- mbed-tls - lists.trustedfirmware.org

by Martin Man

Hi guys, I use mbedtls for years (since 2.10 IIRC) upgrading to latest available as time goes by. For DTLS that is. I remember a case in the past where a link would have a small MTU (around 500 bytes) and I had to tune ssl_context.handshake.mtu to a lower value to successfully complete handshakes. I do not remember exactly why, but I did not want to actually restrict maximum value via mbedtls_ssl_set_mtu, maybe it was even ignored back then for handshakes… but Now when working on migration to 3.2.1 (gave some time to 3x releases to stabilize) I noticed that the whole ssl_context.handshake member is now private and inaccessible, which I guess is fine. Could somebody with more knowledge of the code recommend what is the best strategy for DTLS app where MTU may not always be 1400? thanks a lot for your time, Martin

2 years, 12 months

4
7
0 0

Regarding Connection ID (RFC 9146) support in Mbed TLS

by Jérémy Audiger

Hi everyone, I would like to know what is the current support of Mbed TLS regarding the RFC 9146 (https://datatracker.ietf.org/doc/html/rfc9146) published in March 2022. Mbed TLS is currently supporting a draft version of this RFC (https://datatracker.ietf.org/doc/html/draft-ietf-tls-dtls-connection-id-05) through the define MBEDTLS_SSL_DTLS_CONNECTION_ID, but I just wanted to know the progress on supporting the newly RFC released this year. Are there any plan to support it soon ? If yes, will it be in the coming weeks / months (i.e.: next release) ? I'm asking since I'm currently playing with the Connection ID on both a DTLS 1.2 Server and DTLS 1.2 Client. Anyway, have a nice day, Best regards, Jérémy Audiger [ioterop-your-lwm2m-partner]<https://ioterop.com/> [social-icon-linkedin]<https://www.linkedin.com/company/7955832/> [social-icon-twitter] <https://twitter.com/ioteropcompany> [social-icon-facebook] <https://www.facebook.com/IoteropCompany/>

3 years

2
1
0 0

Reminder: MBed TLS Technical Forum - US/Europe

by Don Harbin

Hi All, A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum is next Monday at 4:30 PM UK time. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

3 years

1
0
0 0

Re: What am I doing wrong?

by Marco Nilsson

We're seeing pretty much the same issue on 3.0.0 ARM. However, if I build the ssh_client2 tool on my host machine (x64) and try to mimic the config as close as possible, it works just fine. Do you think we're seeing the same problem? Will try with a newer version next week.

3 years

1
0
0 0

HMAC and CMAC Verification

by Ahmed Mohammed

Hello, I am wondering if there are APIs for Hmac and Cmac verification? from md.h and cmac.h, Hmac and Cmac generation functionalities are provided in a single and streaming approach. But is there a plan to add verification APIs for future releases maybe? Kind regards, Ahmed Mohammed

3 years

2
1
0 0

User configuration

by Ahmed Mohammed

Hello, What is the difference between these two macros in include/mbedtls/build_info.h: MBEDTLS_CONFIG_FILE MBEDTLS_USER_CONFIG_FILE In other words, why would I have two different user configuration files? Or I misunderstand the difference between such files. Kind regards, Ahmed Mohammed

3 years

2
1
0 0

Slowness in verification of a ecdsa secp256r1 signature using S32K Microcontroller (clock speed 112MHz) - bare metal implementation

by ammar.ahmed.mughal＠gmail.com

I am verifying a signature generated using ecdsa secp256r1. The signature is getting verified but the time taken by the verification step is too long. It takes 4-5 seconds to verify the signature. The implementation is bare metal i.e. no RTOS (one realizes the use of RTOS but still the time is too long). Can you please guide a way around for this issue. How to make it work faster , the ideal verification time would be 30ms - 60ms. Here is a gist of my code mbedtls_ecp_curve_info *curve_info = NULL; mbedtls_ecdsa_context ecdsa_context; /// Initialization mbedtls_ecdsa_init(&ecdsa_context); curve_info = mbedtls_ecp_curve_info_from_tls_id(23); /// 23 is tls_id of secp256r1 mbedtls_ecp_group_load(&ecdsa_context.grp, curve_info->grp_id); /// Processing result = mbedtls_ecp_point_read_binary( &ecdsa_context.grp, &ecdsa_context.Q, public_key_data, // public key data in uncompressed format i.e. including leading 0x04 sizeof(public_key_data) ); /// 32 /// 71 status_verify_signature = mbedtls_ecdsa_read_signature(&ecdsa_context, hash, sizeof(hash), signature, sizeof(sig)); /// converts the signature data to ASN1, verifies the signature Thank you :)

