Dear MbedTLS maintainers,
we are already using MBedTLS, however, we recently enabled TLS 1.3 and found that our certificates doesn't work anymore, because they are brainpoolP256r1 (https://datatracker.ietf.org/doc/html/rfc8734). So the question would be, if I missed any configuration to enable the usage of brainpool curves (which are working for TLS 1.2) or if there are any plans, that these are getting supported by MBedTLS 3.6.x?
Best regards,
Maren Konrad
Hi Maren,
The TLS 1.3 specification defines only 3 ECDSA algorithms: ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384 and ecdsa_secp521_sha512, we only support these in Mbed TLS. Unfortunately, there are no config options that would make Brainpool curves work with TLS 1.3.
I am sorry, but at the moment we don’t have any plans about adding Brainpool curve support for TLS 1.3.
Best regards, Janos
From: Maren Konrad via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Tuesday, 12 November 2024 at 11:51 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] TLS 1.3 and brainpool curves Dear MbedTLS maintainers,
we are already using MBedTLS, however, we recently enabled TLS 1.3 and found that our certificates doesn't work anymore, because they are brainpoolP256r1 (https://datatracker.ietf.org/doc/html/rfc8734). So the question would be, if I missed any configuration to enable the usage of brainpool curves (which are working for TLS 1.2) or if there are any plans, that these are getting supported by MBedTLS 3.6.x?
Best regards,
Maren Konrad
Dear Maren,
Sorry for the very long delay. I don't think you're missing anything, we just haven't implemented RFC 8734 yet.
This is absolutely something we can consider adding in Mbed TLS 4.x, but probably not 3.6.x which, being an LTS branch, should only receive bug fixes and security fixes.
To be candid with you, we have a lot of other things going on, and this seems unlikely to make it to the top of our list soon (unless more people come asking about it), but if you have the bandwidth to open a PR about it, please ping me (mpg on github) and I'll be sure to review it!
Best regards, Manuel.
________________________________ From: Maren Konrad via mbed-tls mbed-tls@lists.trustedfirmware.org Sent: 12 November 2024 12:50 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] TLS 1.3 and brainpool curves
Dear MbedTLS maintainers,
we are already using MBedTLS, however, we recently enabled TLS 1.3 and found that our certificates doesn't work anymore, because they are brainpoolP256r1 (https://datatracker.ietf.org/doc/html/rfc8734). So the question would be, if I missed any configuration to enable the usage of brainpool curves (which are working for TLS 1.2) or if there are any plans, that these are getting supported by MBedTLS 3.6.x?
Best regards,
Maren Konrad
mbed-tls@lists.trustedfirmware.org
-
Janos Follath -
Manuel Pegourie-Gonnard -
Maren Konrad