Full support for RFC 6066 max fragment length

Hello all,

Our team is working on a memory-constrained device which is connected to the internet. Being able to reduce MBEDTLS_SSL_MAX_CONTENT_LEN to 4096 would tremendously help us fitting everything we want on the chip. We know up front to which servers our device opens a connection, and which clients open a connection towards our device, so we will ensure that they will be able to deal with the smaller buffer sizes. The servers with which our device connects support the RFC 6066 max fragment length extension.

However, mbedTLS is not able to cope with fragmented handshake messages, which is a problem for us, since the certificates presented by the server are too large to be handled within frames of 4096 bytes.

I am aware that there is an MPS branch in the mbedTLS repository, and if I correctly understood, the code in this branch would support fragmented handshakes. Is there something you can say about the MPS branch? e.g. what is its status, will it indeed solve the fragmented handshake problems, what is needed before it is released? Is there something that our team can contribute to that branch, how much work would be needed to get it into a releasable status?

Best regards,
Richard Peters

Hi Richard,

thank you for your message and your interest in Mbed TLS and MPS.

I am not in the position to comment on the roadmap for integration into upstream Mbed TLS, but have been writing MPS and can comment on its state: MPS is still in development and hosted on the local branch https://github.com/hanno-arm/mbedtls/tree/mps_implementation. The goal of MPS is to provide a strong abstraction boundary between the low-level messaging details of [D]TLS and the logic of the protocol, plus being space and bandwidth efficient through thorough fragmentation support, and the first implementation of the corresponding API https://github.com/hanno-arm/mbedtls/blob/mps_implementation/include/mbedtls/mps/mps.h is almost ready (what’s missing is some finishing off for the DTLS retransmission logic). In particular, TLS handshake fragmentation, which is the feature you’re after, is fully implemented, and works down to 1-byte contents.

Once the standalone implementation of MPS is done, however, it needs to be integrated into upstream Mbed TLS, which requires a significant restructuring of some handshake logic, and I don’t know when this will happen and how long it would take. As I am no longer part of the Mbed TLS team, I’ll leave it to my colleague Ron Eldor to potentially comment on that. In any case, it is very helpful to hear that there’s need for TLS fragmentation, which gives some more incentive to follow up on MPS - so thank you for letting us know!

Kind regards,