pico-sdk
Enable TLS1.3
TLS1.2 can be seen as insecure, or better said, not secure enough, and more and more servers are running only TLS 1.3. Yes, it is possible to break the encryption in TLS 1.2 with enough computational power or advanced attacks, which makes it unsuitable for long-term security.
Therefore, I would like to add the source files for TLS 1.3 to the main RPi Pico mbedTLS CMake file.
Added these files to get TLS1.3 actually working: handshake/session handling + data transfer, and the crypto and PSA bits TLS1.3 needs.
TLS1.3 flow
- ssl_tls13_client.c — client-side TLS1.3 handshake & state machine (connect, key schedule, etc).
- ssl_tls13_server.c — server-side TLS1.3 handshake & state machine (accept, resume, keys).
- ssl_tls13_generic.c — shared TLS1.3 code used by client+server (common handshake steps, key derivation, cipher handling).
Needed crypto stuff for TLS1.3
- psa_crypto_driver_wrappers_no_static.c — PSA driver wrapper glue so mbedtls can call platform crypto implementations without static binding.
- psa_crypto_ffdh.c — finite-field Diffie-Hellman PSA glue (for any non-ECC FFDH needs).
- psa_crypto_pake.c — PAKE support via PSA (if you need password-authenticated key exchange helpers).
- psa_util.c — helper utils for PSA integration (common conversions, checks).
- sha3.c — SHA-3 family implementation — some profiles / ciphersuites or future proofing.
I hope this can be merged to develop soon, so my pipeline builds will work 🥇