3 years

2
1
0 0

Mutual authentication support in Embed tls

by Anupma Jain

Hello, Can please provide me with any example on "how to achieve Mutual authentication(Client and server certificate validation)" in mbed-tls. Please help me with this.It is a little urgent. Thank you Regards Anupma Jain

3 years

1
0
0 0

Website update

by Dave Rodgman

Hi all, Apologies for the website outage. We have now restored the majority of the old content, which is reachable via our Trusted Firmware website (the old website address will redirect here). The new location for our documentation, including the knowledge base and security advisories, is: https://mbed-tls.readthedocs.io/en/latest/ Please let us know (on the mailing list, via the Tech Forum, or raise a GitHub issue or PR) if you find any issues or missing documentation. The source repository for the docs is here: https://github.com/Mbed-TLS/mbedtls-docs Community contributions to the docs are welcome! Regards Dave Rodgman

3 years

2
1
0 0

OID Issue

by Subramanian Gopi Krishnan

Hi, We have developed a propriety protocol that authenticate node using certificate. In our PKI, we have four level of certificates as ROOT_CA, PROXY_CA, LOCAL_CA, and DEVICE_CERTIFICATE. Parsing of trusted CA certificate is getting success. However, verifying PROXY_CA against ROOT_CA fails with below error code. MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND I have viewed the certificates transacted using OpenSSL command, the ASN1 OID is ECDSA_SHA384. Though, I have enabled the algorithm, it is failing. Any support would be appreciated. Attached the config.h for your reference. Thanks, Gopi Krishnan

3 years, 1 month

1
0
0 0

Adding option to disable the zeroisation of internal buffers

by joel.petersson＠dirac.com

After recently updating mbedtls I noticed a considerable slowdown (over 70% on my cortex-m7 board) in the sha256 implementation, and after some digging I found the offending commit: https://github.com/Mbed-TLS/mbedtls/commit/76749aea784cfec245390d0d6f0ab0a2… I understand the motivation behind the commit, but I think it may not be relevant to all use cases. So my question is if an option to disable the clearing of internal buffers in mbedtls_config.h would be a reasonable improvement? Or would that be considered to much of a foot gun? Regards, Joel Petersson

3 years, 1 month

4
7
0 0

support of Certificate exchange between client and server in Mbedtls

by Anupma Jain

Hi, In Embed tls version 2.28, is there any support to validate client certificate fields like for example: validity of certificate, CA validation or role extraction ? If support is present then, how can we enable that ? Please help me with this.Thanks in advance. Regards Anupma

3 years, 1 month

1
0
0 0

Reminder: MBed TLS Technical Forum - US/Europe

by Don Harbin

Hi All, A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum is next Monday at 4:30 PM UK time. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

3 years, 1 month

1
0
0 0

totally beginner question...

by boddeke＠mac.com

hello, we are testing a secure communication and got example code that uses the mbed-tls library. i am using the online keil studio with mbed.org: created a new project (compiles fine) and added in the mbed-tls library but this already gives compile errors. see below. i am using the latest greatest versions (mbed-os 6.16.0 and mbedtls-3.2.1) and tried some older versions. all seem to give the same problems. see below. i have tried commenting out MBEDTLS_HAVE_TIME in mbedtls_config.h but that does not seem to make any difference tried different target boards, also no difference any help is greatly appreciated! thanks frank Build started Using toolchain ARMC6 profile {'ENV': {'ARMLMD_LICENSE_FILE': '8224@10.10.101.194:8224@10.10.109.222'}, 'PATHS': {'ARMC6_PATH': '/opt/ARMCompiler6.15.13/bin/', 'ARM_PATH': '/opt/armcc5_06_u6/'}, 'common': ['-c', '--gnu', '-O3', '-Otime', '--split_sections', '--apcs=interwork'], 'cxx': ['--cpp', '--no_rtti'], 'COMPILE_C_AS_CPP': False, 'NEW_SCAN_RESOURCES': True} scan /tmp/chroots/ch-59110c86-ee99-44c4-9ef0-79f3efde74a7/src scan /tmp/chroots/ch-59110c86-ee99-44c4-9ef0-79f3efde74a7/extras/mbed-os.lib compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Config/RTX_Config.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/TOOLCHAIN_ARM/TARGET_RTOS_M4_M7/irq_cm4f.S compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_evflags.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_lib.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_mempool.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Library/cmsis_os1.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_evr.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_memory.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_delay.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_msgqueue.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_kernel.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_mutex.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_semaphore.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_system.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/Source/os_systick.c compile mbed-os/cmsis/CMSIS_5/CMSIS/TARGET_CORTEX_M/Source/mbed_tz_context.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_timer.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/Source/os_tick_ptim.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_thread.c "time.h included in a configuration without MBEDTLS_HAVE_TIME" unknown type name 'time_t'; did you mean 'size_t'? unknown type name 'time_t'; did you mean 'size_t'? unknown type name 'time_t'; did you mean 'size_t'? compile mbed-os/cmsis/device/rtos/source/mbed_rtos_rtx.c In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:107: /src/mbedtls/tests/include/baremetal-override/time.h:18:2: error: "time.h included in a configuration without MBEDTLS_HAVE_TIME" #error "time.h included in a configuration without MBEDTLS_HAVE_TIME" ^ In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:669:5: error: unknown type name 'time_t'; did you mean 'size_t'? time_t st_atime; ///< Time of last access ^~~~~~ size_t /opt/ARMCompiler6.15.13/bin/../include/stdio.h:53:26: note: 'size_t' declared here typedef unsigned int size_t; /* see <stddef.h> */ ^ In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:670:5: error: unknown type name 'time_t'; did you mean 'size_t'? time_t st_mtime; ///< Time of last data modification ^~~~~~ size_t /opt/ARMCompiler6.15.13/bin/../include/stdio.h:53:26: note: 'size_t' declared here typedef unsigned int size_t; /* see <stddef.h> */ ^ In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:671:5: error: unknown type name 'time_t'; did you mean 'size_t'? time_t st_ctime; ///< Time of last status change ^~~~~~ size_t /opt/ARMCompiler6.15.13/bin/../include/stdio.h:53:26: note: 'size_t' declared here typedef unsigned int size_t; /* see <stddef.h> */ ^ 4 errors generated. Internal error. Build failed Build failed

