mbedtls/docs/3.0-migration-guide.md
Manuel Pégourié-Gonnard 3e7ddb2bb6
Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0
Update the default hash and curve selection for X.509 and TLS
2021-06-22 12:08:37 +02:00

8.4 KiB

Migrating from Mbed TLS 2.x to Mbed TLS 3.0

This guide details the steps required to migrate from Mbed TLS version 2.x to Mbed TLS version 3.0 or greater. Unlike normal releases, Mbed TLS 3.0 breaks compatibility with previous versions, so users (and alt implementors) might need to change their own code in order to make it work with Mbed TLS 3.0.

Here's the list of breaking changes; each entry should help you answer these two questions: (1) am I affected? (2) if yes, what's my migration path?

Some function parameters were made const

Various functions in the PK and ASN.1 modules had a const qualifier added to some of their parameters.

This normally doesn't affect your code, unless you use pointers to reference those functions. In this case, you'll need to update the type of your pointers in order to match the new signature.

Deprecated functions were removed from hashing modules

Modules: MD5, SHA1, SHA256, SHA512, MD.

  • The functions mbedtls_xxx_starts(), mbedtls_xxx_update(), mbedtls_xxx_finish() and mbedtls_xxx() were removed. Please use the function with the same name with _ret appended and check the return value.
  • The function mbedtls_md_init_ctx() was removed; please use mbedtls_md_setup() instead.
  • The functions mbedtls_xxx_process() were removed. You normally don't need to call that from application code. However if you do (or if you want to provide your own version of that function), please use mbedtls_internal_xxx_process() instead, and check the return value.

Deprecated error codes for hardware failures were removed

  • The macros MBEDTLS_ERR_xxx_FEATURE_UNSUPPORTED from various crypto modules were removed; MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED is now used instead.
  • The macros MBEDTLS_ERR_xxx_HW_ACCEL_FAILED from various crypto modules were removed; MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED is now used instead.

Deprecated names for PSA constants and types were removed

Some constants and types that were present in beta versions of the PSA Crypto API were removed from version 1.0 of specification. Please switch to the new names provided by the 1.0 specification instead.

Internal / alt-focused headers were moved to a private location

This shouldn't affect users who took care not to include headers that were documented as internal, despite being in the public include directory.

If you're providing alt implementations of ECP or RSA, you'll need to add our library directory to your include path when building your alt implementations, and note that ecp_internal.h and rsa_internal.h have been renamed to ecp_internal_alt.h and rsa_alt_helpers.h respectively.

If you're a library user and used to rely on having access to a structure or function that's now in a private header, please reach out on the mailing list and explain your need; we'll consider adding a new API in a future version.

Remove the certs module from the library

This should not affect production use of the library, as the certificates and keys included there were never suitable for production use.

However it might affect you if you relied on them for testing purposes. In that case, please embed your own test certificates in your test code; now that certs.c is out of the library there is no longer any stability guaranteed and it may change in incompatible ways at any time.

Remove the HAVEGE module

This doesn't affect people using the default configuration as it was already disabled by default.

This only affects users who called the HAVEGE modules directly (not recommended), or users who used it through the entropy module but had it as the only source of entropy. If you're in that case, please declare OS or hardware RNG interfaces with mbedtls_entropy_add_source() and/or use an entropy seed file created securely during device provisioning. See https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for more information.

Remove support for parsing SSLv2 ClientHello

This doesn't affect people using the default configuration as it was already disabled by default.

This only affects TLS servers that have clients who send an SSLv2 ClientHello. These days clients are very unlikely to do that. If you have a client that does, please try contacting them and encouraging them to upgrade their software.

Remove support for SSL 3.0

This doesn't affect people using the default configuration as it was already disabled by default.

This only affects TLS users who explicitly enabled MBEDTLS_SSL_PROTO_SSL3 and relied on that version in order to communicate with peers that are not up to date. If one of your peers is in that case, please try contacting them and encouraging them to upgrade their software.

Remove support for truncated HMAC

This affects users of truncated HMAC, that is, users who called mbedtls_ssl_conf_truncated_hmac( ..., MBEDTLS_SSL_TRUNC_HMAC_ENABLED), regardless of whether the standard version was used or compatibility version (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT).

The recommended migration path for people who want minimal overhead is to use a CCM-8 ciphersuite.

Remove support for TLS record-level compression

This doesn't affect people using the default configuration as it was already disabled by default.

This only affects TLS users who enabled MBEDTLS_ZLIB_SUPPORT. This will not cause any failures however if you used to enable TLS record-level compression you may find that your bandwidth usage increases without compression. There's no general solution to this problem; application protocols might have their own compression mechanisms and are in a better position than the TLS stack to avoid variants of the CRIME and BREACH attacks.

Remove support for TLS RC4-based ciphersuites

This does not affect people who used the default config.h and the default list of ciphersuites, as RC4-based ciphersuites were already not negotiated in that case.

Please switch to any of the modern, recommended ciphersuites (based on AES-GCM, AES-CCM or ChachaPoly for example) and if your peer doesn't support any, encourage them to upgrade their software.

Remove support for TLS single-DES ciphersuites

This doesn't affect people using the default configuration as it was already disabled by default.

Please switch to any of the modern, recommended ciphersuites (based on AES-GCM, AES-CCM or ChachaPoly for example) and if your peer doesn't support any, encourage them to upgrade their software.

Remove support for TLS record-level hardware acceleration

This doesn't affect people using the default configuration as it was already disabled by default.

This feature had been broken for a while so we doubt anyone still used it. However if you did, please reach out on the mailing list and let us know about your use case.

Remove wrapper for libpkcs11-helper

This doesn't affect people using the default configuration as it was already disabled by default.

If you used to rely on this module in order to store your private keys securely, please have a look at the key management facilities provided by the PSA crypto API. If you have a use case that's not covered yet by this API, please reach out on the mailing list.

Remove config option MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME

This doesn't affect people using the default configuration.

This option has not had any effect for a long time. Please use the lifetime parameter of mbedtls_ssl_ticket_setup() instead.

Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0

This only affects people who've been using Mbed TLS since before version 2.0 and still relied on compat-1.3.h in their code.

Please use the new names directly in your code; scripts/rename.pl (from any of the 2.x releases - no longer included in 3.0) might help you do that.