- mbed-tls - lists.trustedfirmware.org

Updated invitation with note: MBed-TLS Technical Forum - Asia @ Every 4 weeks from 10am to 10:50am on Monday (GMT) (mbed-tls@lists.trustedfirmware.org)

by Shaun Longhorn

This event has been updated with a note: "Pushing meeting link" Changed: location MBed-TLS Technical Forum - Asia Every 4 weeks from 10am to 10:50am on Monday United Kingdom Time Location https://linaro-org.zoom.us/j/97758661706?pwd=baMjUvnWbY20z3ignQca7QVahhozkI… https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9775866… Join Zoom Meeting https://linaro-org.zoom.us/j/99853938085?pwd=D3au597hb9J1veo1W74pIqkvY6VaDI… Join by phone (US) +1 833-548-0282 passcode: 12278212 Joining instructions https://www.google.com/url?q=https://applications.zoom.us/addon/invitation/… Joining notes Meeting host: shaun.longhorn(a)linaro.org Join Zoom Meeting: https://linaro-org.zoom.us/j/99853938085?pwd=D3au597hb9J1veo1W74pIqkvY6VaDI… ──────────https://linaro-org.zoom.us/j/99853938085?pwd=D3au597hb9J1veo1W74pIqkvY6VaDI.1&jst=2Joining Instructions────────── Guests mbed-tls(a)lists.trustedfirmware.org psa-crypto(a)lists.trustedfirmware.org View all guest info https://calendar.google.com/calendar/event?action=VIEW&eid=NjI4c3NnYjFoZHRh… Reply for mbed-tls(a)lists.trustedfirmware.org and view more details https://calendar.google.com/calendar/event?action=VIEW&eid=NjI4c3NnYjFoZHRh… Your attendance is optional. ~~//~~ Invitation from Google Calendar: https://calendar.google.com/calendar/ You are receiving this email because you are an attendee on the event. Forwarding this invitation could allow any recipient to send a response to the organizer, be added to the guest list, invite others regardless of their own invitation status, or modify your RSVP. Learn more https://support.google.com/calendar/answer/37135#forwarding

1 hour, 13 minutes

1
0
0 0

Synced invitation: MBed-TLS Technical Forum - Asia @ Every 4 weeks from 10am to 10:50am on Monday (BST) (mbed-tls@lists.trustedfirmware.org)

by Shaun Longhorn

This email keeps the event up to date in your calendar. MBed-TLS Technical Forum - Asia Every 4 weeks from 10am to 10:50am on Monday United Kingdom Time Location https://linaro-org.zoom.us/j/97758661706?pwd=baMjUvnWbY20z3ignQca7QVahhozkI… https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9775866… Trusted Firmware is inviting you to a scheduled Zoom meeting.Topic: MBed-TLS Technical Forum - AsiaTime: Jun 16, 2025 10:00 AM London Every 4 weeks on Mon, 39 occurrence(s)Please download and import the following iCalendar (.ics) files to your calendar system.Weekly: https://linaro-org.zoom.us/meeting/tJMqcuGuqDotGtIbACm498ytl0ZhydWKdu1b/ics… Zoom Meetinghttps://linaro-org.zoom.us/j/97758661706?pwd=baMjUvnWbY20z3ignQca7QVahhozkI.1Meeting ID: 977 5866 1706Passcode: 577208---One tap mobile+16892781000,,97758661706# US+17193594580,,97758661706# US---Dial by your location• +1 689 278 1000 US• +1 719 359 4580 US• +1 253 205 0468 US• +1 253 215 8782 US (Tacoma)• +1 301 715 8592 US (Washington DC)• +1 305 224 1968 US• +1 309 205 3325 US• +1 312 626 6799 US (Chicago)• +1 346 248 7799 US (Houston)• +1 360 209 5623 US• +1 386 347 5053 US• +1 507 473 4847 US• +1 564 217 2000 US• +1 646 558 8656 US (New York)• +1 646 931 3860 US• +1 669 444 9171 US• +1 669 900 9128 US (San Jose)• 833 548 0282 US Toll-free• 833 928 4608 US Toll-free• 833 928 4609 US Toll-free• 833 928 4610 US Toll-free• 877 853 5247 US Toll-free• 888 788 0099 US Toll-free• 833 548 0276 US Toll-freeMeeting ID: 977 5866 1706Find your local number: https://linaro-org.zoom.us/u/acdtApJNbc Guests mbed-tls(a)lists.trustedfirmware.org psa-crypto(a)lists.trustedfirmware.org ~~//~~ Invitation from Google Calendar: https://calendar.google.com/calendar/ You are receiving this email because you are an attendee on the event. Forwarding this invitation could allow any recipient to send a response to the organizer, be added to the guest list, invite others regardless of their own invitation status, or modify your RSVP. Learn more https://support.google.com/calendar/answer/37135#forwarding

