Hi all,
I am writing in behalf of Security Pattern, a security firm specialized
in embedded systems.
We are a member of the QUBIP European Funded Project (https://qubip.eu),
which aims at transitioning protocols, networks, and systems to Post
Quantum algorithms.
As a result of the project, we have integrated a set of Post Quantum
algorithms in the TLS1.3 stack of the MbedTLS code (see here
https://github.com/QUBIP/pq-mqtt-client-mbedtls).
We have code running on STM32 Nucleo board in two versions:
the former is a full software, by leveraging the crypto primitives
provided in a library developed by another partner, the latter using a
Secure Element emulated by FPGA connected via I2C (also developed by
another partner of QUBIP).
Our main work has beed dedicated to integrating the new hybrid KEM and
signatures (MLKEM768-x25519 and MLDSA44-Ed25519) into the TLS stack, in
order to demonstrate communication with an MQTT broker running OpenSSL.
At the current stage we are about to publish the code on github with MIT
license (here https://github.com/QUBIP/pq-mqtt-client-mbedtls).
Meanwhile, we think the effort we made could be of help for MBedTLS
development/developers. So I would like to ask if you can address me to
some contact that is responsible in MbedTLS or ARM about the PQC
transition or the best way to facilitate the use/integration of our work.
Best Regards,
Alberto
--
Security Pattern <https://www.securitypattern.com/>
Alberto Battistello
Senior Security Engineer
M. +39 333 3239810
Via G. Boccaccio, 58 | 25080 Mazzano (BS) | Italy | P.I. 03943650980
www.securitypattern.com
<https://www.securitypattern.com/?utm_source=newsletter&utm_medium=email&utm…>
| Follow Linkedin <https://www.linkedin.com/company/securitypattern/> |
We value your privacy
<https://www.iubenda.com/privacy-policy/40319464/legal>
Hi,
I'm the main developer of Leshan Library. This is a Java open source
implementation of LWM2M protocol hosted at Eclipse Foundation.
We currently use Scandium (from Californium Project) as DTLS library.
This library fits our needs until now but we have some concerns about
future-proofness of it (Especially, there is no plan for DTLS 1.3) and
there is no support of TLS.
So we explore some other way for the future.
I had consider to use OpenJdk but there is a lot of missing IoT
Features. I contact OpenJdk security dev and they makes me understand
politely that IoT is not the priority (at least this is my understanding)
Another solution we explore would be to use an mbedtls Java binding.
(as mbedtls is well supported and focus IoT)
There is a not official one at :
https://github.com/open-coap/kotlin-mbedtls
*Questions :
*
1. Is there any official java binding ?
2. If no, is there any plan for that kind of binding ?
3. If no, if there is a community initiative could it be hosted by you ?
Thx,
Simon
Hi all,
We have encountered a challenge while using mbedTLS 3.5.1 and would greatly appreciate the assistance of the experts. Thank you in advance for your support.
I used mbedTLS 3.5.1 to connect to the server acc.connect.cpms.milence.com, and the TLS handshake failed with an Alert (Level: Fatal, Description: Protocol Version) error. Detailed information is described at this GitHub issue<https://github.com/Mbed-TLS/mbedtls/issues/10141>.
* We attempted to connect with the Windows EDGE browser and found through packet capture that the handshake was successful.
* We were also able to successfully handshake using TLS 1.2.
* When we limited the supported group to only: MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 and used TLS 1.3, the handshake was also successful.
For more details, please refer to the discussion on GitHub: Handshake fail with "Alert (Level: Fatal, Description: Protocol Version)" ・ Issue #10141 ・ Mbed-TLS/mbedtls<https://github.com/Mbed-TLS/mbedtls/issues/10141>.
Best Regards,
Fu Baicheng
Dear Mbed TLS users,
We have released Mbed TLS versions 3.6.3 and 2.28.10. These releases provide bugfixes, security fixes and minor improvements.
This release of Mbed TLS provides the fix for the TLS compatibility issue of handling fragmented handshake messages. This release includes fixes for security issues.
Full details are available in the release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.3
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many thanks,
Minos Galanakis
Mbed TLS developer
Dear Mbed TLS users,
We have released Mbed TLS versions 3.6.3 and 2.28.10. These releases provide bugfixes, security fixes and minor improvements.
This release of Mbed TLS provides the fix for the TLS compatibility issue of handling fragmented handshake messages. This release includes fixes for security issues.
Full details are available in the release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.3
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many thanks,
Minos Galanakis
Mbed TLS developer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org
Dear Mbed TLS users,
The next release of Mbed TLS (3.6.3 and 2.28.10) is scheduled on Monday
2025-03-24. It will include a security fix for a vulnerability with a
high impact to affected applications.
Due to the nature of the vulnerability, which involves an insecure
default in current versions of Mbed TLS, fixing it may require a small
change in application code. We will provide instructions in the release
notes. Without this change, affected applications will fail at runtime
with Mbed TLS 3.6.3 or 2.28.10. Applications that are currently secure
will generally not require any change.
We apologize for the inconvenience.
Best regards,
--
Gilles Peskine
On behalf of the Mbed TLS security team
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org
Hi Team,
I am working on an embedded security project and exploring ECC support in
MbedTLS 3.6.2. I would like to confirm whether the MbedTLS supports ECC-160
i.e. Elliptic Curve Cryptography with a 160 bit key size, in the latest
version or any earlier versions.
Looking forward to your response.
