Hello,
This is my first message to this list. I'm also new to mbedTLS and TLS in
general, apologies in advance if I make any mistakes with my questions.
I have installed mbedTLS on a STM32H7 with CMSIS/Keil, using the Network
module and the mbedTLS pack (v2.6.0)
<https://www.keil.com/pack/doc/mbedTLS/html/index.html>. I have created a
server on the MCU, and as a client I am using a desktop application written
with Nodejs. Client and server communicate via ethernet interface and I
manage to transmit data between them. My priority is to develop the server,
not so much the client.
I have a specific requirement to use the cipher suite
“TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256”. As far as I understand, the
client must show a list of cipher suites to the server, and the server
chooses according to its priority. The priority is set with the macro
“MBEDTLS_SSL_CIPHERSUITES”. When inspecting the communication with *WireShark*
I see that among the list sent by the client there is the cipher I need:
“TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)”
On the other hand in my mbedTLS_config.h file I have activated the
following macro:
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
When the client connects an error occurs in the handshake, the method
“mbedtls_ssl_handshake()” returns the return code -0x7380
(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN).
If I comment the macro “MBEDTLS_SSL_CIPHERSUITES” the handshake method does
not return error and works correctly, but the cipher I am looking for is
not used, but “TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384”.
Maybe I am forgetting some configuration macro to be able to use the
mentioned cipher? Any idea?
--
Jordi Enguídanos Naranjo
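Added example, not part of the original message and not Mbed TLS source: a simplified C model of server-side suite selection, showing how pinning the list to an ECDHE-ECDSA suite ends in -0x7380 when no loaded certificate has an EC key. It assumes the server holds only an RSA certificate (consistent with ECDHE-RSA being negotiated once the macro is commented out); the function names, key flags and sample lists are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration; names and lists are constructed. */
#define SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 0xC02B /* id quoted in the message */
#define SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 0xC02C
#define SUITE_ECDHE_RSA_AES256_GCM_SHA384   0xC030
#define ERR_NO_CIPHER_CHOSEN (-0x7380) /* MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN */
enum { KEY_RSA = 1, KEY_EC = 2 };      /* bit flags: key types of loaded certs */

/* Key type the server certificate needs for the suite's authentication. */
static int required_key(int suite)
{
    switch (suite) {
    case SUITE_ECDHE_ECDSA_AES128_GCM_SHA256:
    case SUITE_ECDHE_ECDSA_AES256_GCM_SHA384: return KEY_EC;
    case SUITE_ECDHE_RSA_AES256_GCM_SHA384:   return KEY_RSA;
    default:                                  return 0; /* not built in */
    }
}

/* Walk the server list in priority order; take the first suite the client
 * offered AND that a loaded certificate can authenticate. */
int pick_suite(const int *server, size_t ns,
               const int *client, size_t nc, int server_keys)
{
    for (size_t i = 0; i < ns; i++) {
        int need = required_key(server[i]);
        if (need == 0 || (server_keys & need) == 0)
            continue; /* suite unusable with the keys we hold */
        for (size_t j = 0; j < nc; j++)
            if (client[j] == server[i])
                return server[i];
    }
    return ERR_NO_CIPHER_CHOSEN;
}

/* Constructed sample data: client offer, an unrestricted list, a pinned list. */
static const int CLIENT_OFFER[] = {0xC02B, 0xC02F, 0xC02C, 0xC030};
static const int DEFAULT_LIST[] = {0xC02C, 0xC030, 0xC02B};
static const int PINNED_LIST[]  = {0xC02B};

int main(void)
{
    printf("default, RSA cert: %#x\n", (unsigned)pick_suite(DEFAULT_LIST, 3, CLIENT_OFFER, 4, KEY_RSA));
    printf("pinned,  RSA cert: %d\n", pick_suite(PINNED_LIST, 1, CLIENT_OFFER, 4, KEY_RSA));
    printf("pinned,  EC cert:  %#x\n", (unsigned)pick_suite(PINNED_LIST, 1, CLIENT_OFFER, 4, KEY_EC));
    return 0;
}
```

In a real build the suite also has to be compiled in, which for this one means MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED together with MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_AES_C, MBEDTLS_GCM_C and MBEDTLS_SHA256_C.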
Hi all,
Please note that in the next couple of weeks, we will migrate Mbed TLS to a new GitHub organisation. Your existing scripts, links etc for accessing Mbed TLS on GitHub should not be affected.
This will change the url from https://github.com/ARMmbed/mbedtls to https://github.com/Mbed-TLS/mbedtls . GitHub will redirect any accesses to the old URL for the foreseeable future, but we would recommend updating your links once the migration is complete.
All of the Mbed TLS repositories will migrate to this new organisation, i.e.:
mbedtls
mbedtls-docs
mbedtls-test
Thanks
Dave Rodgman
Hi,
*Problem description:*
Trying to run example
https://github.com/ARMmbed/mbedtls/blob/master/programs/ssl/ssl_server2.c .
Updated ssl_server2 port to listen on 7777 for incoming client request,
ssl_server2 will be waiting for remote connection continuously.
There was no client request for connection on this port, but still server
is getting some spurious connection request and goes for handshake and
fails with below error code.
Error code: mbedtls_ssl_handshake returned error -30976
*Steps to reproduce:*
1. start ssl_server2 program
2. Monitor for ssl_server2 connection waiting, observe ssl_server2 will
accept spurious connection request and goes for handshake and fails
with above mentioned error code.
*Expected behavior:*
ssl_server2 wait for remote connection infinitely and connect to valid
client request and perform handshake every time.
*Actual behavior:*
Occasionally ssl_server2 will accept spurious connection request and goes
for handshake and fails with below error code.
Error code:
mbedtls_ssl_handshake returned error -30976 on ssl_server2
*Analysis:*
As per below logs what we understand is ssl_server2 will accept spurious
connection request and goes for handshake and fails with error code
-30796, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
on ssl_server2 side.
Can you please help us to understand this behavior?
What could be the reason for ssl_server2 to connect to a spurious
connection request? As mentioned above there was no client request for
connection on this ssl_server2 port (7777).
We have tried this on other SERVER_PORT as well.
*Logs Snippet:*
. Seeding the random number generator... ok
. Loading the CA root certificate ... ok (0 skipped)
. Loading the server cert. and key... ok
. Bind on tcp://*:7777/ ... ok
. Setting up the SSL/TLS structure... ok
. Waiting for a remote connection ...ok
. Performing the SSL/TLS handshake... failed
! mbedtls_ssl_handshake returned -0x7900
Last error was: -30976 - SSL - Processing of the ClientHello handshake
message failed
. Waiting for a remote connection ... ok
. Performing the SSL/TLS handshake... failed
! mbedtls_ssl_handshake returned -0x7900
Last error was: -30976 - SSL - Processing of the ClientHello handshake
message failed
. Waiting for a remote connection ... ok
. Performing the SSL/TLS handshake... failed
! mbedtls_ssl_handshake returned -0x7900
Last error was: -30976 - SSL - Processing of the ClientHello handshake
message failed
Regards
Mahesh
Hi,
We are pleased to announce the release of Mbed TLS 2.16.12, 2.28.0 and 3.1.0.
These releases of Mbed TLS address several security issues, provide bug fixes, and new features, including initial support for TLS 1.3 in Mbed TLS 3.1.0.
Full details are available in the release notes (https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0, https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0, https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12).
Mbed TLS 2.16.12 will be the last release in the 2.16 LTS; it will no longer be supported.
Mbed TLS 2.28 is the new long-term support release, and will be supported with bug-fixes and security fixes until end of 2024.
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Dave Rodgman
Hi,
On Monday at 10am UK time, we will hold the Mbed TLS Tech Forum. This is an open forum conference call for anyone to participate; please reply here if there are any agenda topics you would like to raise.
Zoom details are in the TF calendar: https://www.trustedfirmware.org/meetings/mbed-tls-technical-forum/ or see below
Dave
Join Zoom Meeting
https://linaro-org.zoom.us/j/99948462765?pwd=SGlHYlF1Z2owUDNFWWppaGlSRDh5UT…
Meeting ID: 999 4846 2765
Passcode: 196117
Hi,
Mbed TLS 2.16 LTS is approaching the end of its support period – it was originally announced that it would be maintained for at least 3 years up until the end of 2021 – and currently there is no other LTS branch.
To ensure that there is no period of time without a supported LTS branch, we plan to release 2.28 LTS in the near future (which will have the usual 3 year support period). We will continue supporting 2.16 LTS until this is available. The expectation is that as 2.28 will be API-compatible with 2.16, users of 2.16 LTS will be able to upgrade to 2.28 very easily.
Progress towards 2.28 LTS can be followed here: https://github.com/orgs/ARMmbed/projects/18#column-15836286
Dave Rodgman
Hi,
On Monday 8th we will have the next Mbed TLS Tech Forum. Please reply to the list if you have any agenda topics to raise.
As a starter for the agenda, we will likely discuss: https://github.com/ARMmbed/mbedtls/pull/5067 Proposal for driver dispatch code gen
Dave Rodgman
Zoom details below. The call will be recorded and made available on the TF website: https://www.trustedfirmware.org/meetings/
Join Zoom Meeting
https://linaro-org.zoom.us/j/99948462765?pwd=SGlHYlF1Z2owUDNFWWppaGlSRDh5UT…
Meeting ID: 999 4846 2765
Passcode: 196117
Hi,
I would like to announce the Mbed TLS Tech Forum, a regular engineering call to discuss topics of interest to the Mbed TLS community.
The call is currently planned to take place every two weeks, alternating between US-friendly and China-friendly times (16:30 and 10:00 UK time), starting on the 25th October at 16:30 BST.
Please reply to the list if you have any agenda topics to raise. As a starting point, we will cover:
- Format – check if times & cadence are suitable
- TLS 1.3 – high-level update on progress & direction
- PSA Cryptoprocessor Driver Interface – code generation for driver dispatch as per https://github.com/ARMmbed/mbedtls/pull/5067
Zoom details below. The call will be recorded and made available on the TF website: https://www.trustedfirmware.org/meetings/
Dave Rodgman
Mbed TLS tech lead
--
Dave Rodgman is inviting you to a scheduled Zoom meeting.
Join Zoom Meeting
https://armltd.zoom.us/j/93259847316?pwd=N0d4Z0o5RXRLKzZFaE1sd044bm14dz09&f…
Meeting ID: 932 5984 7316
Passcode: 991642
Hi,
Today we are switching our branches around, so that the development branch focuses on Mbed TLS 3.0, to be released mid-year. This will include API-breaking changes.
2.x development work will continue on the development_2.x branch. After merging development_3.0 onto development, the development_3.0 branch will be removed.
There is no change to the process for submitting PRs: new PRs should continue to target development, with backports to 2.x and 2.16 as needed. (The exception would be a bug-fix that only affects older branches, which would only need ports to the affected branches and not to development).
As part of the 3.0 work, we are looking at various things that can be removed from the library. For some of these, we’ve notified the mailing list – please let us know in the next week if you have a good reason for retaining the feature in question.
- Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0 https://github.com/ARMmbed/mbedtls/issues/4286
- Remove support for the "Truncated HMAC" (D)TLS extension https://github.com/ARMmbed/mbedtls/issues/4341
- Remove support for 3DES ciphersuites in (D)TLS https://github.com/ARMmbed/mbedtls/issues/4367
- Remove support for RC4, Blowfish, XTEA, MD2 and MD4 https://github.com/ARMmbed/mbedtls/issues/4084
- Remove support for pre-v3 X.509 certificates with extensions https://github.com/ARMmbed/mbedtls/issues/4386
- Remove the RSA key mutex https://github.com/ARMmbed/mbedtls/issues/4124
- Remove MBEDTLS_CHECK_PARAMS https://github.com/ARMmbed/mbedtls/issues/4313
- 3.0 and 2.x: Minimum development environment: is it OK to require Python >= 3.6 and/or CMake >= 3.5.2? https://lists.trustedfirmware.org/pipermail/mbed-tls/2021-March/000319.html
Dave Rodgman