mbedTLS: Update to mbedTLS 3.6.4

mbedTLS 2.28 is now EOL, and will no longer receive security updates.

This commit backports from Godot 4 the changes needed to update to
mbedTLS 3.6 (new LTS), including TLSv1.3 support.

(cherry picked from commit 0770c9a4a3)

modules/mbedtls/ssl_context_mbedtls.cpp

@@ -30,6 +30,12 @@
 
 #include "ssl_context_mbedtls.h"
 
+#include "core/project_settings.h"
+
+#ifdef TOOLS_ENABLED
+#include "editor/editor_settings.h"
+#endif
+
 static void my_debug(void *ctx, int level,
 		const char *file, int line,
 		const char *str) {
@@ -147,6 +153,22 @@ Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<Crypto
 		cookies = p_cookies;
 		mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx));
 	}
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+#ifdef TOOLS_ENABLED
+	if (EditorSettings::get_singleton()) {
+		if (!EditorSettings::get_singleton()->get_setting("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	} else
+#endif
+	{
+		if (!GLOBAL_GET("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	}
+#endif
+
 	mbedtls_ssl_setup(&ssl, &conf);
 	return OK;
 }
@@ -173,6 +195,22 @@ Error SSLContextMbedTLS::init_client(int p_transport, int p_authmode, Ref<X509Ce
 
 	// Set valid CAs
 	mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), nullptr);
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+#ifdef TOOLS_ENABLED
+	if (EditorSettings::get_singleton()) {
+		if (!EditorSettings::get_singleton()->get_setting("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	} else
+#endif
+	{
+		if (!GLOBAL_GET("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	}
+#endif
+
 	mbedtls_ssl_setup(&ssl, &conf);
 	return OK;
 }