PolarSSL is now part of ARM Official announcement and rebranded as mbed TLS.

Mbed TLS 2.14.0, 2.7.7 and 2.1.16 released


Mbed TLS version 2.14.0 has now been released, in addition to maintenance releases for Mbed TLS 2.7 and Mbed TLS 2.1.

Mbed TLS 2.14.0 introduces several new features:

  • Support for non-blocking ECC operations has been introduced with this release. This allows users of Mbed TLS on single-threaded systems to perform elliptic curve cryptographic operations inbetween other critical operations, (such as resetting a watchdog timer), without the use of a pre-emptive scheduler or RTOS. This is explained more fully in the knowledge base article 'Non-blocking ECC operations'.
  • Support for CTR-DRBG using only AES-128 cipher operations. On some devices, AES-128 cryptographic accelerators may be available, but not acceleration of AES-256. On such devices, only AES-128 may be required in designs, and by using only the AES-128 accelerator support on the device, code size can be reduced, operations made faster, and power reduced.
  • Support for smaller salt sizes for RSASSA-PSS signatures, enabling compliance with FIPS 186-4.

This release also addresses three security issues and resolves multiple defects. Mbed TLS 2.7.7 and 2.1.16 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.


  • (2.14.0, 2.7.7, 2.1.16) Fixed overly strict comparison of the X.509 DN field when searching for CRLs belonging to a particular Certificate Authority (CA). This previously lead to ignoring CRLs when the issuer's name and the Certificate Authority's subject name differed in their string encoding, such as one using PrintableString and the other using UTF8String, or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
  • (2.14.0, 2.7.7, 2.1.16) Fixed a flawed bounds check in the server PSK hint parsing. When the incoming message buffer was placed within the first 64kB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64kB beyond the incoming message buffer, potentially leading to application crash or information disclosure.
  • (2.14.0, 2.7.7, 2.1.16) Fixed mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted with a high probability as primes. This does not have an impact on the security of TLS, but can matter in other contexts with numbers chosen potentially by an adversary that should be prime and can be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht and Jake Massimo and Kenneth G. Paterson and Juraj Somorovsky.


  • (2.14.0) Added support for temporarily suspending expensive ECC computations after some configurable amount of operations. This is intended to be used in constrained, single-threaded systems where ECC operations can be time consuming and can block other operations until they complete. This feature is enabled by defining MBEDTLS_ECP_RESTARTABLE in the configuration file config.h and is configured by mbedtls_ecp_set_max_ops() at runtime. It is disabled by default. It applies to the new xxx_restartable functions in ECP, ECDSA, PK and X.509, and to existing functions in ECDH and SSL. It is currently only implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2, including client authentication, and there is no support for CRL files.
  • (2.14.0) Added support for the Arm CPU DSP extensions to accelerate asymmetric key operations. On CPUs where the extensions are available, they can accelerate the MPI multiplications used in ECC and RSA cryptography. Contributed by Aurelien Jarno.
  • (2.14.0) Extended RSASSA-PSS signature support to allow a smaller salt size. Previously, the PSS signature always used a salt with the same length as the hash, and returned an error if this was not possible. Now the salt size may be up to two bytes shorter. This allows the library to support all hash and signature sizes that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
  • (2.14.0) Added support for 128 bit keys in CTR-DRBG. Note that using keys shorter than 256 bits limits the security of generated material to 128 bits.

API Changes

  • (2.14.0) Added a common error code of MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED for features that are not supported by third party implementations of cryptographic primitives. This is useful for hardware accelerators that do not implement all options or features, such as those that support AES-128 but not AES-192 or AES-256.

New deprecations

  • (2.14.0) All module specific errors following the form MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not supported are now deprecated and are now replaced by the new equivalent platform error.
  • (2.14.0) All module specific generic hardware acceleration errors following the form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED are now deprecated and replaced by the equivalent plaform error.
  • (2.14.0) The function mbedtls_mpi_is_prime() is now deprecated in favor of mbedtls_mpi_is_prime_ext() which allows specifying the number of Miller-Rabin rounds.


