github Mbed-TLS/mbedtls mbedtls-3.6.3
Mbed TLS 3.6.3
on GitHub

6 days ago

Description

This release of Mbed TLS provides the fix for a tls compatibility issue of handling fragmented handshake messages. This release includes fixes for security issues.

Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.

Security Advisories

For full details, please see the following links:

Release Notes

Default behavior changes

  • In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
    mbedtls_ssl_handshake() now fails with
    MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
    if certificate-based authentication of the server is attempted.
    This is because authenticating a server without knowing what name
    to expect is usually insecure. To restore the old behavior, either
    call mbedtls_ssl_set_hostname() with NULL as the hostname, or
    enable the new compile-time option
    MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.

Features

  • Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
    uses static storage for keys, enabling malloc-less use of key slots.
    The size of each buffer is given by the option
    MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
    largest PSA key enabled in the build.
  • MD module can now perform PSA dispatching also when
    MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C, even though this
    configuration is not officially supported. This requires that a
    PSA Crypto provider library which:
    • supports the required PSA_WANT_ALG_xxx and
    • implements psa_can_do_hash() on the client interface
      is linked against Mbed TLS and that psa_crypto_init() is called before
      performing any PSA call.

Security

  • Note that TLS clients should generally call mbedtls_ssl_set_hostname()
    if they use certificate authentication (i.e. not pre-shared keys).
    Otherwise, in many scenarios, the server could be impersonated.
    The library will now prevent the handshake and return
    MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
    if mbedtls_ssl_set_hostname() has not been called.
    Reported by Daniel Stenberg.
    CVE-2025-27809
  • Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
    when deriving an ECC key pair.
  • Zeroize temporary heap buffers used in PSA operations.
  • Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
    or there was a cryptographic hardware failure when calculating the
    Finished message, it could be calculated incorrectly. This would break
    the security guarantees of the TLS handshake.
    CVE-2025-27810

Bugfix

  • When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
    peers that have middlebox compatibility enabled, as long as no
    problematic middlebox is in the way. Fixes #9551.
  • Fix invalid JSON schemas for driver descriptions used by
    generate_driver_wrappers.py.
  • Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
    and 'mbedtls_net_connect' to prevent possible double close fd
    problems. Fixes #9711.
  • Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
    mbedtls_psa_der_to_raw() is called with bits=0.
  • Fix compilation on MS-DOS DJGPP. Fixes #9813.
  • Fix missing constraints on the AES-NI inline assembly which is used on
    GCC-like compilers when building AES for generic x86_64 targets. This
    may have resulted in incorrect code with some compilers, depending on
    optimizations. Fixes #9819.
  • Support re-assembly of fragmented handshake messages in TLS (both
    1.2 and 1.3). The lack of support was causing handshake failures with
    some servers, especially with TLS 1.3 in practice. There are a few
    limitations, notably a fragmented ClientHello is only supported when
    TLS 1.3 support is enabled. See the documentation of
    mbedtls_ssl_handshake() for details.
  • Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
    occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
    with Visual Studio 2013 or MinGW.
    Fixes #10017.
  • Remove Everest Visual Studio 2010 compatibility headers, which could
    shadow standard CRT headers inttypes.h and stdbool.h with incomplete
    implementatios if placed on the include path, eg. when building Mbed TLS
    with the .sln file shipped with the project.
  • Fix issue where psa_key_derivation_input_integer() is not detecting
    bad state after an operation has been aborted.

Changes

  • Improve performance of PSA key generation with ECC keys: it no longer
    computes the public key (which was immediately discarded). Fixes #9732.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Note

mbedtls-3.6.3.tar.bz2 are our official release files. source.tar.gz and source.zip are automatically generated snapshot's that github is generating. They do not include external dependencies, and can't be configured

Checksum

The SHA256 hashes for the archives are:
64cd73842cdc05e101172f7b437c65e7312e476206e1dbfd644433d11bc56327 mbedtls-3.6.3.tar.bz2

Check out latest releases or
releases around Mbed-TLS/mbedtls mbedtls-3.6.3

Don't miss a new mbedtls release

NewReleases is sending notifications on new releases.

Get notifications