Skip to content

Remove support for static ECDH cipher suites #10294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 40 commits into from
Sep 12, 2025
Merged

Remove support for static ECDH cipher suites #10294

merged 40 commits into from
Sep 12, 2025

Conversation

bjwtaylor
Copy link

@bjwtaylor bjwtaylor commented Jul 10, 2025
edited by mpg
Loading

Description

Remove support for static ECDH cipher suites, depends Mbed-TLS/TF-PSA-Crypto#377 (merged)
resolves #9201

This PR is part of a chain which needs to be merged in the following order:

  1. Remove support for static ECDH cipher suites mbedtls-framework#182 (merged)
  2. Remove support for static ECDH cipher suites #10294 (this one)

PR checklist

@bjwtaylor bjwtaylor added the needs-ci Needs to pass CI tests label Jul 10, 2025
@bjwtaylor bjwtaylor force-pushed the remove-static-ecdh branch from 375cc45 to 87b15cf Compare July 10, 2025 13:42
@bjwtaylor bjwtaylor added needs-review Every commit must be reviewed by at least two team members, needs-preceding-pr Requires another PR to be merged first needs-reviewer This PR needs someone to pick it up for review and removed needs-ci Needs to pass CI tests labels Jul 11, 2025
@bjwtaylor bjwtaylor marked this pull request as ready for review July 11, 2025 07:25
@bjwtaylor bjwtaylor mentioned this pull request Jul 11, 2025
Merged
3 tasks
@valeriosetti valeriosetti self-requested a review July 15, 2025 11:13
valeriosetti
valeriosetti requested changes Jul 15, 2025
View reviewed changes
@gilles-peskine-arm gilles-peskine-arm added needs-work size-s Estimated task size: small (~2d) priority-high High priority - will be reviewed soon and removed needs-review Every commit must be reviewed by at least two team members, needs-preceding-pr Requires another PR to be merged first needs-reviewer This PR needs someone to pick it up for review labels Jul 15, 2025
@gilles-peskine-arm
Copy link
Contributor

Mbed-TLS/mbedtls-framework#182 is now merged.

@bjwtaylor bjwtaylor mentioned this pull request Jul 16, 2025
Merged
4 tasks
@bjwtaylor bjwtaylor force-pushed the remove-static-ecdh branch from d4c04cf to 615dd82 Compare July 16, 2025 13:02
@bjwtaylor bjwtaylor mentioned this pull request Jul 17, 2025
Closed
4 tasks
@bjwtaylor bjwtaylor force-pushed the remove-static-ecdh branch 2 times, most recently from 521bd12 to d9e5c71 Compare July 23, 2025 08:24
valeriosetti
valeriosetti previously approved these changes Jul 23, 2025
View reviewed changes
@bjwtaylor bjwtaylor marked this pull request as draft July 30, 2025 10:04
@bjwtaylor bjwtaylor force-pushed the remove-static-ecdh branch 3 times, most recently from 40aeb7e to a739096 Compare August 4, 2025 10:22
Ben Taylor added 18 commits September 11, 2025 13:22
reverted change to MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED, as it a…
a7b3f26 
…ppears it could be causing issues

Signed-off-by: Ben Taylor <[email protected]>
Reverting TLS_VERSION derivation improvement, as it appear to be caus…
7b14d82 
…ing issues

Signed-off-by: Ben Taylor <[email protected]>
Remove MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED as it appears to be ca…
c8823a2 
…using issues

Signed-off-by: Ben Taylor <[email protected]>
change MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED to MBEDTLS_KEY_EXCHA…
4766a23 
…NGE_PSK_ENABLED

Signed-off-by: Ben Taylor <[email protected]>
Revert change to Everest test message back to ECDH
f572936 
Signed-off-by: Ben Taylor <[email protected]>
re-add TLS_VERSION derivation
8371674 
Signed-off-by: Ben Taylor <[email protected]>
add filter to component_full_without_ecdhe_ecdsa
120bd86 
Signed-off-by: Ben Taylor <[email protected]>
Add filter to test_tls13_only_ephemeral_ffdh to remove ffdh tests
1a4f4b3 
Signed-off-by: Ben Taylor <[email protected]>
Add bug link to test modifications
a47fd0f 
Signed-off-by: Ben Taylor <[email protected]>
Remove MBEDTLS_RSA_C from depends.py
9e360b8 
Signed-off-by: Ben Taylor <[email protected]>
replace MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED with MBEDTLS_KEY_EX…
5cdbe30 
…CHANGE_PSK_ENABLED

After the ECDH keyexchange removal the two became synonyms so the former can
be removed.

Signed-off-by: Ben Taylor <[email protected]>
Re-instate test for correctness of sent single supported algorithm
df3e595 
Signed-off-by: Ben Taylor <[email protected]>
Remove comment referencing ECDH
337161e 
Signed-off-by: Ben Taylor <[email protected]>
Re-instate MBEDTLS_PKCS1_V15 unset
5947440 
Signed-off-by: Ben Taylor <[email protected]>
Add ChangeLog
2f35233 
Signed-off-by: Ben Taylor <[email protected]>
Re-adding tests for ECDH
26cdf6e 
Signed-off-by: Ben Taylor <[email protected]>
reverting last commit as the tests cause failures
485d4c1 
Signed-off-by: Ben Taylor <[email protected]>
Improved the text in the Changelog
486ec6e 
Signed-off-by: Ben Taylor <[email protected]>
mpg
mpg approved these changes Sep 12, 2025
View reviewed changes
Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@github-project-automation github-project-automation bot moved this from In Development to Has Approval in Roadmap pull requests (new board) Sep 12, 2025
@mpg mpg added approved Design and code approved - may be waiting for CI or backports and removed needs-work labels Sep 12, 2025
@mpg mpg enabled auto-merge September 12, 2025 08:21
@mpg mpg added this pull request to the merge queue Sep 12, 2025
Merged via the queue into Mbed-TLS:development with commit 0d530d1 Sep 12, 2025
7 of 8 checks passed
@github-project-automation github-project-automation bot moved this from Has Approval to Done in Roadmap pull requests (new board) Sep 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mpg mpg mpg approved these changes

@valeriosetti valeriosetti valeriosetti approved these changes

@gilles-peskine-arm gilles-peskine-arm Awaiting requested review from gilles-peskine-arm

Assignees
No one assigned
Labels
approved Design and code approved - may be waiting for CI or backports priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)
Projects
Roadmap pull requests (new board)
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remove static ECDH cipher suites
4 participants
@bjwtaylor @gilles-peskine-arm @mpg @valeriosetti