Any mbed TLS efforts yet?

Has anyone gone down the path of trying to build mbed TLS for Photon yet? I’ve seen a few passing mentions here, but nothing concrete. Before I start messing with it, I want to make sure I’m not reinventing the wheel…

1 Like

Not that I’m aware of. I would love to use that if you got it working.

Hi @sharding

I wanted to make sure you saw this as well:

1 Like

Thanks @bko. Yeah, I saw that, and have been experimenting with it a bit. I’m just looking for another options (partially due to the licensing issue discussed in that thread).


We are working internally on DTLS for the Electron and will be looking to port TLS back into the Photon at a later date.


Does DTLS will only work with Particle Cloud protocol or can be used with TCP client protocol?
Because as I know DTSL which is used for Electron is based on UDP protocol. Will there be support for standard client class? I think if it is achieved to allow TSL communication with any server by keeping the the same syntax as with TCP client library will be a huge jump which refers to MCU based embedded systems especially when it comes to GPRS, 3G or WIFI.

DTLS is a datagram protocol, and it will layer on top of UDP to provide secure datagram communication between two UDP peers.

TLS is a stream protocol, and it will layer on top of TCP to provide a secure streaming connection between a TCP Client and a TCP Server.

The syntax of using DTLS/TLS will be the same as the underlying protocol - UDP or TCP, with possibly a few changes at setup time to specify the encryption parameters needed.


It is really great :slight_smile:
In the future, do you plan to develop a library that will have class TLSTCPClient client?

Would you guys ever switch the photon to use UDP CoAP if you get the DTLS working reliably.

I’ve been using no sec CoAP over UDP pretty reliably to communicate between my devices/server.

We’d certainly like to if possible. There’s quite a long road to getting there so it’s not our first stop, but on our radar for sure.

No time lately, been investigating other paths for now, working on the TLS library @mdma (and/or others) mentioned at this point would just slow me down too much. I might use a central host (beaglebone?) that would relay the unencrypted local MQTT connections from the photons to aws… I know you’re working on something similar, we should maybe start a new thread about that since it’s not pure Particle stuff… (Pretty sure there will be particle users interested in relaying MQTT anyway)

I’ve got the same issue with that development’s license. I plan to sell my solution and have still not decided if I want it to be completely open. Probably more in favor of publishing open APIs or allowing extensions, but not opening the core of the solution.

I cross compiled mbedtls for the particle. I never finished getting an HTTPS client, but this post offers some details, after you follow my instructions: (see Nov 11 2015 entry)

This is what I did (as best remembered from memory):

  • Get mbedtls :

  • Get the spark firmware:

  • Compile Spark’s firmware locally:

  • Create your application directory: APPDIR. I kept APPDIR our of the Spark firmware hierarchy because I like don’t want to accidentally erase or mess-up one code archive

    • Create a directory for it {APPDIR}
    • Create a src dir {APPDIR}/src
    • place your source code in the src directory
    • Create a mbedtlsinc directory {APPDIR}/mbedtlsinc
    • link your source to the {SPARKCODE}/firmware/main directory
      ln -s {APPNAME}/src {SPARKCODE}/firmware/main/{APPNAME}
  • Cross compile mbedtls’s libraries:

    • Create a config-photon.h header in {APPDIR}/mbedtlsinc. The config-photon.h is the “mbedtls/configs/config-mini-tls1_1.h” file, with three lines commented out: MBEDTLS_ENTROPY_C, MBEDTLS_NET_C, MBEDTLS_FS_IO.
    • Run the command:
      make CFLAGS="-I/{ROOT_MBEDTLSINC}/ -DMBEDTLS_CONFIG_FILE='<mbedtlsinc/config-photon.h>'" CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld lib
      • NOTE: on copy and past, make sure the hyphen is next to “DMBEDTLS_CONFIG_FILE”
      • This uses the modified config-photon.h header to cut out much of mbedtls’s functionality. Also, it switches the compiler, linker and archiver to arm’s.
  • Prepare to compile our project by adding additional compile instructions