Thanks and regards,
Ankita Hatmode
--
-------------------------------------------------------------------------------------------------------------------------
**Disclaimer:** This email message including any attachments is
confidential, and may be privileged and proprietary to Agiliad. If you are
not the intended recipient, please notify us immediately by replying to
this message and destroy all copies of this message including any
attachments. You are NOT authorized to read, print, retain, copy,
disseminate, distribute, or use this message or any part thereof. Thank
you.
------------------------------------------------------------------------------------------------------------------------
Hello Everybody,
I am trying to migrate my cross-compilation setup from version 2.28.9 to
version 3.6.2.
I use a Makefile based approach for compilation.
Everything seems to work fine up to the point where the compilation process
reaches the test_suite data generation
Gen suites/test_suite_psa_crypto_generate_key.generated.data
suites/test_suite_psa_crypto_low_hash.generated.data
suites/test_suite_psa_crypto_not_supported.generated.data
suites/test_suite_psa_crypto_op_fail.generated.data
suites/test_suite_psa_crypto_storage_format.current.data
suites/test_suite_psa_crypto_storage_format.v0.data
At that point it seems that the python based tools attempts to execute a
temp executable (generated for my cross-compilation target ?) which fails.
The traceback obtained is the following:
Traceback (most recent call last):
File "../framework/scripts/generate_psa_tests.py", line 849, in <module>
test_data_generation.main(sys.argv[1:], __doc__, PSATestGenerator)
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/test_data_generation.py",
line 224, in main
generator.generate_target(target)
File "../framework/scripts/generate_psa_tests.py", line 845, in
generate_target
super().generate_target(name, self.info)
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/test_data_generation.py",
line 177, in generate_target
self.write_test_data_file(name, test_cases)
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/test_data_generation.py",
line 164, in write_test_data_file
test_case.write_data_file(filename, test_cases)
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/test_case.py",
line 88, in write_data_file
for tc in test_cases:
File "../framework/scripts/generate_psa_tests.py", line 694, in
all_test_cases
if key.location_value() != 0:
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/psa_storage.py",
line 186, in location_value
return self.lifetime.value() >> 8
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/psa_storage.py",
line 89, in value
self.update_cache()
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/psa_storage.py",
line 67, in update_cache
include_path=includes) #type: List[str]
File
"/home/dev/test/mbed-TLS_3.6.2/framework/scripts/mbedtls_framework/c_build_helper.py",
line 158, in get_c_expression_values
output = subprocess.check_output([exe_name])
File "/usr/lib/python3.7/subprocess.py", line 395, in check_output
**kwargs).stdout
File "/usr/lib/python3.7/subprocess.py", line 472, in run
with Popen(*popenargs, **kwargs) as process:
File "/usr/lib/python3.7/subprocess.py", line 775, in __init__
restore_signals, start_new_session)
File "/usr/lib/python3.7/subprocess.py", line 1522, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/tmp/tmp--m95sjmdw'
make[2]: *** [Makefile:127: generated_psa_test_data] Error 1
make[2] : on quitte le répertoire « /home/dev/test/mbed-TLS_3.6.2/tests »
make[1]: *** [Makefile:35: tests] Error 2
make[1] : on quitte le répertoire « /home/dev/test/mbed-TLS_3.6.2 »
make: *** [test.make:152: all] Error 2
Looking at the format of the generated tmp executable, it seems it is
generated for my cross-compilation target, it therefore cannot be executed
in my compilation environment.
I would like to be able to generate the test and test data in order to be
able to execute them on my compilation target, which is what I used to do
with the previously integrated version of the library.
Is there something I am missing in my compilation? am I missing a specific
setup variable in my Makefile?
Thanks for your feedback.
Best regards,
Francois
Hello,
I recently updated mbedTLS library version 2.6.2 to 3.6.2. I am using the
library to add https to Mongoose web server on a STM32H753 with FreeRTOS +
LWIP.
2.6.2 was generated in a IAR project using STMCubeMX.
What I am noticing is that file transfer performance has gotten much worse.
With version 2.6.2 it took a few minutes to transfer a file of around 33
MB, now with version 3.6.2 it takes around 15 min. What could this depend
on? Attached is the configuration used for the two versions. The
certificate for https is EC curve secp256r1.
Thank you
Dear Mbed TLS and PSA Crypto users,
We would like to update you on the release timeline for Mbed TLS 4.0/TF-PSACrypto1.0 release.
As a reminder, the key objectives of the release are a separate TF-PSA Crypto repo., PSA Crypto becoming the de facto Crypto API and Mbed TLS using PSA Crypto APIs as the crypto API by default.
While TF-PSA Crypto repository is now available, the remaining effort to be ready for the release is more than we originally planned for.
Based on remaining effort estimates, we plan to make Mbed TLS 4.0-Beta and TF-PSA Crypto 1.0-Beta release around end of June. The Mbed TLS 4.0, and TF-PSA Crypto 1.0 release is expected around end of September.
We don’t expect users to integrate the Beta release. Beta is aimed to pipeclean the separate Mbed TLS and TF-PSA Crypto release process and get any early feedback. The release in September is expected to be integrated by users to their projects.
We wanted to provide these revised release dates so that the users can plan accordingly. In the meantime, bug fixes and security fixes will continue to be provided via. Mbed TLS 3.6.x LTS releases.
Thanks,
Mbed TLS/PSA Crypto Maintainers.
--
Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org