From 488cdbacdb6e391a0eeaa456f3c5dd9f06aa3380 Mon Sep 17 00:00:00 2001 From: Fabio Alessandrelli Date: Wed, 12 Feb 2025 16:34:43 +0100 Subject: [PATCH] [TLS] Disable TLSv1.3 support by default --- doc/classes/ProjectSettings.xml | 4 ++++ modules/mbedtls/register_types.cpp | 4 ++++ modules/mbedtls/tls_context_mbedtls.cpp | 11 +++++++++++ 3 files changed, 19 insertions(+) diff --git a/doc/classes/ProjectSettings.xml b/doc/classes/ProjectSettings.xml index b27665548f4b..79bf8975411b 100644 --- a/doc/classes/ProjectSettings.xml +++ b/doc/classes/ProjectSettings.xml @@ -2204,6 +2204,10 @@ The CA certificates bundle to use for TLS connections. If this is set to a non-empty value, this will [i]override[/i] Godot's default [url=https://github.com/godotengine/godot/blob/master/thirdparty/certs/ca-certificates.crt]Mozilla certificate bundle[/url]. If left empty, the default certificate bundle will be used. If in doubt, leave this setting empty. + + If [code]true[/code], enable TLSv1.3 negotiation. + [b]Note:[/b] This is experimental, and may cause connections to fail in some cases (notably, if the remote server uses TLS handshake fragmentation). + The default rotational motion damping in 2D. Damping is used to gradually slow down physical objects over time. RigidBodies will fall back to this value when combining their own damping values and no area damping value is present. Suggested values are in the range [code]0[/code] to [code]30[/code]. At value [code]0[/code] objects will keep moving with the same velocity. Greater values will stop the object faster. A value equal to or greater than the physics tick rate ([member physics/common/physics_ticks_per_second]) will bring the object to a stop in one iteration. diff --git a/modules/mbedtls/register_types.cpp b/modules/mbedtls/register_types.cpp index bf65dfb0b76a..c0eca6ee18e0 100644 --- a/modules/mbedtls/register_types.cpp +++ b/modules/mbedtls/register_types.cpp @@ -35,6 +35,8 @@ #include "packet_peer_mbed_dtls.h" #include "stream_peer_mbedtls.h" +#include "core/config/project_settings.h" + #if MBEDTLS_VERSION_MAJOR >= 3 #include #endif @@ -50,6 +52,8 @@ void initialize_mbedtls_module(ModuleInitializationLevel p_level) { return; } + GLOBAL_DEF("network/tls/enable_tls_v1.3", false); + #if MBEDTLS_VERSION_MAJOR >= 3 int status = psa_crypto_init(); ERR_FAIL_COND_MSG(status != PSA_SUCCESS, "Failed to initialize psa crypto. The mbedTLS modules will not work."); diff --git a/modules/mbedtls/tls_context_mbedtls.cpp b/modules/mbedtls/tls_context_mbedtls.cpp index f5c196596eb2..33c4cfd5450e 100644 --- a/modules/mbedtls/tls_context_mbedtls.cpp +++ b/modules/mbedtls/tls_context_mbedtls.cpp @@ -30,6 +30,8 @@ #include "tls_context_mbedtls.h" +#include "core/config/project_settings.h" + static void my_debug(void *ctx, int level, const char *file, int line, const char *str) { @@ -144,6 +146,11 @@ Error TLSContextMbedTLS::init_server(int p_transport, Ref p_options, cookies = p_cookies; mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx)); } + + if (Engine::get_singleton()->is_editor_hint() || !(bool)GLOBAL_GET("network/tls/enable_tls_v1.3")) { + mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); + } + mbedtls_ssl_setup(&tls, &conf); return OK; } @@ -187,6 +194,10 @@ Error TLSContextMbedTLS::init_client(int p_transport, const String &p_hostname, } } + if (Engine::get_singleton()->is_editor_hint() || !(bool)GLOBAL_GET("network/tls/enable_tls_v1.3")) { + mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); + } + // Set valid CAs mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), nullptr); mbedtls_ssl_setup(&tls, &conf);