From 5f8b5a34c61c9edcb6d5df8037c554960b75ff93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Verschelde?=
Date: Mon, 17 Feb 2025 17:51:08 +0100
Subject: [PATCH] mbedtls: Don't set TLS max version on Mbed TLS < 3.0

Relevant for Linux distribution packages which may link against system Mbed TLS.
Fixes #102957.
---
 doc/classes/ProjectSettings.xml | 1 +
 modules/mbedtls/tls_context_mbedtls.cpp | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/doc/classes/ProjectSettings.xml b/doc/classes/ProjectSettings.xml
index 79bf8975411..94c975b468e 100644
--- a/doc/classes/ProjectSettings.xml
+++ b/doc/classes/ProjectSettings.xml
@@ -2207,6 +2207,7 @@
 If [code]true[/code], enable TLSv1.3 negotiation.
 [b]Note:[/b] This is experimental, and may cause connections to fail in some cases (notably, if the remote server uses TLS handshake fragmentation).
+ [b]Note:[/b] Only supported when using Mbed TLS 3.0 or later (Linux distribution packages may be compiled against older system Mbed TLS packages), otherwise the maximum supported TLS version is always TLSv1.2.
 The default rotational motion damping in 2D. Damping is used to gradually slow down physical objects over time. RigidBodies will fall back to this value when combining their own damping values and no area damping value is present.
diff --git a/modules/mbedtls/tls_context_mbedtls.cpp b/modules/mbedtls/tls_context_mbedtls.cpp
index 33c4cfd5450..f7d3422f9fa 100644
--- a/modules/mbedtls/tls_context_mbedtls.cpp
+++ b/modules/mbedtls/tls_context_mbedtls.cpp
@@ -147,9 +147,11 @@ Error TLSContextMbedTLS::init_server(int p_transport, Ref p_options,
 mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx));
 }
+#if MBEDTLS_VERSION_MAJOR >= 3
 if (Engine::get_singleton()->is_editor_hint() || !(bool)GLOBAL_GET("network/tls/enable_tls_v1.3")) {
 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
 }
+#endif
 mbedtls_ssl_setup(&tls, &conf);
 return OK;
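Review bot: The new `#if MBEDTLS_VERSION_MAJOR >= 3` guard in init_server (and the identical one in the init_client hunk) only works if the version macro is defined in this translation unit. The preprocessor treats an undefined identifier as 0, so if no included header defines it, the TLS 1.2 cap is compiled out without any diagnostic, and both the `network/tls/enable_tls_v1.3` setting and the editor restriction silently stop having an effect. The include list is outside this hunk, so this may already be covered transitively, but an explicit `#include <mbedtls/version.h>` next to the other Mbed TLS includes would make the guard independent of include order. A one-line comment above the guard, e.g. `// Only Mbed TLS 3.x can negotiate TLS 1.3; older builds top out at TLS 1.2, so there is nothing to cap.`, would record why the block is conditional. Both function bodies start outside their hunks.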
@@ -194,9 +196,11 @@ Error TLSContextMbedTLS::init_client(int p_transport, const String &p_hostname,
 }
 }
+#if MBEDTLS_VERSION_MAJOR >= 3
 if (Engine::get_singleton()->is_editor_hint() || !(bool)GLOBAL_GET("network/tls/enable_tls_v1.3")) {
 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
 }
+#endif
 // Set valid CAs
 mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), nullptr);