1 hour, 13 minutes

1
0
0 0

Updated invitation with note: MBed TLS Technical Forum - US @ Every 4 weeks from 4:30pm to 5:30pm on Monday (BST) (mbed-tls@lists.trustedfirmware.org)

by Shaun Longhorn

This event has been updated with a note: "Pushing to fix meeting link issue" Changed: location MBed TLS Technical Forum - US Every 4 weeks from 4:30pm to 5:30pm on Monday United Kingdom Time Location https://linaro-org.zoom.us/j/93546216467?pwd=ja9Nxd0uLBn04jg1Be0NTy17Konzfl… https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9354621… Trusted Firmware is inviting you to a scheduled Zoom meeting.Topic: MBed TLS Technical Forum - USTime: May 4, 2026 04:30 PM LondonEvery 4 weeks on Mon, 38 occurrence(s)Please download and import the following iCalendar (.ics) files to your calendar system.Weekly: https://linaro-org.zoom.us/meeting/tJcoc--qrz0uHNNmuZMtfpylBgIZjC2so7xz/ics… Zoom Meetinghttps://linaro-org.zoom.us/j/93546216467?pwd=ja9Nxd0uLBn04jg1Be0NTy17Konzfl.1Meeting ID: 935 4621 6467Passcode: 683772---One tap mobile+13126266799,,93546216467# US (Chicago)+13462487799,,93546216467# US (Houston)---Dial by your location• +1 312 626 6799 US (Chicago)• +1 346 248 7799 US (Houston)• +1 360 209 5623 US• +1 386 347 5053 US• +1 507 473 4847 US• +1 564 217 2000 US• +1 646 558 8656 US (New York)• +1 646 931 3860 US• +1 669 444 9171 US• +1 669 900 9128 US (San Jose)• +1 689 278 1000 US• +1 719 359 4580 US• +1 253 205 0468 US• +1 253 215 8782 US (Tacoma)• +1 301 715 8592 US (Washington DC)• +1 305 224 1968 US• +1 309 205 3325 US• 833 928 4609 US Toll-free• 833 928 4610 US Toll-free• 877 853 5247 US Toll-free• 888 788 0099 US Toll-free• 833 548 0276 US Toll-free• 833 548 0282 US Toll-free• 833 928 4608 US Toll-freeMeeting ID: 935 4621 6467Find your local number:https://linaro-org.zoom.us/u/azKzC20VI Guests psa-crypto(a)lists.trustedfirmware.org mbed-tls(a)lists.trustedfirmware.org hordijk(a)aurora.tech Ben Taylor cjej65eug(a)gmail.com View all guest info https://calendar.google.com/calendar/event?action=VIEW&eid=dm9wcGhnbnZvMnRh… Reply for mbed-tls(a)lists.trustedfirmware.org and view more details https://calendar.google.com/calendar/event?action=VIEW&eid=dm9wcGhnbnZvMnRh… Your attendance is optional. ~~//~~ Invitation from Google Calendar: https://calendar.google.com/calendar/ You are receiving this email because you are an attendee on the event. Forwarding this invitation could allow any recipient to send a response to the organizer, be added to the guest list, invite others regardless of their own invitation status, or modify your RSVP. Learn more https://support.google.com/calendar/answer/37135#forwarding

1 hour, 14 minutes

1
0
0 0

extract AKI info from cert via mbedtls ?

by Danny Backx

Hi, How can I extract the AKI (Authority Key Identifier) from a certificate using mbedtls ? I could parse the certificate file itself, I guess, but isn't that what mbedtls does? Thanks, Danny https://www.rfc-editor.org/info/rfc5280#section-4.2.1.1 -- Danny Backx - dannybackx(a)telenet.be

