Mbed TLS is now part of TrustedFirmware.org.

mbed TLS 2.2.0, 2.1.3, 1.3.15 and PolarSSL 1.2.18 released


mbed TLS version 2.2.0 has been released, as well as maintenance releases of mbed TLS 2.1.3, and 1.3.15 and PolarSSL 1.2.18.

The mbed TLS 2.2.0 release adds experimental support for EC J-PAKE and fixes a number of security issues and bugs, as well as a performance issue. The maintenance releases contain fixes for the security issues as well as other bugs.

Security (all branches)

Guido Vranken of Intelworks has found 3 new security weaknesses, none of which are exploitable remotely in the context of TLS. In addition, Nicholas Wilson found a missing check in the X.509 chain verification.

  • Fixes a potential double free if mbedtls_ssl_conf_psk() is called more than once and an allocation fails. This cannot be forced remotely. Found by Guido Vranken, Intelworks. (No fix required for the PolarSSL 1.2.18 release)
  • Fixes a potential heap corruption on Windows when mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. This cannot be triggered remotely. Found by Guido Vranken, Intelworks.
  • Fixes a potential buffer overflow in some asn1_write_xxx() functions. This cannot be triggered remotely unless you create X.509 certificates based on untrusted input or write keys of untrusted origin. Found by Guido Vranken, Intelworks.
  • The X509 max_pathlen constraint was not enforced on intermediate certificates. Found by Nicholas Wilson, and fix and tests provided by Janos Follath.

Features (2.2.0 only)

  • Experimental support for EC J-PAKE as defined in the new Thread 1.0.0 standard has been added. This is disabled by default as the specification is still under development.
  • Added a key extraction callback to access the master secret and key block. (Potential uses include EAP-TLS and Thread.)

Bugfix (all branches)

  • Self-signed certificates were not excluded from pathlen counting, resulting in some valid X.509 being incorrectly rejected. Found and fixed by Janos Follath.
  • Fixes a build error with configurations where ECDHE-PSK is the only key exchange. Found and fixed by Chris Hammond.
  • Fixes a build error with configurations where RSA, RSA-PSK, ECDH-RSA or ECHD-ECDSA are the only key exchanges. Multiple reports.
  • Fixes a bug causing some handshakes to fail due to some non-fatal alerts not being properly ignored. Found by mancha and Kasom Koht-arsa.
  • mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and size/curve against the profile. Before that, there was no way to set a minimum key size for end-entity certificates with RSA keys. Found by Matthew Page of Scannex Electronics Ltd.
  • Fixes failures in MPI on Sparc64 due to use of bad assembly code. Found by Kurt Danielson.
  • Fixes a typo in the name of the extKeyUsage OID. Found by inestlerode.
  • Fixes a bug in ASN.1 encoding of booleans that causes generated CA certificates to be rejected by some applications, including the OS X Keychain. Found and fixed by Jonathan Leroy, Inikup.

Changes (2.2.0 and 2.1.3)

  • Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1 or -1.

Who should update

Users affected by one of the fixed issues or wanting to use the new features should update.

Users of the 1.2 branch are reminded that support for 1.2 will stop on December 31, 2015 and encouraged to move to a maintained branch before that date.

The 2.1 branch will be maintained as a stable branch (security and bug fixes, low-impact changes, no new feature) for two years (until December 31, 2017), while the 2.x branch will receive new features and improvements.

Download links

Get your copy here:


The hashes for mbedtls-2.2.0-apache.tgz are:

SHA-1  : eceecfc82cbdea8f91ce416489e0f6fee964049c
SHA-256 : 3c6d3487ab056da94450cf907afc84f026aff7880182baffe137c98e3d00fb55

The hashes for mbedtls-2.2.0-gpl.tgz are:

SHA-1  : 69eb876cbdd8a3dc5122be2234d0cfe187437e95
SHA-256 : 451c1b864b5d07df9830f67af600ea6d53629df4484d38e86b2edc7a7526077c

The hashes for mbedtls-2.1.3-apache.tgz are:

SHA-1  : 87fe738c749e9f55e97ede50f0b00f77f338fdfc
SHA-256 : 2f01cfd0d6760726c87c244109fc6917c0ed0d96da4dc10ab8b7e6237532fc90

The hashes for mbedtls-2.1.3-gpl.tgz are:

SHA-1  : a68b8b68646f242bdd792a99f8ad14e175fb68ba
SHA-256 : 59d37b3f11ed2f95751dae4de18f6ce8bb33b1ea3053632c1ec4784fdb0e7dbb

The hashes for mbedtls-1.3.15-gpl.tgz are:

SHA-1  : 718fca315e84d7c23ce81e36870ce34493cac0f5
SHA-256 : ed0be9905ba08f614772ac2b6dcce0c65cf3fb235cab7e6894838efc19518da3

The hashes for polarssl-1.2.18-gpl.tgz are:

SHA-1 : a7448c0f7d9d3a1ea520df12aeea21381e05c37f
SHA-256 : 63c4ed4d9f6a241088e2287958f265403f874248d6a98b98f27cd3aa2f90f030

Like this?




Last updated:
Nov 9, 2015


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.