Hi Peter,

Mbed TLS 2.28 is fully API-compatible with 2.16 and has many bug fixes
including security fixes. But as noted earlier, 2.28 reaches its
end-of-life this month (or whenever we do that last 2.28 release, which
I suspect will happen in early 2025).

Regarding the license, we stopped offering the GPLv2 for a while, but
we've gone back to offering a dual license (GPLv2 or Apache 2.0, at your
choice). I can't offer any legal advice, but generally Apache is
suitable for use in commercial products, whereas GPL is very constraining.

Best regards,

--
Gilles Peskine
Mbed TLS developer

On 05/12/2024 12:57, Peter via mbed-tls wrote:
> Hello All,
>
> I have a product which uses MbedTLS 2.16.2.
>
> How different is 2.28? Is it just a case of dropping in new files,
> with the same API so everything should still work?
>
> We see no functional issues at all with 2.16.2.
>
> I also have a note on the project:
>
> ===
> Note that MbedTLS cannot be updated beyond 2.16 due to this
>
> https://github.com/OpenVPN/openvpn/commit/110eee0288cff0720952a2cf16c4fb191d...
> although there is a disagreement on this:
> Why would the Apache2.0 license be a problem? It is more permissive
> than GPLv2 and does not have a copyleft requirement as the GPL
> licenses do. It does not require that you redistribute the source code
> and any modifications that you have made to it, only that you include
> a description of those changes in any copies of the code that you do
> distribute.
> It may be used commercially without any requirement that the rest of
> the project in which it is used is covered by the same license.
> ===
>
> Is the above relevant? The product is a commercial one.
>
> Thank you in advance.
>
> Peter