Hi all,

 

I’m using an mbedTLS server on a CPU with a small memory foot print. In a search to serve as many as possible TLS clients, I found that the mbedtls_ssl_session.master[48] structure member is still in memory after the handshake is over.
(I filed an issue to start with, but was quickly directed to this mailing list, thanks to Tom Cosgrove. See Clear master secret from mbedtls_ssl_session after handshake is ready · Issue #5832 · Mbed-TLS/mbedtls (github.com))

 

I’m wondering why this is needed. The `master` secret references I can find in the code are either related to the TLS handshake, or to serialization/deserialization. I am wondering whether it makes sense to serialize/deserialize the master secret but I’m not sure if it is a use case to support serialization of ongoing handshake operations.

 

Based on this 2 questions:

• Is the master secret relevant when the handshake is over?
• Is the master secret really useful in serialization/deserialization? If so, I could use `MBEDTLS_SSL_CONTEXT_SERIALIZATION` in my eventual merge request to keep facilitating this.

 

Looking forward for relevant answers. Thanks in advance,

 

Maarten