Major release mbed TLS 2.0.0

Our first major release of mbed TLS after the acquisition into ARM has been released today.

This release incorporates a number of larger architectural improvements that we wanted to include for a while now. That does mean that mbed TLS 2.0 is not a drop-in replacement for your current version, even if you use the latest mbed TLS 1.3.11 version.

In order to help everybody with the migration we have already released a guide to preparing for the 2.0 upgrade last month.

A more detailed Knowledge Base article on migrating from mbed TLS 1.3 to mbed TLS 2.0 has been published now as well.

For a detailed overview of all changes, please check out the ChangeLog for 2.0.0.

New Features

This is the first full release that includes support for for DTLS 1.0 and 1.2 (RFC 6347). We already did a preview release earlier this year. We have incorporated the feedback received on that release.

In order to better support hardware acceleration in platforms we run on, it's now easier to override core functions from MDx, SHAx, AES and DES modules with custom implementation, complementing the ability to override the whole module.

As mbed TLS is now used more and more on larger server side deployments as well, we have improved our server-side implementation of session tickets to now support key rotation to preserve forward secrecy. This also allows sharing across multiple contexts.

Security Profiles

In order to better support developers and users to tie down security of their applications, this version introduces security profiles. As such mbed TLS now support X.509 cerificate verification profiles that control which algorithms and key sizes (curves for ECDSA) are acceptable in certificates. In addition SSL connections now have presets for SSL security-relevant configuration parameters.

The mbed TLS configuration defaults have been further strengthened compared to the previous 1.3 branch, e.g. RC4 and SSLv3 are disabled by default.

Full rename

This release makes the full migration from our old PolarSSL name to the new mbed TLS name. This is reflected in the way files, directories, variables, etc are all named.

As a result every function name and most defines have changed. As indicated in the KB article, we provide a file with all the mappings and a script that can do most of the changes for you.

API / architecture changes

Just renaming is not enough though. There have been a number of API and architecture changes. Please review the ChangeLog and KB article for all the details.

Semantic versioning

As of this version, mbed TLS will move to semantic versioning. This means 2.0.1 will be the first bugfix release (if needed); the first round of new features will be in 2.1.0 and the next major branch (breaking API compatibility) will be 3.0.0.

Branch status changes

With the release of TLS 2.0.0, the 1.2 branch will now be declared End of Life (EOL) at the end of this year (December 31st 2015).

The 1.3 branch now moves into Maintenance Mode and will become End of Life at the end of next year (December 31st 2016).

Who should update

We advise all users that still use the 1.2 branch to migrate away from that branch before security support ends at the end of this year.

All new products / developments should use the 2.0 branch.

Download links

Get your copy here: mbedtls-2.0.0-gpl.tgz

Hashes

The hashes for mbedtls-2.0.0-gpl.tgz are:

SHA-1 : a456be169003b4644931a90613fdaa0429af06a7 SHA-256: 149a06621368540b7e1cef1b203c268439c2edbf29e2e9471d8021125df34952

Like this?