Dear MbedTLS maintainers,
we are already using MBedTLS, however, we recently enabled TLS 1.3 and
found that our certificates doesn't work anymore, because they are
brainpoolP256r1 (https://datatracker.ietf.org/doc/html/rfc8734). So the
question would be, if I missed any configuration to enable the usage of
brainpool curves (which are working for TLS 1.2) or if there are any
plans, that these are getting supported by MBedTLS 3.6.x?
Best regards,
Maren Konrad
Hi Mbed TLS users,
We have released Mbed TLS versions 3.6.4.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Hi Mbed TLS users,
We have released Mbed TLS versions 3.6.4.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org
Hi
We are using mbedtls 2.28.9 and want to offload crypto operations to HSM
from NXP imx-secure-enclave.
is the below approach correct or please suggest alternate approaches if any?
1.Transition all apis from traditional apis to psa in modules
Use PSA crypto module
https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md
2. Integrate PSA module with imx-secure-enclave in our custom mbedtls
3. All modules will use custom mbedtls which will internally offload crypto
operations to HSM
or Do you recommend to use MBEDTLS_PK_RSA_ALT_SUPPORT? and implement the
key creation/signing/export of public key operations ?
Thanks,
Kavitha
Hi!
We are working with Mbed TLS 3.6.0 library and need the following information:
1.
Is there any End-Of-Life date planned for this library?
2. What is the current version?
3. How can we obtain support for the library enquiries? Does this support has a cost?
4.
How is the library update? Does this update has a cost?
5.
Are this library Open Source?
Thanks in advance for your help! 🙂
Have a great day!
Héctor J. Solís Castillo
Embedded Engr I
Honeywell | HTS Building Automation
990, Av. Eje 5 Norte, Mexico City
CDMX
hectorjose.solis(a)honeywell.com<mailto:hectorjose.solis@honeywell.com>
honeywell.com<http://www.honeywell.com/>
Pronouns: He/Him<https://www.mypronouns.org/what-and-why>
Hello,
I have the following two certificate chains: server <- intermediateCA <-
rootCA and client <- intermediateCA <- rootCA.
Currently there are two ways the client is authenticated by the server:
both the intermediateCA and rootCA certificates are configured as CAs on
the server or if only intermediateCA is configured.
I am using a custom verify callback set by mbedtls_ssl_conf_verify().
I would like to achieve two separate cases:
1) Make the MbedTLS' built-in pre-verify be successful, even when only
the rootCA certificate is set as the server's CA.
2) Always obtain the whole certificate chain up to the root in the
verify callback.
For case 1) this is how our OpenSSL TLS implementation works, it is
discussed here <https://github.com/openssl/openssl/issues/7871>. From my
understanding the server should be able to build the certificate chain
by inquiring the client about its certificate's issuer, etc.
For case 2), whenever both rootCA and intermediateCA are configured on
the server, only the chain client <- intermediateCA is received by the
callback. I would like to be able to receive the chain client <-
intermediateCA <- rootCA.
Are these two cases achievable with mbedTLS? For reference I am using
mbedTLS 3.5.2. For my server I would like to utilize both cases 1) and
2) and for the client only the case 1).
Kind regards,
Roman Janota
