Mbed TLS 4.0 no longer supports key exchange methods that rely on finite-field Diffie-Hellman (DHE) in TLS 1.2 and DTLS 1.2. (Only ephemeral finite-field Diffie-Hellman was ever supported; Mbed TLS 3.x already did not support static finite-field Diffie-Hellman.) Finite-field Diffie-Hellman remains supported in TLS 1.3.
Mbed TLS 4.0 no longer supports key exchange methods that rely on RSA decryption (without forward secrecy). RSA signatures remain supported. This affects TLS 1.2 and DTLS 1.2 (TLS 1.3 does not have key exchanges using RSA decryption).
That is, the following key exchange types are no longer supported in (D)TLS 1.2: DHE-RSA and DHE-PSK (finite-field DHE), and RSA and RSA-PSK (RSA decryption). The cipher suite list below also includes the static ECDH types ECDH-ECDSA and ECDH-RSA.
The full list of removed cipher suites is:
- TLS-DHE-PSK-WITH-AES-128-CBC-SHA
- TLS-DHE-PSK-WITH-AES-128-CBC-SHA256
- TLS-DHE-PSK-WITH-AES-128-CCM
- TLS-DHE-PSK-WITH-AES-128-CCM-8
- TLS-DHE-PSK-WITH-AES-128-GCM-SHA256
- TLS-DHE-PSK-WITH-AES-256-CBC-SHA
- TLS-DHE-PSK-WITH-AES-256-CBC-SHA384
- TLS-DHE-PSK-WITH-AES-256-CCM
- TLS-DHE-PSK-WITH-AES-256-CCM-8
- TLS-DHE-PSK-WITH-AES-256-GCM-SHA384
- TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256
- TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256
- TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384
- TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384
- TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256
- TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256
- TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384
- TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384
- TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256
- TLS-DHE-PSK-WITH-NULL-SHA
- TLS-DHE-PSK-WITH-NULL-SHA256
- TLS-DHE-PSK-WITH-NULL-SHA384
- TLS-DHE-RSA-WITH-AES-128-CBC-SHA
- TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
- TLS-DHE-RSA-WITH-AES-128-CCM
- TLS-DHE-RSA-WITH-AES-128-CCM-8
- TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
- TLS-DHE-RSA-WITH-AES-256-CBC-SHA
- TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
- TLS-DHE-RSA-WITH-AES-256-CCM
- TLS-DHE-RSA-WITH-AES-256-CCM-8
- TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
- TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
- TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256
- TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
- TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384
- TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
- TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
- TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256
- TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
- TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
- TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384
- TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
- TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
- TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
- TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
- TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
- TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
- TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
- TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256
- TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256
- TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384
- TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384
- TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256
- TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256
- TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
- TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
- TLS-ECDH-ECDSA-WITH-NULL-SHA
- TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
- TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
- TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
- TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
- TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
- TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
- TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256
- TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256
- TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384
- TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384
- TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256
- TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256
- TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384
- TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384
- TLS-ECDH-RSA-WITH-NULL-SHA
- TLS-RSA-PSK-WITH-AES-128-CBC-SHA
- TLS-RSA-PSK-WITH-AES-128-CBC-SHA256
- TLS-RSA-PSK-WITH-AES-128-GCM-SHA256
- TLS-RSA-PSK-WITH-AES-256-CBC-SHA
- TLS-RSA-PSK-WITH-AES-256-CBC-SHA384
- TLS-RSA-PSK-WITH-AES-256-GCM-SHA384
- TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256
- TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256
- TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384
- TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384
- TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256
- TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256
- TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384
- TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384
- TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256
- TLS-RSA-PSK-WITH-NULL-SHA
- TLS-RSA-PSK-WITH-NULL-SHA256
- TLS-RSA-PSK-WITH-NULL-SHA384
- TLS-RSA-WITH-AES-128-CBC-SHA
- TLS-RSA-WITH-AES-128-CBC-SHA256
- TLS-RSA-WITH-AES-128-CCM
- TLS-RSA-WITH-AES-128-CCM-8
- TLS-RSA-WITH-AES-128-GCM-SHA256
- TLS-RSA-WITH-AES-256-CBC-SHA
- TLS-RSA-WITH-AES-256-CBC-SHA256
- TLS-RSA-WITH-AES-256-CCM
- TLS-RSA-WITH-AES-256-CCM-8
- TLS-RSA-WITH-AES-256-GCM-SHA384
- TLS-RSA-WITH-ARIA-128-CBC-SHA256
- TLS-RSA-WITH-ARIA-128-GCM-SHA256
- TLS-RSA-WITH-ARIA-256-CBC-SHA384
- TLS-RSA-WITH-ARIA-256-GCM-SHA384
- TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
- TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
- TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256
- TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
- TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
- TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384
- TLS-RSA-WITH-NULL-MD5
- TLS-RSA-WITH-NULL-SHA
- TLS-RSA-WITH-NULL-SHA256
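To audit an existing 3.x cipher suite preference list before upgrading, the following added helper (not Mbed TLS code) classifies each suite name by the key-exchange prefix that the list above removes, and reports how many entries will disappear. The suite names in SAMPLE_CONFIG are a constructed example; the Mbed TLS naming convention with hyphens (and the TLS1-3- prefix for TLS 1.3 suites) is assumed.

```c
#include <stddef.h>
#include <string.h>

/* Added audit helper (not Mbed TLS code): classifies a cipher suite name by
 * its key-exchange prefix, following the 4.0 removal list above. */
enum removal_reason {
    KEPT = 0,            /* ECDHE-*, PSK-*, ECDHE-PSK-*, TLS 1.3 suites */
    REMOVED_DHE,         /* finite-field DHE: TLS-DHE-RSA-*, TLS-DHE-PSK-* */
    REMOVED_RSA_KEX,     /* RSA decryption, no forward secrecy: TLS-RSA-*, TLS-RSA-PSK-* */
    REMOVED_STATIC_ECDH  /* TLS-ECDH-ECDSA-*, TLS-ECDH-RSA-*, also in the list above */
};

static int has_prefix(const char *s, const char *p) { return strncmp(s, p, strlen(p)) == 0; }

enum removal_reason removal_reason(const char *suite)
{
    if (has_prefix(suite, "TLS-DHE-RSA-") || has_prefix(suite, "TLS-DHE-PSK-"))
        return REMOVED_DHE;
    if (has_prefix(suite, "TLS-RSA-WITH-") || has_prefix(suite, "TLS-RSA-PSK-"))
        return REMOVED_RSA_KEX;
    /* "TLS-ECDH-" directly followed by the auth method is static ECDH;
     * "TLS-ECDHE-" does not match these prefixes and is still supported. */
    if (has_prefix(suite, "TLS-ECDH-ECDSA-") || has_prefix(suite, "TLS-ECDH-RSA-"))
        return REMOVED_STATIC_ECDH;
    return KEPT;
}

/* Scan a NULL-terminated list; returns how many suites are removed in 4.0 and
 * stores the first removed name in *first (NULL if none). */
size_t count_removed(const char *const *suites, const char **first)
{
    size_t n = 0;
    *first = NULL;
    for (; *suites != NULL; suites++) {
        if (removal_reason(*suites) == KEPT) continue;
        if (*first == NULL) *first = *suites;
        n++;
    }
    return n;
}

/* Constructed sample of a 3.x suite preference list to audit (3 of 5 are removed). */
const char *const SAMPLE_CONFIG[] = {
    "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-RSA-WITH-AES-256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
    "TLS-PSK-WITH-AES-128-CBC-SHA", NULL
};
```

Any entry that is not KEPT needs an ECDHE or PSK-based replacement (or a TLS 1.3 suite) before the build is moved to 4.0.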
As a consequence of the removal of support for DHE in (D)TLS 1.2, the following functions are no longer useful and have been removed:
- mbedtls_ssl_conf_dh_param_bin()
- mbedtls_ssl_conf_dh_param_ctx()
- mbedtls_ssl_conf_dhm_min_bitlen()
Following their removal from the crypto library, elliptic curves of less than 250 bits (secp192r1, secp192k1, secp224r1, secp224k1) are no longer supported in certificates and in TLS.
The deprecated functions mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version(), and the associated constants MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_4, have been removed. Use mbedtls_ssl_conf_min_tls_version() and mbedtls_ssl_conf_max_tls_version() with MBEDTLS_SSL_VERSION_TLS1_2 or MBEDTLS_SSL_VERSION_TLS1_3 instead.
The deprecated function mbedtls_ssl_conf_sig_hashes() has been removed. Use mbedtls_ssl_conf_sig_algs() instead.