Hello,
We are considering dropping support for Visual Studio 2013 and Visual
Studio 2015 from Mbed TLS 3.6 onwards. This would make Mbed TLS 3.6
require Visual Studio 2017 or newer. (Mbed TLS 2.28 LTS is not affected.)
Per the Visual Studio product lifecycle
<https://learn.microsoft.com/en-us/visualstudio/productinfo/vs-servicing#old…>,
VS 2013 and 2015 are currently on extended support, but their support
will end during the lifetime of Mbed TLS 3.6 LTS.
Our reasons are:
* We prefer not to support products that are not supported upstream,
such as VS 2013 and 2015 will be during the lifetime of 3.6 LTS.
* Older versions of Visual Studio tend to require workarounds due to
their incomplete support for C99, and we would like to reduce those.
We may drop support for older versions of MinGW as well for this reason.
* The development branch of Mbed TLS is currently triggering an
internal compiler error in VS 2015
<https://github.com/Mbed-TLS/mbedtls/issues/8735>.
If you want to keep support for VS 2013 and 2015 in Mbed TLS 3.6, please
let us know as soon as possible and tell us why it's important.
Assistance with the internal compiler error would be appreciated.
Best regards,
--
Gilles Peskine
Mbed TLS developer
Hi,
Please let me know if MBed TLS is designed for Security level at Transport
/ Network Level Implementation of OSI model - at network socket connection
level.
Please let us know if MBed TLS routines can be used at DataLink Layer
specifically for 802.1x protocols.
Referring to the example as provided in tutorial -
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/mbedtls-tutorial/
What would be setup / config accordingly for non socket
dependent implementation.
Thanks in advance.
Regards,
Prakash
Hi,
I was referring to below URLs for understanding key exchange using
certificate in TLS framework:
https://tls12.xargs.org/https://tls13.xargs.org/
I have some confusion related to above TLS 1.2 and 1.3 flows and require
guidance from your side accordingly. I understand the key exchange using
certificates highly depends on configuration and capabilities setup.
But then how do we know what goes on a TLS connection based on
configuration and setup capabilities? What are the different configurations
and when should we set them?
I need the same details with reference to a TLS connection setup from a
client in our codebase while other for EAP TLS using the below example
available in the url below:
https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl…
Firstly in the above code we do see a lot of configuration and
initialization like below:
eap_cb.get_config = peer_get_config;
eap_cb.get_bool = peer_get_bool;
eap_cb.set_bool = peer_set_bool;
eap_cb.get_int = peer_get_int;
eap_cb.set_int = peer_set_int;
eap_cb.get_eapReqData = peer_get_eapReqData;
eap_cb.set_config_blob = peer_set_config_blob;
eap_cb.get_config_blob = peer_get_config_blob;
eap_cb.notify_pending = peer_notify_pending;
Whereas our client code which connects to the cloud using certificates to
obtain some data in below mentioned way:
keyman_creds_for_purpose() - get the creds read and parse the crt.pem,
key.pem and trusted_ca.pem files. It make uses of below APis:readfile() -
read the file from key storageparse_private_key() & mbedtls_pk_parse_key()
- I believe it is for parsing the keys read from file
Setup MBed TLS
mbedtls_ssl_config_init() - Initialize
mbedtls_ssl_configmbedtls_ctr_drbg_init() - CTR_DRBG context initialization
mbedtls_ctr_drbg_seed()
mbedtls_ssl_conf_rng()
mbedtls_ssl_conf_ca_chain()
mbedtls_ssl_conf_own_cert()
mbedtls_ssl_conf_authmode()
t_socket()
I am quite new to this code so could have missed or provided wrong info -
but I hope I give the overall picture of code implementation - note that
this client code is a working code with no issues.
My queries are mentioned below:
1) Does the same TLS message flow occur in both cases - our client code and
EAP TLS? If not then what's the difference in-between them?
2) How do we understand exact implementation and message flows?
3) What are the different ways to implement TLS connection using certs?
4) Any additional information that can helpful to me like - some references
to tutorials / examples / guide would be an added advantage
Thanks in advance.
Regards,
Prakash
Hi,
when upgrading MBed TLS from 2.16.x to the LTS 2.28.x version on an ARM
32 bit system,
I realized that the byte-order macros were collected to one file
(common.h) with the possibility to replace them.
After writing ARM optimized macros, I checked this topic in the 3.5.x
version where it was implemented in a similar way in alignment.h.
With this input the following solution was made for the 2.28.x branch:
https://github.com/jojwoos/MbedTLS_wrapper
A bit late, but maybe someone can still use it:)
Perhaps the 64 bit swap, build from two optimized 32bit swaps, can
provide some input for the actual 3.5.x version.
You can find it at:
"// general 64 bit optimization if only 32 bit optimization is available"
(32bit ARM systems usually don't have optimized 64bit swap functions)
Best regards,
Jürgen
Hi,
Referring to the example as in
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/mbedtls-tutorial/
(secure connection) does the secret key exchange takes place in-between
server and client.
Is there any flowchart / diagram that states what happens during the server
client connection - how the keys are exchanged and what types of certs are
exchanged, I mean like .pem, X.509 etc?
Can we take this way that be it any type of certificate the code
implementation is the same for all TLS communication?
Thanks in advance.
Regards,
Prakash
Hello,
In psa_validate_key_attributes(), when the key ID is invalid for persistent keys the function returns PSA_ERROR_INVALID_ARGUMENT. See https://github.com/Mbed-TLS/mbedtls/blob/development/library/psa_crypto.c#L….
The comments for PSA_ERROR_INVALID_ARGUMENT explicitly states that this error should not be returned when key identifier is invalid, instead PSA_ERROR_INVALID_HANDLE should be returned.
For the above psa_validate_key_attributes() usecase, which is the correct return code - PSA_ERROR_INVALID_ARGUMENT or PSA_ERROR_INVALID_HANDLE?
Regards,
Archanaa
