This topic has without a doubt been silently visited by many MbedTLS users :)
The biggest problem I see is that the MbedTLS devs produce a new version roughly every 2.3 weeks :) And any customer with a brain and internet access will google MbedTLS, discover that the current version is about a year later than the one in your product, and ask you a very pointed question "why aren't you using a version with the latest security patches?".
You then end up in an impossible position of having to explain to your customer (who, like everybody on the internet is a security expert, and has read all about deprecated crypto suites, hash collisions, and doesn't care that e.g. TLS 1.3 removes a bunch of hashes which are still used on some of the CACERT.PEM certificates) that for commercial and technical (e.g. product testing, over many months) reasons you had to freeze your product with MbedTLS v2.8 or whatever.
You also have to explain to your "security expert" customer that most of the mods done in the last couple of years are at best tangential to any concept of secure comms in an embedded product which 99% of the time is running in an environment without physical (access) security, so "nice" stuff like zeroing malloc'd buffers before freeing them does nothing for security because only somebody totally "inside" your box is going to be reading RAM.
So I don't think the license is a problem :)
Peter
Hi Praveen,
Mbed TLS is distributed under both the Apache 2.0 and GPL 2.0 licenses (dual-licensed); users may use the library under the terms of whichever license they prefer.
The Apache 2.0 license is a permissive license which usually allows commercial use; however, you should check the terms of this license for yourself to ensure it is compatible with your use case.
We do not provide paid support for Mbed TLS. We provide some support via the mailing list (for general support queries) and GitHub (for bug reports) but it is on a best-effort basis only.
I hope that helps.
Kind regards,
David Horstmann
Mbed TLS Developer

From: Kumar, Praveen via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 06 August 2024 11:59
To: mbed-tls@lists.trustedfirmware.org
Subject: [mbed-tls] Requesting information for mbed-tls commercial license & support
Hi,
We are in the process of qualifying a suitable encryption library for our pre-hospital patient monitor and the telemedicine system. I am writing to request your guidance regarding the mbed-tls use for commercial purposes. I look forward to your response.
Regards,
Praveen Kumar
R&D Project Manager
Emergency Care Professional (EC-Pro)
Philips
Tel +44 (0) 1256 362427 Email praveen.m.kumar@philips.com
Remote Diagnostic Technologies Limited. Registered office: Ascent 1, Farnborough Aerospace Centre, Aerospace Boulevard, Farnborough GU14 6XW, UK. Registered in England No. 3321782.