[mbedTLS] Enable TLS 1.3 support

[Faless]

Move library initialization to module registration functions.

Only set library debug threshold when verbose output is enabled.

TLSv1.3 functions seems to be a bit more verbose then expected, and generate a lot of noise. Yet, some level of debugging without recompiling the engine would be nice. We should discuss this upstream.

Draft status:

• Depends on [mbedTLS] Update to 3.6.1 #96385
• Depends on [SCons] Remove MAXLINELENGTH override for MSVC #97458

Fixes #92101

Test:

# main.gd
extends Node

var http : HTTPRequest

func _ready() -> void:
	http = HTTPRequest.new()
	add_child(http)
	http.request_completed.connect(_completed)
	if http.request("https://tls13.akamai.io/") != OK:
		_exit()

func _completed(result: int, code: int, headers: PackedStringArray, body: PackedByteArray):
	if code != 200:
		print("Request failed, result: %d, code: %d" % [result, code])
		_exit()
		return
	var str_body := body.get_string_from_utf8()
	var tls13 := "Your client negotiated TLS 1.3" in str_body
	var tls12 := "Your client negotiated TLS 1.2" in str_body
	if tls13:
		print("TLS 1.3 supported :)")
	elif tls12:
		print("TLS 1.3 **NOT** supported :(")
		print("TLS 1.2 supported :)")
	else:
		print("Can't determine TLS version... Check yourself: %s" % str_body)
	_exit()

func _exit():
	get_tree().quit.call_deferred()

Note for package maintainers: When using builtin_mbedtls=no TLS 1.3 support will depend on the system library version and configuration.

[fire]

The cicd check is failing on The command line is too long..

[Faless]

The cicd check is failing on The command line is too long..

Yes, seems like a build system issue on Windows + MSVC (not MinGW apparently).

I don't know how to fix that and I currently can't easily test MSVC builds, so help is welcome.

[akien-mga]

The cicd check is failing on The command line is too long..

Yes, seems like a build system issue on Windows + MSVC (not MinGW apparently).

I don't know how to fix that and I currently can't easily test MSVC builds, so help is welcome.

CC @bruvzg @Repiteo

[bruvzg]

I don't know how to fix that and I currently can't easily test MSVC builds, so help is welcome.

Probably in the same way as ar - #96407, MSVC lib do support running with response file - https://learn.microsoft.com/en-us/cpp/build/reference/running-lib?view=msvc-170#lib-command-files

[Faless]

Probably in the same way as ar - #96407, MSVC lib do support running with response file

I remember trying it but it didn't work. I added 3c66820 and indeed it's still failing (doesn't seem to use the tempfile).

Am I doing something wrong?

[bruvzg]

Am I doing something wrong?

It's actually already is using TEMPFILE by default, the issue is env["MAXLINELENGTH"] = 8192 line in our config (added in #87154), removing it fixes the build.

[bruvzg]

For the reference, max length seems to be 8191 - https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation#more-information, but it's not working either. 8000 seems to working, so not sure what's the real limit is. Scons default is 2048.

[Faless]

Opened #97458 with the windows fix.

Thanks for the help, this was driving me crazy

[DjSapsan]

OMG you are hero!
I'm testing this change right now and it's already looks promising.
As it's just a commit I needed to compile Godot from scratch, so not sure if everything will work 100% but I hope all good.

[fire]

I expect small tests to work but I don’t think anyone in the godot developer community would be able to test the obscure browser combinations.

My vote is to send the branch into to a pre-release asap.

Edited:

Since @Faless is the web maintainer I don’t know who else can really review it.

[DjSapsan]

I tested it in my project. My application was finally loading data for a period but then started failing.
Sadly, I can't 100% confirm why it worked.
After it started failing I checked Wireshark and it's showing TLS 1.2 again. Not sure if it used 1.3 during successes.
No amount of reboots and code changes make it 1.3.

[akien-mga]

Tested on Linux, seems to work for me:

TLS 1.3 supported :)

[akien-mga]

Good catch to update the docs too.

[akien-mga]

Thanks!

[DjSapsan]

Testing again (Kubuntu btw).
It's showing the correct TLS 1.3, though I still have problems with loading data.
After first packet it stops refreshing

[DjSapsan]

I tested the issue deeper with Wireshark. I need to figure out if this problem with my code or the Godot's code.
I removed everything from my code and just receiving packets without any computation.
After a short working period it shows errors of ZeroWindow and sometimes others. It means that the client (Godot app) can't receive data fast enough. The Browser and Postman still loading the same data perfectly fine.
I think it has something to do with the buffers or maybe something else.
P.S. for understanding - in this case server sends a LOT of data in one burst and then small periodic updates. That's why it may not appear during small tests.

[Faless]

@DjSapsan please open a dedicated issue with a minimal reproduction project. It's not really possible to understand what's going on otherwise.

[DjSapsan]

@DjSapsan please open a dedicated issue with a minimal reproduction project. It's not really possible to understand what's going on otherwise.

#97899