Mbed TLS is now part of TrustedFirmware.org.

mbed TLS 1.3.10 released


mbed 1.3.10 has been released!

Wait, what? mbed TLS? Yes!

As part of the acquisition by ARM, PolarSSL has been rebranded as of today to mbed TLS to better show its fit inside the mbed ecosystem. You can read more about that in my blog post on the mbed Community site and in the official press release.

On the security front this release fixes the (mis-numbered) Security Advisory 2014-04. In addition it fixes two related memory leaks also found by Codenomicon Defensics and a theoretical timing based Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges.

New features include support for the new TLS extensions FALLBACK_SCSV, Extended Master Secret and Encrypt-Than-MAC.

In addition a number of bugs were fixed and default behaviour of the library was changed to provide more secure defaults.


Security Advisory 2014-04 was published two weeks ago to release a one-line fix for a potential remote code execution issue. In that same run Codenomicon Defensics found a potential remote memory leak (mind you, not a data leak), and a remote stack overflow (not a stack-based buffer overflow).

Sebastian Schinzel pointed us to a paper he co-authored describing a Bleichenbacher-style attack on the RSA and RSA-PSK key exchanges. The attack builds on top of a timing difference in the handshake when decrypting the PreMasterSecret. Since we carefully check for full PKCS#1 v1.5 and TLS compliance, the oracle provided by our timing difference is actually too weak to be exploitable in practice (would require upwards of 10^12 interactions in an ideal environment). Furthermore, our timings show that our side-channel is quite small (specifically, it is less than 3 microseconds) which means even more interactions would be required in a production environment. Then again, the potential is there, so we modified our code to now have a constant-time process.


This release primarily adds support for the FALLBACK_SCSV extension, the Extended Master Secret extension and the Encrypt-then-MAC extension.

In addition, to limit the attack surface, you can now at compile time disable support for renegotiation and limit the length of an X.509 verification chain.

For specific situation, you can now use 1/n-1 record splitting and the server now selects certificates based on signature hash, prefering SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available.

More features can be found in the ChangeLog.


Important changes in this release include:

  • Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
  • Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
  • ssl_set_own_cert() now returns an error on key-certificate mismatch.
  • Forbid repeated extensions in X.509 certificates.
  • debug_print_buf() now prints a text view in addition to hexadecimal.
  • A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set.
  • It is now possible to disable negotiation of truncated HMAC server-side at runtime with ssl_set_truncated_hmac().
  • Example programs for SSL client and server now disable SSLv3 by default.
  • Example programs for SSL client and server now disable RC4 by default.
  • Use platform.h in all test suites and programs.

Bug fixes

Fixes include:

  • Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
  • Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
  • User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald).
  • Fix potential undefined behaviour in Camellia.
  • Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai).
  • Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic).
  • Fix assembly selection for MIPS64 (thanks to James Cowgill).
  • ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson).
  • Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.)
  • On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard).

More details can be found in the ChangeLog.

Who should update

We advise users of PolarSSL to update if they:

  • use any version of the earlier PolarSSL library

Download links

Get your copy here: mbedtls-1.3.10-gpl.tgz


The hashes for mbedtls-1.3.10-gpl.tgz are:

SHA-1  : a3a94c7fd70ed173543a6024961407336a03b838
SHA-256: 746fd88e0c6623691fc56c4eed52e40a57b2da0ac80f6dd8995094aa6adb407e

Note: these hashes are for the current tarball (released 2015-02-16), which fixes the soname that had not been properly updated in the original tarball with make (cmake had the correct version). For reference, the original hashes were:

SHA-1  : 9eddfd8cfd5e6e05f78d7890852620d7c1f21baf
SHA-256: d221b02acc96fda8259d9e57798dee9de72977902afb0c63e552b5510c6503a3

Like this?




Last updated:
Feb 16, 2015


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.