Quality RTOS & Embedded Software

NOTE: The HTTPS library and documentation are part of the FreeRTOS LTS Roadmap. These libraries are fully functional, but undergoing optimizations or refactoring to improve memory usage, modularity, documentation, demo usability, or test coverage. They are available on GitHub or part of the LTS Development Snapshot download

TLS Terminology

Basic TLS Handshake

The basic TLS Handshake is negotiation between the client and server to verify the server’s authentication and negotiate the details on how to communicate. During this handshake process, the client and the server decide on the TLS version (the highest mutually supported) and cipher suite.  Only the server is authenticated in the basic TLS handshake.  

TLS Handshake

The full TLS Handshake requires mutual authentication between the client and the server.  During this process, the client must also prove the authenticity of its identity to the server before a connection can be established.

Cipher Suite

A cipher suite is a an algorithm that encrypts the data being exchanged between the client and server.  The client and server must agree on the cipher suite before proceeding to communicate past the handshake.  


PKI (Public Key Infrastructure) defines a set of roles and procedures for the management of digital certificates.  This system is responsible for ensuring the authenticity of each certificate issued by the server and client.  Within PKI, the CA (Certificate Authority) is responsible for issuing digital certificates.  These certificates are used to verify the authenticity of the owner (server/client). 

Public and Private Key

A public keys is disseminated widely while private keys are known only to the owner to maintain security across the system. Messages that are transmitted are signed by the public key, but once received, the messages are decrypted by the user’s private key to read the message contents. A robust secure system will have use the private key with the public key to sign the message prior to transmission.

Root CA Certificate

The root CA certificate establishes the authenticity of the Certificate Authority. This root certificate is the top-most certificate and is used to the sign the certificates issued by the certificate authority.  In the MQTT with TLS demo, the root CA certificate is provided by the Mosquitto MQTT broker (test.mosquitto.org).  

mbed TLS

mbed TLS is an implementation of TLS that is specifically designed for memory constrained embedded devices.  It utilizes a minimal subset of the TLS stack.  

Copyright (C) Amazon Web Services, Inc. or its affiliates. All rights reserved.