To whom it may concern,
Our engineering team is using the Mbed TLS library in our wifi range extenders sold on markets and adhere to the licensing terms outlined in the sourcecode and docs. Thanks to Shaun’s guideline, it would be no royalty if we adhere to the licensing terms. Is there any other cost required for us to use the Mbed TLS library in our wifi range extenders, adhering to the licensing terms outlined in the sourcecode and docs?
Thank you
Carina
From: Shaun Longhorn <shaun.longhorn(a)linaro.org<mailto:shaun.longhorn@linaro.org>>
Sent: Tuesday, September 30, 2025 7:08 PM
To: Ken Chen <Ken.Chen(a)netgear.com<mailto:Ken.Chen@netgear.com>>
Cc: enquiries(a)trustedfirmware.org<mailto:enquiries@trustedfirmware.org>
Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
External Email. Be cautious clicking attachments and links. Report suspicious to reportphishing(a)netgear.com<mailto:reportphishing@netgear.com>.
Hi Ken,
I'm the Community Manager at Trusted Firmware. I can't advise you directly on your licensing situation but I can point you towards the documentation.
Mbed TLS is an open source community project and no royalty is required. You must adhere to the licensing terms outlined in the sourcecode and docs:
https://github.com/Mbed-TLS/mbedtls?tab=readme-ov-file#license<https://urldefense.com/v3/__https:/github.com/Mbed-TLS/mbedtls?tab=readme-o…>
https://mbed-tls.readthedocs.io/en/latest/kb/licensing/<https://urldefense.com/v3/__https:/mbed-tls.readthedocs.io/en/latest/kb/lic…>
You can also reach out to the Mbed-TLS community on the following public mailing list. https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirm…<https://urldefense.com/v3/__https:/lists.trustedfirmware.org/mailman3/lists…>
I should highlight our optional memberships for Trusted Firmware detailed on this page. https://www.trustedfirmware.org/join/<https://urldefense.com/v3/__https:/www.trustedfirmware.org/join/__;!!JNtdCR…> membership has a number of benefits detailed in the slides. It could be beneficial in terms of lab testing and project visibility. If you have an interest we can arrange a call with the Co-Chairs and discuss benefits in more detail.
Thanks,
Shaun
Community Manager
On Tue, 30 Sept 2025 at 09:20, 'Ken Chen' via TFenquiries <enquiries(a)trustedfirmware.org<mailto:enquiries@trustedfirmware.org>> wrote:
Dear Sir/Madam,
I am reaching out to inquire about the licensing terms and any potential royalty fees associated with using the Mbed TLS library in our commercial products.
I was unable to find a specific contact point for this type of query.
Could you kindly forward this message to the appropriate person or team for further discussion?
Thank you for your assistance.
Best regards
Ken
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
Hi Mbed TLS users,
We have released Mbed TLS version 3.6.5.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.5.
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
I am currently doing an ECDH exchange over MQTT (i.e. at the message layer; MQTT is fundamentally `untrusted') - with a bit of out of band work to confirm end to end integrity.
That worked nicely (and interoperable with java-bouncy-castle and openssl, etc with:
mbedtls_ecp_group_load( &ctx_cli.grp, MBEDTLS_ECP_DP_CURVE25519 )
mbedtls_ecdh_gen_public( &ctx_cli.grp, &ctx_cli.d, &ctx_cli.Q, mbedtls_ctr_drbg_random, &ctr_drbg)
mbedtls_mpi_write_binary( &ctx_cli.Q.X, node_publicsession, 32 )
to create the keys and with
mbedtls_mpi_lset( &ctx_cli.private_Qp.Z, 1 ))
mbedtls_mpi_read_binary( &ctx_cli.private_Qp.X, pubencr_tmp, CURVE259919_KEYLEN))
mbedtls_ecdh_compute_shared( &ctx_cli.grp, &ctx_cli.private_z, &ctx_cli.private_Qp, &ctx_cli.private_d, mbedtls_ctr_drbg_random, &ctr_drbg )
mbedtls_mpi_write_binary( &ctx_cli.private_z, sessionkey, CURVE259919_KEYLEN)
to calculate the emphemeral session key.
