Fix TLS 1.3#19
Merged
Aksel Mellbye (asmellby) merged 4 commits intoJun 16, 2026
Merged
Conversation
Jérôme Pouiller (jerome-pouiller)
requested a review
from Aksel Mellbye (asmellby)
Handle NewSessionTicket in poll() syscall (via tls_update_pollin() and tls_data_check()) similar as it is handled in recv() / read() syscall (via recv_tls()). This event is semantically the same as "want read" and "want write", since it does not contain any application data or error. This means that we just want to proceed with reading and not treat that as error. Upstream-status: available Fixes: 6be57aa ("net: sockets_tls: add support for TLS 1.3") Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev> Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com> (cherry picked from commit 94bf4c8)
…y data Add MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE and MBEDTLS_SSL_EARLY_DATA as Kconfig options so they can be individually controlled rather than being unconditionally enabled. Place EARLY_DATA after SESSION_TICKETS with a depends on, and COMPATIBILITY_MODE after EARLY_DATA with default y. Wire both into config-mbedtls.h: un-nest MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE from the TLS1_3 proto guard, and consolidate MBEDTLS_SSL_EARLY_DATA to a single standalone block. Upstream-Status: available Signed-off-by: Rithic Chellaram Hariharan <gr8rithic@gmail.com> Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com> (cherry picked from commit 1b8fb5c)
Add MBEDTLS_SSL_ENCRYPT_THEN_MAC as a dedicated Kconfig option inside if MBEDTLS_SSL_PROTO_TLS1_2, with default y. Wire it into config-mbedtls.h replacing the unconditional TLS1_2 && PSA_CRYPTO_C guard. Add MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN Kconfig options to allow independent control of incoming and outgoing TLS buffer sizes. Both default to 1500, with fallback to MBEDTLS_SSL_MAX_CONTENT_LEN if set. This enables constrained devices to use asymmetric buffer sizes to save heap. Deprecate MBEDTLS_SSL_MAX_CONTENT_LEN in Kconfig.deprecated in favor of the independent IN/OUT buffer size controls. Upstream-Status: available Signed-off-by: Rithic Chellaram Hariharan <gr8rithic@gmail.com> Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com> (cherry picked from commit 970058e)
Jérôme Pouiller (jerome-pouiller)
force-pushed
the
fix-tls-1.3
branch
from
3cbdc4f to
684a484
Compare
Aksel Mellbye (asmellby)
previously approved these changes
Jun 16, 2026
Aksel Mellbye (asmellby)
left a comment
Aksel Mellbye (asmellby)
left a comment
There was a problem hiding this comment.
I assume a corresponding zephyr-silabs PR will be opened that takes care of usage of the deprecated option there?
I'm also wondering if we should have aee3630 to get rid of deprecated usage in the main tree.
Author
Yeah, I am waiting for https://github.com/SiliconLabsSoftware/zephyr-silabs-internal/pull/289 and associated. |
Replace CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN with the new CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN and CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN options across all in-tree .conf files, hostap Kconfig defaults, and socket subsystem help text. This completes the deprecation of MBEDTLS_SSL_MAX_CONTENT_LEN in favor of independent incoming/outgoing buffer size control. Upstream-status: available Signed-off-by: Rithic Chellaram Hariharan <gr8rithic@gmail.com> Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com> (cherry picked from commit aee3630)
Aksel Mellbye (asmellby)
approved these changes
Jun 16, 2026
Aksel Mellbye (asmellby)
merged commit d2a1550
into
SiliconLabsSoftware:silabs/dev
2 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I have identified a few commits in the upstream that should be included in the downstream. These fixes did not impact miniperf. I have found the issues with http_client on real life servers.
net: sockets: tls: handle NewSessionTicket in tls_data_check()is required for TLS1.3 (as theFixes:tag mentions).modules: mbedtls: add Kconfig for TLS 1.3 compatibility mode and early dataseems optional, but I believe it improve the memory pressure during TLS handshake.modules: mbedtls: add encrypt-then-MAC and buffer KconfigintroducesMBEDTLS_SSL_IN_CONTENT_LEN.