  • (2.14.0) Changed the default string format used for various X.509 DN attributes was changed to UTF8String. Previously, the use of the PrintableString format led to wildcards and non-ASCII characters being unusable in some DN attributes. Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by Thomas-Dee.
  • (2.14.0, 2.7.7, 2.1.16) Fixed the wrong order of memory deallocation in the example program programs/ssl/ssl_server2 leading to a memory leak in case both MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. Fixes #2069.
  • (2.14.0, 2.7.7, 2.1.16) Fixed a bug in the update function for SSL ticket keys which previously invalidated keys of a lifetime of less than a 1s. Fixes #1968.
  • (2.14.0, 2.7.7, 2.1.16) Fixed a failure in HMAC-DRBG in the benchmark sample application, when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
  • (2.14.0, 2.7.7, 2.1.16) Fixed a bug in the record decryption routine ssl_decrypt_buf() which lead to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
  • (2.14.0, 2.7.7, 2.1.16) Fixed a memory leak and freeing without initialization in the example program programs/x509/cert_write. Fixes #1422.
  • (2.14.0, 2.7.7, 2.1.16) Now ignores the IV in mbedtls_cipher_set_iv() when the cipher mode is MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
  • (2.14.0, 2.7.7, 2.1.16) Zeroizes memory used for buffering or reassembling handshake messages after use.
  • (2.14.0, 2.7.7, 2.1.16) Uses mbedtls_platform_zeroize() instead of memset() for zeroization of sensitive data in the example programs aescrypt2 and crypt_and_hash.
  • (2.14.0, 2.7.7, 2.1.16) Fixed a compilation failure for configurations which use compile time replacements of the standard calloc/free functions through the macros MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
  • (2.1.16) Fixed a potential build failure related to the apidoc target, introduced in the previous patch release. Found by Robert Scheck. #390 #391
  • (2.1.16) Fixed programs/pkey/dh_server.c so that it works correctly with dh_client.c. Found and fixed by Martijn de Milliano.


  • (2.14.0) Now remembers the string format of X.509 DN attributes when replicating X.509 DN attributes. Previously, DN attributes were always written in their default string format, which was PrintableString in most instances. This could lead to certificates being created which used PrintableString in the issuer field even though the signing Certificate Authority used UTF8Strings in its subject field. Whilst being compliant with X.509, such certificates were rejected in some applications, such as some versions of Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by Thomas-Dee.
  • (2.14.0) Added MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and used it to reduce error probability in RSA key generation to levels mandated by FIPS-186-4..
  • (2.14.0) Removed support for Yotta as a build tool.
  • (2.14.0, 2.7.7, 2.1.16) Added tests for session resumption in DTLS.
  • (2.14.0, 2.7.7, 2.1.16) Closed a test gap in (D)TLS between the client side and the server side, to test the handling of large packets and small packets on the client side in the same way as on the server side.
  • (2.14.0, 2.7.7, 2.1.16) Changed the dtls_client and dtls_server examples to work by default over IPv6 and optionally by a build option over IPv4.
  • (2.14.0, 2.7.7, 2.1.16) Changed the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
  • (2.14.0, 2.7.7, 2.1.16) Improved documentation of mbedtls_ssl_get_verify_result(). Fixes #517 reported by github-monoculture.
  • (2.1.16) make apidoc now generates the documentation for the current configuration. Run scripts/apidoc_full.sh to generate the full documentation. This aligns the behavior with Mbed TLS versions 2.2 and later and reverts it back to how it behaved in version 2.1.3.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.

Download links

Get your copy here:


The hashes for files/mbedtls-2.14.0-apache.tgz are:

SHA-1: 8956b0f78e01dc07f53a750087539a3d4d4d5a70
SHA-256: 82f8541ecb7f2e1074c334aa7b665306010a627b9d4d76f99ad1b7c291abc82d

The hashes for files/mbedtls-2.14.0-gpl.tgz are:

SHA-1: 93af9545904551167e67a75cfe2022a2303ae04b
SHA-256: 7c62ec02a577e3cca01ee8cd161e1e369537714a148efaafe79887b9d955a691

The hashes for files/mbedtls-2.7.7-apache.tgz are:

SHA-1: c70a73774ccf5393d5c325e981136978ee2ce92e
SHA-256: 7bcd05d3a7897ddce4ffe9e74e53634690ce5eb80bbbe358f87cbc7b67ee2f8c

The hashes for files/mbedtls-2.7.7-gpl.tgz are:

SHA-1: f3eacb2cf0c03e279c7ac7f85604fae47b3c3f36
SHA-256: 4a5529cca1d85e3bb64f1aa3976dfe9274a7a79a1642d67f9d69c8fb241c7c96

The hashes for files/mbedtls-2.1.16-apache.tgz are:

SHA-1: 37cee52213eb4f456df98aac4e1d21a41faf2788
SHA-256: d0af5b8181941141017ffc101465a7ef5cccdca7794014d02e39bb55a5abd866

The hashes for files/mbedtls-2.1.16-gpl.tgz are:

SHA-1: 96ef8fa08c241407361d901044e13b568824c5cf
SHA-256: 289ac62a508f380e09de87d31c9186c2acf2a5c48db1c7929b345b973c0af018

Like this?




Last updated:
Nov 21, 2018


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.