Skip to content

Workflow status is tracked in GitHub: https://github.com/emulebb/emulebb/issues/21. This local document is retained as an engineering spec/evidence record.

REF-028 - Audit current MbedTLS 4.1 integration

Summary

The earlier REF-028 framing said current main still needed an upgrade from a MbedTLS 3.x pin to MbedTLS 4.0. That is stale. Current workspace dependency topology uses the emulebb-mbedtls fork on mbedtls-v4.1.0-emule, with TF-PSA-Crypto present as part of that fork.

There is no selected MbedTLS upgrade for 0.7.3 RC1. This item stays deferred as a future audit/hardening note for the current 4.1 integration only.

Current State

  • Current main still links mbedtls.lib, mbedx509.lib, and tfpsacrypto.lib.
  • Current app code still uses MbedTLS for WebSocket/HTTPS and related certificate/TLS surfaces.
  • The active dependency status document records MbedTLS and TF-PSA-Crypto as current/no-action dependencies.
  • Older docs that say MbedTLS was removed, or that the workspace still needs a 3.x-to-4.x dependency upgrade, are historical/stale for current main.

Deferred Audit Topics

  • If HTTPS/TLS remains instead of being removed, audit MbedTLS runtime ownership: explicit SSL RNG configuration, PSA/threading lifecycle ownership, and session-ticket randomness must be handled as one focused hardening slice.
  • Re-check MBEDTLS_ALLOW_PRIVATE_ACCESS usage and decide whether it remains an acceptable compatibility bridge.
  • Keep the current static-library integration model unless a later explicit dependency-policy pass changes it.
  • Revisit TLS 1.3 configuration only as a future protocol/web hardening task, not as 0.7.3 RC1 release scope.

Acceptance Criteria

  • [x] Stale MbedTLS 3.x-to-4.x upgrade framing is removed from the active backlog.
  • [x] Active dependency docs record the current MbedTLS 4.1-era fork as the selected dependency.
  • [ ] If reopened later, private-access usage is audited against the current MbedTLS public API.
  • [ ] If reopened later, any TLS 1.3 configuration change is handled as a focused behavior change with targeted proof.