somethinglikegames.de

My personal Blog about Game Development as a single person in part time


There is still one open question from the 6th network tutorial. I had written then about the supported DTLS version:

I couldn’t find out yet which version is used by Godot, but as soon as I know, I will tell you.

And now is the time to share this information with you.

When I started to look more closely at DTLS on Godot in early April, I wanted to find out which DTLS versions were supported. I had looked at the source code and found out that mbedtls 2.18.2 was used in Godot 4.0.2. I had also looked at the associated configuration files in Godot, but was unsure whether I was interpreting everything correctly, so I asked in the Godot Contributors Chat at the time:

Security is a very important and (unfortunately) often a very complex topic. Especially if you offer multiplayer servers with their own user database for authentication over the Internet, you should take special care. Therefore I tried to find out which DTLS version with which cipher suites is effectively used when setting up server and client via the usual way for ENet + DTLS.

But unfortunately my rudimentary C knowledge is not sufficient to answer my question by reading the source code. I know by now that Godot relies on Mbed TLS for (D)TLS. The documentation is very rudimentary, but as far as I understand, you can make general settings regarding (D)TLS versions and cipher suites via the parameters in config.h and ./thirdparty/mbedtls/include/mbedtls/config.h respectively. If this is really the case, I am surprised to see that MBEDTLS_SSL_PROTO_TLS1 as well as MBEDTLS_SSL_PROTO_TLS1_1 are configured there, since according to RFC 7525 from 2015, TLS 1.0 and 1.1 (or DTLS 1.0) should no longer be supported. Especially because with Godot in general you can fortunately influence both client and server and thus can be much less permissive than e.g. browsers, where even the Mozilla SSL Configuration Generator in the Intermediate configuration (“recommended for almost all systems”) suggests TLS 1.2 as the oldest version.

Long story short: Is there an “easy” way to find out with which security parameters (DTLS version, cipher suite, …) the network connections at Godot 4 are running? Is it possible to influence/restrict these security parameters without having to compile Godot itself?

Unfortunately I never received a reply to this message; it must have gotten lost somehow. But in my research for the new watch option in ReplicationAPI, which I already covered briefly in the scene-replication article, I came across an interesting commit: mbedTLS: disable weak crypto and TLS versions. The further description reads:

This commit adds a new mbedTLS configuration header to customize the built-in library (and can be optionally replaced by a platform-specific one).

Currently, it disables most weak cryptographic functions (with the notable exceptions of MD5 and SHA-1), along with removing support for TLS versions 1.0 and 1.1 (making TLSv1.2 the only supported one).

This means that as of Godot 4.1, (D)TLS 1.2 is the only supported version by default and most of the weak cryptographic functions have been disabled. In my opinion, this is a big step towards more security in network games with Godot, since from now on everyone using the precompiled version will benefit from these changes by default.
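One way to answer the question from the chat message above (which DTLS version and cipher suite a Godot server actually negotiates) without reading C or recompiling is to look at the ServerHello in a capture of your own game traffic. The following Python is an added example, not code from this blog or from Godot: it decodes the negotiated version and cipher suite from a DTLS ServerHello datagram and flags anything older than DTLS 1.2 or outside a small allow-list of forward-secret AES-GCM suites (the allow-list is my choice, not Godot's configuration). The sample datagram is constructed in the script, not captured from a real Godot server.

```python
import struct

# DTLS record-layer version fields (RFC 4347 / RFC 6347): DTLS 1.0 = 0xFEFF, DTLS 1.2 = 0xFEFD
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

# Small subset of IANA cipher-suite values; anything else is reported as unknown.
CIPHER_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",    # no forward secrecy
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # 3DES, weak
}
# Allow-list used for the "weak" verdict (my choice for this example).
ACCEPTABLE_SUITES = {0xC02B, 0xC02C, 0xC02F, 0xC030}

HANDSHAKE = 22     # record content type
SERVER_HELLO = 2   # handshake message type


def parse_server_hello(datagram: bytes) -> dict:
    """Return negotiated version, cipher suite and a weak/ok verdict for a DTLS ServerHello."""
    # Record header: type(1) version(2) epoch(2) sequence(6) length(2) = 13 bytes
    ctype, _rec_ver, _epoch, length = struct.unpack("!BHH6xH", datagram[:13])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = datagram[13:13 + length]
    # DTLS handshake header: msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3) = 12 bytes
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[12:]
    server_version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                      # 32-byte server random precedes session_id length
    suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
    return {
        "version": DTLS_VERSIONS.get(server_version, f"unknown 0x{server_version:04x}"),
        "cipher_suite": CIPHER_SUITES.get(suite, f"unknown 0x{suite:04x}"),
        "weak": server_version != 0xFEFD or suite not in ACCEPTABLE_SUITES,
    }


def build_server_hello(version: int, suite: int) -> bytes:
    """Construct a minimal DTLS ServerHello datagram (test fixture, not captured traffic)."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!HB", suite, 0)
    hs_hdr = (bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big")
              + b"\x00\x00" + b"\x00\x00\x00" + len(hello).to_bytes(3, "big"))
    body = hs_hdr + hello
    return struct.pack("!BHH6xH", HANDSHAKE, version, 0, len(body)) + body


if __name__ == "__main__":
    print(parse_server_hello(build_server_hello(0xFEFD, 0xC02B)))  # what a Godot 4.1 server should look like
    print(parse_server_hello(build_server_hello(0xFEFF, 0x000A)))  # flagged as weak
```

To inspect real traffic, feed the UDP payload of the server's first handshake datagram (for example exported from Wireshark) to parse_server_hello; a result of DTLS 1.0 or an unexpected suite means the build in use does not have the 4.1 configuration described above.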

As it is, I didn’t get a direct answer, but my comment seems to have been taken note of, at least I can tell myself now 😆.