3 years, 1 month

1
0
0 0

misc. questions

by Frank Bergmann

Hi all, I have some questions. 1) If you have an established TLS connection (mbed TLS 3.x) and while the connection is up the (server-) certificate expires: Will the connection stay up? Or is a new handshake (with valid cert) REQUIRED? 2) Related to question 1: CAN mbed TLS switch to a new cert on an existing TLS connection? (e.g. by doing another handshake from server OR client side) 3) With 3.x some struct members are now "private". Even if you can allow private access by a define it would be better to use a getter. But for ssl context's "state" I am missing this and also for "p_bio" (to access fd). Is there a chance to get this implemented? BTW - a big "LIKE" for 3.x! I really appreciate the changes. Thank you! kind regards, Frank

3 years, 2 months

5
6
0 0

inline assembly MULADDC_CORE for Cortex M4

by Work Only

Hello everyone, Can anyone share some example code or hints on writing MULADDC_CORE for Cortex M4 in bn_mul.h? With Many thanks! Wade

3 years, 2 months

1
0
0 0

Reminder: MBed TLS Technical Forum - US/Europe

by Don Harbin

Hi All, A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum is tomorrow (Monday) at 4:30 PM UK time. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

3 years, 2 months

1
2
0 0

[Mbed-tls-announce] Mbed TLS 3.2.1 release

by Paul Elliott via Mbed-tls-announce

Hi Mbed TLS users, We have released Mbed TLS version 3.2.1. This release is functionally identical to 3.2.0, but includes a file that was missing from the 3.2.0 release (see https://github.com/Mbed-TLS/mbedtls/issues/6084). Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.2.1). We recommend all users to consider whether they are impacted, and to upgrade appropriately. Many thanks, Mbed TLS Team. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org

3 years, 2 months

1
0
0 0

Release of Mbed TLS 3.2.0 and 2.28.1

by Dave Rodgman

Hi Mbed TLS users, We have released Mbed TLS versions 3.2.0 and 2.28.1. These releases of Mbed TLS address several security issues, provide bug fixes, and for 3.2.0, add various features. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.2.0, https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1). We recommend all users to consider whether they are impacted, and to upgrade appropriately. Dave Rodgman

3 years, 2 months

1
0
0 0

What is the URL to access the Mbed TLS knowledge base?

by Max Peng

Hi mbed-tls Team, I notice that https://tls.mbed.org has been directed to https://www.trustedfirmware.org/projects/mbed-tls/. However, I does not see any link to the old Mbed TLS knowledge base. It is a good resource for learning Mbed TLS. What is the URL to access it? Thanks, Max Peng

