https://devzone.nordicsemi.com/f/nordic-q-a/127259/unable-to-change-mbedtls_cfg_file-in-ncs-3-2With NCS 3.2.1 I can&#39;t make use of custom mbed TLS config headers anymore, the MBEDTLS_CFG_FILE KConfig option always get overwritten. Previously setting CONFIG_CUSTOM_MBEDTLS_CFG_FILE=y would allow for overriding the config header. The documentationen-USTelligent Community 13Thu, 05 Mar 2026 18:00:30 GMThttps://devzone.nordicsemi.com/thread/562678?ContentTypeID=1Thu, 05 Mar 2026 18:00:30 GMT137ad170-7792-4731-bb38-c0d22fbe4515:646966cb-2f41-4233-b0f0-6be7961490c9timonsku<p>Thanks for clarifying, thats what I figured after reading further into the upstream Zephyr plans on this and what happened in mbed TLS itself. It wasn&#39;t quite clear that only portions of mbed TLS has changed upstream and that this reflects those changes by the upstream project.<br />When I read &quot;crypto APIs&quot; in my head that extended to just refer to &quot;mbed TLS&quot; as in the past it was just &quot;the crypto library&quot; in projects.<br />I was able to resolve not being able to set the custom header. There was another config (CONFIG_MBEDTLS_BUILTIN) set to =y elsewhere that was a dependency of =n in order to be able to set a custom config</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/562608?ContentTypeID=1Thu, 05 Mar 2026 07:26:46 GMT137ad170-7792-4731-bb38-c0d22fbe4515:d5a84924-1089-4fc2-be1a-386a4fbd2e22Einar Thorsrud<p>Hi,</p> <p>I am sorry for being confusing. It is not that mbed TLS is being removed, but the legacy mbedTLS crypto APIs will be removed. This is removed from mbedTLS itself in <a href="https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0">mbed TLS 4.0</a>, so as a consequence, support will be removed when we integrate mbed TLS 4.0.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/562595?ContentTypeID=1Thu, 05 Mar 2026 00:28:30 GMT137ad170-7792-4731-bb38-c0d22fbe4515:6fbbb041-f206-4b6c-b8a4-a71e22ed2a9atimonsku<p>Especially as mbed TLS seems to still be very much needed. The PSA APIs would not cover X.509 or TLS related functionality. From the mbed TLS project:&nbsp;<a id="" href="https://github.com/Mbed-TLS/mbedtls/blob/development/docs/4.0-migration-guide.md">https://github.com/Mbed-TLS/mbedtls/blob/development/docs/4.0-migration-guide.md</a><br />&quot;Mbed TLS has been split between two products: TF-PSA-Crypto for cryptography, and Mbed TLS for X.509 and (D)TLS.&quot;<br />Which means needing to configure mbed TLS is still necessary but right now I get circular dependencies with anything related to setting a custom header file for mbed TLS.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/562594?ContentTypeID=1Wed, 04 Mar 2026 23:41:30 GMT137ad170-7792-4731-bb38-c0d22fbe4515:2fa1170f-522e-42ca-8527-b7718ffbe1c8timonsku<p>Just to be clear, when you say legacy mbed TLS crypto APIs that means the entirety of mbed TLS is deprecated?<br />It is not quite clear from the docs if that just means certain parts of it or all of it. mbed TLS is still around in the SDK and there are not deprecation warnings when you make use of mbed TLS functions so its a bit confusing whether its just unsupported now or going to be fully deprecated.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/562567?ContentTypeID=1Wed, 04 Mar 2026 15:11:49 GMT137ad170-7792-4731-bb38-c0d22fbe4515:482b4a3a-5179-4448-8649-71cb72f3c442Einar Thorsrud<p>Hi,</p> <p>As you note, legacy mbed TLS crypto API&#39;s have been deprecated for a while, and will soon be removed. I&nbsp;would strongly advice that you migrate to PSA crypto APIs. Regarding samples you should refer to the <a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/crypto.html">crypto samples under nrf</a>. I do not believe we have a specific migration guide for migrating from legacy APIs to PSA crypto APIs, but I suggest referring to the samples to see how PSA crypto is used.</p><div style="clear:both;"></div>