Mbed TLS is now part of TrustedFirmware.org.

Mbed TLS 2.8.0, 2.7.2 and 2.1.11 released


Mbed TLS 2.8.0 has been released!

Maintenance releases for the Mbed TLS 2.7 and 2.1 branches have also been released.

These releases mainly fix a number of outstanding issues and security fixes. Minor features have been added to enhance functionality and usability.

Default behavior changes

Andres Walz (ivESK, Offenburg University of Applied Sciences) looked into our truncated HMAC extension implementation and discovered it was non-compliant with RFC 6066. Well, good news! All maintained branches of Mbed TLS are now compliant with RFC 6066 and can interoperate with other compliant implementations. (The old non-compliant behavior is available with the MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT configuration option in config.h.)


  • (2.8, 2.7, 2.1) Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
  • (2.8, 2.7, 2.1) Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
  • (2.8, 2.7, 2.1) Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
  • (2.8, 2.7, 2.1) Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
  • (2.8, 2.7, 2.1) Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.


  • (2.8, 2.7, 2.1) Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes #1339
  • (2.8) Support public keys encoded in PKCS#1 format. #1122

New deprecations

  • (2.8) Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).


Fixes include the following:

  • (2.1) Fix assembly sequences in bn_mul.h and aesni.c to avoid segmentation faults and errors when building for the 64-bit ILP32 ABI. Found and fixed by James Cowgill.
  • (2.8, 2.7, 2.1) Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
  • (2.8, 2.7, 2.1) Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
  • (2.8, 2.7, 2.1) Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined. Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
  • (2.8, 2.7, 2.1) Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
  • (2.8, 2.7, 2.1) Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
  • (2.1) Initialize the context structure before use in entropy.c. Found by ccli8 on Github.
  • (2.1) Fix memory leak in RSA self test.
  • (2.8, 2.7, 2.1) Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
  • (2.8, 2.7, 2.1) Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
  • (2.8, 2.7, 2.1) Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.

More fixes and additional detail can be found in the ChangeLog.


  • (2.8, 2.7) Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
  • (2.8, 2.7) Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
  • (2.8) Remove support for the library reference configuration for picocoin.
  • (2.8, 2.7) MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
  • (2.8) Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678

More changes and additional detail can be found in the ChangeLog.

Who should update

We advise users of Mbed TLS to update.

Users of Mbed TLS 1.3 or any earlier version are urged to upgrade to one of the maintained releases as Mbed TLS 1.3 has reached its end-of-life. Please refer to our KB on Migrating from Mbed TLS 1.3 to Mbed TLS 2.x for assistance in upgrading.

Download links

Get your copy here:


The hashes for files/mbedtls-2.8.0-apache.tgz are:

SHA-1: 52bee3a021f6e26c2a50842729aea2dd68a8e494
SHA-256: ab8b62b995781bcf22e87a265ed06267f87c3041198e996b44441223d19fa9c3

The hashes for files/mbedtls-2.8.0-gpl.tgz are:

SHA-1: 71f6882bcaf454561c522ed9e1650b48aa38dc7f
SHA-256: 649eb27187154590edda52943a7f468e740ec08807e5bf68ff45f4e8ffd68923

The hashes for files/mbedtls-2.7.2-apache.tgz are:

SHA-1: e36d7cbdc2ed0a5d5659385840e8fbb4d351234e
SHA-256: fd38c2bb5fbe1ffd3e7fdcdd71130986f2010f25b3a5575eb8ded0dd3bc573d7

The hashes for files/mbedtls-2.7.2-gpl.tgz are:

SHA-1: cba43e8012f58d7f825ffd88e0b0ebf5c10efb0d
SHA-256: 638a21d6a148bdb55d86e6de313d3e6aef1326a0f9d541aa6ac31617f2f96d91

The hashes for files/mbedtls-2.1.11-apache.tgz are:

SHA-1: d1bd5d6534f818d0596ddcfac89c5cd823c9d5e5
SHA-256: 88ff09bbf1c08f5992f72e1361edd991987351efac23229e93a8a2fb61d6761c

The hashes for files/mbedtls-2.1.11-gpl.tgz are:

SHA-1: 3d4ff498585651e8291ec2819fdbca097aa46359
SHA-256: 430f1984c240d3f1011f34671647e5aadd161fc76ef419ccad62c3c7d57f1a56

Like this?




Last updated:
May 1, 2018


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.