Mbed TLS is now part of TrustedFirmware.org.

mbed TLS 2.6.0, 2.1.9 and 1.3.21 released

Mbed TLS 2.6.0, 2.1.9 and 1.3.21 released


Mbed TLS version 2.6.0 has been released, in addition to maintenance branch releases, Mbed TLS 2.1.9 and 1.3.21.

These releases address several security issues, one of which can be remotely exploited, dependent on how application software uses Mbed TLS.

Mbed TLS 2.6.0 provides new features and functions, whilst Mbed TLS 2.1.9 and 1.3.21 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.

Mbed TLS 1.3 approaches its end of life

Mbed TLS 1.3.0 was first shipped on 1st October 2013, and is now approaching its end of life. All users of Mbed TLS 1.3.0 are advised to upgrade to a later version of Mbed TLS wherever possible and should be aware that there will be no further maintenance releases of Mbed TLS after the end of this year. The last release of Mbed TLS 1.3 will be in November 2017.


  • (2.6, 2.1, 1.3) Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted).

  • (2.6, 2.1, 1.3) Added wiping of sensitive data after use in the AES example applications programs/aes/aescrypt2 and programs/aes/crypt_and_hash. Found by Laurent Simon.


  • (2.6) Added the functions mbedtls_platform_setup() and mbedtls_platform_teardown() and the context struct mbedtls_platform_context to perform platform-specific setup and teardown operations. The configuration macro MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden by the user in a platform_alt.h header file. These functions are useful to provide a means to initialise underlying cryptographic acceleration hardware.

API Changes

  • (2.6) Reverted API/ABI changes introduced in Mbed TLS 2.5.1 to restore the API to be compatible with Mbed TLS 2.5.0, removing some minor breaks in the interface. Specifically the inline qualifier was removed from the functions mbedtls_aes_decrypt(), mbedtls_aes_encrypt(), mbedtls_ssl_ciphersuite_uses_ec() and mbedtls_ssl_ciphersuite_uses_psk(). Found by James Cowgill. #978

  • (2.6, 2.1, 1.3) Certificate verification functions now set flags to -1 in case the full chain was not verified due to an internal error (including in the verify callback) or chain length limitations.

  • (2.6, 2.1, 1.3) When the SSL verification mode is set to MBEDTLS_SSL_VERIFY_OPTIONAL the handshake is now aborted if the verification of the peer's certificate failed due to an overly long chain or alternatively if a fatal error was returned in the verification callback.


  • (2.6, 2.1, 1.3) Added a check to confirm iv_len is zero, when using GCM, and return an error if so. Reported by roberto. #716

  • (2.6, 2.1, 1.3) Changed a preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD) to #if defined(MBEDTLS_THREADING_C) as the library cannot assume threading will always be implemented by pthread support. #696

  • (2.6, 2.1, 1.3) Fixed a resource leak on Windows platforms in the function mbedtls_x509_crt_parse_path(), which occured in the event of an error. Found by redplait. #590

  • (2.6, 2.1, 1.3) Added checking for errors in calls to mbedtls_mpi_fill_random(). Reported by and fix proposed by Guido Vranken. #740

  • (2.6) Fixed conditional pre-processor directives in bignum.h to enable 64-bit compilation when using ARM Compiler 6.

  • (2.6, 2.1, 1.3) Fixed a potential integer overflow in the version verification for DER encoded X.509 CRLs and CSRs. The overflow could enable maliciously constructed CRLs to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America

  • (2.6, 2.1, 1.3) Fixed a potential integer overflow in the version verification for DER encoded X.509 certificates. The overflow could enable maliciously constructed certificates to bypass the certificate verification check.

  • (2.6) Fixed a call to the libc function time() to call the platform abstraction function mbedtls_time() instead. Found by wairua. #666

  • (2.6, 2.1, 1.3) Avoided shadowing of time and index functions through Mbed TLS function arguments. Found by inestlerode. #557


  • (2.6) Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of 64-bit division. This is useful on embedded platforms where 64-bit division created a dependency on external libraries. #708

  • (2.6) Removed mutexes from ECP hardware accelerator code. Now all hardware accelerator code in the library leaves concurrency handling to the platform. Reported by Steven Cooreman. #863

  • (2.6) Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file config-no-entropy.h to reduce the RAM footprint.

  • Added a test script that can be hooked into git that verifies commits before they are pushed.

  • Improved documentation of PKCS1 decryption functions.

Who should update

Users affected by one of the issues should update.

Users of the PolarSSL 1.2 branch are urged to upgrade to one of the maintained branches as 1.2 is now end-of-life and will no longer receive security fixes.

Download links

Get your copy here:


The hashes for mbedtls-2.6.0-apache.tgz are:

SHA-1: e914288da50977f541773f9d36e26f14926594a5
SHA-256: 99bc9d4212d3d885eeb96273bcde8ecc649a481404b8d7ea7bb26397c9909687

The hashes for mbedtls-2.6.0-gpl.tgz are:

SHA-1: 0e657805b5dc9777e0e0333a95d7886ae8f0314e
SHA-256: a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810

The hashes for mbedtls-2.1.9-apache.tgz are:

SHA-1: 880f1cd07809f902f5db733c8ceea8112eba6586
SHA-256: e098c03583f22a09a078bbb23c6bb9e7143f36b4357964bb481513e819097aa4

The hashes for mbedtls-2.1.9-gpl.tgz are:

SHA-1: 9ef8e90e024a7c731dcf11288344e3b47e707763
SHA-256: 2b0946fd4e9aa02b2461bf0abc121750c8904a26a0eb5593be59fb9e22005be1

The hashes for mbedtls-1.3.21-gpl.tgz are:

SHA-1: de6855b8f9570f22f660552184efa3f42b3b0412
SHA-256: 85ab0ac922e2b254063384fcae8f327acea48079eef8feccd90a4288a9d2ba84

Like this?




Last updated:
Aug 28, 2017


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.