Hi Team,
My customer has the following question: in the SSL/TLS example code (evkmimxrt1160_lwip_httpscli_mbedTLS_freertos_cm7), there is support for version 1.2 of TLS. On the other hand, there is a macro in the code which, if activated, activates experimental parts of the code that also support TLS 1.3.
Can you please advise if NXP has full support for TLS 1.3 and if there is a newer example code?
This is the macro, in the code, with the explanation:
/**
 * \def MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 *
 * This macro is used to selectively enable experimental parts
 * of the code that contribute to the ongoing development of
 * the prototype TLS 1.3 and DTLS 1.3 implementation, and provide
 * no other purpose.
 *
 * \warning TLS 1.3 and DTLS 1.3 are not yet supported in Mbed TLS,
 *          and no feature exposed through this macro is part of the
 *          public API. In particular, features under the control
 *          of this macro are experimental and do not come with any
 *          stability guarantees.
 *
 * Uncomment this macro to enable experimental and partial
 * functionality specific to TLS 1.3.
 */
//#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
Waiting for your kind feedback, Thanks in advance
Regards,
Shai
Hi Sir,
If our customer needs to support TLS 1.2 or 1.3 based on RT1062 (AES128 only),
is it possible? Or (RT1062 + SE050), or (change platform to RT116x), or (RT1062 + FW AES256 (merge it into Mbed))?
Hi @StephenYeh,
For any issues, please create your own question post, thanks.
Then our NXP engineer will help you in your own question post.
Best Regards,
Kerry
Hi @shai_b ,
I checked our newest SDK 2.11.0 for RT11XX; the supported version is still v1.2, and v1.3 is still not supported according to the code comment.
As far as I know, we still don't have a plan for v1.3, so maybe you still need to follow the SDK demo code and use v1.2.
Sorry for the inconvenience this brings you.
Best Regards,
Kerry
Hi,
Thanks for the answer. I wanted to add a couple of questions to Shai's:
1. Are there any hardware issues that would prevent software developers from supporting TLS 1.3 on RT1160/RT1170? In other words - is software the only thing preventing TLS 1.3 support, and with the right code there would be TLS 1.3 support?
2. If there are no hardware issues that would prevent supporting TLS 1.3:
Can you please recommend another (possibly third-party) library that would support TLS 1.3 on RT11XX (like wolfSSL, for example)?
Thanks in advance!
Segev
From the code comment, I think it is the software that doesn't support TLS 1.3:
TLS 1.3 and DTLS 1.3 are not yet supported in Mbed TLS
I think it is not a hardware issue.
As for a specific library that would support TLS 1.3 on RT11XX, we still don't have one.
Could you please tell me why you must use TLS 1.3 instead of TLS 1.2? Is there any real project requirement? Then I will try to find some internal resources to check it.
Best Regards,
Kerry
Hi Kerry,
Thanks for the answer.
TLS 1.3 is a project requirement.
Can you please find some internal resources to check it?
Thanks in advance,
Segev
Hi @segev-amossi ,
Thanks for your patience, I have already got a quick internal reply.
Please check the following information:
LwIP examples use mbedTLS for TLS functionality, and the actual MCUXpresso SDK 2.11.0 contains mbedTLS version 2.27, which does not officially support TLS 1.3.
MbedTLS does not fully/reliably support TLS 1.3 yet. It is in their road map for 2022:
https://developer.trustedfirmware.org/w/mbed-tls/roadmap/
https://github.com/orgs/ARMmbed/projects/18#column-15836319
MbedTLS 3.1 does have a minimum viable implementation based on a prototype implementation, but I think some development still needs to be done. See details here:
https://github.com/ARMmbed/mbedtls/blob/development/docs/architecture/tls13-support.md
MbedTLS 2.28 has only an experimental version:
https://github.com/ARMmbed/mbedtls/blob/v2.28.0/docs/architecture/tls13-experimental.md
An SDK update to 2.28 is planned; the detailed publish time of the SDK is not determined. Transition to MbedTLS 3.x is still under discussion/planning.
So, maybe after the SDK updates to MbedTLS 2.28, you can use the experimental version for TLS 1.3.
Hope it helps you!
Best Regards,
kerry
Hi @segev-amossi ,
Please be patient; I have already helped you check with our SDK lwip owner, and the reply needs time.
So please wait a moment; if there is any updated information, I will let you know. Thanks a lot for your understanding.
Best Regards,
Kerry