Code size report:

   bare-arm:    +0 +0.000% 
minimal x86:    +0 +0.000% 
   unix x64: +5376 +0.670% standard[incl +640(data)]
      stm32:    +0 +0.000% PYBV10
     mimxrt:    +0 +0.000% TEENSY40
        rp2:    +0 +0.000% RPI_PICO
       samd:    +0 +0.000% ADAFRUIT_ITSYBITSY_M4_EXPRESS

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (4365edb) 98.36% compared to head (c9eb6bc) 98.39%.

@@            Coverage Diff             @@
##           master   #13098      +/-   ##
==========================================
+ Coverage   98.36%   98.39%   +0.02%     
==========================================
  Files         159      159              
  Lines       20989    21063      +74     
==========================================
+ Hits        20646    20724      +78     
+ Misses        343      339       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

TODO:

• SSLContext.set_ciphers implementation (see comments in extmod/asyncio: Add ssl support with SSLContext. #11897 )
• Buffer size/implementation for cert verify errors.
• SSLContext.load_cert_chain(certfile, keyfile=) MicroPython signature.

#11897 (comment)

@dpgeorge checking mbedtls programs, they use 512, so this may be a sensible default?,
otherwise if the buffer is too small the error info may be truncated?

mbedtls$ rg vrfy_buf
programs/x509/cert_app.c
331:                char vrfy_buf[512];
335:                mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
337:                mbedtls_printf("%s\n", vrfy_buf);

programs/ssl/ssl_mail_client.c
195:        char vrfy_buf[512];
201:        mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
203:        mbedtls_printf("%s\n", vrfy_buf);

programs/ssl/ssl_client1.c
207:        char vrfy_buf[512];
213:        mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
215:        mbedtls_printf("%s\n", vrfy_buf);

programs/ssl/dtls_client.c
236:        char vrfy_buf[512];
242:        mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
244:        mbedtls_printf("%s\n", vrfy_buf);

programs/ssl/ssl_server2.c
3431:            char vrfy_buf[512];
3434:            x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
3436:            mbedtls_printf("%s\n", vrfy_buf);
3489:        char vrfy_buf[512];
3493:        x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
3494:        mbedtls_printf("%s\n", vrfy_buf);

programs/ssl/ssl_client2.c
2347:        char vrfy_buf[512];
2350:        x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf),
2353:        mbedtls_printf("%s\n", vrfy_buf);

Other than this I will consider this PR done so let me know what you think 👍🏼

Regarding the load_cert_chain() signature: I really think we should keep this simple and just support positional arguments. Reasoning:

• smaller code
• still CPython compatible, CPython allows passing in both arguments as positional
• the CPython docs and all code in the CPython stdlib either do load_cert_chain(cert, key) or load_cert_chain(certfile=cert, keyfile=key), ie they either pass both as keyword args or both as positional args, and never one positional one keyword

checking mbedtls programs, they use 512, so this may be a sensible default?,
otherwise if the buffer is too small the error info may be truncated?

512 bytes is a lot of stack space to allocate. It's not critical for the error message to fit, even if it's truncated at least it gives a good indication of the problem.

I suggest using 256. That's a good balance of stack usage and available space for the error.

Otherwise, it could be implemented using dynamically allocated memory.

This looks good now. I have adjusted some of the tests so they pass on bare-metal targets (tested stm32 and esp32).

Thanks @Carglglz for all of your hard work on this, and replying promptly to all of the many code reviews!