.h` files are renamed to `mbedtls_config_port.h`, so they don't clash with mbedtls's new default configuration file named `mbedtls_config.h`. - MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is deprecated. - MBEDTLS_HAVE_TIME now requires an `mbedtls_ms_time` function to be defined but it's only used for TLSv1.3 (currently not enabled in MicroPython so there is a lazy implementation, i.e. seconds * 1000). - `tests/multi_net/ssl_data.py` is removed (due to deprecation of MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE), there are the existing `ssl_cert_rsa.py` and `sslcontext_server_client.py` tests which do very similar, simple SSL data transfer. - Tests now use an EC key by default (they are smaller and faster), and the RSA key has been regenerated due to the old PKCS encoding used by openssl rsa command, see https://stackoverflow.com/questions/40822328/openssl-rsa-key-pem-and-der-conversion-does-not-match (and `tests/README.md` has been updated accordingly). 
Signed-off-by: Carlos Gil --- extmod/extmod.cmake | 25 +++---- extmod/extmod.mk | 27 +++---- extmod/mbedtls/mbedtls_config_common.h | 11 ++- ...mbedtls_config.h => mbedtls_config_port.h} | 1 + ports/mimxrt/mbedtls/mbedtls_port.c | 10 ++- .../mbedtls_config_board.h | 2 +- ...mbedtls_config.h => mbedtls_config_port.h} | 1 + ports/renesas-ra/mbedtls/mbedtls_port.c | 10 ++- ...mbedtls_config.h => mbedtls_config_port.h} | 1 + ports/rp2/mbedtls/mbedtls_port.c | 9 ++- .../ARDUINO_GIGA/mbedtls_config_board.h | 2 +- .../mbedtls_config_board.h | 2 +- .../mbedtls_config_board.h | 2 +- ...mbedtls_config.h => mbedtls_config_port.h} | 1 + ports/stm32/mbedtls/mbedtls_port.c | 10 ++- ...mbedtls_config.h => mbedtls_config_port.h} | 1 - tests/README.md | 2 +- tests/multi_net/asyncio_tls_server_client.py | 4 +- ...o_tls_server_client_cert_required_error.py | 4 +- .../asyncio_tls_server_client_readline.py | 4 +- .../asyncio_tls_server_client_verify_error.py | 4 +- tests/multi_net/ec_cert.der | Bin 0 -> 471 bytes tests/multi_net/ec_key.der | Bin 0 -> 121 bytes tests/multi_net/expired_cert.der | Bin 1331 -> 471 bytes tests/multi_net/rsa_cert.der | Bin 867 -> 867 bytes tests/multi_net/rsa_key.der | Bin 1217 -> 1193 bytes tests/multi_net/ssl_cert_ec.py | 56 +++++++++++++++ .../{ssl_data.py.exp => ssl_cert_ec.py.exp} | 0 tests/multi_net/ssl_data.py | 67 ------------------ .../sslcontext_check_hostname_error.py | 4 +- tests/multi_net/sslcontext_getpeercert.py | 4 +- tests/multi_net/sslcontext_getpeercert.py.exp | 2 +- tests/multi_net/sslcontext_server_client.py | 4 +- .../sslcontext_server_client_ciphers.py | 8 +-- .../sslcontext_server_client_files.py | 4 +- tests/multi_net/sslcontext_verify_error.py | 4 +- .../multi_net/sslcontext_verify_time_error.py | 2 +- 37 files changed, 156 insertions(+), 132 deletions(-) rename ports/mimxrt/mbedtls/{mbedtls_config.h => mbedtls_config_port.h} (96%) rename ports/renesas-ra/mbedtls/{mbedtls_config.h => mbedtls_config_port.h} (96%) rename 
ports/rp2/mbedtls/{mbedtls_config.h => mbedtls_config_port.h} (97%) rename ports/stm32/mbedtls/{mbedtls_config.h => mbedtls_config_port.h} (96%) rename ports/unix/mbedtls/{mbedtls_config.h => mbedtls_config_port.h} (98%) create mode 100644 tests/multi_net/ec_cert.der create mode 100644 tests/multi_net/ec_key.der create mode 100644 tests/multi_net/ssl_cert_ec.py rename tests/multi_net/{ssl_data.py.exp => ssl_cert_ec.py.exp} (100%) delete mode 100644 tests/multi_net/ssl_data.py
diff --git a/extmod/extmod.cmake b/extmod/extmod.cmake
index ac10faa86..a55cd76f8 100644
--- a/extmod/extmod.cmake
+++ b/extmod/extmod.cmake
@@ -174,20 +174,24 @@ if(MICROPY_SSL_MBEDTLS)
 ${MICROPY_DIR}/lib/mbedtls_errors/mp_mbedtls_errors.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/aes.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/aesni.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/arc4.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/asn1parse.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/asn1write.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/base64.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_core.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_mod.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_mod_raw.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/blowfish.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/camellia.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ccm.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/certs.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/chacha20.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/chachapoly.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/cipher.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/cipher_wrap.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/nist_kw.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/aria.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/cmac.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/mps_reader.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/mps_trace.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ctr_drbg.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/debug.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/des.c
@@ -200,17 +204,13 @@ if(MICROPY_SSL_MBEDTLS)
 ${MICROPY_LIB_MBEDTLS_DIR}/library/entropy.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/entropy_poll.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/gcm.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/havege.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/hmac_drbg.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/md2.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/md4.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/md5.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/md.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/oid.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/padlock.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/pem.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/pk.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs11.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs12.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs5.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/pkparse.c
@@ -221,15 +221,17 @@ if(MICROPY_SSL_MBEDTLS)
 ${MICROPY_LIB_MBEDTLS_DIR}/library/poly1305.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ripemd160.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa_internal.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa_alt_helpers.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/sha1.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/sha256.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/sha512.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cache.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_ciphersuites.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cli.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls12_client.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls12_server.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_client.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cookie.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_srv.c
+ ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_debug_helpers_generated.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_msg.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_ticket.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls.c
@@ -242,11 +244,10 @@ if(MICROPY_SSL_MBEDTLS)
 ${MICROPY_LIB_MBEDTLS_DIR}/library/x509_csr.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/x509write_crt.c
 ${MICROPY_LIB_MBEDTLS_DIR}/library/x509write_csr.c
- ${MICROPY_LIB_MBEDTLS_DIR}/library/xtea.c
 )
 if(NOT MBEDTLS_CONFIG_FILE)
- set(MBEDTLS_CONFIG_FILE "${MICROPY_PORT_DIR}/mbedtls/mbedtls_config.h")
+ set(MBEDTLS_CONFIG_FILE "${MICROPY_PORT_DIR}/mbedtls/mbedtls_config_port.h")
 endif()
 target_compile_definitions(micropy_lib_mbedtls INTERFACE
diff --git a/extmod/extmod.mk b/extmod/extmod.mk
index 59e530d34..fdaa3d930 100644
--- a/extmod/extmod.mk
+++ b/extmod/extmod.mk
@@ -231,7 +231,7 @@ SRC_THIRDPARTY_C += $(addprefix $(AXTLS_DIR)/,\
 )
 else ifeq ($(MICROPY_SSL_MBEDTLS),1)
 MBEDTLS_DIR = lib/mbedtls
-MBEDTLS_CONFIG_FILE ?= \"mbedtls/mbedtls_config.h\"
+MBEDTLS_CONFIG_FILE ?= \"mbedtls/mbedtls_config_port.h\"
 GIT_SUBMODULES += $(MBEDTLS_DIR)
 CFLAGS_EXTMOD += -DMBEDTLS_CONFIG_FILE=$(MBEDTLS_CONFIG_FILE)
 CFLAGS_EXTMOD += -DMICROPY_SSL_MBEDTLS=1 -I$(TOP)/$(MBEDTLS_DIR)/include
@@ -239,20 +239,25 @@ SRC_THIRDPARTY_C += lib/mbedtls_errors/mp_mbedtls_errors.c
 SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 aes.c \
 aesni.c \
- arc4.c \
 asn1parse.c \
 asn1write.c \
 base64.c \
+ bignum_core.c \
+ bignum_mod.c \
+ bignum_mod_raw.c \
 bignum.c \
- blowfish.c \
 camellia.c \
 ccm.c \
- certs.c \
 chacha20.c \
 chachapoly.c \
 cipher.c \
 cipher_wrap.c \
+ nist_kw.c \
+ aria.c \
 cmac.c \
+ constant_time.c \
+ mps_reader.c \
+ mps_trace.c \
 ctr_drbg.c \
 debug.c \
 des.c \
@@ -265,17 +270,13 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 entropy.c \
 entropy_poll.c \
 gcm.c \
- havege.c \
 hmac_drbg.c \
- md2.c \
- md4.c \
 md5.c \
 md.c \
 oid.c \
 padlock.c \
 pem.c \
 pk.c \
- pkcs11.c \
 pkcs12.c \
 pkcs5.c \
 pkparse.c \
@@ -286,20 +287,21 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 poly1305.c \
 ripemd160.c \
 rsa.c \
- rsa_internal.c \
+ rsa_alt_helpers.c \
 sha1.c \
 sha256.c \
 sha512.c \
 ssl_cache.c \
 ssl_ciphersuites.c \
- ssl_cli.c \
+ ssl_client.c \
 ssl_cookie.c \
- ssl_srv.c \
+ ssl_debug_helpers_generated.c \
 ssl_msg.c \
 ssl_ticket.c \
 ssl_tls.c \
+ ssl_tls12_client.c \
+ ssl_tls12_server.c \
 timing.c \
- constant_time.c \
 x509.c \
 x509_create.c \
 x509_crl.c \
@@ -307,7 +309,6 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 x509_csr.c \
 x509write_crt.c \
 x509write_csr.c \
- xtea.c \
 )
 endif
 endif
diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h
index 95458f18d..db1562f27 100644
--- a/extmod/mbedtls/mbedtls_config_common.h
+++ b/extmod/mbedtls/mbedtls_config_common.h
@@ -45,9 +45,9 @@
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-// #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED // enabling this currently breaks ssl_data.py test
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_CAN_ECDH
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_SHA256_SMALLER
 #define MBEDTLS_SSL_PROTO_TLS1
@@ -81,12 +81,13 @@
 #define MBEDTLS_PLATFORM_C
 #define MBEDTLS_RSA_C
 #define MBEDTLS_SHA1_C
+#define MBEDTLS_SHA224_C
 #define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA384_C
 #define MBEDTLS_SHA512_C
 #define MBEDTLS_SSL_CLI_C
 #define MBEDTLS_SSL_SRV_C
 #define MBEDTLS_SSL_TLS_C
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_USE_C
@@ -97,6 +98,7 @@
 #define MBEDTLS_PLATFORM_MEMORY
 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
 #define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
 // Bare-metal memory allocation hooks.
 #include
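Review bot: In the `@@ -45,9 +45,9 @@` hunk of mbedtls_config_common.h the commented-out `MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` line is deleted instead of being enabled, so among the key exchanges visible in this hunk an RSA certificate can still only be used with `MBEDTLS_KEY_EXCHANGE_RSA_ENABLED`, which provides no forward secrecy. The removed comment named `ssl_data.py` as the blocker and this commit deletes that test, so if code size allows the define could now be switched on: `#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED`. Separately, `MBEDTLS_CAN_ECDH` and `MBEDTLS_PK_CAN_ECDSA_SIGN` appear to be macros that mbedtls derives itself from the enabled modules and not user-facing options, so a short comment such as `// set by hand because <reason>` would help whoever does the next mbedtls upgrade.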
@@ -109,7 +111,4 @@ void m_tracked_free(void *ptr);
 #endif
-// Include mbedtls configuration checker.
-#include "mbedtls/check_config.h"
-
 #endif // MICROPY_INCLUDED_MBEDTLS_CONFIG_COMMON_H
diff --git a/ports/mimxrt/mbedtls/mbedtls_config.h b/ports/mimxrt/mbedtls/mbedtls_config_port.h
similarity index 96%
rename from ports/mimxrt/mbedtls/mbedtls_config.h
rename to ports/mimxrt/mbedtls/mbedtls_config_port.h
index f264ed4ad..414f30527 100644
--- a/ports/mimxrt/mbedtls/mbedtls_config.h
+++ b/ports/mimxrt/mbedtls/mbedtls_config_port.h
@@ -30,6 +30,7 @@
 #include
 extern time_t mimxrt_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO mimxrt_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)
diff --git a/ports/mimxrt/mbedtls/mbedtls_port.c b/ports/mimxrt/mbedtls/mbedtls_port.c
index 044de317f..230e264bf 100644
--- a/ports/mimxrt/mbedtls/mbedtls_port.c
+++ b/ports/mimxrt/mbedtls/mbedtls_port.c
@@ -28,10 +28,11 @@
 #ifdef MICROPY_SSL_MBEDTLS
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "fsl_snvs_lp.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 void trng_random_data(unsigned char *output, size_t len);
@@ -52,6 +53,13 @@ time_t mimxrt_rtctime_seconds(time_t *timer) {
 SNVS_LP_SRTC_GetDatetime(SNVS, &date);
 return timeutils_seconds_since_epoch(date.year, date.month, date.day, date.hour, date.minute, date.second);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+ time_t *tv = NULL;
+ mbedtls_ms_time_t current_ms;
+ current_ms = mimxrt_rtctime_seconds(tv) * 1000;
+ return current_ms;
+}
 #endif
 #if defined(MBEDTLS_HAVE_TIME_DATE)
diff --git a/ports/renesas-ra/boards/ARDUINO_PORTENTA_C33/mbedtls_config_board.h b/ports/renesas-ra/boards/ARDUINO_PORTENTA_C33/mbedtls_config_board.h
index 63c1b284f..ef264a46b 100644
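Review bot: In the new `mbedtls_ms_time()` the product `mimxrt_rtctime_seconds(tv) * 1000` is computed in `time_t` and only then widened to `mbedtls_ms_time_t`, so on a toolchain where `time_t` is 32 bits it would overflow; casting first removes that dependency: `return (mbedtls_ms_time_t)mimxrt_rtctime_seconds(NULL) * 1000;`. The value also comes from the settable RTC at one-second resolution, while mbedtls's platform_time.h describes this function as monotonically increasing milliseconds, so the function deserves a comment along the lines of `// Coarse, RTC-based and not monotonic: only acceptable while TLS 1.3 is disabled.`, matching what the commit message says. The same body is added in the renesas-ra, rp2 and stm32 `mbedtls_port.c` hunks and the same two remarks apply there.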
--- a/ports/renesas-ra/boards/ARDUINO_PORTENTA_C33/mbedtls_config_board.h
+++ b/ports/renesas-ra/boards/ARDUINO_PORTENTA_C33/mbedtls_config_board.h
@@ -3,6 +3,6 @@
 #define MBEDTLS_ECP_NIST_OPTIM
-#include "ports/renesas-ra/mbedtls/mbedtls_config.h"
+#include "ports/renesas-ra/mbedtls/mbedtls_config_port.h"
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */
diff --git a/ports/renesas-ra/mbedtls/mbedtls_config.h b/ports/renesas-ra/mbedtls/mbedtls_config_port.h
similarity index 96%
rename from ports/renesas-ra/mbedtls/mbedtls_config.h
rename to ports/renesas-ra/mbedtls/mbedtls_config_port.h
index f036f536c..5660566ff 100644
--- a/ports/renesas-ra/mbedtls/mbedtls_config.h
+++ b/ports/renesas-ra/mbedtls/mbedtls_config_port.h
@@ -30,6 +30,7 @@
 #include
 extern time_t ra_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO ra_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)
diff --git a/ports/renesas-ra/mbedtls/mbedtls_port.c b/ports/renesas-ra/mbedtls/mbedtls_port.c
index 10c89bbcf..feeefa9c0 100644
--- a/ports/renesas-ra/mbedtls/mbedtls_port.c
+++ b/ports/renesas-ra/mbedtls/mbedtls_port.c
@@ -25,11 +25,12 @@
 */
 #include "rng.h"
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) {
@@ -57,6 +58,13 @@ time_t ra_rtctime_seconds(time_t *timer) {
 rtc_get_date(&date);
 return timeutils_seconds_since_epoch(2000 + date.Year, date.Month, date.Date, time.Hours, time.Minutes, time.Seconds);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+ time_t *tv = NULL;
+ mbedtls_ms_time_t current_ms;
+ current_ms = ra_rtctime_seconds(tv) * 1000;
+ return current_ms;
+}
 #endif
 #if defined(MBEDTLS_HAVE_TIME_DATE)
diff --git a/ports/rp2/mbedtls/mbedtls_config.h b/ports/rp2/mbedtls/mbedtls_config_port.h
similarity index 97%
rename from ports/rp2/mbedtls/mbedtls_config.h
rename to ports/rp2/mbedtls/mbedtls_config_port.h
index 81be6c111..4e4c6e263 100644
--- a/ports/rp2/mbedtls/mbedtls_config.h
+++ b/ports/rp2/mbedtls/mbedtls_config_port.h
@@ -37,6 +37,7 @@
 #include
 time_t rp2_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO rp2_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)
diff --git a/ports/rp2/mbedtls/mbedtls_port.c b/ports/rp2/mbedtls/mbedtls_port.c
index 9067eca90..9b1e0d20e 100644
--- a/ports/rp2/mbedtls/mbedtls_port.c
+++ b/ports/rp2/mbedtls/mbedtls_port.c
@@ -27,10 +27,11 @@
 #ifdef MICROPY_SSL_MBEDTLS
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 #include "hardware/rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 extern uint8_t rosc_random_u8(size_t cycles);
@@ -48,4 +49,10 @@ time_t rp2_rtctime_seconds(time_t *timer) {
 return timeutils_seconds_since_epoch(t.year, t.month, t.day, t.hour, t.min, t.sec);
 }
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+ time_t *tv = NULL;
+ mbedtls_ms_time_t current_ms;
+ current_ms = rp2_rtctime_seconds(tv) * 1000;
+ return current_ms;
+}
 #endif
diff --git a/ports/stm32/boards/ARDUINO_GIGA/mbedtls_config_board.h b/ports/stm32/boards/ARDUINO_GIGA/mbedtls_config_board.h
index 0e1703f1b..07aef7946 100644
--- a/ports/stm32/boards/ARDUINO_GIGA/mbedtls_config_board.h
+++ b/ports/stm32/boards/ARDUINO_GIGA/mbedtls_config_board.h
@@ -3,6 +3,6 @@
 #define MBEDTLS_ECP_NIST_OPTIM
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */
diff --git a/ports/stm32/boards/ARDUINO_NICLA_VISION/mbedtls_config_board.h b/ports/stm32/boards/ARDUINO_NICLA_VISION/mbedtls_config_board.h
index 0e1703f1b..07aef7946 100644
--- a/ports/stm32/boards/ARDUINO_NICLA_VISION/mbedtls_config_board.h
+++ b/ports/stm32/boards/ARDUINO_NICLA_VISION/mbedtls_config_board.h
@@ -3,6 +3,6 @@
 #define MBEDTLS_ECP_NIST_OPTIM
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */
diff --git a/ports/stm32/boards/ARDUINO_PORTENTA_H7/mbedtls_config_board.h b/ports/stm32/boards/ARDUINO_PORTENTA_H7/mbedtls_config_board.h
index 0e1703f1b..07aef7946 100644
--- a/ports/stm32/boards/ARDUINO_PORTENTA_H7/mbedtls_config_board.h
+++ b/ports/stm32/boards/ARDUINO_PORTENTA_H7/mbedtls_config_board.h
@@ -3,6 +3,6 @@
 #define MBEDTLS_ECP_NIST_OPTIM
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */
diff --git a/ports/stm32/mbedtls/mbedtls_config.h b/ports/stm32/mbedtls/mbedtls_config_port.h
similarity index 96%
rename from ports/stm32/mbedtls/mbedtls_config.h
rename to ports/stm32/mbedtls/mbedtls_config_port.h
index 336fee0a1..5f8bb1cfd 100644
--- a/ports/stm32/mbedtls/mbedtls_config.h
+++ b/ports/stm32/mbedtls/mbedtls_config_port.h
@@ -30,6 +30,7 @@
 #include
 extern time_t stm32_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO stm32_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)
diff --git a/ports/stm32/mbedtls/mbedtls_port.c b/ports/stm32/mbedtls/mbedtls_port.c
index cdfcd172a..a51144871 100644
--- a/ports/stm32/mbedtls/mbedtls_port.c
+++ b/ports/stm32/mbedtls/mbedtls_port.c
@@ -25,11 +25,12 @@
 */
 #include "rng.h"
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) {
@@ -57,6 +58,13 @@ time_t stm32_rtctime_seconds(time_t *timer) {
 HAL_RTC_GetDate(&RTCHandle, &date, RTC_FORMAT_BIN);
 return timeutils_seconds_since_epoch(2000 + date.Year, date.Month, date.Date, time.Hours, time.Minutes, time.Seconds);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+ time_t *tv = NULL;
+ mbedtls_ms_time_t current_ms;
+ current_ms = stm32_rtctime_seconds(tv) * 1000;
+ return current_ms;
+}
 #endif
 #if defined(MBEDTLS_HAVE_TIME_DATE)
diff --git a/ports/unix/mbedtls/mbedtls_config.h b/ports/unix/mbedtls/mbedtls_config_port.h
similarity index 98%
rename from ports/unix/mbedtls/mbedtls_config.h
rename to ports/unix/mbedtls/mbedtls_config_port.h
index 629064abc..c619de9b8 100644
--- a/ports/unix/mbedtls/mbedtls_config.h
+++ b/ports/unix/mbedtls/mbedtls_config_port.h
@@ -30,7 +30,6 @@
 #define MBEDTLS_CIPHER_MODE_CTR // needed for MICROPY_PY_CRYPTOLIB_CTR
 // Enable mbedtls modules
-#define MBEDTLS_HAVEGE_C
 #define MBEDTLS_TIMING_C
 // Include common mbedtls configuration.
diff --git a/tests/README.md b/tests/README.md
index 47fcacf40..3bc626bf9 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -189,7 +189,7 @@ In this case CN is: micropython.local
 Convert them to DER format:
 ```
-$ openssl rsa -in rsa_key.pem -out rsa_key.der -outform DER
+$ openssl pkey -in rsa_key.pem -out rsa_key.der -outform DER
 $ openssl x509 -in rsa_cert.pem -out rsa_cert.der -outform DER
 ```
diff --git a/tests/multi_net/asyncio_tls_server_client.py b/tests/multi_net/asyncio_tls_server_client.py
index 59e13ec45..98f15c662 100644
--- a/tests/multi_net/asyncio_tls_server_client.py
+++ b/tests/multi_net/asyncio_tls_server_client.py
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 try:
 os.stat(cafile)
diff --git a/tests/multi_net/asyncio_tls_server_client_cert_required_error.py b/tests/multi_net/asyncio_tls_server_client_cert_required_error.py
index 8607e4ff1..178ad3927 100644
--- a/tests/multi_net/asyncio_tls_server_client_cert_required_error.py
+++ b/tests/multi_net/asyncio_tls_server_client_cert_required_error.py
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 try:
 os.stat(cafile)
diff --git a/tests/multi_net/asyncio_tls_server_client_readline.py b/tests/multi_net/asyncio_tls_server_client_readline.py
index fd8685f5a..da5f1afee 100644
--- a/tests/multi_net/asyncio_tls_server_client_readline.py
+++ b/tests/multi_net/asyncio_tls_server_client_readline.py
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 try:
 os.stat(cafile)
diff --git a/tests/multi_net/asyncio_tls_server_client_verify_error.py b/tests/multi_net/asyncio_tls_server_client_verify_error.py
index c600dcc2c..362f0fc8e 100644
--- a/tests/multi_net/asyncio_tls_server_client_verify_error.py
+++ b/tests/multi_net/asyncio_tls_server_client_verify_error.py
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 try:
 os.stat(cafile)
diff --git a/tests/multi_net/ec_cert.der b/tests/multi_net/ec_cert.der new file mode 100644 index 0000000000000000000000000000000000000000..a503a39dfe49443dfdecfd79af0eab9f7cc2337d GIT binary patch literal 471 zcmXqLV!Uk7#8|n2nTe5!NyJ%n`Pu%=fBV!N4E<`RU*l3$UMp(A#m1r4=5fxJg_+5~ z-cZUwf{i(pg_%b%H#4~?zo4=tBR@|sCqFqc$56yT2qeeF!|e-_3joU*avN}hMA?Ly z977G{#CeTO3=9oT3`|UoO^u^~TvH&|7|NyGf=B~lHg>RknHZrCXJ%w)c4A=h-2U}f zM$M+EDJh4i2Q+%l)OU$#<33-&G_`Mwahch%^({PCPMo)%_Q}E{;l?_<$G?PQcd^Q~ zu|CtjQJ66&>x<3eV1qydS)f;B`B=nQL>xD-6PKO%*uYV?)p?iegHKmCO_er~2T3cl zNEnDUU{}BoQXtI8_@9Nef_u8yt6&GhJf9#m1r4=5fxJg_+5~ z-cZUwf{i(pg_%b%H#4~?zo4=tBR@|sCqFqc$56yT2qeeF!|e-_3joU*avN}hMA?Ly z977G{#CeTO3=9p83`|W;jm@K=Tw^Ggatk62gxT1^?qy>mFTj@`v7*T(ux z`$l2LoUAW4i-QdU4P=2{k>z6%V-a!OyiQzp;$s6x*;eOWt`9z4-85C&KprHm%pzeR z)_`3BKS+TvBjbM-Rs&`rg&exf9t;MqOo|LICr=KWmT9*jwDd8b&GN&}KaSm=T>2t4 y?r0-xoayo}tC$oR|2~Q8KYq|<|5Xp)IegZtfBv0#ckD{-B&OFcSJ{uPPzL}=8=4vb delta 1258 zcmcc4yqPP|povxApov+WNyO^r?ch+qmHZ}^=~qu3PTlb3%f{OVylk9WZ60mkc^MhG zSs4sM47m+B*_cCF*o2uJLk)!u1VJ1Q9^(op}Y{o+Wksj@}E5 zUq734X^*)V-^MShVf)pxuCpjKioN6Q*1xb-g5B%F3>p86M!GM=rk#1!+|jZjKkV}B zCv!f82?TumaqjB(FCT3=vNg(QO>^J<>)GMYYcrN^>U&YY@Z6?^8+D5r3{z(wxjR3h z>Bq#BtrPCIOHM$tQDt;{rzHpIz_JTiz z>#p6zvu-n)U!L2xS6jyT)Y4g}L&eT@9pEdzzBF)m>gCzj*0VUuH6G&2zEVp6dYZ27fMaiULU`2=et+_ z^F2??r_K(OV7nwXci)8?=g^)BJyRa0O#COMbav8?&o+WBrq*|6#B>ztr#@*=naE#c zV0z%Pb;V2#&HRm%&mA-6Xi>3d*dOSmb)kO#c1G=+r>+!cFgs~KxF~pU%}e25Cr)cW ze3`$(WkQBCUx>-TQ)5sLCUtovov$~XDPE}wOu#WB0ax;9y$ z@XX0gu51}sH!MzBGi#2Pa4PRn)w6e&eOPQS{Zl}5`BS}4V;lX;y~|AYo_NW+c5>UU zHvOmx|9RzDCx<>g&#Sp@?@_;>ugbMwM7S~euKw+AEFC3zzcNznNd0Q5@(pied<}2> zSfgcBpDGe^xjlnt*9Pl{Q7yu6vrk?=lt1(DgrhGe{oHf%3$OjKPD?o0`qTzKQ|?S`WbqJgqpP2q?4z4L2k6v`J)@s9BKJ@56u zyYz*ES>Meg?^W0`k5=eR3GvR`s=iI>pFzBBMZ^*3Uye@Q)k_iu4H|2&W=a0;J|!#7 z+UoGCrR2R+S^egBZx;NQ)$06bnzr!3m6O{7IpcdZ=U+B{dNF+d$z_#ST)4eId_LLK F4gijKKdb-% 
diff --git a/tests/multi_net/rsa_cert.der b/tests/multi_net/rsa_cert.der index 8fae71d4baa8cd3e2be3f3d2bedb62ebb33e371c..d0ea34bf4d63e2b84bbf19da64d0a98f4af8a9f5 100644 GIT binary patch delta 665 zcmV;K0%rZ=2IB@JFoFYLFoFU{paTK{0s<5wuk(~YwW*=sF0&t&g6?5ev6!}zBUl$P zH83~n(-~B>m8NtJ@P)w=k;z7H~BZDBCUpB+9;^>h6MH8}Ga~8vldteb$NpznL0Dn{% zCE!HpWMd+HmqgEzI>d^wrK$Gt8E=lU1?~MLOMAX;eyY8>*9M~gtF4&OyIORggw2og zTl5C5%vA;jf7?)gKYoC()^HO_P(@37TSaQ3@_Nw!v1W}hJqbGm4LYeBKEo{H*;m@( zK5Rr9p44n~`<|q72dsN@Hp_dFs7sqw0s{d60i#neQ7|0_163Uk1QrAo7;&25ymyP} zpp3dN8Zw9saXEX?Fdqg3RUIP)7%&!q6c}-u;JkN>=%9?cFB&q43~@Po(33s_C4ZzS z8WNT@%AM*xlN9rE^88fp0JFN6)na<5h)xI<) zOpw}m%r^H)vrFQjDJEr4(C8w}kYfkx&Rj20xS1-0Y^O+@R+C)1-CH7F0-z~bCTRLb z1?zpyZ=W}6aHuIspl;*x`Z4a^$bVjL@OYAu#662If--{;=3H{A8VH+Kxkck-52Z+> zp*xqR5Iqb4MO;P}Qw)lEDIZz(8tvTQhdg2PI7?kE;7PC-)Pt9*M5#p0-Gie?P3t6B zSaptjPPz#Nkn?7rYT`&E2#cPo+L8$q5qs=iyZoi4of<8HuT()FX7*IJ^#YrQIJz(- delta 665 zcmV;K0%rZ=2IB@JFoFYLFoFU{paTK{0s<6J0J0h?GD>%Ez0s|59Ejj-UIm?zBUl$O zGcYwXGchz;7Y#BsFflMPFf}tXF*K2qV}HoC3RHxqbshyHD~&AWjI=0;s1j0L*e~~z zL^m(ZIj$0x9CQ*ch)BQf@in2UhmM(%7<4|j5_G5vCzLRn}c7dh;xUk=}d?K;3gC4WRp zs3_^3zKR`w+dbY)1_mCp&qhyBZ>Hadu z7gh8tp|d)4@PFn#e=SthjK>9V;y5C_LHyrnfV2S#sR>h1fMC{ApaYR_O2uiC1OJg| zfaKozGeLUR@7{*GxA&(b^Y~qys$bl))&e^VaT``uYO-(&&%Lq&AYkPKI0BDexBV;% 
diff --git a/tests/multi_net/rsa_key.der b/tests/multi_net/rsa_key.der index c2cfb76d207e7afb33394bbcaf5525d7382dc2b6..c9c535ae639557e4e0023490a8f491a8ebf8985d 100644 GIT binary patch literal 1193 zcmV;a1XlYnf&`@k0RRGm0RaHcHA#8tD#$+6Jr!l6keA;P+b`4E2bpr*i#&OwdE7C> z8zHJUfGxM9d}-LU(sRIJY@2t@!SCGcY}`Wfcp3fK_=%b4iOr1NTt|Jc6iQeQlHdJ8 zWf{T4u24*==i))T$s>axnqM}d^wrK$Gt8E=lU1?~MLOMAX;eyY8>*9M~gtF4&OyIORggw2ogTl5C5%vA;j zf7?)gKYoC()^HO_P(@37TSaQ3@_Nw!v1W}hJqbGm4LYeBKEo{H*;m@(K5Rr9p44n~ z`<|q72dsN@Hp_dFsGC&+0|5X50)hbmJHn%_st#2IC|n(U88#6q^z+{lg8A_8DqM zM9TUR8ky8G9CW)L%&Nd1j=qNlEP$|)U3%`uxu%BvV^-xowxm+&4}4UxaGS#U7Uimh z3Qj$y>E+E`?pGOWI19{1fg*x~LZsS-li6Vjd!SOf$?%fxLE*Ur4}R;11W>?`_D&Wm zR1{Gf)N1K#^D#3p^RU`kI*3;Xt)j&8;P8I(Td0h#3R;SeIhat1+Q=%?RQnRwDTn%C z&W>s?JM{}k2Z!{{b=YJKF!R7o0)c@5>hgq)q8a96ry81^*EVOYrOU6BaXowMHDP@n zUdk|WHeLHi+ENYyvaob_#M4-My~dV5W!@VZf)t5i#E;s;uq5tSZJI zjPERM%2Q*UQwB;t!VjUk_LQ-sM1Qi#cJb6qThdD#7+()3p_k@;6g-;tb&5M@0)c@5 z;ID+9HImxTl$yoIaK;Vb&W-^p_&mUT--XY)t2;BBI}dc-;70)c@5(+c;WulSwl1M#%dkINDRmWD}qh~w7H zC=DYj-@COL?B-UF6u)w>$UJH3iOv+WuVJSqMhgl49CgQiv){ux&BPV05N`nKCB))q z8w%|n=p^fY&yZ?Zz=u@l+`rf2E}qbqJn)P%;0;JiGV98PQ#J@u>?oUL-D$Tq4bB#y z0)c@5ti=jD1%n9^Ie5{)Ol@A;k>S~%AvXZPexb=Rt?|ME^e literal 1217 zcmV;y1U~yPf&{$+0RS)!1_>&LNQUrr!ay9qXGc{0)hbn0LZlpRD`B= z9t9&SjV$Giv?z(F5>j2*FZYr}H!saOt`e3UbP_IzNWbmzHKD49j+v1dbUwEdbf^j^ zlrWm)&s>>O{1#~830zcx*6GlfNp!&A^&rcKCef|sUuZ>>e$^!hXNN<%`3xC2e~1EQ68WdaUJHGH6KNdf}_009Dm0RSW} zE{uuQ59_yeU6yxmaqG|;@P|zO$;j){93}3e3Ng(4?rA0!=}%+%+OL*V4Op>iEQDAA z+uBBMa|DdLj^L zh2>yytH@+-8JoegV^T#X1+$KCb{_(PfdJW>=*RfG!M;vGYUSVov*B)gB2e0lZJ`Ot z{m-JTH`87cEMkJFkmPGH8{9`dhN8^bciA$-J=V6fn#a~2FJRRUe}rMH$}fUo9PtXs zP@5c3YA(E?dApGqU>9Vw|Ii<8LgQ%}$MtF_7}?!8LBAO-^`8Z&-xqhL{)rW4K$il6 zfHW#`SlXmXKSpq(1GJX?`k09(o_0b?5Ih;PkL=P9OV3+=Kqp=SX|q8D{;-r)F9^ zopAt`tYM8J_NVcODA_lcw&Gq79%ojH!vcYT3@6|#6O{pctq5>^NartdKW4Xs2Et=` zWPh0>88$zp8Wb`b8s@|osShE~L|i?ZuYf|E6!)=&%1lFFNN1Ps06N8gqwCa? 
z4uvEmmJn0!Dsg7Wc#(kwt%h`(-nNd;|5pZCibaOl+{eJYc^;i2_5ka!cIl`*W-6f{ z0)c@5#<6P*4-tn^u^N#BUGa_+Bhj_x8=HnWhab^MWBD<g_) zfWDZ7Aax0^@U*8#QrcEUcV8%n1x#c*n>Jm
diff --git a/tests/multi_net/ssl_cert_ec.py b/tests/multi_net/ssl_cert_ec.py
new file mode 100644
index 000000000..2c5734e05
--- /dev/null
+++ b/tests/multi_net/ssl_cert_ec.py
@@ -0,0 +1,56 @@
+# Simple test creating an SSL connection and transferring some data
+# This test won't run under CPython because CPython doesn't have key/cert
+
+try:
+ import binascii, os, socket, ssl
+except ImportError:
+ print("SKIP")
+ raise SystemExit
+
+PORT = 8000
+
+# These are test certificates. See tests/README.md for details.
+certfile = "ec_cert.der"
+keyfile = "ec_key.der"
+
+try:
+ os.stat(certfile)
+ os.stat(keyfile)
+except OSError:
+ print("SKIP")
+ raise SystemExit
+
+with open(certfile, "rb") as cf:
+ cert = cadata = cf.read()
+
+with open(keyfile, "rb") as kf:
+ key = kf.read()
+
+
+# Server
+def instance0():
+ multitest.globals(IP=multitest.get_network_ip())
+ s = socket.socket()
+ s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
+ s.listen(1)
+ multitest.next()
+ s2, _ = s.accept()
+ s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert)
+ print(s2.read(16))
+ s2.write(b"server to client")
+ s2.close()
+ s.close()
+
+
+# Client
+def instance1():
+ multitest.next()
+ s = socket.socket()
+ s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
+ s = ssl.wrap_socket(
+ s, cert_reqs=ssl.CERT_REQUIRED, server_hostname="micropython.local", cadata=cadata
+ )
+ s.write(b"client to server")
+ print(s.read(16))
+ s.close()
diff --git a/tests/multi_net/ssl_data.py.exp b/tests/multi_net/ssl_cert_ec.py.exp
similarity index 100%
rename from tests/multi_net/ssl_data.py.exp
rename to tests/multi_net/ssl_cert_ec.py.exp
diff --git a/tests/multi_net/ssl_data.py b/tests/multi_net/ssl_data.py
deleted file mode 100644
index a21c8c658..000000000
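Review bot: The import line of the new `ssl_cert_ec.py`, `import binascii, os, socket, ssl`, still pulls in `binascii` although nothing in the file uses it now that the key and certificate are read from the `.der` files. Because that import sits inside the `try`/`except ImportError` that prints `SKIP`, a build without `binascii` would skip this TLS test for no reason; `import os, socket, ssl` is enough. The second header comment (`CPython doesn't have key/cert`) is also hard to read; if the intent is that CPython's `ssl.wrap_socket` lacks these arguments, wording like `# This test won't run under CPython because its ssl.wrap_socket() has no key/cert/cadata arguments` would say so.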
--- a/tests/multi_net/ssl_data.py
+++ /dev/null
@@ -1,67 +0,0 @@ -# Simple test creating an SSL connection and transferring some data -# This test won't run under CPython because it requires key/cert - -try: - import binascii, socket, ssl -except ImportError: - print("SKIP") - raise SystemExit - -PORT = 8000 - -# This self-signed key/cert pair is randomly generated and to be used for -# testing/demonstration only. You should always generate your own key/cert. -key = binascii.unhexlify( - b"3082013b020100024100cc20643fd3d9c21a0acba4f48f61aadd675f52175a9dcf07fbef" - b"610a6a6ba14abb891745cd18a1d4c056580d8ff1a639460f867013c8391cdc9f2e573b0f" - b"872d0203010001024100bb17a54aeb3dd7ae4edec05e775ca9632cf02d29c2a089b563b0" - b"d05cdf95aeca507de674553f28b4eadaca82d5549a86058f9996b07768686a5b02cb240d" - b"d9f1022100f4a63f5549e817547dca97b5c658038e8593cb78c5aba3c4642cc4cd031d86" - b"8f022100d598d870ffe4a34df8de57047a50b97b71f4d23e323f527837c9edae88c79483" - b"02210098560c89a70385c36eb07fd7083235c4c1184e525d838aedf7128958bedfdbb102" - b"2051c0dab7057a8176ca966f3feb81123d4974a733df0f958525f547dfd1c271f9022044" - b"6c2cafad455a671a8cf398e642e1be3b18a3d3aec2e67a9478f83c964c4f1f" -) -cert = binascii.unhexlify( - b"308201d53082017f020203e8300d06092a864886f70d01010505003075310b3009060355" - b"0406130258583114301206035504080c0b54686550726f76696e63653110300e06035504" - b"070c075468654369747931133011060355040a0c0a436f6d70616e7958595a3113301106" - b"0355040b0c0a436f6d70616e7958595a3114301206035504030c0b546865486f73744e61" - b"6d65301e170d3139313231383033333935355a170d3239313231353033333935355a3075" - b"310b30090603550406130258583114301206035504080c0b54686550726f76696e636531" - b"10300e06035504070c075468654369747931133011060355040a0c0a436f6d70616e7958" - b"595a31133011060355040b0c0a436f6d70616e7958595a3114301206035504030c0b5468" - b"65486f73744e616d65305c300d06092a864886f70d0101010500034b003048024100cc20" - b"643fd3d9c21a0acba4f48f61aadd675f52175a9dcf07fbef610a6a6ba14abb891745cd18" - 
b"a1d4c056580d8ff1a639460f867013c8391cdc9f2e573b0f872d0203010001300d06092a" - b"864886f70d0101050500034100b0513fe2829e9ecbe55b6dd14c0ede7502bde5d46153c8" - b"e960ae3ebc247371b525caeb41bbcf34686015a44c50d226e66aef0a97a63874ca5944ef" - b"979b57f0b3" -) - - -# Server -def instance0(): - multitest.globals(IP=multitest.get_network_ip()) - s = socket.socket() - s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) - s.listen(1) - multitest.next() - s2, _ = s.accept() - s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert) - print(s2.read(16)) - s2.write(b"server to client") - s2.close() - s.close() - - -# Client -def instance1(): - multitest.next() - s = socket.socket() - s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) - s = ssl.wrap_socket(s) - s.write(b"client to server") - print(s.read(16)) - s.close() diff --git a/tests/multi_net/sslcontext_check_hostname_error.py b/tests/multi_net/sslcontext_check_hostname_error.py index ac39211b0..d85363f00 100644 --- a/tests/multi_net/sslcontext_check_hostname_error.py +++ b/tests/multi_net/sslcontext_check_hostname_error.py @@ -11,8 +11,8 @@ except ImportError: PORT = 8000 # These are test certificates. See tests/README.md for details. -cert = cafile = "rsa_cert.der" -key = "rsa_key.der" +cert = cafile = "ec_cert.der" +key = "ec_key.der" try: os.stat(cafile) diff --git a/tests/multi_net/sslcontext_getpeercert.py b/tests/multi_net/sslcontext_getpeercert.py index 8748c1f78..e9d96be24 100644 --- a/tests/multi_net/sslcontext_getpeercert.py +++ b/tests/multi_net/sslcontext_getpeercert.py @@ -12,8 +12,8 @@ except ImportError: PORT = 8000 # These are test certificates. See tests/README.md for details. -cert = cafile = "rsa_cert.der" -key = "rsa_key.der" +cert = cafile = "ec_cert.der" +key = "ec_key.der" try: os.stat(cafile) diff --git a/tests/multi_net/sslcontext_getpeercert.py.exp b/tests/multi_net/sslcontext_getpeercert.py.exp index 7b0e9d40a..e7a0ab0b4 100644 
--- a/tests/multi_net/sslcontext_getpeercert.py.exp
+++ b/tests/multi_net/sslcontext_getpeercert.py.exp
@@ -1,5 +1,5 @@ --- instance0 --- b'client to server' --- instance1 --- -3082058930820371a00302010202141b3da08b15005eea265d0b57b8ba99812ab274cb300d06092a864886f70d01010b05003054310b30090603550406130241553113301106035504080c0a536f6d652d537461746531143012060355040a0c0b4d6963726f507974686f6e311a301806035504030c116d6963726f707974686f6e2e6c6f63616c301e170d3233313131393032323932375a170d3238313131373032323932375a3054310b30090603550406130241553113301106035504080c0a536f6d652d537461746531143012060355040a0c0b4d6963726f507974686f6e311a301806035504030c116d6963726f707974686f6e2e6c6f63616c30820222300d06092a864886f70d01010105000382020f003082020a0282020100deee37780ebca47e0f414ba033ebe692d2bc374a0eb1f42556bf266ad704208116ee0d8b2fd0b518074ad0981c4fd1322de81696ccea838884b06f56d3ebe49cf0561050f6f8ced5f7f4f13d086b28779a9647bbfae6c3f3ad68a5b28ee8a1ceb260d87ea300316599c4dd9f6082f89164b590df8695add518339f6730dec4f05b1ef63548329b0a48823035b23737f3303b56aa251dd8dcf0c20e6c1d291374c185ae657b349c20721c7c01a1b393c96d4c5f2bc8e2dfca7dab896e2fa84dee53d2bb6dbd1056970fa1812315e8ee9d92b3cb93e0b563d274bf07dd79600ef403b91d4ce814418b28cfaeb2b7d8401e64f6d4f39283df3204f2fe01f2fd289f5d2078d9ee2f96b6de1fd4284d9274fa38b0ad9ffcce8ffe66673be2cf304ee1b27c7cacaaf4ca76f1e84419e6e80f540add3e91cd469903e9ceb6bd2b1c33caa59acb5516ce8ac00e73d7a551bb65d39bd6af04411e81c20e6bd474d797a0bcd498e26720bd60ae4f900bb1afa59c7ac7a336273c7734ca5874ea63fb8ec787ab702041442da11a922baf5fbeb9eeea4f9f49cb1f659b561806d2169dbed07c43558c908c94e16491fe1a22cd92b8f33c1184353bdc985c88722f65e48024910f723035c0d33b789928296fb193cec6350884243b00bf51422ad09fb7012bd9cad4716803422be0d111deace913fac8cb2be1e96fa8449068430e5424bd0bd10203010001a3533051301d0603551d0e041604147d392a82ab464936fd7d74226694556a2945fd8d301f0603551d230418301680147d392a82ab464936fd7d74226694556a2945fd8d300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382020100ae40c015e3eade8dabc84ee357ac9d694e7cd69ce4a1b265880273d16257119aa72fb2aa8b841e2899bea3e8690146f24d963a37825c9
3bf745447dc6ab09b5f2947671dca13b1e71f5c3e43011d74cdc688ed1215b3016071ae7235d77f79d7bb81f097bb04a08ccf400717721b29e2ea913eb23614610597deee477ed716db7e8ebe11aed39c7035f48259dfa54d88871c1f67159d52ce11eb111fa00708a7d7081c07fd92d54abbaec7ff1b50ce2f6f358857d2f55d1c7b5aa6dd66b9c3c2e654397e2d5330aca9834ff8fd749ce968c706fe3bb1b8510a379ec1910d7ece0212c34d56a2073fb7f25c88fe298568e448d03ec30b348f7d9a8836390216a6da7a8efed50dfb8c21a8531efc158e7f4398f87af18d1bd2926d08d34364bf5d85e88040dff3d3f1da6268dbc0cafa64f544c065380fa695a8d015b385aed0a1fd9ff1d7c2b28a549e04c1132b421f85a85640acac11c69416859fb9b461eeddffa92ae303b35c7233537077068de558dd02715e25aee976a97879038d2952be0d327892ab2fc78716b0d7aab4b923d5d79905f7f8b6a18c42e466fec62f84b6e5957deae0964dab8436b0e0cd4e08012661bafb9588fbfd7068fd6c08ab79101a4bdfe21d95cd0ee0aad7dd8a3ed128071c0ec2d063dc6dfa63189e51bf5d9259e776d7623f745a73f4e12e5c2b90493de1c6436b339e1400891e3e35c31057 +308201d330820179a00302010202144315a7cd8f69febe2640314e7c97d60a2523ad15300a06082a8648ce3d040302303f311a301806035504030c116d6963726f707974686f6e2e6c6f63616c31143012060355040a0c0b4d6963726f507974686f6e310b3009060355040613024155301e170d3234303131343034353335335a170d3235303131333034353335335a303f311a301806035504030c116d6963726f707974686f6e2e6c6f63616c31143012060355040a0c0b4d6963726f507974686f6e310b30090603550406130241553059301306072a8648ce3d020106082a8648ce3d0301070342000449b7f5fa687cb25a9464c397508149992f445c860bcf7002958eb4337636c6af840cd4c8cf3b96f2384860d8ae3ee3fa135dba051e8605e62bd871689c6af43ca3533051301d0603551d0e0416041441b3ae171d91e330411d8543ba45e0f2d5b2951b301f0603551d2304183016801441b3ae171d91e330411d8543ba45e0f2d5b2951b300f0603551d130101ff040530030101ff300a06082a8648ce3d04030203480030450220587f61c34739d6fab5802a674dcc54443ae9c87da374078c4ee1cd83f4ad1694022100cfc45dcf264888c6ba2c36e78bd27bb67856d7879a052dd7aa7ecf7215f7b992 b'server to client' 
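Review bot: The certificate now expected from `getpeercert` is valid for only one year: the two UTCTime fields in the added line decode to 240114045353Z and 250113045353Z, whereas the RSA certificate on the removed line ran from 231119022927Z to 281117022927Z. The tests in this directory that load `ec_cert.der` as `cafile` with `CERT_REQUIRED` will presumably start failing on any target with a working clock once that date passes, and the failure would look like a TLS regression rather than an expired fixture. Regenerating `ec_cert.der` with a validity at least as long as the old certificate's, and recording the expiry in `tests/README.md` (for example `ec_cert.der expires <date>; regenerate before then`), would keep `expired_cert.der` the only fixture that is meant to fail the time check.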
diff --git a/tests/multi_net/sslcontext_server_client.py b/tests/multi_net/sslcontext_server_client.py
index c263ae31b..473c9c376 100644
--- a/tests/multi_net/sslcontext_server_client.py
+++ b/tests/multi_net/sslcontext_server_client.py
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-certfile = "rsa_cert.der"
-keyfile = "rsa_key.der"
+certfile = "ec_cert.der"
+keyfile = "ec_key.der"
 
 try:
     os.stat(certfile)
diff --git a/tests/multi_net/sslcontext_server_client_ciphers.py b/tests/multi_net/sslcontext_server_client_ciphers.py
index be7c332b4..d65d860fb 100644
--- a/tests/multi_net/sslcontext_server_client_ciphers.py
+++ b/tests/multi_net/sslcontext_server_client_ciphers.py
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)
@@ -48,8 +48,8 @@ def instance1():
     s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
     client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     ciphers = client_ctx.get_ciphers()
-    assert "TLS-RSA-WITH-AES-256-CBC-SHA256" in ciphers
-    client_ctx.set_ciphers(["TLS-RSA-WITH-AES-256-CBC-SHA256"])
+    assert "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" in ciphers
+    client_ctx.set_ciphers(["TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"])
     client_ctx.verify_mode = ssl.CERT_REQUIRED
     client_ctx.load_verify_locations(cafile=cafile)
     s = client_ctx.wrap_socket(s, server_hostname="micropython.local")
diff --git a/tests/multi_net/sslcontext_server_client_files.py b/tests/multi_net/sslcontext_server_client_files.py
index e1ea1b3aa..64a4215c7 100644
--- a/tests/multi_net/sslcontext_server_client_files.py
+++ b/tests/multi_net/sslcontext_server_client_files.py
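Review bot: The suite name in `instance1` of `sslcontext_server_client_ciphers.py` is written out twice, so the membership check and the `set_ciphers` call can drift apart on the next fixture change, and the bare `assert` gives no hint of what the build actually offers when it fails. Binding the name once near `PORT`, `CIPHER = "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"`, then using `assert CIPHER in ciphers, ciphers` and `client_ctx.set_ciphers([CIPHER])`, covers both. The pinned suite is also a CBC-mode one; if the ports' mbedtls configuration enables an AEAD suite for ECDSA keys, which this hunk does not show, pinning that instead would be the more representative choice. `instance1` starts and ends outside the hunk.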
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)
diff --git a/tests/multi_net/sslcontext_verify_error.py b/tests/multi_net/sslcontext_verify_error.py
index 4a7a6cfcc..5dc461e77 100644
--- a/tests/multi_net/sslcontext_verify_error.py
+++ b/tests/multi_net/sslcontext_verify_error.py
@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)
diff --git a/tests/multi_net/sslcontext_verify_time_error.py b/tests/multi_net/sslcontext_verify_time_error.py
index e5dc49645..fbefdecf9 100644
--- a/tests/multi_net/sslcontext_verify_time_error.py
+++ b/tests/multi_net/sslcontext_verify_time_error.py
@@ -12,7 +12,7 @@ PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
 cert = cafile = "expired_cert.der"
-key = "rsa_key.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)
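Review bot: Nothing in the changed lines of `sslcontext_verify_time_error.py` records that `expired_cert.der` has to be issued for `ec_key.der`, the key this hunk now pairs it with. The diffstat suggests the certificate was regenerated (it shrinks to the size of `ec_cert.der`), but if only one of the two files is regenerated later, the test would presumably fail for a reason other than the validity period it is meant to exercise. A comment above the assignment would be enough: `# expired_cert.der is an expired certificate for ec_key.der; regenerate both together.`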