godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

WebSocketPeer uses TLSv1.2 and can't change to TLSv1.3 #92101

Open DjSapsan opened 3 months ago

DjSapsan commented 3 months ago

Tested versions

v4.2.1.stable.official [15073afe3] ... Godot_v4.3-dev6_linux

System information

Godot v4.2.2.stable - Ubuntu 23.10 23.10 - X11 - GLES3 (Compatibility) - llvmpipe (LLVM 15.0.7, 256 bits) () - AMD Ryzen 9 5900X 12-Core Processor (24 Threads)

Issue description


I'm connecting to a WSS source from Godot. Wireshark shows that it uses TLSv1.2 protocol. The connection is STATE_OPEN, but packets are not sent from server to me.

When I'm testing the same WSS address in Postman everything works perfectly and Wireshark shows that TLSv1.3 is used. Also there are some other differences.

Also, the documentation is absolutely useless. So nobody knows if this is a Godot bug, or just outdated version or something that is possible to fix in code, but unclear how!

I asked about the problem 4 times in discord and literally 0 answers.

Steps to reproduce

connect to any websocket that uses TLSv1.3

Minimal reproduction project (MRP)

Archive.zip

For some unclear reason this MRP can't even connect with 100% the same code as the original. The original can at least connect, although it doesn't receive anything.

akien-mga commented 3 months ago

Also, the documentation is absolute shit (I'm sorry, I'm just frustrated).

Please don't do that, this is a breach of our Code of Conduct.

We can understand frustration, but we shouldn't have to put up with it in our bug tracker. This doesn't make contributors want to help solve your issue.

Now, if you could provide links to the documentation you're talking about and details in what you think is lacking, that would be constructive and actionable.

DjSapsan commented 3 months ago

Now, if you could provide links to the documentation you're talking about and details in what you think is lacking, that would be constructive and actionable.

This whole article is useless - https://docs.godotengine.org/cs/4.x/classes/class_websocketpeer.html Also this part in it: [image]

akien-mga commented 3 months ago

Please define "useless", that's not in any way constructive or actionable criticism.

I see a lot of useful information there myself. Some descriptions might be lacking, and to know in what way they are lacking, we would benefit from you explaining what you were expecting to find and couldn't.

DjSapsan commented 3 months ago

I'm expecting to find how to change TLS version at least

DjSapsan commented 3 months ago

Ok, I heard that TLSv1.3 is due to be added soon. If it's true, then the issue can be closed. I will just update my version

Calinou commented 3 months ago

Ok, I heard that TLSv1.3 is due to be added soon. If it's true, then the issue can be closed. I will just update my version

Where did you hear this? I don't know if Godot uses a recent enough mbedTLS version to support TLS 1.3 (it probably does already).

DjSapsan commented 3 months ago

[image] Maybe it's wrong. So idk what to do with TLSv1.3

bruvzg commented 3 months ago

TLSv1.3 is supported by the used version of mbedTLS, but it is disabled:

https://github.com/godotengine/godot/blob/8e2141eac534f6984bb0bdbcefbd17de27ae0993/thirdparty/mbedtls/include/godot_module_mbedtls_config.h#L62-L65

akien-mga commented 3 months ago

So some actionables:

@godotengine/network

Faless commented 3 months ago

Clarify docs on how to use the supported_protocols property (what's the syntax, what are valid values)

The documentation states supported_protocols specifies the WebSocket sub-protocol(s) to advertise during handshake.

This is part of the WebSocket standard (should we add this link in the docs?) and has nothing to do with the TLS version (which is not part of WebSocket itself).

The TLS version supported is explained in the HTTPClient, we should link to it from the websocket docs (like we do in the HTTPRequest class), and probably update it because AFAIR support for TLSv1.0/1.1 has been dropped (they have long been deprecated as insecure), so only TLSv1.2 is supported right now (98% of the web).
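An added example (not code from the issue, the MRP, or Godot's own docs) that ties the points above together: `supported_protocols` is the WebSocket sub-protocol list sent during the handshake, TLS is configured separately through `TLSOptions`, and nothing on the peer selects a TLS version, since the allowed versions are fixed at build time in the mbedTLS config header linked earlier. It assumes the Godot 4.2 `WebSocketPeer` API; the URL and the sub-protocol name `"chat"` are placeholders.

```gdscript
extends Node

# Placeholder endpoint, not a real server.
const URL := "wss://example.invalid/ws"

var _peer := WebSocketPeer.new()
var _was_open := false

func _ready() -> void:
	# WebSocket sub-protocols (Sec-WebSocket-Protocol header). This is the only thing
	# supported_protocols controls; it has no effect on the TLS handshake.
	_peer.supported_protocols = PackedStringArray(["chat"])
	# TLS client settings: verify the server chain against the bundled CAs.
	# Pass an X509Certificate to TLSOptions.client() to trust a private CA instead.
	# There is no field here for the TLS version; that comes from the engine build.
	var err := _peer.connect_to_url(URL, TLSOptions.client())
	if err != OK:
		push_error("connect_to_url failed: %s" % error_string(err))
		set_process(false)

func _process(_delta: float) -> void:
	_peer.poll()
	match _peer.get_ready_state():
		WebSocketPeer.STATE_OPEN:
			if not _was_open:
				_was_open = true
				# Sub-protocol the server picked from our list (empty if none).
				print("open, selected sub-protocol: '%s'" % _peer.get_selected_protocol())
				_peer.send_text('{"type":"hello"}')
			# Drain everything the server sent since the last poll.
			while _peer.get_available_packet_count() > 0:
				print("recv: ", _peer.get_packet().get_string_from_utf8())
		WebSocketPeer.STATE_CLOSED:
			# A failed TLS handshake (for example a server that only accepts TLS 1.3)
			# does not error out of connect_to_url(); it shows up as a closed peer
			# with close code -1, so this is where to look when STATE_OPEN never arrives.
			print("closed: code=%d reason='%s'" % [_peer.get_close_code(), _peer.get_close_reason()])
			set_process(false)
```

To confirm whether the server side is the problem, compare the TLS version Wireshark reports for this client against the same endpoint from another client; if only TLS 1.3 succeeds, the limitation is the engine's mbedTLS configuration rather than anything in this script.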