Any third-party software component facing a hostile environment, such as the Internet, has a fundamental requirement to be continuously maintained, and this is especially true of a security and cryptographic component such as Mbed TLS. As new security issues arise in the standards or in the implementation, it is essential they are fixed and patches be made available.
Mbed TLS 2.7
As such, we are pleased to announce that Mbed TLS 2.7 will now become our next LTS (Long Term Support) branch, and that we will continue to maintain it for the next 3 years, until at least February 2021.
During that period, we will maintain the API (Application Programming Interface) to be source code compatible, and as far as we are able, maintain the ABI (Application Binary Interface), to ensure that users of the library can make the minimum of changes to their own software to ensure against regressions being introduced into their application software. Wherever possible, the interface will remain the same. No new features will be introduced, and the API will not be extended, unless required by significant security issues, or issues of interoperability with other vendors TLS stacks.
Given we plan to add no new features into the Mbed TLS 2.7 branch, those designing Mbed TLS into embedded systems, should be assured that your design can accept newer versions of the library on this branch without significant changes in its code or RAM requirements.
Mbed TLS 2.1
In addition, we are also pleased to confirm that the Mbed TLS 2.1 branch will continue to be maintained until at least November 2018, when it will be three years old. Again, we will continue the policy of maintaining the API and ABI as far as possible, and of adding no new features, to ensure against regressions and to maintain a similar code and RAM footprint.
Mbed TLS 1.3
Mbed TLS 1.3.0 was first released in October 2013, and over the last 4 years has been designed into many different products and open source projects. In that time, the API has changed a lot and the library has been enhanced with many new features and improvements.
However, Mbed TLS 1.3 has now reached its end of life and will not be maintained any further. We recommend all users of Mbed TLS 1.3 to upgrade to a later version of Mbed TLS wherever possible.
We will tag in github all submitted issues and pull requests relating to this branch as ‘Mbed TLS 1.3’, so users continuing to use this branch can be aware of new issues or available fixes as they arise, but users should be aware that no further pull requests to the Mbed TLS 1.3 branch can be accepted Users seeking assistance in upgrading to later versions of Mbed TLS are recommended to read the 'Upgrade to 2.0 Knowledgebase article'.
We will also continue to extend and expand Mbed TLS from version 2.8.0 onwards. Future versions of Mbed TLS outside the LTS (Long Term Support) branches will continue to receive new features and capabilities.
What do you think about this? We’d love to hear your feedback. Let us and other users of the library know your views through the Mbed TLS forum here.