1 week, 3 days

3
4
0 0

Proposal to unify tf.org vulnerability referencing in NVD

by sandrine.afsa＠arm.com

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

3 weeks, 4 days

1
0
0 0

CI infrastructure scheduled maintenance: 4th June Sep 2026

by Saheer Babu

Hi all, We will be upgrading Cloudbees CI and clusters hosting review.trustedfirmware.org and ci.trustedfirmware.org on Wednesday, 3rd June 2025 at 16:00 GMT+1. During this maintenance window, both services will be unavailable for approximately 8 hours. A follow-up email will be sent once the services are fully restored. Best regards, Saheer [LOGO SMALL] Saheer Babu Principal Software Engineer CESW – Engineering Infrastructure

3 weeks, 5 days

1
2
0 0

need help migrating to mbedtls 4.0 (esp32)

by Danny Backx

I got into trouble with migrating to the latest (v6.0) version of esp-idf, because it implies a migration to mbedtls 4.0. I had a working application (library really) to obtain ACME certificates from letsencrypt.org. I tried porting, but ran into trouble. So please help. To debug, I try to mimic the example in Appendix A.2 of RFC 7515. Where this should obviously succeed, the current output I get is : I (12:57:46.067) main_task: Calling app_main() I (12:57:46.088) Crypto: Acme standalone client example © 2026 by Danny Backx I (12:57:46.089) Crypto: checkRfc7515_a21 Base64({"alg":"RS256"}) -> eyJhbGciOiJSUzI1NiJ9 is correct I (12:57:46.094) Crypto: checkRfc7515_a21 Base64({"iss":"joe", "exp":1300819380, "http://example.com/is_root":true}) -> eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ is correct I (12:57:46.121) Crypto: checkRfc7515_a21 importPrivateKey() -> 1073741825 E (12:57:46.122) psa_crypto: psa_get_and_lock_key_slot_with_policy psa_key_policy_permits -> -133 E (12:57:46.129) psa_crypto: psa_sign_internal psa_get_and_lock_key_slot_with_policy -> -133 E (12:57:46.137) Crypto: psa_sign_hash (key 1073741825) failed (not permitted, -133 0x0085) I (12:57:46.145) Crypto: checkRfc7515_a21 Signature(eyJhbGciOiJSUzI1NiJ9,eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ) -> (null) E (12:57:46.161) Crypto: Signature 0, fail E (12:57:46.165) Crypto: RFC 7515 A.2.1 : validation failed Some of the "psa_crypto" lines come from debug statements I added in the library. The whole source for this is in one file at https://sourceforge.net/p/esp32-acme-client/code/HEAD/tree/trunk/examples/s… . Obviously it's the hashing step which I had under control with a previous library which I don't call correctly (or I don't know how to import the right key). What am I doing wrong ? Thanks, Danny -- Danny Backx - dannybackx(a)telenet.be

1 month, 1 week

2
2
0 0

mbedtls_ssl_read() return code MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET

by Fabian Keil

I'm currently working on adding MbedTLS 4.x support for Privoxy [0] and noticed that mbedtls_ssl_read() frequently returns MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. Apparently the error code was added in f8a4994ec7 and marked experimental in da13072c5b. It doesn't seem explicitly documented at [1], but of course it's covered by "or another negative error code". My current solution is to simply continue reading: extern int ssl_recv_data(struct ssl_attr *ssl_attr, unsigned char *buf, size_t max_length) { [...] do { ret = mbedtls_ssl_read(ssl, buf, max_length); #if MBEDTLS_VERSION_MAJOR > 3 if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) { log_error(LOG_LEVEL_CONNECT, "mbedtls_ssl_read() reported new session ticket for " "the connection on socket %d.", ssl_attr->mbedtls_attr.socket_fd.fd); } #endif } while (ret == MBEDTLS_ERR_SSL_WANT_READ #if MBEDTLS_VERSION_MAJOR > 3 || ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET #endif || ret == MBEDTLS_ERR_SSL_WANT_WRITE); When using MbedTLS 4.1.0 on ElectroBSD 14.4-STABLE this seems to work. For some connections the log message is emitted once, for others it's emitted twice: 09:20:58.982 024 Connect: Connected to 127.0.1.2[127.0.1.2]:9050. 09:20:59.222 024 Connect: Created new connection to www.electrobsd.org:443 on socket 9. 09:20:59.243 024 Connect: Performing the TLS handshake with the server. 09:20:59.583 024 Connect: Server successfully connected over TLSv1.3 (TLS1-3-CHACHA20-POLY1305-SHA256). 09:20:59.583 024 Connect: Encrypted request sent. 09:20:59.809 024 Connect: mbedtls_ssl_read() reported new session ticket for the connection on socket 9. 09:20:59.902 024 Connect: mbedtls_ssl_read() reported new session ticket for the connection on socket 9. 09:21:00.041 024 Header: scan: HTTP/1.1 200 OK I noticed that there's already an open ticket [2] which contains the sentence: | For client side, mbedtls_ssl_{read,write} might return the error also, | we should process it in the error handler also. I haven't seen mbedtls_ssl_write() return MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET yet, though. Can you confirm that handling MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET by continuing reading is currently the best option? Thanks. Fabian [0]: <https://www.privoxy.org/> [1]: <https://os.mbed.com/teams/sandbox/code/mbedtls/docs/tip/ssl_8h.html#aa2c29e…> [2]: <https://github.com/Mbed-TLS/mbedtls/issues/6640>

2 months

2
2
0 0

Could anyone please handle this PR?

by Elsa zz

Hi, Could anyone please handle this PR? Fix build warning/error using llvm-mingw: - https://github.com/Mbed-TLS/mbedtls/pull/10695 Thanks!

2 months, 2 weeks

1
0
0 0

Max. heap size for X509 certificate chain verification

by Huber, Ralf

Dear Mbed TLS contributors, I am working on an embedded project where we need to verify an X509 certificate chain with up to 4 certificates (root cert + 2 intermediates + client cert) and a CRL. The certificates contain public keys for ECDSA for the SECP_R1_256 curve. We are using mbedTLS 4.x. There is no heap memory in this project. It is a vehicle control ECU and all RAM is normally statically allocated for safety reasons. However, the certificate verification is not safety critical. It is OK for us to use mbedtls_memory_buffer_alloc_init() as a heap replacement for mbedTLS. I will refer to this as the "heap" for the rest of this mail. I would like to find out how large the heap needs to be for the chain verification. The system requirements state that it shall support certificates and CRL in DER format with a size of up to 2 kB each. There are 10 kB of static RAM buffer to store 4 certificates and the CRL. The certificates are parsed with mbedtls_x509_crt_parse_der_nocopy(), so the certificate raw data is not duplicated on the heap. The CRL is parsed with mbedtls_x509_crl_parse_der(), so I am expecting that the CRL raw data will be copied to the heap. Thus, it needs to be at least 2 kB. Unfortunately, there seems to be no "_nocopy()" function for CRLs. 8 kB heap was enough in my tests to verify a chain of 3 test certificates with sizes of ca. 0.5 kB each. 6 kB heap wasn't enough to do this. Is there a way to calculate or at least estimate the maximum required heap for the given maximum certificate and CRL sizes, such that a call of mbedtls_x509_crt_verify() for the chain will never fail due to insufficient memory? Is the required heap size fixed for a given number of certificates, or does it depend on the content of the certificates? If it does depend on the content, is there some way to construct "worst case certificates" that result in maximum heap usage, so I could use them to measure the heap consumption? Any help on this topic is kindly appreciated! Best regards, Ralf Huber KION Supply Chain Solutions Linde Material Handling GmbH, Sitz der Gesellschaft: Aschaffenburg, Registergericht: Aschaffenburg HRB9963, Ust-IdNr. DE814809128, Gesch?ftsf?hrung: Andreas Krinninger (Vorsitzender), Dr. Karoline Jung-Senssfelder, Ulrike Just, Dr. Frank Schepp, Vorsitzende des Aufsichtsrats: Valeria Gargiulo

2 months, 2 weeks

2
3
0 0

2026

2025

2024

2023

2022

2021

2020

mbed-tls