With the mbedtls_ecdh_context going increasingly private; I assume I can change the latter with:
mbedtls_ecdh_calc_secret(&ctx_cli, &len_sessionkey, sessionkey, sizeof(sessionkey), mbedtls_ctr_drbg_random, &ctr_drbg)
but am struggling to see how I an replace the key generation itself. Is there a similar option that does not look `into' ctx_cli ??
With kind regards,
Dw.
PS: actual code at https://github.com/MakerSpaceLeiden/AccesSystem/blob/master/lib-arduino/ACN…
FYI
From: Saheer Babu via Tf-openci <tf-openci(a)lists.trustedfirmware.org>
Date: Wednesday, 10 September 2025 at 15:17
To: tf-openci(a)lists.trustedfirmware.org <tf-openci(a)lists.trustedfirmware.org>
Subject: [Tf-openci] CI infrastructure scheduled maintenance: 12th Sep 2025
Hi all,
We will be performing upgrade of the clusters hosting review.trustedfirmware.org and ci.trustedfirmware.org on Friday, 12th Sep 2025 at 16:00 GMT+1.
During this maintenance window, both services will be unavailable for approximately 4 hours.
A follow-up email will be sent once the services are fully restored.
Best regards,
Saheer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Tf-openci mailing list -- tf-openci(a)lists.trustedfirmware.org
To unsubscribe send an email to tf-openci-leave(a)lists.trustedfirmware.org
Hi Team,
I am working on exploring DTLS handshake using the mbedtls-3.6.4 version on
our embedded platform. I enabled the hello verify request feature and got
stuck at hello verify request state on server side if I don't reset the ssl
context and don't set the client transport ID. I want to know if there is
any way to complete a handshake by bypassing the reset of ssl context and
setting the client transport ID.
Also, our environment only supports C89 constructs. I could not see
inttypes.h in the mbedtls-3.6.4, is there any specific reason to remove
this file? I am getting compilation errors without inttypes.h and stdint.h.
Is there any macro to be enabled to support the c89 compilation in mbedtls
stack?
Looking forward to your response.
Thanks and regards,
Ankita Hatmode
--
-------------------------------------------------------------------------------------------------------------------------
**Disclaimer:** This email message including any attachments is
confidential, and may be privileged and proprietary to Agiliad. If you are
not the intended recipient, please notify us immediately by replying to
this message and destroy all copies of this message including any
attachments. You are NOT authorized to read, print, retain, copy,
disseminate, distribute, or use this message or any part thereof. Thank
you.
------------------------------------------------------------------------------------------------------------------------
Dear MbedTLS maintainers,
we are already using MBedTLS, however, we recently enabled TLS 1.3 and
found that our certificates doesn't work anymore, because they are
brainpoolP256r1 (https://datatracker.ietf.org/doc/html/rfc8734). So the
question would be, if I missed any configuration to enable the usage of
brainpool curves (which are working for TLS 1.2) or if there are any
plans, that these are getting supported by MBedTLS 3.6.x?
Best regards,
Maren Konrad
Hi
We migrated from mbedtls 2.28 to mbedtls 3.6.2
https://github.com/Mbed-TLS/mbedtls/tree/107ea89daaefb9867ea9121002fbbdf926…
and
we see TLS handshake fails when we use TLS 1.2 in mbedtls 3.6.2 instead of
1.3.
We get below error
20E094B0FFFF0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof
while reading:/usr/src/debug/openssl/3.1.0-r0/ssl/record/rec_layer_s3.c:303:
# openssl s_client -connect 192.168.142.1:7001 -no_tls1_3 fails
After seeing the trace we have enabled ciphers but still we see the issue.
please advise, thanks.
Thanks
Kavitha
Hi Mbed TLS users,
We have released Mbed TLS versions 3.6.4.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.