From 1caa7db5e85981c5a2f8f931a674c6c884568248 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 21 Apr 2026 12:12:17 +0200
Subject: [PATCH 1/2] check_config: add check for TLS 1.3 key exchanges

When MBEDTLS_SSL_PROTO_TLS1_3 is enabled ensure that at least one of the related key exchanges is also enabled.

Signed-off-by: Valerio Setti
---
 library/mbedtls_check_config.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/library/mbedtls_check_config.h b/library/mbedtls_check_config.h
index f6ca813a37..bf0e35787c 100644
--- a/library/mbedtls_check_config.h
+++ b/library/mbedtls_check_config.h
@@ -142,6 +142,15 @@
 "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
 #endif
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ !(defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) || \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) )
+#error "TLS 1.3 protocol is enabled but no key exchange method is defined" \
+ "with MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxxx"
+#endif
+
+
 #if defined(MBEDTLS_SSL_EARLY_DATA) && \
 ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
 ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
From f2ab1073924b469a0488983f618c03df2aeaaf7e Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 21 Apr 2026 12:14:01 +0200
Subject: [PATCH 2/2] check_config: fix error message for missing TLS 1.2 key exchanges

Align the error message to the one used for the same check in TLS 1.3.

Signed-off-by: Valerio Setti
---
 library/mbedtls_check_config.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/mbedtls_check_config.h b/library/mbedtls_check_config.h
index bf0e35787c..629e6a1909 100644
--- a/library/mbedtls_check_config.h
+++ b/library/mbedtls_check_config.h
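Review bot: The first piece of the new #error message ends at `defined"` and the second starts with `"with`, so unlike the existing TLS 1.2 message directly above it (whose first piece ends with `enabled "`) there is no separating space between the two words; the first line should be `#error "TLS 1.3 protocol is enabled but no key exchange method is defined " \`. The second patch's hunk at `@@ -138,8 +138,8 @@` reproduces the same missing space when it rewrites the TLS 1.2 message, and should get the same trailing space. Separately, the two added blank lines after `+#endif` leave a double blank line before the MBEDTLS_SSL_EARLY_DATA check, where the surrounding checks are separated by one; dropping one of them keeps the file consistent.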
@@ -138,8 +138,8 @@
 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
-#error "One or more versions of the TLS protocol are enabled " \
- "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
+#error "TLS 1.2 protocol is enabled but no key exchange method is defined" \
+ "with MBEDTLS_KEY_EXCHANGE_xxxx"
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
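Review bot: The reworded message now claims this check is specific to TLS 1.2, but the `#if` condition it belongs to starts above the hunk, so it is worth confirming that the guard tests only MBEDTLS_SSL_PROTO_TLS1_2; the removed wording ("One or more versions of the TLS protocol") suggests it may once have covered other versions, and if it still does, a TLS 1.3-only build that defines MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxxx but no MBEDTLS_KEY_EXCHANGE_xxxx would fail here with a misleading diagnostic. If the guard does need narrowing, the first line of the condition would become `#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \` so that the TLS 1.2 and TLS 1.3 checks are independent.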