MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

RE: MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

pcspets — Mon, 29 Sep 2025 12:28:22 GMT

OK, fair enough. But most peculiar is that when RSA stays on (CONFIG_MBEDTLS_RSA_C=y), I actually can connect to a server that has RSA certificate :).

RE: MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

Einar Thorsrud — Mon, 29 Sep 2025 12:09:53 GMT

I see. The dependency I mentionnedin my previous post was there to signal that RSA is not supported for TLS/DTLS and X.509 for PSA, and while that was removed it is still the case. I recommend that you set MBEDTLS_RSA_C=n as from what I understand you have no need for RSA.

RE: MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

pcspets — Mon, 29 Sep 2025 11:36:57 GMT

Yes, exactly. I can turn RSA off on v3.1.1 and then connecting to ECDSA-cert server works again.

RE: MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

Einar Thorsrud — Mon, 29 Sep 2025 10:36:20 GMT

Hi,

I see. But you can turn it off with 3.1.1? In 3.1.0 and before you had a dependency on !MBEDTLS_USE_PSA_CRYPTO for MBEDTLS_RSA_C here, but this was removed in 3.1.1. I will look more into this.

RE: MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

pcspets — Mon, 29 Sep 2025 10:16:49 GMT

Unfortunately I cannot turn CONFIG_MBEDTLS_RSA_C on when usind SDK v3.1.0, because I'm using PSA crypto:

CONFIG_MBEDTLS_RSA_C was assigned the value y, but got the value n. Missing dependencies:
OPENTHREAD || (!MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_LEGACY_CRYPTO_C && NRF_SECURITY) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-mbedtls.h" && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-mbedtls.h" && MBEDTLS && 0)

So, I attached two config files. One with v3.1.0 (RSA off) and one with v.3.1.1 (RSA on by default). The latter doesn't work with ECDSA certificates but it can be fixed by CONFIG_MBEDTLS_RSA_C=n.

devzone.nordicsemi.com/.../config_5F00_files.zip

RE: MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

Einar Thorsrud — Mon, 29 Sep 2025 08:05:15 GMT

Hi,

I would expect you should be able to use both yes, and I have not been able to find any references to this issue from before (though I must admit I have also not come across SHA384withECDSA before).

Is it so that you see the same issue in 3.1.0 and 3.1.1 where it does not work with CONFIG_MBEDTLS_RSA_C=y in the build, and it works in both cases with it not in the build? Can you share the generated .config for your project both with and without it?