3 years, 2 months

2
2
0 0

State of documentation

by Tim Becker

Hi all, it feels like the state of documentation has deteriorated since the last time I've used mbedtls (a couple of months ago). I'm not sure if the google index hasn't fully been updated yet, or I don't understand the new structure of the docs or ... Also, is this the proper forum to make suggestions? Should I raise an issue on Github? 1.) a lot of previously linked, useful information now redirects here: https://www.trustedfirmware.org/projects/mbed-tls/ which (please excuse my frankness) feels like an utterly useless abomination that only marketing people could love. - Some examples of previously useful links: from the wiki ( https://developer.trustedfirmware.org/w/mbed-tls/) : > Old Mbed TLS website > Documentation: Mbed TLS API Reference; Knowledge base; Dev corner all redirect to trustedfirmware.org ! As do nearly all the links in https://github.com/Mbed-TLS/mbedtls/blob/development/SUPPORT.md 2.) there is no longer an doxygen generated API documentation anywhere only. I could generate it myself, but then I'd need to get and install Doxygen, figure how to use it, etc. It would be great if this were restored. It can't be that expensive to host :) Anyway, it feels like I've been running around for hours trying to find _anything_ useful, but I just realized everything is redirected to trustedfirmware.org ... Is there any way to still access the old, useful docs? Thanks & sorry that this post is so negative, -tim

3 years, 2 months

6
8
0 0

TLS Handshake failure while connecting to mqtt broker from device

by urvi＠milltech.in

Hello Sir/Madam, I am developing TI's EFM32 series micro controller based IOT device. This device will connect to mqtt broker and publish/ subscribes to/from data. In my application, I am trying to connect to AWS using mbedtls library over lwIP (no rtos mode). While my device is in debug mode (i.e. JTAG programmer connected) then it gets connected to AWS successfully. But when I remove JTAG programmer and operate device in normal running mode, then it failed to get connect to broker (i.e. AWS). I observe following errors occured while performing TLS handshaking stage: SSL - The connection indicated an EOF X509 - Certificate verification failed, e.g. CRL, CA or signatur SSL - Processing of the ServerHello handshake message failed

3 years, 2 months

1
0
0 0

Setup to test and debug a single funciton.

by Victor Micó

Hi all, First of all apologies if this is not the right place for this topic. For my master thesis I am using the mbedtls library to analyze it using side channel analysis. My objective was to use it as a starting point to analyze the resistance of different exponentiation algorithms. With this objective I am trying to set up a environment where I can call the function "mbedtls_mpi_exp_mod" https://github.com/Mbed-TLS/mbedtls/blob/f5b7082f6e8af72868966b6ea99eae228f… and debug it. I have been trying for at least two weeks but I couldn't be able to succeed. I believe that when If I can get a debugging environment for that function I will be able to adapt it and use other exponentiation algorithms such as the Left-to-right k-ary (HAC 14.82). I am using VScode and the code is located in WLS Ubuntu 20.04. So far I been able to compile the full library and run all the tests. Anyone here could give mean indication on how to set up the environment to debug this function? Thanks! Victor.

3 years, 2 months

1
0
0 0

Looking for information regarding the long-term support of the MbedTls library.

by heinrich.mueller＠g-ushin.com

Hello, Currently, we are evaluating the MbedLib to be eventually used in small and midsized automotive ECUs. * Since we have to follow the UNECE Regulation R155, R156, and ISO/SAE 21434 I need some information regarding the long-term support of the library and how the communication of bugs is organized? * I also do not understand the involvement and responsibility of ARM company? * Furthermore, I'm not sure if I understood the terms PSA and MbedTls and their mutual dependencies as well as the technical meaning? I checked the web for I but did not find anything about it yet. It would be just great if somebody can give me some hints or links to the information I am looking for. Regards Heico

3 years, 2 months

2
1
0 0

How to secure two simultaneous sockets?

by Fred Wedemeier

I have an application using mbedTls 2.9.0 that's been running successfully for a few years. It secures connections for the AWS MQTT broker, for https GET/PUT transfers, and for SSL/TLS email servers - But only one secure connection at a time. I need to add support for an FTPS client. This requires opening/securing a control channel on port 21, then opening/securing a second port for data transfer. Opening/securing the control channel works as expected. Then, when the client calls connect() for the data transfer socket, the server log shows messages indicating it is preparing for a TLS handshake. Now, here's where I may be missing something... The client calls the same code as for the control connection: Allocates a second mbedtls_ssl_context, mbedtls_ssl_config, mbedtls_x509_crt, et.al, and calls some mbedtls_ssl_*() functions which were copy/pasted from example code several years ago. The server name and root cert are the same. I think the only difference in the second negotiation is the underlying socket descriptor allocated by the IP stack for the data channel. When mbedtls_ssl_handshake() is called, both the filezilla log and client log show a successful handshake. The filezilla log then shows it trying to establish yet another secure data connection, which fails, and reports "TLS session of data connection not resumed." Questions: -- Is the above sequence correct for opening and securing a second connection? -- In searching through ssl.h I see mbedtls_ssl_get_session() and mbedtls_ssl_set_session(). Are these relevant to the situation? I cannot tell from their one-sentence descriptions.

3 years, 2 months

1
0
0 0

2025

2024

2023

2022

2021

2020

mbed-tls