Mbed TLS is now part of TrustedFirmware.org.

Mbed TLS 2.16.2 and 2.7.11 released


Maintenance releases for Mbed TLS 2.16 and Mbed TLS 2.7 are now available.


  • (2.16, 2.7) Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key.


  • (2.16, 2.7) Server's RSA certificate in certs.c was SHA-1 signed. In the default Mbed TLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk.
  • (2.16, 2.7) Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239.
  • (2.16, 2.7) Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106.
  • (2.16) Reduce stack usage of HKDF tests. Fixes #2195.
  • (2.16, 2.7) Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz.
  • (2.16, 2.7) Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd.
  • (2.16, 2.7) Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337
  • (2.16, 2.7) Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter.
  • (2.16, 2.7) Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560.
  • (2.16, 2.7) Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
  • (2.16, 2.7) Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431.
  • (2.16) Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.


  • (2.16, 2.7) Return from various debugging routines immediately if the provided SSL context is unset.
  • (2.16, 2.7) Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
  • (2.16, 2.7) Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin).
  • (2.16, 2.7) Change wording in the mbedtls_ssl_conf_max_frag_len()'s documentation to improve clarity. Fixes #2258.
  • (2.16, 2.7) Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
  • (2.7) Improve debug output of ssl_client2 and ssl_server2 in case suitable test CRTs are available because MBEDTLS_PEM_PARSE_C is disabled. Fixes #2254.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Download links

Get your copy here:


The hashes for mbedtls-2.16.2-apache.tgz are:

SHA-1: ba809acfd4b41b86895b92e98d936695b5b62b73
SHA-256: a6834fcd7b7e64b83dfaaa6ee695198cb5019a929b2806cb0162e049f98206a4

The hashes for mbedtls-2.16.2-gpl.tgz are:

SHA-1: d8d65bf01ae7015a50f4b103f064a4379eff9115
SHA-256: 40d18965dd36ce0158a2b037c8c54401bad54f683f4311502518ee1a1a0b622c

The hashes for mbedtls-2.7.11-apache.tgz are:

SHA-1: 6bb5da4ed18bbdb5518e133315b63c1263f86eb2
SHA-256: da82b5959cf56b82dc70142e2b669a9f68cc76f5542739dbc7039ebcf6831d23

The hashes for mbedtls-2.7.11-gpl.tgz are:

SHA-1: 5814a00323bbfa0e8a7e19ae92ad07c42b52d3cf
SHA-256: 2271090e66fae39d23d8d2361a78e34a3b27692793b491c91efe40d11452e908

Like this?




Last updated:
Jun 18, 2019


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.