Releases: Mbed-TLS/mbedtls
Mbed TLS 3.6.4
Description
This release includes fixes for security issues.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Security Advisories
For full details, please see the following links:
- Race condition in AESNI support detection
- Heap buffer under-read when parsing PEM-encrypted material
- Unchecked return value in LMS verification allows signature bypass
- Out-of-bounds read in mbedtls_lms_import_public_key()
- Timing side-channel in block cipher decryption with PKCS#7 padding
- NULL pointer dereference after using mbedtls_asn1_store_named_data()
- Misleading memory management in mbedtls_x509_string_to_names()
Release Notes
Features
- Add the function mbedtls_ssl_export_keying_material() which allows the
client and server to extract additional shared symmetric keys from an SSL
session, according to the TLS-Exporter specification in RFC 8446 and 5705.
This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
mbedtls_config.h.
Security
- Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
less than 3 bytes. Reported by Linh Le and Ngan Nguyen from Calif.
CVE-2025-49601
- Fix a vulnerability in LMS verification through which an adversary could
get an invalid signature accepted if they could cause a hash accelerator
to fail. Found and reported by Linh Le and Ngan Nguyen from Calif.
CVE-2025-49600
- On x86/amd64 platforms, with some compilers, when the library is
compiled with support for both AESNI and software AES and AESNI is
available in hardware, an adversary with fine control over which
threads make progress in a multithreaded program could force software
AES to be used for some time when the program starts. This could allow
the adversary to conduct timing attacks and potentially recover the
key. In particular, this attacker model may be possible against an SGX
enclave.
The same vulnerability affects GCM acceleration, which could allow
a similarly powerful adversary to craft GCM forgeries.
CVE-2025-52496
- Fix possible use-after-free or double-free in code calling
mbedtls_x509_string_to_names(). This was caused by the function calling
mbedtls_asn1_free_named_data_list() on its head argument, while the
documentation did not suggest it did, making it likely for callers relying
on the documented behaviour to still hold pointers to memory blocks after
they were free()d, resulting in a high risk of use-after-free or double-free,
with consequences ranging up to arbitrary code execution.
In particular, the two sample programs x509/cert_write and x509/cert_req
were affected (use-after-free if the san string contains more than one DN).
Code that does not call mbedtls_x509_string_to_names() directly is not affected.
Found by Linh Le and Ngan Nguyen from Calif.
CVE-2025-47917
- Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
an item in the output list in an inconsistent state with val.p == NULL but
val.len > 0. This impacts applications that call this function directly,
or indirectly via mbedtls_x509_string_to_names() or one of the
mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The
inconsistent state of the output could then cause a NULL dereference either
inside the same call to mbedtls_x509_string_to_names(), or in subsequent
users of the output structure, such as mbedtls_x509_write_names(). This
only affects applications that create (as opposed to consume) X.509
certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data()
directly. Found by Linh Le and Ngan Nguyen from Calif.
CVE-2025-48965
- Fix an integer underflow that could occur when parsing malformed PEM
keys, which could be used by an attacker capable of feeding encrypted
PEM keys to a user. This could cause a crash or information disclosure.
Found and reported by Linh Le and Ngan Nguyen from Calif.
CVE-2025-52497
- Fix a timing side channel in the implementation of PKCS#7 padding
which would allow an attacker who can request decryption of arbitrary
ciphertexts to recover the plaintext through a timing oracle attack.
Reported by Ka Lok Wu from Stony Brook University and Doria Tang from
The Chinese University of Hong Kong.
CVE-2025-49087
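The timing oracle in that last entry is the classic one: a padding check that stops at the first wrong byte takes a different amount of time depending on where that byte is, so an attacker who can submit ciphertexts learns plaintext bytes from the response time. The following is an added example written for this page, not Mbed TLS code. It checks PKCS#7 padding on a constructed 16-byte block both ways and counts how many bytes each checker inspects, so the data-dependent work of the early-exit version is visible without a stopwatch. BLOCK_SIZE, the ct_* mask helpers and the demo_* helpers are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 16

/* Early-exit check: returns 0 and the unpadded length on good padding,
 * -1 otherwise. *work counts the padding bytes it looked at; that count
 * depends on where the first wrong byte is, which is the leak. */
int pkcs7_unpad_leaky(const uint8_t *buf, size_t len,
                      size_t *data_len, size_t *work)
{
    *work = 0;
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE) return -1;
    for (size_t i = 1; i <= pad; i++) {
        (*work)++;
        if (buf[len - i] != pad) return -1;   /* stops at first mismatch */
    }
    *data_len = len - pad;
    return 0;
}

/* 0xFFFFFFFF if a == b, else 0, without a data-dependent branch. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    x |= x >> 16; x |= x >> 8; x |= x >> 4; x |= x >> 2; x |= x >> 1;
    return (x & 1) - 1;
}

/* 0xFFFFFFFF if a < b, else 0; both inputs must be below 2^31. */
static uint32_t ct_lt_mask(uint32_t a, uint32_t b)
{
    return (uint32_t) 0 - ((a - b) >> 31);
}

/* Constant-time check: inspects every byte of the last block regardless
 * of content and folds the verdict into a mask. Only the buffer length,
 * which is public, is branched on. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len,
                   size_t *data_len, size_t *work)
{
    *work = 0;
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;
    const uint8_t *blk = buf + len - BLOCK_SIZE;
    uint32_t pad = blk[BLOCK_SIZE - 1];
    uint32_t ok = ct_lt_mask(0, pad) & ct_lt_mask(pad, BLOCK_SIZE + 1);
    for (uint32_t i = 0; i < BLOCK_SIZE; i++) {
        (*work)++;
        /* byte i belongs to the padding iff BLOCK_SIZE - 1 - i < pad */
        uint32_t in_pad = ct_lt_mask(BLOCK_SIZE - 1 - i, pad);
        ok &= ~in_pad | ct_eq_mask(blk[i], pad);
    }
    size_t mask = (size_t) 0 - (size_t) (ok & 1);   /* all ones iff ok */
    *data_len = (len - (size_t) pad) & mask;
    return (int) (ok & 1) - 1;
}

/* Constructed block: 13 data bytes 'A' followed by 3 bytes of 0x03.
 * corrupt_from_end = 0 leaves it intact; 2 or 3 overwrites that padding
 * byte (counted from the end) with 0x07. The last byte is never touched,
 * so the claimed padding length stays 3 in every case. */
static int run_case(int corrupt_from_end, int use_ct,
                    size_t *data_len, size_t *work)
{
    uint8_t blk[BLOCK_SIZE];
    memset(blk, 'A', 13);
    blk[13] = blk[14] = blk[15] = 3;
    if (corrupt_from_end == 2 || corrupt_from_end == 3)
        blk[BLOCK_SIZE - corrupt_from_end] = 7;
    *data_len = 0;
    return use_ct ? pkcs7_unpad_ct(blk, sizeof blk, data_len, work)
                  : pkcs7_unpad_leaky(blk, sizeof blk, data_len, work);
}

int demo_verdict(int corrupt_from_end, int use_ct)
{ size_t d, w; return run_case(corrupt_from_end, use_ct, &d, &w); }

size_t demo_work(int corrupt_from_end, int use_ct)
{ size_t d, w; run_case(corrupt_from_end, use_ct, &d, &w); return w; }

size_t demo_data_len(int corrupt_from_end, int use_ct)
{ size_t d, w; run_case(corrupt_from_end, use_ct, &d, &w); return d; }

int main(void)
{
    const int cases[] = { 0, 2, 3 };
    for (int ct = 0; ct <= 1; ct++)
        for (size_t c = 0; c < 3; c++)
            printf("%-13s corrupt=%d verdict=%d bytes_inspected=%zu\n",
                   ct ? "constant-time" : "early-exit", cases[c],
                   demo_verdict(cases[c], ct), demo_work(cases[c], ct));
    return 0;
}
```

With the early-exit checker the inspected-byte count is 2 or 3 depending on which padding byte is wrong; the mask-based checker always reads all 16. In a real CBC decryption path this verdict must additionally be combined with the MAC check so that the good and bad paths do the same amount of work; the mask is the building block for that.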
Bugfix
- Fix failures of PSA multipart or interruptible operations when the
library or the application is built with a compiler where
"union foo x = {0}" does not initialize non-default members of the
union, such as GCC 15 and some versions of Clang 18. This affected MAC
multipart operations, MAC-based key derivation operations, interruptible
signature, interruptible verification, and potentially other operations
when using third-party drivers. This also affected one-shot MAC
operations using the built-in implementation. Fixes #9814.
- On entry to PSA driver entry points that set up a multipart operation
("xxx_setup"), the operation object is supposed to be all-bits-zero.
This was sometimes not the case when an operation object is reused,
or with compilers where "union foo x = {0}" does not initialize
non-default members of the union. The PSA core now ensures that this
guarantee is met in all cases. Fixes #9975.
- Resolved build issue with C++ projects using Mbed TLS 3.6 when compiling
with the MSVC toolset v142 and earlier. Fixes mbedtls issue #7087.
- Silence spurious -Wunterminated-string-initialization warnings introduced
by GCC 15. Fixes #9944.
- Fix a sloppy check in LMS public key import, which could lead to accepting
keys with different LMS or LM-OTS types on some platforms. Specifically,
this could happen on platforms where enum types are smaller than 32 bits
and compiler optimization is enabled. Found and reported by Linh Le and
Ngan Nguyen from Calif.
- Fix a race condition on x86/amd64 platforms in AESNI support detection
that could lead to using software AES in some threads at the very
beginning of a multithreaded program. Reported by Solar Designer.
Fixes #9840.
- Fix mbedtls_base64_decode() on inputs that did not have the correct
number of trailing equal signs, or had 4*k+1 digits. They were accepted
as long as they had at most two trailing equal signs. They are now
rejected. Furthermore, before, on inputs with too few equal signs, the
function reported the correct size in *olen when it returned
MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the
last multiple of 3 bytes.
- When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
arguments, undefined behaviour would be triggered, in the form of a call to
memcpy(..., NULL, 0). This was harmless in practice, but could trigger
complaints from sanitizers or static analyzers.
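The base64 entry above spells out three rules a strict decoder has to enforce: the trailing '=' characters must bring the total length to a multiple of 4, a digit count of 4k+1 can never be valid (1, 2 or 3 data bytes need 2, 3 or 4 digits), and when the output buffer is too small the caller must get the real required size rather than a truncated result. As an added example, not Mbed TLS code, here is a small decoder that implements exactly those rules; the b64_* and demo_* names are this example's own, and the inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { B64_OK = 0, B64_INVALID = -1, B64_TOO_SMALL = -2 };

/* Value of one base64 digit, or -1 for anything else (including '='). */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict decode of src[0..slen) into dst. Accepts only digits followed by
 * 0, 1 or 2 '=' that make the total a multiple of 4, and rejects 4k+1
 * digits. On success writes the bytes and returns B64_OK with *olen set.
 * If dst is too small, returns B64_TOO_SMALL with *olen = required size
 * and writes nothing, so the caller can size a buffer and retry. */
int b64_decode_strict(uint8_t *dst, size_t dlen, size_t *olen,
                      const char *src, size_t slen)
{
    size_t digits = 0, pads = 0, i;
    for (i = 0; i < slen; i++) {
        if (pads == 0 && b64_val((unsigned char) src[i]) >= 0) { digits++; continue; }
        if (src[i] == '=' && pads < 2) { pads++; continue; }
        return B64_INVALID;   /* bad char, digit after '=', or a third '=' */
    }
    if ((digits + pads) % 4 != 0) return B64_INVALID;   /* wrong '=' count */
    if (digits % 4 == 1) return B64_INVALID;             /* 4k+1 digits */
    size_t need = (digits / 4) * 3 + (digits % 4 == 0 ? 0 : digits % 4 - 1);
    *olen = need;
    if (need > dlen) return B64_TOO_SMALL;
    uint32_t acc = 0; int nbits = 0; size_t o = 0;
    for (i = 0; i < digits; i++) {   /* digits are contiguous at the front */
        acc = (acc << 6) | (uint32_t) b64_val((unsigned char) src[i]);
        nbits += 6;
        if (nbits >= 8) { nbits -= 8; dst[o++] = (uint8_t) (acc >> nbits); }
    }
    return B64_OK;
}

/* Helpers for exercising the rules on constructed inputs (dlen <= 64). */
int demo_status(const char *src, size_t dlen)
{
    uint8_t out[64]; size_t olen = 0;
    return b64_decode_strict(out, dlen, &olen, src, strlen(src));
}

int demo_decodes_to(const char *src, const char *expected)
{
    uint8_t out[64]; size_t olen = 0;
    if (b64_decode_strict(out, sizeof out, &olen, src, strlen(src)) != B64_OK) return 0;
    return olen == strlen(expected) && memcmp(out, expected, olen) == 0;
}

/* Size reported through *olen when the output buffer is too small
 * (0 for inputs that are rejected outright). */
size_t demo_required_len(const char *src)
{
    uint8_t dummy[1]; size_t olen = 0;
    int r = b64_decode_strict(dummy, 0, &olen, src, strlen(src));
    return (r == B64_OK || r == B64_TOO_SMALL) ? olen : 0;
}

int main(void)
{
    const char *inputs[] = { "Zm9v", "Zm9vYg==", "Zm9vYg", "Zm9vYg=",
                             "Zm9vY", "Zm9vY===", "Zm9vYg==Zg" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s -> status %d, needs %zu bytes\n", inputs[i],
               demo_status(inputs[i], 64), demo_required_len(inputs[i]));
    return 0;
}
```

"Zm9vYg" (too few '='), "Zm9vYg=" (one short), "Zm9vY" (4k+1 digits), "Zm9vY===" (three '=') and "Zm9vYg==Zg" (digits after padding) are all rejected, while a 2-byte buffer for "Zm9vYg==" gets B64_TOO_SMALL with the required size 4 and no partial write.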
Changes
- The function mbedtls_x509_string_to_names() now requires its head argument
to point to NULL on entry. This makes it likely that existing risky uses of
this function (see the entry in the Security section) will be detected and
fixed.
Note
❕ mbedtls-3.6.4.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies and can't be configured.
Checksum
The SHA256 hashes for the archives are:
ec35b18a6c593cf98c3e30db8b98ff93e8940a8c4e690e66b41dfc011d678110 mbedtls-3.6.4.tar.bz2
Mbed TLS 4.0.0-beta
Description
The Mbed TLS 4.0.0-beta and TF-PSA-Crypto 1.0.0-beta releases introduce a major codebase restructuring:
- PSA Crypto functionality now resides in its own repository Mbed-TLS/TF-PSA-Crypto.
- TLS and X.509 components remain in Mbed TLS.
API Changes & Migration
These betas include significant API changes that break backward compatibility with previous releases. Please test your integration thoroughly and follow the 4.0-migration-guide to update your codebase to the new interfaces.
Please note
- These beta versions must be used together to validate your integration against the newly split interfaces.
- The 4.0 Migration Guide is currently under construction and will be continuously updated as we prepare for the full, non-beta release.
Intended audience for this beta
- Integrators: To evaluate the impact of the Mbed TLS split and API changes on your codebase.
- Early adopters: Anyone who wants to experiment with the upcoming interfaces and provide feedback before the formal release.
These betas are not production-ready. For deployments requiring stability and the latest security fixes, please continue using the LTS release Mbed TLS 3.6.4.
Security Advisories
For full details, please see the following links:
- CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
- Stack buffer overflow in ECDSA signature conversion functions
- Limited authentication bypass in TLS 1.3 optional client authentication
- Buffer underrun in pkwrite when writing an opaque key pair
- TLS clients should generally call mbedtls_ssl_set_hostname
- Potential authentication bypass in TLS handshake
- Misleading memory management in mbedtls_x509_string_to_names()
- NULL pointer dereference after using mbedtls_asn1_store_named_data()
Release Notes
API changes
- The experimental functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext() have been replaced by
psa_generate_key_custom() and psa_key_derivation_output_key_custom().
They have almost exactly the same interface, but the variable-length
data is passed in a separate parameter instead of a flexible array
member. This resolves a build failure under C++ compilers that do not
support flexible array members (a C99 feature not adopted by C++).
Fixes #9020.
- Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API.
Instead of taking a mbedtls_cipher_type_t as an argument, this function
now takes 3 new arguments: a PSA algorithm, key type and key size, to
specify the AEAD for ticket protection.
- The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx()
functions can now return PSA_ERROR_xxx values.
There is no longer a distinction between "low-level" and "high-level"
Mbed TLS error codes.
This will not affect most applications since the error values are
between -32767 and -1 as before.
- All API functions now use the PSA random generator psa_get_random()
internally. As a consequence, functions no longer take RNG parameters.
Please refer to the migration guide at
tf-psa-crypto/docs/4.0-migration-guide.md.
Default behavior changes
- In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
!MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the
corresponding PSA mechanism is enabled, since the server provides the
crypto. Fixes #9126.
- The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem
to perform cryptographic operations, with a few exceptions documented
in docs/architecture/psa-migration/psa-limitations.md. This
corresponds to the behavior of Mbed TLS 3.x when
MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO
is now always enabled.
- psa_crypto_init() must be called before performing any cryptographic
operation, including indirect requests such as parsing a key or
certificate or starting a TLS handshake.
- The PSA_WANT_XXX symbols as defined in
tf-psa-crypto/include/psa/crypto_config.h are now always used in the
configuration of the cryptographic mechanisms exposed by the PSA API.
This corresponds to the configuration behavior of Mbed TLS 3.x when
MBEDTLS_PSA_CRYPTO_CONFIG is enabled. In effect, MBEDTLS_PSA_CRYPTO_CONFIG
is now always enabled and the configuration option has been removed.
- In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure.
Removals
- Drop support for VIA Padlock. Removes MBEDTLS_PADLOCK_C.
Fixes #5903.
- Drop support for the crypto alt interface. Removes MBEDTLS_XXX_ALT options
at the module and function level for crypto mechanisms only. The remaining
alt interfaces for platform, threading and timing are unchanged.
Fixes #8149.
- Remove support for the RSA-PSK key exchange in TLS 1.2.
- Remove deprecated mbedtls_x509write_crt_set_serial(). The function was
already deprecated and superseded by
mbedtls_x509write_crt_set_serial_raw().
- Remove the function mbedtls_ssl_conf_curves() which had been deprecated
in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1.
- Remove support for the DHE-PSK key exchange in TLS 1.2.
- Remove support for the DHE-RSA key exchange in TLS 1.2.
- Following the removal of the DHM module (#9972 and TF-PSA-Crypto#175) the
following SSL functions are removed:
  - mbedtls_ssl_conf_dh_param_bin
  - mbedtls_ssl_conf_dh_param_ctx
  - mbedtls_ssl_conf_dhm_min_bitlen
- Remove support for the RSA key exchange in TLS 1.2.
- Remove mbedtls_low_level_strerr() and mbedtls_high_level_strerr(),
since these concepts no longer exist. There is just mbedtls_strerror().
- Removal of the following sample programs:
  pkey/rsa_genkey.c
  pkey/pk_decrypt.c
  pkey/dh_genprime.c
  pkey/rsa_verify.c
  pkey/mpi_demo.c
  pkey/rsa_decrypt.c
  pkey/key_app.c
  pkey/dh_server.c
  pkey/ecdh_curve25519.c
  pkey/pk_encrypt.c
  pkey/rsa_sign.c
  pkey/key_app_writer.c
  pkey/dh_client.c
  pkey/ecdsa.c
  pkey/rsa_encrypt.c
  wince_main.c
  aes/crypt_and_hash.c
  random/gen_random_ctr_drbg.c
  random/gen_entropy.c
  hash/md_hmac_demo.c
  hash/hello.c
  hash/generic_sum.c
  cipher/cipher_aead_demo.c
- Remove the compat-2.x.h header from mbedtls.
- The library no longer offers interfaces to look up values by OID
or OID by enum values.
The header <mbedtls/oid.h> now only defines functions to convert
between binary and dotted string OID representations, and macros
for OID strings that are relevant to X.509.
The compilation option MBEDTLS_OID_C no longer
exists. OID tables are included in the build automatically as needed.
Features
- When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
the number of volatile PSA keys is virtually unlimited, at the expense
of increased code size. This option is off by default, but enabled in
the default mbedtls_config.h. Fixes #9216.
- Add a new psa_key_agreement() PSA API to perform key agreement and return
an identifier for the newly created key.
- Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
uses static storage for keys, enabling malloc-less use of key slots.
The size of each buffer is given by the option
MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
largest PSA key enabled in the build.
- Add an interruptible version of key agreement to the PSA interface.
See psa_key_agreement_iop_setup() and related functions.
- Add an interruptible version of generate key to the PSA interface.
See psa_generate_key_iop_setup() and related functions.
- Add the function mbedtls_ssl_export_keying_material() which allows the
client and server to extract additional shared symmetric keys from an SSL
session, according to the TLS-Exporter specification in RFC 8446 and 5705.
This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
mbedtls_config.h.
Security
- Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
C...
Mbed TLS 3.6.3.1
Description
This release is fully identical to Mbed TLS 3.6.3 in content, but without the .gitmodules
file, which was left in by mistake and was causing difficulties for users who are getting Mbed TLS through git.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Note
❕ mbedtls-3.6.3.1.tar.bz2 and mbedtls-3.6.3.1.tar.bz2-sha256sum.txt are our official release files. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies and can't be configured.
Checksum
The SHA256 hash for the archive is:
243ed496d5f88a5b3791021be2800aac821b9a4cc16e7134aa413c58b4c20e0c mbedtls-3.6.3.1.tar.bz2
Mbed TLS 3.6.3
Description
This release of Mbed TLS provides the fix for a TLS compatibility issue in the handling of fragmented handshake messages. This release includes fixes for security issues.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Security Advisories
For full details, please see the following links:
- Potential authentication bypass in TLS handshake
- TLS clients should generally call mbedtls_ssl_set_hostname
Release Notes
Default behavior changes
- In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
Features
- Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
uses static storage for keys, enabling malloc-less use of key slots.
The size of each buffer is given by the option
MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
largest PSA key enabled in the build.
- MD module can now perform PSA dispatching also when
MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C, even though this
configuration is not officially supported. This requires that a
PSA Crypto provider library which:
  - supports the required PSA_WANT_ALG_xxx and
  - implements psa_can_do_hash() on the client interface
is linked against Mbed TLS and that psa_crypto_init() is called before
performing any PSA call.
Security
- Note that TLS clients should generally call mbedtls_ssl_set_hostname()
if they use certificate authentication (i.e. not pre-shared keys).
Otherwise, in many scenarios, the server could be impersonated.
The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
Reported by Daniel Stenberg.
CVE-2025-27809
- Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
when deriving an ECC key pair.
- Zeroize temporary heap buffers used in PSA operations.
- Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
or there was a cryptographic hardware failure when calculating the
Finished message, it could be calculated incorrectly. This would break
the security guarantees of the TLS handshake.
CVE-2025-27810
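The TLS 1.2 Finished entry here, the LMS verification entry under 3.6.4 above (CVE-2025-49600) and the repeat of the Finished entry under 2.28.10 below are all one bug class: a fallible primitive (allocation, hash accelerator) whose status goes unchecked, so a security verdict is computed from stale or partial data. The following is an added example written for this page, not Mbed TLS code, and it does not reflect how LMS or the TLS handshake actually compute these values. It isolates the pattern: a simulated hash accelerator that can be made to fail, a verifier that ignores its status and one that fails closed. The accelerator is a toy FNV-1a hash standing in for hardware (not a cryptographic hash), the accel_fault switch models an attacker-induced failure, and the messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 8

/* Simulated hash accelerator. FNV-1a is a toy stand-in, not a secure
 * hash; what matters is that, like real hardware, it can fail, and that
 * on failure it leaves `out` untouched. */
static int accel_fault = 0;

static int accel_hash(const uint8_t *msg, size_t len, uint8_t out[DIGEST_LEN])
{
    if (accel_fault) return -1;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < DIGEST_LEN; i++) out[i] = (uint8_t) (h >> (8 * i));
    return 0;
}

/* Digest comparison without an early exit. */
static int digest_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Vulnerable pattern: the hash status is discarded. On failure `scratch`
 * keeps whatever it held before and is compared anyway. 1 = "verified". */
int verify_unchecked(const uint8_t *msg, size_t len,
                     const uint8_t *expected, uint8_t *scratch)
{
    accel_hash(msg, len, scratch);          /* BUG: return value ignored */
    return digest_equal(scratch, expected);
}

/* Hardened pattern: a failed primitive is a failed verification, and the
 * scratch buffer is wiped so nothing reusable is left behind. */
int verify_checked(const uint8_t *msg, size_t len,
                   const uint8_t *expected, uint8_t *scratch)
{
    if (accel_hash(msg, len, scratch) != 0) {
        memset(scratch, 0, DIGEST_LEN);
        return 0;
    }
    return digest_equal(scratch, expected);
}

typedef int (*verify_fn)(const uint8_t *, size_t, const uint8_t *, uint8_t *);

static const uint8_t honest[] = "image v1.2 release";     /* constructed */
static const uint8_t forged[] = "image v6.6 backdoor";    /* constructed */

/* Scenario: one scratch buffer serves two verifications, as with a
 * caller-supplied or static work area. The honest message is verified
 * first and leaves its digest in scratch; the forgery is then presented
 * with the honest digest while the accelerator is faulted.
 * Returns 1 if the chosen verifier accepted the forgery. */
int demo_forgery_accepted(int use_checked)
{
    verify_fn verify = use_checked ? verify_checked : verify_unchecked;
    uint8_t expected[DIGEST_LEN], scratch[DIGEST_LEN] = { 0 };

    accel_fault = 0;
    accel_hash(honest, sizeof honest - 1, expected);   /* "the signed digest" */
    int first = verify(honest, sizeof honest - 1, expected, scratch);

    accel_fault = 1;                                   /* attacker-induced failure */
    int second = verify(forged, sizeof forged - 1, expected, scratch);
    accel_fault = 0;

    return first == 1 && second == 1;
}

/* Sanity check: with a working accelerator both verifiers accept the
 * honest message and reject the forgery. */
int demo_honest_path_ok(int use_checked)
{
    verify_fn verify = use_checked ? verify_checked : verify_unchecked;
    uint8_t expected[DIGEST_LEN], scratch[DIGEST_LEN];
    accel_fault = 0;
    accel_hash(honest, sizeof honest - 1, expected);
    return verify(honest, sizeof honest - 1, expected, scratch) == 1
        && verify(forged, sizeof forged - 1, expected, scratch) == 0;
}

int main(void)
{
    printf("unchecked verifier: forgery accepted = %d\n", demo_forgery_accepted(0));
    printf("checked verifier:   forgery accepted = %d\n", demo_forgery_accepted(1));
    return 0;
}
```

Both verifiers behave identically while the accelerator works; the difference only shows under the failure the attacker can provoke, which is why a review of verification code has to look at every ignored return value, not just at the comparison.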
Bugfix
- When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
peers that have middlebox compatibility enabled, as long as no
problematic middlebox is in the way. Fixes #9551.
- Fix invalid JSON schemas for driver descriptions used by
generate_driver_wrappers.py.
- Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
and 'mbedtls_net_connect' to prevent possible double close fd
problems. Fixes #9711.
- Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
mbedtls_psa_der_to_raw() is called with bits=0.
- Fix compilation on MS-DOS DJGPP. Fixes #9813.
- Fix missing constraints on the AES-NI inline assembly which is used on
GCC-like compilers when building AES for generic x86_64 targets. This
may have resulted in incorrect code with some compilers, depending on
optimizations. Fixes #9819.
- Support re-assembly of fragmented handshake messages in TLS (both
1.2 and 1.3). The lack of support was causing handshake failures with
some servers, especially with TLS 1.3 in practice. There are a few
limitations, notably a fragmented ClientHello is only supported when
TLS 1.3 support is enabled. See the documentation of
mbedtls_ssl_handshake() for details.
- Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
with Visual Studio 2013 or MinGW.
Fixes #10017.
- Remove Everest Visual Studio 2010 compatibility headers, which could
shadow standard CRT headers inttypes.h and stdbool.h with incomplete
implementations if placed on the include path, e.g. when building Mbed TLS
with the .sln file shipped with the project.
- Fix issue where psa_key_derivation_input_integer() is not detecting
bad state after an operation has been aborted.
Changes
- Improve performance of PSA key generation with ECC keys: it no longer
computes the public key (which was immediately discarded). Fixes #9732.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Note
❕ mbedtls-3.6.3.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies and can't be configured.
Checksum
The SHA256 hashes for the archives are:
64cd73842cdc05e101172f7b437c65e7312e476206e1dbfd644433d11bc56327 mbedtls-3.6.3.tar.bz2
Mbed TLS 2.28.10
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Mbed TLS 2.28.10 is the last release of the 2.28 LTS and won't receive bug fixes or security fixes anymore.
Users are advised to upgrade to a maintained version.
Security Advisories
For full details, please see the following links:
- Potential authentication bypass in TLS handshake
- TLS clients should generally call mbedtls_ssl_set_hostname
Release Notes
Default behavior changes
- In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
The content of ssl->hostname after mbedtls_ssl_set_hostname(ssl, NULL)
has changed, see the documentation of the hostname field in the
mbedtls_ssl_context struct type for details.
Security
- Note that TLS clients should generally call mbedtls_ssl_set_hostname()
if they use certificate authentication (i.e. not pre-shared keys).
Otherwise, in many scenarios, the server could be impersonated.
The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
CVE-2025-27809
- Zeroize temporary heap buffers used in PSA operations.
- Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
or there was a cryptographic hardware failure when calculating the
Finished message, it could be calculated incorrectly. This would break
the security guarantees of the TLS handshake.
CVE-2025-27810
Bugfix
- Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
and 'mbedtls_net_connect' to prevent possible double close fd
problems. Fixes #9711.
- Fix compilation on MS-DOS DJGPP. Fixes #9813.
- Fix missing constraints on the AES-NI inline assembly which is used on
GCC-like compilers when building AES for generic x86_64 targets. This
may have resulted in incorrect code with some compilers, depending on
optimizations. Fixes #9819.
- Fix issue where psa_key_derivation_input_integer() is not detecting
bad state after an operation has been aborted.
- Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
with Visual Studio 2013 or MinGW.
Fixes #10017.
- Remove Everest Visual Studio 2010 compatibility headers, which could
shadow standard CRT headers inttypes.h and stdbool.h with incomplete
implementations if placed on the include path, e.g. when building Mbed TLS
with the .sln file shipped with the project.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Note
❕ mbedtls-2.28.10.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies and can't be configured.
Checksum
The SHA256 hashes for the archives are:
19e5b81fdac0fe22009b9e2bdcd52d7dcafbf62bc67fc59cf0a76b5b5540d149 mbedtls-2.28.10.tar.bz2
Mbed TLS 3.6.2
Description
This release of Mbed TLS provides the fix for a security vulnerability.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Security Advisories
For full details, please see the following links:
❕ Release notes are truncated in GitHub's releases page: Please refer to the 3.6.2 release page.
Release Notes
Security
- Fix a buffer underrun in mbedtls_pk_write_key_der() when
called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
and the output buffer is smaller than the actual output.
Fix a related buffer underrun in mbedtls_pk_write_key_pem()
when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
CVE-2024-49195
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Note
❕ mbedtls-3.6.2.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies and can't be configured.
Checksum
The SHA256 hash for the archive is:
8b54fb9bcf4d5a7078028e0520acddefb7900b3e66fec7f7175bb5b7d85ccdca mbedtls-3.6.2.tar.bz2
Mbed TLS 3.6.1
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Security Advisories
For full details, please see the following links:
- CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
- Stack buffer overflow in ECDSA signature conversion functions
- Limited authentication bypass in TLS 1.3 optional client authentication
❕ Release notes are truncated in GitHub's releases page: Please refer to the 3.6.1 release page.
Release Notes
API changes
- The experimental functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext() are no longer declared when compiling
in C++. This resolves a build failure under C++ compilers that do not
support flexible array members (a C99 feature not adopted by C++).
Fixes #9020.
Default behavior changes
- In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
!MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the
corresponding PSA mechanism is enabled, since the server provides the
crypto. Fixes #9126.
- A TLS handshake may now call psa_crypto_init() if TLS 1.3 is enabled.
This can happen even if TLS 1.3 is offered but eventually not selected
in the protocol version negotiation.
- By default, the handling of TLS 1.3 tickets by the Mbed TLS client is now
disabled at runtime. Applications that were using TLS 1.3 tickets
signalled by MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return values now
need to enable the handling of TLS 1.3 tickets through the new
mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() API.
New deprecations
- The experimental functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext() are deprecated in favor of
psa_generate_key_custom() and psa_key_derivation_output_key_custom().
They have almost exactly the same interface, but the variable-length
data is passed in a separate parameter instead of a flexible array
member.
- The following cryptographic mechanisms are planned to be removed
in Mbed TLS 4.0:
  - DES (including 3DES).
  - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
    (OAEP, PSS, and PKCS#1v1.5 signature are staying.)
  - Finite-field Diffie-Hellman with custom groups.
    (RFC 7919 groups remain supported.)
  - Elliptic curves of size 225 bits or less.
- The following cipher suites are planned to be removed from (D)TLS 1.2
in Mbed TLS 4.0:
  - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
    RSA decryption.
    (RSA signatures, i.e. TLS_ECDHE_RSA_*, are staying.)
  - TLS_ECDH_*, i.e. cipher suites using static ECDH.
    (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
  - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
    (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
  - TLS_*_CBC, i.e. all cipher suites using CBC.
- The following low-level application interfaces are planned to be removed
from the public API in Mbed TLS 4.0:
  - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
  - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
  - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
    cipher.h, cmac.h, gcm.h, poly1305.h;
  - Private key encryption mechanisms: pkcs5.h, pkcs12.h.
  - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
    ecp.h, rsa.h.
The cryptographic mechanisms remain present, but they will only be
accessible via the PSA API (psa_xxx functions introduced gradually
starting with Mbed TLS 2.17) and, where relevant, pk.h.
For guidance on migrating application code to the PSA API, please consult
the PSA transition guide (docs/psa-transition.md).
- The following integration interfaces are planned to be removed
in Mbed TLS 4.0:
  - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
    Use PSA transparent drivers instead.
  - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
    Use PSA opaque drivers instead.
Features
- When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
the number of volatile PSA keys is virtually unlimited, at the expense
of increased code size. This option is off by default, but enabled in
the default mbedtls_config.h. Fixes #9216.
Security
- Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
CVE-2024-45157 - Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
largest supported curve. In some configurations with PSA disabled,
all values of bits are affected. This never happens in internal library
calls, but can affect applications that call these functions directly.
CVE-2024-45158 - With TLS 1.3, when a server enables optional authentication of the
client, if the client-provided certificate does not have appropriate values
in keyUsage or extKeyUsage extensions, then the return value of
mbedtls_ssl_get_verify_result() would incorrectly have the
MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits
clear. As a result, an attacker that had a certificate valid for uses other
than TLS client authentication could be able to use it for TLS client
authentication anyway. Only TLS 1.3 servers were affected, and only with
optional authentication (required would abort the handshake with a fatal
alert).
CVE-2024-45159
Bugfix
- Fix TLS 1.3 client build and runtime when support for session tickets is disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.
- Fix compilation error when memcpy() is a function-like macro. Fixes #8994.
- MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
- Fix undefined behaviour (incrementing a NULL pointer by zero length) when passing in zero length additional data to multipart AEAD.
- Fix rare concurrent access bug where attempting to operate on a non-existent key while concurrently creating a new key could potentially corrupt the key store.
- Fix error handling when creating a key in a dynamic secure element (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition, the creation could return PSA_SUCCESS but using or destroying the key would not work. Fixes #8537.
- Fix redefinition warning messages for _GNU_SOURCE in entropy_poll.c and sha_256.c. There was a build warning when building for the Linux platform. Resolves #9026.
- Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
- Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in CMAC is enabled, but no built-in unauthenticated cipher is enabled. Fixes #9209.
- Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled. Fixes #9029.
- Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes long. Credit to Cryptofuzz. Fixes #9314.
- Fix interference between PSA volatile keys and built-in keys when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096.
- Document and enforce the limitation of mbedtls_psa_register_se_key() to persistent keys. Resolves #9253.
- Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
- Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
- When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled, some code was defining 0-size arrays, resulting in compilation errors. Fixed by disabling the offending code in configurations without PSA Crypto, where it never worked. Fixes #9311.
- Fix unintended performance regression when using short RSA public keys. Fixes #9232.
- Fix an issue where some TLS 1.2 clients could not connect to an Mbed TLS 3.6.0 server, due to incorrect handling of legacy_compression_methods in the ClientHello. Fixes #8995, #9243.
- Fix TLS connections failing when the handshake selects TLS 1.3 in an application that does not call psa_crypto_init(). Fixes #9072.
- Fix TLS connection failure in applications using an Mbed TLS client in the default configuration connecting to a TLS 1.3 server sending tickets. See the documentation of mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() for more information. Fixes #8749.
- Fix a memory leak that could occur when failing to process an RSA key through some PSA functions due to low memory conditions.
- Fix a regression introduced in 3.6.0 where the CA callback set with mbedtls_ssl_conf_ca_cb() would stop working when connections were...
Mbed TLS 2.28.9
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.
Security Advisories
For full details, please see the following links:
Release Notes
Security
- Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
CVE-2024-45157
Bugfix
- Fix the build in some configurations when check_config.h is not included. Fixes #9152.
- Fix redefinition warning messages for _GNU_SOURCE in entropy_poll.c and sha_256.c. There was a build warning when building for the Linux platform. Resolves #9026.
- Fix error handling when creating a key in a dynamic secure element (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition, the creation could return PSA_SUCCESS but using or destroying the key would not work. Fixes #8537.
- Fix a memory leak that could occur when failing to process an RSA key through some PSA functions due to low memory conditions.
- Document and enforce the limitation of mbedtls_psa_register_se_key() to persistent keys. Resolves #9253.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Note
❕ mbedtls-2.28.9.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies, and can't be configured.
Checksum
The SHA256 hashes for the archives are:
e85ea97aaf78dd6c0a5ba2e54dd5932ffa15f39abfc189c26beef7684630c02b mbedtls-2.28.9.tar.bz2
Mbed TLS 3.6.0 LTS
Description
This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.
This release brings in improved multithreaded operations, record-size-limit, and early-data support and other TLS1.3 improvements. TLS1.3 support is now enabled by default.
Long-term support
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Security Advisories
For full details, please see the following link:
❕ Release notes are truncated in GitHub's releases page: please refer to the 3.6.0 release page.
Release Notes
API changes
- Remove tls13_ in mbedtls_ssl_tls13_conf_early_data() and mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data feature may not be TLS 1.3 specific in the future. Fixes #6909.
Default behavior changes
- psa_import_key() now only accepts RSA keys in the PSA standard formats.
The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
PEM) accepted by the pkparse module has been removed. Applications that
need these formats can call mbedtls_pk_parse_{public,}key() followed by
mbedtls_pk_import_into_psa().
Requirement changes
- Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
New deprecations
- Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still be used, but are deprecated.
- In the PSA API, domain parameters are no longer used for anything. They are deprecated and will be removed in a future version of the library.
- mbedtls_ecp_write_key() is deprecated in favor of mbedtls_ecp_write_key_ext().
Removals
- In the PSA API, the experimental way to encode the public exponent of an RSA key as a domain parameter is no longer supported. Use psa_generate_key_ext() instead.
- Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the same behavior, mbedtls_pk_get_psa_attributes() and mbedtls_pk_import_into_psa() can be used to import a PK key into PSA, while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into an opaque PK context.
Features
- Added an example program showing how to hash with the PSA API.
- Support Armv8-A Crypto Extension acceleration for SHA-256 when compiling for Thumb (T32) or 32-bit Arm (A32).
- AES-NI is now supported in Windows builds with clang and clang-cl. Resolves #8372.
- Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via a user-provided callback.
- Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit the decryption direction of block ciphers (AES, ARIA, Camellia). This affects both the low-level modules and the high-level APIs (the cipher and PSA interfaces). This option is incompatible with modes that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
- Support use of Armv8-A Cryptographic Extensions for hardware accelerated AES when compiling for Thumb (T32) or 32-bit Arm (A32).
- If a cipher or AEAD mechanism has a PSA driver, you can now build the library without the corresponding built-in implementation. Generally speaking that requires both the key type and algorithm to be accelerated or they'll both be built in. However, for CCM and GCM the built-in implementation is able to take advantage of a driver that only accelerates the key type (that is, the block cipher primitive). See docs/driver-only-builds.md for full details and current limitations.
- The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
- Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code size by disabling it in more circumstances. In particular, the CCM and GCM modules no longer depend on MBEDTLS_CIPHER_C. Also, MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all unauthenticated (non-AEAD) ciphers are disabled, or if they're all fully provided by drivers. See docs/driver-only-builds.md for full details and current limitations; in particular, NIST_KW and PKCS5/PKCS12 decryption still unconditionally depend on MBEDTLS_CIPHER_C.
- Add support for the record size limit extension as defined by RFC 8449 and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT. Application data sent and received will be fragmented according to the record size limits negotiated during the handshake.
- Improve performance of AES-GCM, AES-CTR and CTR-DRBG when hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
- Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa() to convert between Mbed TLS and PSA curve identifiers.
- Add utility functions to manipulate mbedtls_ecp_keypair objects, filling gaps made by making its fields private: mbedtls_ecp_set_public_key(), mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(), mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
- Add functions mbedtls_md_psa_alg_from_type() and mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and psa_algorithm_t.
- Add partial platform support for z/OS.
- Improve performance for gcc (versions older than 9.3.0) and IAR.
- Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to convert ECDSA signatures between raw and DER (ASN.1) formats.
- Add support for using AES-CBC 128, 192, and 256 bit schemes with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
- The new function mbedtls_rsa_get_bitlen() returns the length of the modulus in bits, i.e. the key size for an RSA key.
- Add pc files for pkg-config, e.g.: pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
- Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access mbedtls_ssl_session.ticket_creation_time.
- The new functions mbedtls_pk_get_psa_attributes() and mbedtls_pk_import_into_psa() provide a uniform way to create a PSA key from a PK key.
- The benchmark program now reports times for both ephemeral and static ECDH in all ECDH configurations.
- Add support for 8-bit GCM tables for Shoup's algorithm to speed up GCM operations when hardware accelerated AES is not present. Improves performance by around 30% on 64-bit Intel; 125% on Armv7-M.
- The new function psa_generate_key_ext() allows generating an RSA key pair with a custom public exponent.
- The new function mbedtls_ecp_write_key_ext() is similar to mbedtls_ecp_write_key(), but can be used without separately calculating the output length.
- Add new accessor to expose the private group id member of the mbedtls_ecdh_context structure.
- Add new accessor to expose the MBEDTLS_PRIVATE(ca_istrue) member of the mbedtls_x509_crt structure. This requires setting the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's ext_types field.
- mbedtls_psa_get_random() is always available as soon as MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be used as random number generator function (f_rng) and context (p_rng) in legacy functions.
- The new functions mbedtls_pk_copy_from_psa() and mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context with the same content as a PSA key.
- Add new accessors to expose the private session-id, session-id length, and ciphersuite-id members of the mbedtls_ssl_session structure. Add new accessor to expose the ciphersuite-id of the mbedtls_ssl_ciphersuite_t structure. Design ref: #8529
- Mbed TLS now supports the writing and reading of TLS 1.3 early data (see docs/tls13-early-data.md). The support enablement is controlled at build time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
- Add protection for multithreaded access to the PSA keystore and protection for multithreaded access to the PSA global state, including concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and MBEDTLS_THREADING_PTHREAD are defined. See docs/architecture/psa-thread-safety/psa-thread-safety.md for more details. Resolves issues #3263 and #7945.
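The raw/DER ECDSA signature conversion added in 3.6.0 above, and the bounds check the 3.6.1 fix for CVE-2024-45158 is about, as an added stand-alone model (not Mbed TLS code; the library's mbedtls_ecdsa_raw_to_der() has its own signature and error codes). It validates the bits parameter against the largest curve it supports before touching its fixed-size scratch buffer; the names ecdsa_raw_to_der_checked, der_write_uint and MAX_CURVE_BITS are constructed for this example.

```c
/* Added example, not Mbed TLS code: raw r||s -> DER SEQUENCE { INTEGER r, INTEGER s }
 * with the bounds check on `bits` that CVE-2024-45158 concerns. Names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CURVE_BITS 521                         /* largest curve this model accepts */
#define MAX_COORD_LEN  ((MAX_CURVE_BITS + 7) / 8)  /* 66 bytes per r or s */

/* Write one unsigned big-endian integer as a DER INTEGER (tag 0x02).
 * Returns bytes written, or -1 if `out` is too small. */
static int der_write_uint(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_size)
{
    while (in_len > 1 && in[0] == 0x00) {   /* DER forbids redundant leading zeros */
        in++; in_len--;
    }
    size_t pad = (in[0] & 0x80) ? 1 : 0;    /* leading 0x00 keeps the value non-negative */
    size_t content = in_len + pad;
    if (content > 127 || out_size < 2 + content)
        return -1;
    out[0] = 0x02;
    out[1] = (uint8_t)content;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, in, in_len);
    return (int)(2 + content);
}

/* Convert raw r||s (each ceil(bits/8) bytes) into a DER SEQUENCE.
 * Returns 0 on success, -1 on any size violation. Nothing is written into the
 * fixed-size scratch buffer until `bits` and `raw_len` have been validated. */
int ecdsa_raw_to_der_checked(size_t bits, const uint8_t *raw, size_t raw_len,
                             uint8_t *der, size_t der_size, size_t *der_len)
{
    if (bits == 0 || bits > MAX_CURVE_BITS)  /* the check the CVE fix adds: reject oversized curves */
        return -1;
    size_t coord_len = (bits + 7) / 8;
    if (raw_len != 2 * coord_len)
        return -1;
    uint8_t body[2 * (2 + 1 + MAX_COORD_LEN)];  /* worst case: two padded INTEGERs */
    int r_len = der_write_uint(raw, coord_len, body, sizeof body);
    if (r_len < 0) return -1;
    int s_len = der_write_uint(raw + coord_len, coord_len,
                               body + r_len, sizeof body - (size_t)r_len);
    if (s_len < 0) return -1;
    size_t content = (size_t)r_len + (size_t)s_len;
    size_t hdr = content < 128 ? 2 : 3;     /* short form, or 0x81 long form (needed for P-521) */
    if (der_size < hdr + content)
        return -1;
    der[0] = 0x30;
    if (hdr == 2) { der[1] = (uint8_t)content; }
    else          { der[1] = 0x81; der[2] = (uint8_t)content; }
    memcpy(der + hdr, body, content);
    *der_len = hdr + content;
    return 0;
}
```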
Security
- Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3 ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A malicious client could cause information disclosure or a denial of service.
- Passing buffers that are stored in untrusted memory as arguments to PSA functions is now secure by default. The PSA core now protects against modification of inputs or exposure of intermediate outputs during operations. This is currently implemented by copying buffers. This feature increases code size and memory usage. If buffers passed to PSA functions are owned exclusively by the PSA core for the duration of the function call (i.e. no buffer parameters are in shared memory), copying...
Mbed TLS 2.28.8
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.
Security Advisories
For full details, please see the following links:
Release Notes
Features
- AES-NI is now supported in Windows builds with clang and clang-cl. Resolves #8372.
- Add pc files for pkg-config, e.g.: pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
Security
- Passing buffers that are stored in untrusted memory as arguments
to PSA functions is now secure by default.
The PSA core now protects against modification of inputs or exposure
of intermediate outputs during operations. This is currently implemented
by copying buffers.
This feature increases code size and memory usage. If buffers passed to
PSA functions are owned exclusively by the PSA core for the duration of
the function call (i.e. no buffer parameters are in shared memory),
copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
Note that setting this option will cause input-output buffer overlap to
be only partially supported (#3266).
Fixes CVE-2024-28960.
Bugfix
- Fix the build with CMake when Everest is enabled through a user configuration file or the compiler command line. Fixes #8165.
- Fix an inconsistency between implementations and usages of __cpuid, which mainly causes failures when building Windows targets using mingw or clang. Fixes #8334 & #8332.
- Correct initial capacities for key derivation algorithms: TLS12_PRF, TLS12_PSK_TO_MS.
- Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a multiple of 8. Fixes #868.
- Avoid segmentation fault caused by releasing an uninitialized entropy resource in the gen_key example. Fixes #8809.
- Fix missing bitflags in SSL session serialization headers. Their absence allowed SSL sessions saved in one configuration to be loaded in a different, incompatible configuration.
- Fix the restoration of the ALPN when loading a serialized connection with the mbedtls_ssl_context_load() API.
- Fully support arbitrary overlap between inputs and outputs of PSA functions. Note that overlap is still only partially supported when MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
Changes
- Use heap memory to allocate DER encoded public/private key. This reduces stack usage significantly for writing a public/private key to a PEM string.
- cmake: Use GnuInstallDirs to customize install directories. Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if LIB_INSTALL_DIR is set.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Note
❕ mbedtls-2.28.8.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies, and can't be configured.
Checksum
The SHA256 hashes for the archives are:
241c68402cef653e586be3ce28d57da24598eb0df13fcdea9d99bfce58717132 mbedtls-2.28.8.tar.bz2