Mbed TLS is now part of TrustedFirmware.org.

mbed TLS 2.4.0, 2.1.6 and 1.3.18 released

mbed TLS 2.4.0, 2.1.6 and 1.3.18 released


mbed TLS version 2.4.0 has been released, as well as releases of the maintenance branches, mbed TLS 2.1.6 and 1.3.18.

mbed TLS version 2.4.0 addresses two security issues, one of which cannot be exploited remotely, and the other is not present in the default configuration.


  • (2.4, 2.1, 1.3) Removes the MBEDTLS_SSL_AEAD_RANDOM_IV configuration option, because it was not compliant with RFC-5116 and could lead to session key recovery in very long TLS sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic. This option was not enabled by default.
  • (2.4, 2.1, 1.3) Fixes potential stack corruption in mbedtls_x509write_crt_der() and mbedtls_x509write_csr_der() when the signature is copied to the buffer without checking whether there is enough space in the destination. The issue cannot be triggered remotely. Found by Jethro Beekman.


  • (2.4) Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by NIST SP 800-38B, RFC-4493 and RFC-4615.
  • (2.4) Added hardware entropy self-test to verify that the hardware entropy source is functioning correctly.
  • (2.4) Added a script to print build environment information for diagnostic use in test scripts, which is also now called by all.sh verification script.
  • (2.4) Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to configure the maximum length of a file path that can be buffered when calling mbedtls_x509_crt_parse_path().
  • (2.4) Added a configuration file config-no-entropy.h that configures the subset of library features that do not require an entropy source.
  • (2.4) Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users to configure the minimum number of bytes for entropy sources using the mbedtls_hardware_poll() function.


  • (2.1, 1.3) Fixes an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list.
  • (2.4) Fixes platform time abstraction to avoid dependency issues where a build may need time but not the standard C library abstraction, and added configuration consistency checks to check_config.h.
  • (2.4) Fixes dependency issue in Makefile to allow parallel builds.
  • (2.4, 2.1, 1.3) Fixes incorrect handling of block lengths in crypt_and_hash.c sample program, when GCM is used. Found by udf2457. #441
  • (2.4, 2.1, 1.3) Fixes key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't enabled unless others were also present. Found by David Fernandez. #428
  • (2.4) Fixes for out-of-tree builds using CMake. Found by jwurzer, and fix based on a contribution from Tobias Tangemann. #541
  • (2.4, 2.1, 1.3) Fixes cert_app.c sample program for debug output and for use when no root certificates are provided.
  • (2.4, 2.1, 1.3) Fixes conditional statement that would cause a 1 byte overread in mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
  • (2.4, 2.1) Fixes pthread implementation to avoid unintended double initialisations and double frees. Found by Niklas Amnebratt.
  • (2.4, 2.1, 1.3) Fixes the sample applications gen_key.c, cert_req.c and cert_write.c for builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found by inestlerode. #559.
  • (2.4, 2.1) Fixes mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf data structure until after error checks are successful. Found by subramanyam-c. #622
  • (2.4, 2.1, 1.3) Fixes documentation and implementation mismatch for function arguments of mbedtls_gcm_finish(). Found by cmiatpaar. #602
  • (2.4, 2.1, 1.3) Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
  • (2.4, 2.1) Fixes potential byte overread when verifying malformed SERVER_HELLO in ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
  • (2.4, 2.1) Fixes check for validity of date when parsing in mbedtls_x509_get_time(). Found by subramanyam-c. #626
  • (2.4) Fixes compatibility issue with Internet Explorer client authentication, where the limited hash choices prevented the client from sending its certificate. Found by teumas. #513
  • (2.1, 1.3) Fixes missing return code check after call to mbedtls_md_setup() that could result in usage of invalid md_ctx in mbedtls_rsa_rsaes_oaep_encrypt(), mbedtls_rsa_rsaes_oaep_decrypt(), mbedtls_rsa_rsassa_pss_sign() and mbedtls_rsa_rsassa_pss_verify_ext(). Fixed by Brian J. Murray. #502
  • (2.4) Fixes compilation without MBEDTLS_SELF_TEST enabled.


  • (2.4) Extended test coverage of special cases, and added new timing test suite.
  • (2.4) Removed self-tests from the basic-built-test.sh script, and added all missing self-tests to the test suites, to ensure self-tests are only executed once.
  • (2.4) Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
  • (2.4) Added support for a Yotta specific configuration file - through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
  • (2.4) Added optimisation for code space for X.509/OID based on configured features. Contributed by Aviv Palivoda.
  • (2.4) Renamed source file library/net.c to library/net_sockets.c to avoid naming collision in projects which also have files with the common name net.c. For consistency, the corresponding header file, net.h, is marked as deprecated, and its contents moved to net_sockets.h.
  • (2.4) Changed the strategy for X.509 certificate parsing and validation, to no longer disregard certificates with unrecognised fields.
  • (1.3) Add compile time option for relaxed X.509 time verification to enable accepting certificates with non-standard time format (that is without seconds or with a time zone). Patch provided by James Yonan of OpenVPN.

Who should update

Users affected by one of the issues should update.

Users who want to use the new features should update.

Users of the PolarSSL 1.2 branch are urged to upgrade to one of the maintained branches as 1.2 is now end-of-life and will no longer receive security fixes.

Download links

Get your copy here:


The hashes for files/mbedtls-2.4.0-apache.tgz are:

SHA-1: 20fe40f9f831ca63839967178e3db5aaf77705d3
SHA-256: c1c3559ed39f7a1b1550c4cf4ccb918bf239301a3311d98dda92bed8a25b7f0d

The hashes for files/mbedtls-2.4.0-gpl.tgz are:

SHA-1: b1baeb963df2e05672bb29eb679f2405edb898c0
SHA-256: 80eff0e0028f969355d6e34ffdd3dbf4eb2a9367b07ff2f3f70e6d75beee9e3f

The hashes for files/mbedtls-2.1.6-apache.tgz are:

SHA-1: 3f9ad788a5d3df51781c7d31ffcfc13544459538
SHA-256: 66ad94e417e1d106633c43d37603e4572e4f981c878dae30a5c7ef9285a72a4c

The hashes for files/mbedtls-2.1.6-gpl.tgz are:

SHA-1: 97e08d2c1eb890fc40b964e7c1db16455f0f2bdf
SHA-256: acef0a1d759da6a1aca40520354edfa4d5ccdb520d5215f8ccda57b0350fdfca

The hashes for files/mbedtls-1.3.18-gpl.tgz are:

SHA-1: ff56e258bb264f0ec3c6fd0330e11323848aa9d2
SHA-256: a229217182e024847deba3cb70bdd17e5ff4ffd9ff306cbbccfdbdff41950ea1

Like this?




Last updated:
Mar 11, 2017


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.