    • append this instruction to the build process in {SPARKCODE}/firmware/main/makefile:
      include ./applications/$(APP)/
    • create {APPDIR}/src/ with the following data (so it includes mbedtls’s libraries)
      CFLAGS += -I{mbedtls}/include LIB_DIRS += {mbedtls}/library LIBS += mbedcrypto mbedtls mbedx509
  • Compile your project.
    cd {SPARKCODE}/firmware/main ; make all APP={APPNAME} PLATFORM={photon|electron}

  • flash to photon|electron

    • The binary is in {SPARK}/firmware/build/target/user-part/platform-{6|10}-m/{APPNAME}.bin
    • Put device into accept mode: press setup/reset. release reset. wait for yellow. release setup.
    • flash --usb {SPARK}/firmware/build/target/user-part/platform-{6|10}-m/{APPNAME}.bin

Hope that helps someone. Let me know if I mixed up a command or two.

This is awesome… I just saw this post.
How much work do you think it would be to convert this into a Particle library? I would love to just drop the source into a project and compile via Particle Dev on my desktop.

Sorry for the delay. I eventually found it was already part of the core-communication-lib of the Particle library. It’s in that rat’s nest of code (sorry devs, just took me a while to find everything in the archive and tracing down makefiles :smile:).

  1. So you need to compile the core communication library:
  • cd ./firmware/core-communication-lib/build
  • make PLATFORM=photon
  1. Modify the standard make files
  • edit firmware/main/makefile
  • append to the file include ./applications/$(APP)/
  1. Add to your ‘src’ directory, where your project code is (assuming 6 = photon). This will allow you to use the headers from the communications library and find the libcommunication.a file.
  • create file (to be included thanks to step 2)
  • this file can modify the CFLAGS and LIB_DIRS compile directives
  • add CFLAGS += -I<your path>/firmware/communication/lib
  • add LIB_DIRS +=<your path>/firmware/build/target/communication/platform-6-prod-6
  1. Include the necessary header files in your source code (ex. application.cpp) :
  • ex. #include <tropicssl/aes.h>
  1. Then make your App:
  • cd ../firmware/main

I did this a bit ago, so I can’t be certain this is all that was needed to be added/changed. Let me know if there is a bug and I’ll update this.



If you want to include mbedtls in your code, you should pull the mbedtls source code from github into your application folder rather than try to reuse the library from system firmware.

The libraries are buried deep simply because they are internal - they are not meant to be used in applications, particularly as they may be changed from the standard releases. By pulling the source yourself into your application, you are then in control of when you update the code, apply any hotfixes, which github branch is used etc…
You’ll also be able to configure mbedtls to your needs, rather than ours. (At present it’s configured for DTLS only, and not TLS.)

So please do not follow the steps sketched out above and instead use your own copy of the mbedtls sources.

1 Like


Just wondering if you are able to provide any update on the road map for a Particle TLS solution (for Photon).
I’m aware of the efforts however the license on the matrixSSL library isn’t ideal for us.

I’m also wondering what the resource requirements are likely to be assuming a 2048 byte key. Will we need to dedicate 50kB of RAM still? Or is there a possibility of storing certificates externally.

I realise it might be a bit down the track but it would be great to have some knowledge of what might be available at a later date as TLS may be a hard requirement for us.


Since 0.5.0, it is possible to include the mbedTLS library in your own app, so you could do that and find out, since I’m afraid I have no details here. (It’s still unclear if this will be part of system firmware, or if we will make it available as a library. Thinking aloud, I think I’d lean towards making it a library so that the same code runs on all our platforms.)

Community! :slight_smile: I know some of you have integrated mbedTLS into your own apps - please let us know how it performs, how much RAM is used, how much flash space is required!

1 Like

Thanks for clearing that up @mdma, I saw in a previous post that you were working on mbedTLS as part of the electron development and were planning on merging this with photon at a later date, is this still a possibility?

If anyone else out there is working on this, I’m quite busy with hardware development at the moment but would be happy to contribute money towards gaining traction in this area! I’m planning on using websockets over TLS so any info on this would be excellent as well!

The system firmware only uses DTLS, not TLS, and only a single type of cipher. For generic TLS use it would be more flexible for application developers to include mbedTLS in their own application, so it can be configured to the application requirements.

1 Like