Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Any plans for TLS 1.3 support? #508

Closed Yanmei-Liu closed 8 years ago

Yanmei-Liu commented 8 years ago

Hi,

I want to know if there are any plans for TLS 1.3 support in the near future?

Thank you in advance, Miao

pjbakker commented 8 years ago

We do have plans to support TLS 1.3.

We don't have dates or a schedule we can share at this point.

kriskwiatkowski commented 6 years ago

@pjbakker Do you have any draft version of TLS 1.3 implementation that you could share?

eccgecko commented 5 years ago

TLS 1.3 has been finalised since March. OpenSSL have recently released 1.1.1 LTS, with official TLS 1.3 support. I hope MbedTLS isn’t far behind, especially as the OpenVPN client app on iOS is dependent on mbed, and so is being held back by its lack of support.

homer6 commented 5 years ago

If you're working on TLS 1.3, could you please provide a vague estimate? We're trying to gauge whether to adopt mbedTLS as TLS 1.3 is a major requirement in our decision for an SSL library.

Also, please note that a version of the TLS 1.3 specification with readability improvements has been published, along with videos. This may help in the design of mbedTLS's TLS 1.3 implementation.

https://davidwong.fr/tls13/

c/o

https://twitter.com/jedisct1/status/1078806087304994817

nevercast commented 5 years ago

Any update on this? It's almost been 1 year since the spec was available. Just want to get some feedback on if it's coming in the next few months.

Update: For those landing here, we at least have this statement: https://tls.mbed.org/tech-updates/blog/working-towards-mbed-tls-3

Kind regards

patrickkh7788 commented 4 years ago

Update?

HansH111 commented 4 years ago

An update would be nice.. even if it is not positive.....

RalphCorderoy commented 4 years ago

I realised this issue is closed, but it seems to be the gathering place that Google knows, so I may as well reinforce that.

An update on the expected arrival of TLS 1.3 in mbed TLS > 3.0 would be useful. For context, in the early stages of product development, choosing a TLS library depends not just on what's available now but what will have become available in 12-18 months' time when nearing production. (With the seeming radio silence, wolfSSL for $5,000 looks attractive.)

hanno-becker commented 4 years ago

Hi,

I cannot comment on the official roadmap of Mbed TLS, but the following is perhaps of interest (adding to what was already described on https://tls.mbed.org/tech-updates/blog/working-towards-mbed-tls-3): @hannestschofenig (who is coauthor of the DTLS 1.3 draft) and I are working on prototypes for TLS 1.3, DTLS 1.3 and cTLS. At the moment, those are still research prototypes and they involve an entire rearchitecture for Mbed TLS' messaging layer (called 'MPS' for message processing stack) aiming to make it more modular, less RAM consuming, and most importantly, amenable to the changes that (D)TLS 1.3 brings -- especially DTLS 1.3 introduces vast changes to the messaging layer and the retransmission state machine that we believe would be difficult to implement on top of the code as we have it now. Another aspect is that with the advent of Post-Quantum Crypto, there's increased need for supporting very large messages and fragmentation, which is also a design goal of the rewrite. The MPS rewrite is public (https://github.com/hanno-arm/mbedtls/tree/mps_implementation/include/mbedtls/mps and https://github.com/hanno-arm/mbedtls/tree/mps_implementation/library/mps - there are also slides and design documents, but they aren't yet public), and I think Hannes' TLS 1.3 prototype could be, too (@hannestschofenig?). However, both still need to be tied together, which is what hopefully we'll find time for soon, ideally leading to some branch to test and ask for feedback against soon. However, it's still an open question if/when/how the work would be upstreamed into the development branch of Mbed TLS, which I hope we gain some clarity on in the near future - given the scale of the changes, that's a non-trivial question.

Kind regards, Hanno

kriskwiatkowski commented 4 years ago

As I understand, there is no concrete plan to support TLSv1.3, right?

hannestschofenig commented 4 years ago

For roadmaps you need to get an answer from the Mbed TLS team, to which Hanno and I don't belong. We are working in research and take an approach to not only get support for TLS 1.3 and DTLS 1.3, but to at the same time prepare for further upcoming challenges such as cTLS, QUIC and PQC. As you can imagine, we are interested to see the results being merged back into upstream Mbed TLS.

kriskwiatkowski commented 4 years ago

Thanks! Indeed, it would be great to get a more detailed view on TLS 1.3 progress. We are also working on PQC. In this case, designing integration for TLSv1.2 just because TLSv1.3 is not supported would be a waste of time.

hanno-becker commented 4 years ago

> We are also working on PQC. In this case, designing integration for TLSv1.2 just because TLSv1.3 is not supported would be a waste of time.

Fully agree. And it's not just the protocol level, but also the record layer: As you know, there are PQC primitives which can be implemented in less RAM than the size of their cryptographic material, e.g. SPHINCS, but when used on top of (D)TLS such clever algorithms aren't of any use unless the TLS stack supports in-place (or, for DTLS, out-of-order) message processing, which is one of our design goals. Happy to talk through details and synchronize in case this is of interest to you.

hannestschofenig commented 4 years ago

I have released a rebased version of the Arm-internal TLS 1.3 prototype implementation at https://github.com/hannestschofenig/mbedtls/tree/tls13-prototype

What I have done here is to refactor the code with the intention to integrate it with the MPS, as Hanno explained in this exchange. Additionally, I have rebased the code onto the latest version of the Mbed TLS code.

I wanted to release the code as soon as possible even though some work remains. What has not been refactored yet is (a) DTLS 1.3 and (b) 0-RTT. I focused on the basic TLS 1.3 for now.

The plan is to improve the alignment with the current Mbed TLS code and to make it an official branch in the Mbed TLS repo in about a month from now. Additionally, Hanno and I want to integrate the MPS layer. As a side-effect of refactoring the code for use with MPS, I am also adding going to cTLS (currently this functionality is incomplete).

I hope you find this useful.

PS: I can also release the version (before refactoring and rebasing), if that helps.

mpg commented 4 years ago

By the way, for a couple of weeks now we have had a mailing list that is now the preferred place for questions and discussions: https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls (GitHub is still used for bug reports and PRs, though).

dmak commented 1 year ago

PR#4963 was merged in Sep 2021, hence I suppose some limited TLS v1.3 support should be present in mbedTLS v3.1.0 released 2021-12-17 (correct me if I am wrong).