Mbed TLS is now part of TrustedFirmware.org.

mbed TLS 2.5.1, 2.1.8 and 1.3.20 released

mbed TLS 2.5.1, 2.1.8 and 1.3.20 released


mbed TLS version 2.5.1 has been released, as well as releases of maintenance branches, mbed TLS 2.1.8 and 1.3.20.

These releases address several security issues.

mbed TLS 2.5.1 provides new features and functions, whilst mbed TLS 2.1.8 and 1.3.20 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface, to allow users to change library versions easily.

mbed TLS 1.3 Approaches its End of Life

mbed TLS 1.3.0 was first shipped on 1st October 2013, and is now approaching its end of life. All users of mbed TLS 1.3 are advised to upgrade to a later version of mbed TLS wherever possible and should be aware that there will be no further maintenance releases of mbed TLS after the end of this year. The last release of mbed TLS 1.3 will be in November 2017.


  • (2.5) Adds hardware acceleration support for the Elliptic Curve Point module. This has involved exposing parts of the internal interface to enable replacing the core functions and adding an alternative, module level replacement to support for enabling the extension of the interface.
  • (2.5) Adds a new configuration option to mbedtls_ssl_config() to enable suppressing the CA list in Certificate Request messages. The default behaviour has not changed, namely every configured CA's name is included.

API Changes

  • (2.5) The following functions in the AES module have been deprecated and replaced by the functions shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_AES_ALT, MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT. mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt() mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()


  • (2.5, 2.1, 1.3) Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read(). The issue could only happen client-side with renegotiation enabled. This could result in a Denial of Service (such as crashing the application) or information leak (if the application layer sent data read from mbedtls_ssl_read() back to the server or to a third party). This can be triggered remotely.
  • (2.5, 2.1, 1.3) Adds exponent blinding to RSA private operations as a countermeasure against side-channel attacks like the cache attack described in https://arxiv.org/abs/1702.08719v2. Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss, ClĂ©mentine Maurice and Stefan Mangard.
  • (2.5, 2.1, 1.3) Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()). Found by Laurent Simon.
  • (2.5, 2.1) Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. SHA-1 can be turned back on with a compile-time option if needed.
  • (2.5, 2.1) Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. Reported by Hugo Leisink.
  • (2.5, 2.1, 1.3) Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
  • (1.3) Removes support of X.509 certificates signed with MD5. Issue raised by Harm Verhagen.


  • (1.3) Disables use of extensions for SSLv3, previously causing the "SSLv3 with extensions" test from ssl-opt.sh to fail.
  • (2.5, 2.1) Removes macros from compat-1.3.h that correspond to deleted items from most recent versions of the library. Found by Kyle Keen.
  • (2.5, 2.1) Fixes issue in the Threading module that prevented mutexes from initialising. Found by sznaider. #667 #843
  • (2.5) Removes size zero arrays from ECJPAKE test suite. Size zero arrays are not valid C and they prevented the test from compiling in Visual Studio 2015 and with GCC using the -Wpedantic compilation option.
  • (2.5, 2.1, 1.3) Fixes insufficient support for signature-hash-algorithm extension, resulting in compatibility problems with Chrome. Found by hfloyrd.
  • (2.5) Fixes behaviour that hid the original cause of fatal alerts in some cases when sending the alert failed. The fix makes sure not to hide the original error that triggered the alert.
  • (2.5) Fix SSLv3 renegotiation behaviour and stop processing data received from peer after sending a fatal alert to refuse a renegotiation attempt. Previous behaviour was to keep processing data even after the alert had been sent.
  • (2.5, 2.1, 1.3) Accepts empty trusted CA chain in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL. Found by jethrogb.
  • (2.5, 2.1, 1.3) Fixes implementation of mbedtls_ssl_parse_certificate() to not destroy fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to reflect bad EC curves within verification result.
  • (2.5, 2.1, 1.3) Fixes bug that caused the modular inversion function to accept the invalid modulus 1 and therefore to hang. Found by blaufish. #641.
  • (2.5, 2.1, 1.3) Fixes incorrect sign computation in modular exponentiation when the base is a negative MPI. Previously the result was always negative. Found by Guido Vranken.
  • (2.5, 2.1, 1.3) Fixes a numerical underflow leading to stack overflow in mpi_read_file() that was triggered upon reading an empty line. Found by Guido Vranken.
  • (2.5) Adds checks in the PK module for the RSA functions on 64-bit systems. The PK and RSA modules use different types for passing hash length and without these checks the type cast could lead to data loss. Found by Guido Vranken.


  • (2.5) Sends fatal alerts in many more cases instead of dropping the connection.
  • (2.5, 2.1, 1.3) Clarifies ECDSA documentation and improve the sample code to avoid misunderstanding and potentially dangerous use of the API. Raised by Jean-Philippe Aumasson.
  • (1.3) Adds new config.h flag POLARSSL_X509_MIN_VERIFY_MD_ALG to set the minimum hash accepted when verifying certificate chains. Defaults to SHA1, which means SHA1 is accepted but MD5 and below are rejected.

Who should update

Users affected by one of the issues should update.

Users of the PolarSSL 1.2 branch are urged to upgrade to one of the maintained branches as 1.2 is now end-of-life and will no longer receive security fixes.

Download links

Get your copy here:


The hashes for files/mbedtls-2.5.1-apache.tgz are:

SHA-1: 0e8183e57fed5156bfb03817fedc3cc14a7dc2c4
SHA-256: 559aeb8c8941262d6aad96a0286a230e7ff988ba53efbf609230ca1f81cc81f9

The hashes for files/mbedtls-2.5.1-gpl.tgz are:

SHA-1: 3ca5e25d4e131d845e3fc7db5003b15de294013f
SHA-256: 312f020006f0d8e9ede3ed8e73d907a629baf6475229703941769372ab0adee2

The hashes for files/mbedtls-2.1.8-apache.tgz are:

SHA-1: 6fe5b219c50c5961312b6fe01aece2681be3dd4f
SHA-256: 9cd2b1af2cd1c66fb44b8aa366b158684c12ff802721a63ab1d652ffea6b3090

The hashes for files/mbedtls-2.1.8-gpl.tgz are:

SHA-1: f684f95094c5295b71bde0db8e3c7c67a7a7d55f
SHA-256: 948c045d177084b5d6db056421ed21f6908a28c52d6e5a2377e96572b70f8afb

The hashes for files/mbedtls-1.3.20-gpl.tgz are:

SHA-1: 973bc304e6e85c9beaa354d3881a84f7cf0fc9e1
SHA-256: 00fc54f9838120cb0c13d07e79417af1f5e89633a0efc8399327e7c2024b666f

Like this?




Last updated:
Jul 6, 2017


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.