Mbed TLS is now part of TrustedFirmware.org.

PolarSSL 1.3.6 released


Fresh from the oven: PolarSSL 1.3.6 is here!

This release contains a number of smaller changes and bug fixes, which don't affect the existing API. Primarily, support for the ALPN extension is added, and extra checks are introduced to mitigate some semantic discrepancies that were reported. In addition a security issue introduced in 1.3.5 has been fixed.


On the feature-front this release introduces support for:

  • ALPN extension support
  • verification of keyUsage and extendedKeyUsage extensions
  • Enabling /dev/random in gen_key

In addition outstanding bugs were fixed.

ALPN extension support

Although the RFC is not yet an official standard, more and more applications are starting to use ALPN support. We have added ALPN in this release to help those projects.

Support for ALPN (POLARSSL_SSL_ALPN) is enabled by default and allows you to set the list of acceptable protocols with ssl_set_alpn_protocols() and retrieve the negotiated protocol with ssl_get_alpn_protocol().

Cerification of keyUsage and extendedKeyUsage extensions

The so-called Frankencert report revealed some semantic discrepancies between libraries and standards. PolarSSL 1.3.5 already fixed some of those affecting PolarSSL. This release adds support for automatically verifying the keyUsage extension in certificates (POLARSSL_X509_CHECK_KEY_USAGE) and the extendedKeyUsage extension in certificates (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE).

This fixes all the possible security issues revealed in the report. One issue (a false negative not affecting security) is still left and we are working with the authors of the report to clarify it.

/dev/random in gen_key

Because of the Heartbleed bug, a lot of people are re-issuing keys, generating certificate requests and certificates.

In some cases you might want to add /dev/random to your entropy sources. This was always an option for users, but we now provided it built-in into the programs/pkey/gen_key application.

If you use use_dev_random=1 with programs/pkey/gen_key on a system it will add /dev/random to the entropy sources for the entropy pool.

Warning: /dev/random is not always able to provide enough entropy, so this can be blocking in your app!

Bug fixes

Fixes include:

  • The length of various ClientKeyExchange messages was not properly checked.
  • Some example server programs were not sending the close_notify alert.
  • Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR.
  • Fixed malloc/free default #define in platform.c (found by Gergely Budai).
  • Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by Gergely Budai).
  • Fix #include path in ecdsa.h which wasn't accepted by some compilers. (found by Gergely Budai)
  • Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by Shuo Chen).
  • oid_get_numeric_string() used to truncate the output without returning an error if the output buffer was just 1 byte too small.
  • dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
  • Calling pk_debug() on an RSA-alt key would segfault.
  • pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
  • Potential buffer overwrite in pem_write_buffer() because of low length indication (found by Thijs Alkemade)
  • EC curves constants, which should be only in ROM since 1.3.3, were also stored in RAM due to missing 'const's (found by Gergely Budai).

More details can be found in the ChangeLog.


In the last release, we introduced a new issue with checking the time validity for certificates (except the top certificate). If the user-supplied chain contains only one certificates, it is not affected by this issue.

In addition a potential timing leak in ecdsa_sign() was reported by Watson Ladd and fixed by blinding the modular division.

And a potential NULL pointer dereference in ssl_read_record() was eliminated that was found by TrustInSoft.

Who should update

We advise users of PolarSSL to update if they:

  • use PolarSSL version 1.3.5
  • use ECDSA in a high-risk environment
  • want to use one of the new features

Download links

Get your copy here: polarssl-1.3.6-gpl.tgz


The hashes for polarssl-1.3.6-gpl.tgz are:

SHA-1  : 0f76709a1679ba91d929891db2e60d5bcf1388eb
SHA-256: b97965c1a052df41201d35e01f91c4ac0bf28e443a56ddf461be63b20c85ae09

Like this?




Last updated:
Apr 11, 2014


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.