
CA callback not called in TLS 1.3

Open gilles-peskine-arm opened this issue 2 years ago • 3 comments

Configuring a CA callback with mbedtls_ssl_conf_ca_cb() has no effect in TLS 1.3. This is not documented as a limitation, and there is no reason not to support it. See https://github.com/Mbed-TLS/mbedtls/issues/7075#issuecomment-1425604707

The goal of this task is to support a CA callback in TLS 1.3, the same way as in TLS 1.2.

This should be tested both from the server side and the client side.

gilles-peskine-arm avatar Feb 10 '23 11:02 gilles-peskine-arm

Related: TLS currently doesn't support the X.509 certificate extension callback (only available via mbedtls_x509_crt_parse_der_with_ext_cb). Whatever method we add to make it support this should work both for TLS 1.2 and TLS 1.3.

gilles-peskine-arm avatar Feb 28 '23 15:02 gilles-peskine-arm

Is there a workaround for this bug? Our product requires it because the CA database cannot fit in RAM of the embedded device.

adambvidex avatar Mar 28 '24 17:03 adambvidex

> Is there a workaround for this bug? Our product requires it because the CA database cannot fit in RAM of the embedded device.

#9002 fixes this issue.

ronald-cron-arm avatar Apr 03 '24 07:04 ronald-cron-arm

Closing this issue as we have rather decided to address this more generally with #9018.

ronald-cron-arm avatar Jul 19 '24 12:07 ronald-cron-arm