Also anything you can share around the size and quantity of certificates you are parsing would be useful. 56K does seem very high, though if at the time you are parsing large numbers of large certificates it could get up that far.
Regards
Ben
---------- Forwarded message --------- From: Ben Taylor ben.taylor@linaro.org Date: Tue, 27 Jan 2026 at 11:33 Subject: Re: [mbed-tls] Some problems regarding mbed TLS To: Milorad Podoaba milo@aap.co.nz
Hi Milo, For the second issue, the memory allocation problem, if you are able to share your mbedtls configuration, that would be useful, as customising this could impact how much is allocated. Beyond this, anything further you can share about how you are using the library when you encounter high usage would be useful. Ideally a code snippet which reproduces the error, though if not, any further information will help us reproduce the error and attempt to assist you.
For the first issue, again, if you can share your config and any code snippets you have that can reproduce the issue, that would be helpful.
Many thanks
Ben
On Mon, 26 Jan 2026 at 20:54, Milorad Podoaba milo@aap.co.nz wrote:
Hi Ben,
Not sure how much code you want me to share. You need to be more specific. There might be a memory problem in our application, it is just hard to tell, and mbed TLS seems not able to recover.
At this stage, I only want to reduce the size of the buffer for the alternative memory alloc. Do you know a way to do it?
Thank you and regards, Milo
Milorad Podoaba
Firmware System Engineer
Arrowhead Alarm Products Ltd.
(09) 414 0085 | milo@aap.co.nz | www.aap.co.nz | 1A Emirali Road, Silverdale, Auckland, New Zealand
On 27/01/2026 12:19 am, Ben Taylor wrote:
Hi Milo, Thanks for reporting this issue. Is there any chance you could share some example code that can reproduce the error, so we can investigate it further?
Many thanks
Ben
On Mon, 26 Jan 2026 at 10:28, Milorad Podoaba via mbed-tls <mbed-tls@lists.trustedfirmware.org> wrote:
Hello,
Our devices are connecting to AWS IoT Core. Recently we had a few customers with poor connection complaining that the device didn't reconnect.
We are using ARM Keil MDK 8.1.0 + mbed TLS 3.6.4.
On Wireshark logs we have identified 2 errors:
- close notify from server after client hello
- bad certificate or unknown CA from client after server hello
The device was stuck on one of these errors and only a reboot would fix it. I think these 2 errors are not related.
On detailed analysis of the first error, we saw that the cipher suites list was missing and that was the reason for the close notify from the server. Looking at the TLS code, we saw that the list is being created only one time after reboot. So in ssl_ciphersuites.c I just commented out supported_init = 1 and now it seems to be good. I do not know the reason why the list was lost during runtime.
For the second error, we were able to reproduce the problem quite consistently. Some logs in the IoT client code showed that somehow TLS lost the ability to parse the server certificates properly. I believe that this was some memory allocation problem, so I've configured mbed TLS to get allocations from a separate buffer and that seems to fix the problem. This buffer has to be quite large, 56k in size. Any smaller size would return a memory allocation failure. Any reason why it has to be so big?
I just want to know if someone has had these issues before and if I can lower the buffer. Let me know if you need extra details about the problems.
Thank you and regards, Milo
-- mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org
Hi Ben,
Check our mbedTLS config in the attachment. We are using an old AWS IoT client provided by Keil (see aws_iot_device.zip), a bit modified.
For years, we used an old ARM Keil compiler, Keil MDK 7.16.0 and mbedTLS 1.8.0. The customer with poor connection had that setup in the firmware and occasionally had a problem with the device not reconnecting (bad certificate issue).
Recently we moved to the latest ARM Keil compiler, MDK 8.1.0 and mbedTLS 3.6.4. After that we have started to see the first problem (close notify - cipher suites list missing). This problem cannot be reproduced. Sometimes it happened twice a day and sometimes it went fine for days. I've checked the memory map and saw that the supported_ciphersuites array is next to a string buffer used to build the mqtt payload. I've increased the size of that but it's really hard to say if that one is the culprit. I also modified the mbedtls_ssl_list_ciphersuites function to create the cipher list at every call. Now the problem seems to be gone.
The second problem was reproducible but it took some time. We had to change between networks (change routers) approx. 20 times. In between, the device would try to reconnect several times and after that would reinitialize the TCP stack, acquire a new DHCP address and try to connect. Switching to the alternative memory alloc solved the problem. I know it's a bit crazy but these are the facts.
Our certificates (cert and keys) are less than 2 kB in size. For me, 56k does not make any sense.
Regards, Milo
On 28/01/2026 12:40 am, Ben Taylor wrote:
Also anything you can share around the size and quantity of certificates you are parsing would be useful. 56K does seem very high, though if at the time you are parsing large numbers of large certificates it could get up that far.
Regards
Ben
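Ben's question about the size and number of certificates and Milo's point that 56k makes no sense for sub-2 kB certificates both come down to measuring what the library actually allocates instead of guessing a pool size. What follows is an added example, not code from this thread, from Keil's IoT client or from mbed TLS itself: a tracking calloc/free pair of the shape that mbedtls_platform_set_calloc_free() accepts when MBEDTLS_PLATFORM_MEMORY is enabled. It records the heap high-water mark, which is the number to size the buffer passed to mbedtls_memory_buffer_alloc_init() from, and whatever is still live after each connect/disconnect cycle, because a non-zero residue per cycle is an application-side leak and is exactly what makes a fixed pool fail only after many reconnects. Here it is driven by a constructed workload so it runs without the library: two 16 KiB record buffers (16384 is the mbed TLS 3.x default for MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN) plus a three-certificate chain. The cycle shape, the leak size and ASSUMED_BLOCK_OVERHEAD are assumptions for the demo, not measurements from Milo's device.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Statistics kept by the tracking allocator. */
typedef struct {
    size_t cur_bytes, peak_bytes;    /* live bytes now / highest ever */
    size_t cur_blocks, peak_blocks;  /* live blocks now / highest ever */
    size_t alloc_calls, free_calls, failed;
} mem_stats_t;

static mem_stats_t g_stats;

/* Header stored in front of every block so free() knows its size; the
 * union keeps the pointer handed out suitably aligned. */
typedef union { size_t size; max_align_t align; } hdr_t;

/* calloc replacement with the signature mbedtls_platform_set_calloc_free()
 * expects for its first argument (assumed hook-up, not shown here). */
void *tracked_calloc(size_t n, size_t size)
{
    if (size != 0 && n > (size_t)-1 / size) { g_stats.failed++; return NULL; }
    size_t bytes = n * size;
    hdr_t *h = malloc(sizeof(hdr_t) + bytes);
    if (h == NULL) { g_stats.failed++; return NULL; }
    h->size = bytes;
    memset(h + 1, 0, bytes);
    g_stats.alloc_calls++;
    g_stats.cur_bytes += bytes;
    g_stats.cur_blocks++;
    if (g_stats.cur_bytes > g_stats.peak_bytes) g_stats.peak_bytes = g_stats.cur_bytes;
    if (g_stats.cur_blocks > g_stats.peak_blocks) g_stats.peak_blocks = g_stats.cur_blocks;
    return h + 1;
}

/* free replacement for the second argument of the same hook. */
void tracked_free(void *p)
{
    if (p == NULL) return;
    hdr_t *h = (hdr_t *)p - 1;
    g_stats.free_calls++;
    g_stats.cur_bytes -= h->size;
    g_stats.cur_blocks--;
    free(h);
}

void tracked_reset(void) { memset(&g_stats, 0, sizeof g_stats); }
mem_stats_t tracked_stats(void) { return g_stats; }

/* Blocks the modelled application "forgets"; kept so the demo can release
 * them at the end instead of leaking for real. */
#define MAX_LEAKS 64
static void *g_leaked[MAX_LEAKS];
static size_t g_nleaked;

/* Constructed stand-in for one connect/disconnect cycle: two record buffers
 * of io_len bytes, a chain of n_certs parsed certificates of cert_len bytes,
 * and `leak` bytes that are not released (0 = no leak). Returns the peak
 * live bytes seen so far. */
size_t run_cycles(int cycles, size_t n_certs, size_t cert_len,
                  size_t io_len, size_t leak)
{
    for (int c = 0; c < cycles; c++) {
        void *in_buf = tracked_calloc(1, io_len);
        void *out_buf = tracked_calloc(1, io_len);
        void **chain = tracked_calloc(n_certs, sizeof *chain);
        for (size_t i = 0; i < n_certs; i++)
            chain[i] = tracked_calloc(1, cert_len);
        if (leak != 0 && g_nleaked < MAX_LEAKS)
            g_leaked[g_nleaked++] = tracked_calloc(1, leak);
        for (size_t i = 0; i < n_certs; i++)
            tracked_free(chain[i]);
        tracked_free(chain);
        tracked_free(out_buf);
        tracked_free(in_buf);
    }
    return g_stats.peak_bytes;
}

void drain_leaks(void)
{
    while (g_nleaked > 0)
        tracked_free(g_leaked[--g_nleaked]);
}

/* Assumed per-block overhead of the mbed TLS buffer allocator (its block
 * header plus alignment padding); the real figure depends on the target. */
#define ASSUMED_BLOCK_OVERHEAD 64

/* Pool size suggested by a measured peak: live bytes plus header overhead. */
size_t pool_estimate(const mem_stats_t *s)
{
    return s->peak_bytes + s->peak_blocks * ASSUMED_BLOCK_OVERHEAD;
}

int main(void)
{
    tracked_reset();
    run_cycles(20, 3, 1500, 16384, 512);   /* 20 reconnects, 512 B lost each */
    mem_stats_t s = tracked_stats();
    printf("peak %zu bytes in %zu blocks, pool estimate %zu bytes\n",
           s.peak_bytes, s.peak_blocks, pool_estimate(&s));
    if (s.cur_bytes != 0)
        printf("still live after cycles: %zu bytes (%zu per cycle)\n",
               s.cur_bytes, s.cur_bytes / 20);
    drain_leaks();
    return 0;
}
```

The value to act on is not the peak alone: if cur_bytes does not return to its pre-connection value after a cycle, no pool size is right, because the residue accumulates until allocation fails, which matches a failure that only appears after about twenty network switches. mbed TLS's own buffer allocator can report the same figures on target when MBEDTLS_MEMORY_DEBUG is enabled (mbedtls_memory_buffer_alloc_max_get and mbedtls_memory_buffer_alloc_cur_get), so the wrapper is mainly useful where the system allocator is still in use.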