Mbed TLS is now part of TrustedFirmware.org.

mbed TLS 1.3.11 released


mbed 1.3.11 has been released!

This release is mainly fixing a number of outstanding issues and security fixes.

Minor features have been added to enhance functionality and usability.


Handling of the SSL_VERIFY_OPTIONAL authmode was changed to make sure that information about keyUsage and extendedKeyUsage was properly propagated and accessible to the calling function. Just as a reminder, SSL_VERIFY_REQUIRED is the recommended security setting for authmode.

A team of security researchers dove back into the Lucky 13 issue and found potential weaknesses in SSL implementations when the attacker can execute code on the same physical machine. mbed TLS was modified to always generate a cache miss and make sure that attackers gain no information from that event. More can be read in the paper Lucky 13 strikes back.


General improvements were made in the platform layer to allow abstracting more platform-dependent functions and allow them to be replaced by macros.

Contributions were taken to improve ECC performance, and add support for Diffie-Hellman parameters that encode private value lengths.

More features can be found in the ChangeLog.


Important changes in this release include:

  • Remove bias in mpi_gen_prime (contributed by Pascal Junod).
  • Remove potential sources of timing variations (some contributed by Pascal Junod).
  • Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
  • Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
  • compat-1.2.h and openssl.h are deprecated.
  • Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev).
  • ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10).
  • Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder).
  • Remove some unneeded inclusions of header files from the standard library "minimize" others (e.g. use stddef.h if only size_t is needed).
  • Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code.
  • Remove dependency on sscanf() in X.509 parsing modules.

Bug fixes

Fixes include:

  • Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
  • Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
  • Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara).
  • Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context.
  • Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape).
  • Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan).
  • mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic).
  • Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time.
  • Fix handling of symlinks by "make install" (found by Gaël PORTAY).
  • Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl).
  • Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected.
  • Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
  • Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
  • Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele).
  • Fix warnings from mingw64 in timing.c (found by kxjklele).
  • Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms.
  • Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
  • Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10).
  • Add missing extern "C" guard in aesni.h (reported by amir zamani).
  • Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai).
  • Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed.

More details can be found in the ChangeLog.

Who should update

We advise users of mbed TLS (and PolarSSL) to update.

Download links

Get your copy here: mbedtls-1.3.11-gpl.tgz


The hashes for mbedtls-1.3.11-gpl.tgz are:

SHA-1  : 3948084c9d3312b381d458b06d9a2066c3cc0184
SHA-256: 67a593027b6a442a4fa5b6c224c4ac8cdae5be721f5a28a11d34f10dcda441cb

Like this?




Last updated:
Aug 11, 2015


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.