Releases: Mbed-TLS/mbedtls
Mbed TLS 2.7.9
Description
Mbed TLS 2.7.9 is a maintenance release, and contains no new features. This release addresses multiple defects.
Bugfix
- Fix a Clang warning about the bignum.c inline assembly for AMD64 targets creating string literals longer than ISO C99 permits. Found by Aaron Jones. Fixes #482.
- Fix a runtime error in mbedtls_platform_entropy_poll() when run under qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
- Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only if ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
- Add explicit integer to enumeration type casts to the example program programs/pkey/gen_key, which previously failed to compile on some toolchains. Reported by phoenixmcallister. Fixes #2170.
- Clarify the documentation of mbedtls_ssl_set_own_cert() regarding the absence of a check that the certificate and key match. Reported by Attila Molnar, #507.
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Mbed TLS 2.16.0
Description
Mbed TLS 2.16.0 introduces optional parameter validation. When enabled, the library checks the parameters passed to each function against that function's documented preconditions. Normally the library does not check for invalid parameters that pose no risk to its security and would cause an obvious error during execution, on the assumption that such misuse is caught during development and is unlikely in normal operation. The new feature can speed up development by flagging obvious misuse of the library as soon as it happens, and by letting users log such errors in test, development or production rather than work back from stack traces.
Announcing Mbed TLS 2.16 Long Term Support
We are pleased to announce that Mbed TLS 2.16.0 will be the basis of our next Long Term Support branch, and will be maintained for at least 3 years up until the end of 2021.
During that time, no new features will be added to the branch, the API and ABI will be maintained, and only bug fixes will be made to maintenance releases of 2.16.0.
This is further discussed in our blog posting 'Announcing Long Term Support Branch Mbed TLS 2.16'.
Features
- Add a new config.h option, MBEDTLS_CHECK_PARAMS, that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the API documentation of each function for the parameter values it is defined for. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it.
API Changes
- The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798.
  mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
  mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
- Extend ECDH interface to enable alternative implementations.
- Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
- Additional parameter validation checks have been added for the following modules: AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20, already had parameter validation whereas others had little. The same level of validation is now present in all modules, and all of it is controlled by the MBEDTLS_CHECK_PARAMS flag, which is off by default. That means that checks which were previously performed unconditionally are no longer performed unless MBEDTLS_CHECK_PARAMS is defined.
New deprecations
- Deprecate mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() in favor of functions that can return an error code.
Bugfix
- Fix a Clang warning about the bignum.c inline assembly for AMD64 targets creating string literals longer than ISO C99 permits. Found by Aaron Jones. Fixes #482.
- Fix a runtime error in mbedtls_platform_entropy_poll() when run under qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
- Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only if ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
- Add explicit integer to enumeration type casts to the example program programs/pkey/gen_key, which previously failed to compile on some toolchains. Reported by phoenixmcallister. Fixes #2170.
- Clarify the documentation of mbedtls_ssl_set_own_cert() regarding the absence of a check that the certificate and key match. Reported by Attila Molnar, #507.
- Fix double initialization of ECC hardware that made some accelerators hang.
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Mbed TLS 2.1.18
Description
Mbed TLS 2.1.18 is a maintenance release, and contains no new features. This release addresses multiple defects.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and has come to the end of its life. This is the last release of the 2.1 branch.
All users of Mbed TLS 2.1 are now advised to upgrade to a later version of Mbed TLS wherever possible. There will now be no further releases of Mbed TLS 2.1.
Bugfix
- Fix a Clang warning about the bignum.c inline assembly for AMD64 targets creating string literals longer than ISO C99 permits. Found by Aaron Jones. Fixes #482.
- Fix a runtime error in mbedtls_platform_entropy_poll() when run under qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
- Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only if ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
- Add explicit integer to enumeration type casts to the example program programs/pkey/gen_key, which previously failed to compile on some toolchains. Reported by phoenixmcallister. Fixes #2170.
- Clarify the documentation of mbedtls_ssl_set_own_cert() regarding the absence of a check that the certificate and key match. Reported by Attila Molnar, #507.
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Mbed TLS 2.15.1
Description
Mbed TLS 2.15.1 is a release of Mbed TLS intended only for Mbed OS, and will not be released as a standalone release on the Mbed TLS website.
This release updates the version of the PSA Crypto library used in Mbed TLS.
Changes
- Update the Mbed Crypto submodule to version 0.1.0b2. This change enables use of Mbed Crypto with Mbed TLS configurations that do not include GCM or CCM.
Who should update
This release is provided for use in Mbed OS only, and is not intended for wider usage outside of Mbed OS.
Mbed TLS 2.7.8
Description
Mbed TLS 2.7.8 is a maintenance release, and contains no new features. It addresses two security issues, one of which we are issuing Security Advisory 18-03 for.
Security
- Fixes timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites based on RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). The issue was first discovered and raised by Eyal Ronen - Weizmann Institute, Robert Gillham - University of Adelaide, Daniel Genkin - University of Michigan, Adi Shamir - Weizmann Institute, David Wong - NCC Group, and Yuval Yarom - University of Adelaide and Data61. The attack is described in more detail in the paper, The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations. This issue has been allocated CVE-2018-19608.
- Now wipes sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules.
API Changes
- The new functions mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() respectively, but the new functions report errors whereas the old functions return void. We recommend that applications use the new functions.
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.
Mbed TLS 2.14.1
Description
Mbed TLS 2.14.1 is a maintenance release, and contains no new features. It addresses two security issues, one of which we have issued Security Advisory 18-03 for.
Security
- Fixes timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites based on RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). The issue was first discovered and raised by Eyal Ronen - Weizmann Institute, Robert Gillham - University of Adelaide, Daniel Genkin - University of Michigan, Adi Shamir - Weizmann Institute, David Wong - NCC Group, and Yuval Yarom - University of Adelaide and Data61. The attack is described in more detail in the paper, The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations. This issue has been allocated CVE-2018-19608.
- Now wipes sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules.
API Changes
- The new functions mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() respectively, but the new functions report errors whereas the old functions return void. We recommend that applications use the new functions.
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.
Mbed TLS 2.1.17
Description
Mbed TLS 2.1.17 is a maintenance release, and contains no new features. It addresses two security issues, one of which we have issued Security Advisory 18-03 for.
Security
- Fixes timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites based on RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). The issue was first discovered and raised by Eyal Ronen - Weizmann Institute, Robert Gillham - University of Adelaide, Daniel Genkin - University of Michigan, Adi Shamir - Weizmann Institute, David Wong - NCC Group, and Yuval Yarom - University of Adelaide and Data61. The attack is described in more detail in the paper, The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations. This issue has been allocated CVE-2018-19608.
- Now wipes sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules.
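The RSA decryption item above, which also appears in the 2.7.8 and 2.14.1 notes, scopes the attack by ciphersuite name: suites whose name contains RSA but not (EC)DH(E). As an added example, not part of the release notes or of the library, the C below turns that rule into a filter over a server's ciphersuite preference list, so an operator can see which suites a server actually exposes to a padding oracle and drop them while the library update is rolled out. The list is constructed for the example; Mbed TLS's hyphenated suite names are used so the output could be fed straight back to the library.

```c
#include <stdio.h>
#include <string.h>

/*
 * The advisory's own rule: a suite's key exchange depends on RSA
 * decryption when its name contains "RSA" but no (EC)DH(E) component.
 * Every Diffie-Hellman variant (DHE, ECDH, ECDHE) contains "DH", so one
 * substring test covers them all: TLS-ECDHE-RSA-*, TLS-DHE-RSA-* and
 * TLS-ECDH-RSA-* use the RSA key only for signatures and are not in
 * scope, while TLS-RSA-* and TLS-RSA-PSK-* decrypt the premaster secret
 * with it and are.
 */
int uses_rsa_key_exchange(const char *suite_name)
{
    return strstr(suite_name, "RSA") != NULL && strstr(suite_name, "DH") == NULL;
}

/* Copy the names that survive the filter into out[] (room for n pointers)
   and return how many were kept; relative order is preserved. */
size_t drop_rsa_kex_suites(const char *const *in, size_t n, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!uses_rsa_key_exchange(in[i]))
            out[kept++] = in[i];
    return kept;
}

/* Constructed server preference list in Mbed TLS naming, not a real config. */
static const char *const demo_server_suites[] = {
    "TLS-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-RSA-WITH-AES-256-CBC-SHA",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
    "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
};
#define DEMO_N (sizeof demo_server_suites / sizeof demo_server_suites[0])

/* Number of suites left after filtering the constructed list. */
size_t demo_filtered_count(void)
{
    const char *out[DEMO_N];
    return drop_rsa_kex_suites(demo_server_suites, DEMO_N, out);
}

int main(void)
{
    const char *out[DEMO_N];
    size_t kept = drop_rsa_kex_suites(demo_server_suites, DEMO_N, out);
    printf("%zu of %zu suites kept:\n", kept, (size_t)DEMO_N);
    for (size_t i = 0; i < kept; i++)
        printf("  %s\n", out[i]);
    return 0;
}
```

To apply the surviving list with the library, convert each name with mbedtls_ssl_get_ciphersuite_id() and pass the 0-terminated array of IDs to mbedtls_ssl_conf_ciphersuites(). The name test mirrors the advisory's wording; the library's own classification is the key_exchange field of mbedtls_ssl_ciphersuite_t, where MBEDTLS_KEY_EXCHANGE_RSA and MBEDTLS_KEY_EXCHANGE_RSA_PSK are the affected values, and that field is the authoritative check. Dropping these suites also gives forward secrecy, but it is only an option where no client depends on plain RSA key exchange, and it complements the library fix rather than replacing it.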
Who should update
We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.
Mbed TLS 2.15.0
Description
Mbed TLS 2.15.0 is a release of Mbed TLS intended only for Mbed OS, and will not be released as a standalone release on the Mbed TLS website.
The release introduces an initial version of PSA Crypto and integration of Mbed TLS into that.
Security
- (2.15.0) This release contains no security fixes.
Features
- (2.15.0) Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of Mbed Crypto as the source of the cryptography implementation.
- (2.15.0) Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable the PSA Crypto API from Mbed Crypto when additionally used with the USE_CRYPTO_SUBMODULE build option.
API Changes
- (2.15.0) There are no API Changes in this release in the default configuration. When PSA Crypto is enabled, there are some changes to expected behaviour of the API.
New deprecations
- (2.15.0) There are no new deprecations in this release.
Bugfix
- (2.15.0) There are no new bug fixes in this release.
Changes
- (2.15.0) Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() from the cipher abstraction layer. Fixes #2198.
Who should update
This release is provided for use in Mbed OS only, and is not intended for wider usage outside of Mbed OS.
Mbed TLS 2.7.7
Description
Mbed TLS 2.7.7 is a maintenance release, and contains no new features. It addresses three security issues and resolves multiple defects.
Security
- Fixed an overly strict comparison of the X.509 DN field when searching for CRLs belonging to a particular Certificate Authority (CA). This previously led to CRLs being ignored when the issuer's name and the CA's subject name differed only in their string encoding, such as one using PrintableString and the other using UTF8String, or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
- Fixed a flawed bounds check in the parsing of the server's PSK hint. When the incoming message buffer was placed within the first 64kB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64kB beyond the incoming message buffer, potentially leading to an application crash or information disclosure.
- Fixed mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted as primes with high probability. This has no impact on the security of TLS, but can matter in other contexts where numbers that should be prime are chosen, potentially by an adversary, and need to be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson and Juraj Somorovsky.
Bugfix
- Fixed the wrong order of memory deallocation in the example program programs/ssl/ssl_server2, leading to a memory leak in case both MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. Fixes #2069.
- Fixed a bug in the update function for SSL ticket keys which previously invalidated keys with a lifetime of less than 1s. Fixes #1968.
- Fixed a failure in HMAC-DRBG in the benchmark sample application when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095.
- Fixed a bug in the record decryption routine ssl_decrypt_buf() which led to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
- Fixed a memory leak and freeing without initialization in the example program programs/x509/cert_write. Fixes #1422.
- Now ignores the IV in mbedtls_cipher_set_iv() when the cipher mode is MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
- Zeroizes memory used for buffering or reassembling handshake messages after use.
- Uses mbedtls_platform_zeroize() instead of memset() for zeroization of sensitive data in the example programs aescrypt2 and crypt_and_hash.
- Fixed a compilation failure for configurations which use compile-time replacements of the standard calloc/free functions through the macros MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
Changes
- Added tests for session resumption in DTLS.
- Closed a test gap in (D)TLS between the client side and the server side, to test the handling of large packets and small packets on the client side in the same way as on the server side.
- Changed the dtls_client and dtls_server examples to work by default over IPv6 and optionally, by a build option, over IPv4.
- Changed the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
- Improved documentation of mbedtls_ssl_get_verify_result(). Fixes #517 reported by github-monoculture.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.
Mbed TLS 2.14.0
Description
Mbed TLS 2.14.0 introduces several new features:
- Support for non-blocking ECC operations has been introduced with this release. This allows users of Mbed TLS on single-threaded systems to perform elliptic curve cryptographic operations in between other critical operations (such as resetting a watchdog timer), without the use of a pre-emptive scheduler or RTOS. This is explained more fully in the knowledge base article 'Non-blocking ECC operations'.
- Support for CTR-DRBG using only AES-128 cipher operations. On some devices, AES-128 cryptographic accelerators may be available, but not acceleration of AES-256. Designs for such devices may need only AES-128, and by using only the device's AES-128 accelerator, code size can be reduced, operations made faster, and power consumption reduced.
- Support for smaller salt sizes for RSASSA-PSS signatures, enabling compliance with FIPS 186-4.
This release also addresses three security issues and resolves multiple defects.
Security
- Fixed an overly strict comparison of the X.509 DN field when searching for CRLs belonging to a particular Certificate Authority (CA). This previously led to CRLs being ignored when the issuer's name and the CA's subject name differed only in their string encoding, such as one using PrintableString and the other using UTF8String, or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
- Fixed a flawed bounds check in the parsing of the server's PSK hint. When the incoming message buffer was placed within the first 64kB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64kB beyond the incoming message buffer, potentially leading to an application crash or information disclosure.
- Fixed mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted as primes with high probability. This has no impact on the security of TLS, but can matter in other contexts where numbers that should be prime are chosen, potentially by an adversary, and need to be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson and Juraj Somorovsky.
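The PSK hint item, listed here and in the 2.7.7 notes, is a length-check bug in parsing a 2-byte length-prefixed vector (psk_identity_hint in a PSK ServerKeyExchange) out of a handshake message. The code below is an added example, neither the library's parser nor the pre-fix code, showing how such a field is bounds-checked so that a length claimed by the peer can never move the read pointer past the end of the receive buffer. PARSE_ERR_BAD_MESSAGE, the demo_ functions and the message bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define PARSE_ERR_BAD_MESSAGE (-1)   /* stand-in for the library's bad-handshake error code */

/*
 * Parse one TLS vector with a 2-byte length prefix. On success *p is
 * advanced past the field and its body is returned via field/field_len.
 * Both checks are phrased as "bytes remaining" comparisons: end - *p is a
 * well-defined ptrdiff_t as long as *p and end point into the same buffer,
 * whereas computing *p + len first is undefined as soon as the sum would
 * point past the buffer, and the compiler may then rewrite the comparison
 * in ways that make the check useless. The length is also kept in size_t,
 * never narrowed, so a 0xFFFF value cannot be truncated before comparison.
 */
int parse_u16_vector(const unsigned char **p, const unsigned char *end,
                     const unsigned char **field, size_t *field_len)
{
    size_t len;

    if (end - *p < 2)                        /* is the length field itself present? */
        return PARSE_ERR_BAD_MESSAGE;
    len = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    if ((size_t)(end - *p) < len)            /* is the whole body present? */
        return PARSE_ERR_BAD_MESSAGE;
    *field = *p;
    *field_len = len;
    *p += len;
    return 0;
}

/* Constructed messages, not captures: the hint followed by bytes standing
   in for the key-exchange parameters that come after it. */
static const unsigned char msg_ok[]    = { 0x00, 0x04, 'h', 'i', 'n', 't', 0xAA, 0xBB };
static const unsigned char msg_empty[] = { 0x00, 0x00, 0xAA };      /* empty hint is legal */
static const unsigned char msg_long[]  = { 0xFF, 0xFF, 'h', 'i' };  /* claims 65535 bytes */
static const unsigned char msg_short[] = { 0x00 };                  /* truncated length */

/* Hint length parsed from msg, or PARSE_ERR_BAD_MESSAGE. */
long demo_hint_len(const unsigned char *msg, size_t n)
{
    const unsigned char *p = msg, *hint;
    size_t hint_len;
    if (parse_u16_vector(&p, msg + n, &hint, &hint_len) != 0)
        return PARSE_ERR_BAD_MESSAGE;
    return (long)hint_len;
}

/* Bytes left after the hint (what the next parser gets), or PARSE_ERR_BAD_MESSAGE. */
long demo_bytes_after_hint(const unsigned char *msg, size_t n)
{
    const unsigned char *p = msg, *end = msg + n, *hint;
    size_t hint_len;
    if (parse_u16_vector(&p, end, &hint, &hint_len) != 0)
        return PARSE_ERR_BAD_MESSAGE;
    return (long)(end - p);
}

int main(void)
{
    printf("ok:    hint %ld bytes, %ld bytes follow\n",
           demo_hint_len(msg_ok, sizeof msg_ok), demo_bytes_after_hint(msg_ok, sizeof msg_ok));
    printf("empty: hint %ld bytes\n", demo_hint_len(msg_empty, sizeof msg_empty));
    printf("long:  %ld\n", demo_hint_len(msg_long, sizeof msg_long));
    printf("short: %ld\n", demo_hint_len(msg_short, sizeof msg_short));
    return 0;
}
```

The same pattern applies to every length field read from the wire, including the session ticket length in the 2.7.9 bounds-check fix: compute the remaining length from two pointers you already know are valid, compare the claimed length against it, and only then advance.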
Features
- Added support for temporarily suspending expensive ECC computations after some configurable amount of operations. This is intended to be used in constrained, single-threaded systems where ECC operations can be time consuming and can block other operations until they complete. This feature is enabled by defining MBEDTLS_ECP_RESTARTABLE in the configuration file config.h and is configured by mbedtls_ecp_set_max_ops() at runtime. It is disabled by default. It applies to the new xxx_restartable functions in ECP, ECDSA, PK and X.509, and to existing functions in ECDH and SSL. It is currently only implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2, including client authentication, and there is no support for CRL files.
- Added support for the Arm CPU DSP extensions to accelerate asymmetric key operations. On CPUs where the extensions are available, they can accelerate the MPI multiplications used in ECC and RSA cryptography. Contributed by Aurelien Jarno.
- Extended RSASSA-PSS signature support to allow a smaller salt size. Previously, the PSS signature always used a salt with the same length as the hash, and returned an error if this was not possible. Now the salt size may be up to two bytes shorter. This allows the library to support all hash and signature sizes that comply with FIPS 186-4, including SHA-512 with a 1024-bit key: the encoded message for a 1024-bit key is 128 bytes, and PSS needs room in it for the hash, the salt and two fixed bytes, so the salt can be at most 128 - 64 - 2 = 62 bytes, two short of the 64-byte SHA-512 output.
- Added support for 128 bit keys in CTR-DRBG. Note that using keys shorter than 256 bits limits the security of generated material to 128 bits.
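The restartable ECC feature (this item and the 2.14.0 description above) is a contract between the library and the caller: the caller owns a restart context, sets a per-call budget with mbedtls_ecp_set_max_ops(), and when a xxx_restartable function returns MBEDTLS_ERR_ECP_IN_PROGRESS (the error code the feature uses; the name is from ecp.h, not from this page) calls it again with the same context until it returns 0. The block below is an added example, not library code, that models that contract on a modular exponentiation so it builds without the library: the bit-by-bit loop with saved state has the same shape as an ECC scalar multiplication, and the caller loop is what a firmware main loop looks like when it services a watchdog between slices. All demo_ names and the DEMO_ERR_IN_PROGRESS stand-in belong to the example.

```c
#include <stdint.h>
#include <stdio.h>

#define DEMO_ERR_IN_PROGRESS (-1)   /* stand-in for MBEDTLS_ERR_ECP_IN_PROGRESS */

/* Per-call op budget, the role mbedtls_ecp_set_max_ops() plays; 0 = unlimited. */
static unsigned g_max_ops = 0;
void demo_set_max_ops(unsigned max_ops) { g_max_ops = max_ops; }

/* Restart context (counterpart of mbedtls_ecdsa_restart_ctx): everything
   needed to resume. It belongs to the caller, not to the interrupted call. */
typedef struct {
    int      started;   /* 0 until the first slice sets up the state */
    int      bit;       /* next exponent bit to process, from the top */
    uint64_t acc;       /* partial result carried across slices */
} demo_restart_ctx;

void demo_restart_init(demo_restart_ctx *rs) { rs->started = 0; rs->bit = 0; rs->acc = 1; }

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);   /* GCC/Clang extension */
}

/* Restartable square-and-multiply for base^exp mod m. An ECC scalar
   multiplication has the same shape: a left-to-right pass over the bits of
   the scalar with one or two group operations per bit. Each squaring or
   multiplication is one op; when this call's budget is spent the function
   returns DEMO_ERR_IN_PROGRESS and must be called again with the same
   context. *out is written only on a 0 return. */
int demo_modexp_restartable(uint64_t base, uint64_t exp, uint64_t m,
                            uint64_t *out, demo_restart_ctx *rs)
{
    unsigned ops = 0;
    if (!rs->started) {
        rs->started = 1;
        rs->bit = 63;
        rs->acc = 1 % m;
    }
    while (rs->bit >= 0) {
        if (g_max_ops != 0 && ops >= g_max_ops)
            return DEMO_ERR_IN_PROGRESS;        /* resume at rs->bit next time */
        rs->acc = mulmod(rs->acc, rs->acc, m);
        ops++;
        if ((exp >> rs->bit) & 1) {
            rs->acc = mulmod(rs->acc, base, m);
            ops++;
        }
        rs->bit--;
    }
    *out = rs->acc;
    rs->started = 0;                            /* context is reusable */
    return 0;
}

/* Caller side: drive one operation to completion, servicing the watchdog
   between slices. Returns the number of slices taken, or the error. */
int demo_run_with_watchdog(uint64_t base, uint64_t exp, uint64_t m,
                           uint64_t *out, void (*kick_watchdog)(void))
{
    demo_restart_ctx rs;
    int ret, slices = 0;
    demo_restart_init(&rs);
    do {
        ret = demo_modexp_restartable(base, exp, m, out, &rs);
        slices++;
        if (ret == DEMO_ERR_IN_PROGRESS && kick_watchdog != NULL)
            kick_watchdog();                    /* other urgent work fits here too */
    } while (ret == DEMO_ERR_IN_PROGRESS);
    return ret == 0 ? slices : ret;
}

/* Non-restartable reference used to check the result. */
uint64_t demo_modexp_plain(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t acc = 1 % m;
    for (int bit = 63; bit >= 0; bit--) {
        acc = mulmod(acc, acc, m);
        if ((exp >> bit) & 1)
            acc = mulmod(acc, base, m);
    }
    return acc;
}

/* Constructed scenario: a 57-bit exponent modulo the prime 2^61 - 1. */
#define DEMO_BASE 7ULL
#define DEMO_EXP  0x0123456789ABCDEFULL
#define DEMO_MOD  2305843009213693951ULL
static unsigned g_kicks = 0;
static void count_kick(void) { g_kicks++; }
unsigned demo_watchdog_kicks(void) { return g_kicks; }

int demo_scenario_slices(unsigned max_ops)        /* slices taken with this budget */
{
    uint64_t out;
    demo_set_max_ops(max_ops);
    g_kicks = 0;
    return demo_run_with_watchdog(DEMO_BASE, DEMO_EXP, DEMO_MOD, &out, count_kick);
}

uint64_t demo_scenario_result(unsigned max_ops)   /* result computed with this budget */
{
    uint64_t out = 0;
    demo_set_max_ops(max_ops);
    demo_run_with_watchdog(DEMO_BASE, DEMO_EXP, DEMO_MOD, &out, NULL);
    return out;
}

int main(void)
{
    int slices = demo_scenario_slices(16);
    printf("budget 16: %d slices, %u watchdog kicks\n", slices, demo_watchdog_kicks());
    printf("matches plain modexp: %s\n",
           demo_scenario_result(16) == demo_modexp_plain(DEMO_BASE, DEMO_EXP, DEMO_MOD) ? "yes" : "no");
    return 0;
}
```

Two properties of the model carry over to the real feature. The state lives in the caller's context, so the caller must not free or reinitialise it between an IN_PROGRESS return and the next call, and must not change the inputs; and a budget only bounds the latency of one call, so the watchdog timeout has to exceed the cost of max_ops basic operations on the target, which the library's operation counts are calibrated against.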
API Changes
- Added a common error code of
MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED
for features that are not supported by third party implementations of cryptographic primitives. This is useful for hardware accelerators that do not implement all options or features, such as those that support AES-128 but not AES-192 or AES-256.
New deprecations
- All module specific errors following the form MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not supported are now deprecated and replaced by the new equivalent platform error.
- All module specific generic hardware acceleration errors following the form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED are now deprecated and replaced by the equivalent platform error.
- The function mbedtls_mpi_is_prime() is now deprecated in favor of mbedtls_mpi_is_prime_ext(), which allows specifying the number of Miller-Rabin rounds.
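The mbedtls_mpi_is_prime() items in the 2.7.7 and 2.14.0 security sections and this deprecation in favour of mbedtls_mpi_is_prime_ext() all turn on one number: how many Miller-Rabin rounds the caller asks for. The example below, added here and not library code, shows why that number depends on who chose the candidate. It is a 64-bit Miller-Rabin with random witnesses (the role the f_rng callback plays for mbedtls_mpi_is_prime_ext()), a fixed-base variant, and the round count that bounds an adversary's success at 4^-t. The witness PRNG, the candidate 3215031751 (151 * 751 * 28351, the smallest strong pseudoprime to bases 2, 3, 5 and 7) and the prime 2^61 - 1 are the example's own inputs.

```c
#include <stdint.h>
#include <stdio.h>

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);   /* GCC/Clang extension */
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    b %= m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

/* One Miller-Rabin round with witness a, for odd n > 3. Returns 1 if n
   survives (a is a strong liar or n is prime), 0 if a proves n composite. */
int mr_round(uint64_t n, uint64_t a)
{
    uint64_t d = n - 1, x;
    unsigned s = 0;
    while ((d & 1) == 0) { d >>= 1; s++; }        /* n - 1 = 2^s * d, d odd */
    x = powmod(a, d, n);
    if (x == 1 || x == n - 1)
        return 1;
    for (unsigned i = 1; i < s; i++) {
        x = mulmod(x, x, n);
        if (x == n - 1)
            return 1;
    }
    return 0;
}

/* Fixed-seed xorshift64 so a run is reproducible; the library draws its
   witnesses from the f_rng passed to mbedtls_mpi_is_prime_ext(). */
static uint64_t g_rng = 0x9E3779B97F4A7C15ULL;
static uint64_t rng_next(void)
{
    uint64_t x = g_rng;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return g_rng = x;
}

/* Miller-Rabin with `rounds` random witnesses in [2, n-2]. For any odd
   composite n at most a quarter of the candidate witnesses are strong
   liars, so even an adversary who chose n has at most a 4^-rounds chance
   of getting it accepted. */
int is_probable_prime(uint64_t n, unsigned rounds)
{
    if (n < 4)
        return n == 2 || n == 3;
    if ((n & 1) == 0)
        return 0;
    for (unsigned r = 0; r < rounds; r++)
        if (!mr_round(n, 2 + rng_next() % (n - 3)))
            return 0;
    return 1;
}

/* Rounds needed for acceptance probability <= 2^-bits against an
   adversarial candidate: 4^-t <= 2^-bits gives t = ceil(bits / 2). */
unsigned mr_rounds_adversarial(unsigned bits) { return (bits + 1) / 2; }

/* The other extreme: a fixed set of small bases. Fast, fine for screening
   your own random candidates, but composites that pass any published base
   set can be manufactured on purpose. */
int passes_bases_2_3_5_7(uint64_t n)
{
    static const uint64_t bases[] = { 2, 3, 5, 7 };
    for (unsigned i = 0; i < 4; i++)
        if (!mr_round(n, bases[i]))
            return 0;
    return 1;
}

int main(void)
{
    const uint64_t psp = 3215031751ULL, mersenne = 2305843009213693951ULL;
    printf("bases 2,3,5,7 accept 3215031751: %d\n", passes_bases_2_3_5_7(psp));
    printf("64 random rounds accept it:       %d\n", is_probable_prime(psp, 64));
    printf("64 random rounds accept 2^61-1:   %d\n", is_probable_prime(mersenne, 64));
    printf("rounds for 2^-128 vs an adversary: %u\n", mr_rounds_adversarial(128));
    return 0;
}
```

Whether a given rounds argument is enough is a property of the input, not of the function. For a candidate you generated yourself from random bits, far fewer rounds reach the same confidence, which is what the FIPS 186-4 round tables rely on and why key generation was never at risk. For a Diffie-Hellman modulus or group parameter received from a peer, the 4^-t bound is the only one that holds, so 64 rounds are needed for 2^-128 and 40 for 2^-80.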
Bugfix
- Changed the default string format used for various X.509 DN attributes to UTF8String. Previously, the use of the PrintableString format led to wildcards and non-ASCII characters being unusable in some DN attributes. Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by Thomas-Dee.
- Fixed the wrong order of memory deallocation in the example program programs/ssl/ssl_server2, leading to a memory leak in case both MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. Fixes #2069.
- Fixed a bug in the update function for SSL ticket keys which previously invalidated keys with a lifetime of less than 1s. Fixes #1968.
- Fixed a failure in HMAC-DRBG in the benchmark sample application when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095.
- Fixed a bug in the record decryption routine ssl_decrypt_buf() which led to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
- Fixed a memory leak and freeing without initialization in the example program programs/x509/cert_write. Fixes #1422.
- Now ignores the IV in mbedtls_cipher_set_iv() when the cipher mode is MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
- Zeroizes memory used for buffering or reassembling handshake messages after use.
- Uses mbedtls_platform_zeroize() instead of memset() for zeroization of sensitive data in the example programs aescrypt2 and crypt_and_hash.
- Fixed a compilation failure for configurations which use compile-time replacements of the standard calloc/free functions through the macros MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
Changes
- Now remembers the string format of X.509 DN attributes when replicating X.509 DN attributes. Previously, DN attributes were always written in their default string format, which was PrintableString in most instances. This could lead to certificates being created which used PrintableString in the issuer field even though the signing Certificate Authority used UTF8String in its subject field. Whilst compliant with X.509, such certificates were rejected by some applications, such as some versions of Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by Thomas-Dee.
- Added the MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and used it to reduce the error probability in RSA key generation to the levels mandated by FIPS 186-4.
- Removed support for Yotta as a build tool.
- Added tests for session resumption in DTLS.
- Closed a test gap in (D)TLS between the client side and the server side, to test the handling of large packets and small packets on the client side in the same way as on the server side.
- Changed the dtls_client and dtls_server examples to work by default over IPv6 and optionally, by a build option, over IPv4.
- Changed the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
- Improved documentation of mbedtls_ssl_get_verify_result(). Fixes #517 reported by github-monoculture.
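The CRL lookup fix in the 2.14.0 and 2.7.7 security sections and the two 2.14.0 changes to how DN attributes are written are two sides of one issue: the same name can be encoded with different ASN.1 string tags and different letter case, and a comparison that demands identical bytes silently loses the CRL for the CA that issued it. As an added example, not the library's X.509 code, the block below implements the comparison rule the fix describes (PrintableString and UTF8String treated as one class and compared without regard to ASCII case, every other tag matched byte for byte) over a small attribute structure and constructed names. The dn_attr type, the demo_ function and the names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASN.1 universal tags for the string types seen in X.509 names (X.690). */
#define ASN1_UTF8_STRING       0x0C
#define ASN1_PRINTABLE_STRING  0x13
#define ASN1_IA5_STRING        0x16

/* One attribute of a distinguished name, as a parser would hand it over. */
typedef struct {
    const char          *oid;   /* dotted attribute type, e.g. "2.5.4.3" for CN */
    int                  tag;   /* ASN.1 string tag the value was encoded with */
    const unsigned char *val;
    size_t               len;
} dn_attr;

/* PrintableString and UTF8String are interchangeable for ASCII content, so
   a CA that writes its subject with one tag routinely signs certificates
   and CRLs whose issuer field carries the other. Those two tags form one
   class, compared ignoring ASCII case; any other tag must match exactly. */
static int is_text_tag(int tag)
{
    return tag == ASN1_UTF8_STRING || tag == ASN1_PRINTABLE_STRING;
}

/* ASCII-only case folding: bytes outside A-Z/a-z, including UTF-8
   multibyte sequences, are compared as they are. Returns 0 when equal. */
static int memcasecmp_ascii(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = a[i], y = b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y)
            return 1;
    }
    return 0;
}

int dn_attr_equal(const dn_attr *a, const dn_attr *b)
{
    if (strcmp(a->oid, b->oid) != 0 || a->len != b->len)
        return 0;
    if (is_text_tag(a->tag) && is_text_tag(b->tag))
        return memcasecmp_ascii(a->val, b->val, a->len) == 0;
    return a->tag == b->tag && memcmp(a->val, b->val, a->len) == 0;
}

/* Two names match when they have the same attributes in the same order. */
int dn_equal(const dn_attr *a, size_t na, const dn_attr *b, size_t nb)
{
    if (na != nb)
        return 0;
    for (size_t i = 0; i < na; i++)
        if (!dn_attr_equal(&a[i], &b[i]))
            return 0;
    return 1;
}

#define S(lit) (const unsigned char *)(lit), sizeof(lit) - 1
#define N(x)   (sizeof(x) / sizeof((x)[0]))

/* Constructed names: one CA subject and the issuer fields of three CRLs. */
static const dn_attr ca_subject[] = {
    { "2.5.4.10", ASN1_PRINTABLE_STRING, S("Example Org") },
    { "2.5.4.3",  ASN1_PRINTABLE_STRING, S("Example CA") },
};
static const dn_attr crl_issuer_utf8_lower[] = {   /* re-encoded and lower-cased */
    { "2.5.4.10", ASN1_UTF8_STRING, S("example org") },
    { "2.5.4.3",  ASN1_UTF8_STRING, S("example ca") },
};
static const dn_attr crl_issuer_other_ca[] = {     /* a different CA */
    { "2.5.4.10", ASN1_UTF8_STRING, S("Example Org") },
    { "2.5.4.3",  ASN1_UTF8_STRING, S("Example CA 2") },
};
static const dn_attr crl_issuer_ia5[] = {          /* same bytes, tag outside the class */
    { "2.5.4.10", ASN1_PRINTABLE_STRING, S("Example Org") },
    { "2.5.4.3",  ASN1_IA5_STRING,       S("Example CA") },
};

/* Does a CRL with this issuer belong to the constructed CA? */
int demo_crl_matches_ca(const dn_attr *issuer, size_t n)
{
    return dn_equal(ca_subject, N(ca_subject), issuer, n);
}

int main(void)
{
    printf("UTF8String, lower case: %d\n", demo_crl_matches_ca(crl_issuer_utf8_lower, N(crl_issuer_utf8_lower)));
    printf("other CA:               %d\n", demo_crl_matches_ca(crl_issuer_other_ca, N(crl_issuer_other_ca)));
    printf("IA5String issuer:       %d\n", demo_crl_matches_ca(crl_issuer_ia5, N(crl_issuer_ia5)));
    return 0;
}
```

Note what is deliberately not folded: only ASCII letters, so two UTF8String values that differ in the case of a non-ASCII character still compare unequal, and a tag outside the class (IA5String in the last case) does not match even with identical bytes. RFC 5280 section 7.1 permits broader normalisation; the rule here is the narrow one the fix needs in order to find a CRL for the CA that actually issued it, and the 2.14.0 change to reuse the CA's own string format when writing the issuer field reduces how often it is even exercised.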
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.