[3.6] Cherry-picks for the 3.6 branch (future 3.6.2) - 1st batch

[lawnjelly]

This is primarily to fix the updated google play Android requirements, but there are a few other bug fixes / platform updates.

Let me know if you spot any I missed.

[akien-mga]

Regarding mbedtls, I suggested in #108382 (review) that for 3.6.x we might want to take a more minimal approach and not add support for TLSv1.3. I'm fine adding it anyway but it's a new feature which is not usually what we want in a patch release. But maybe it's considered a bugfix too if some websites start requiring TLSv1.3? CC @Faless

[akien-mga]

Could also be cherry-picked:

• [3.x] Enable builds with miniupnpc API 18 #100389
• [3.x] Batching - Fix MultiRect casting to wrong type #109111
• [3.x] Fix Open Editor Data/Settings Folder menu in self-contained mode #110414
• [iOS, 3.x] Switch window creation to UIScene. #111103
• [3.x] FTI - Fix physics body resets when using sync_to_physics #111069 once merged

[lawnjelly]

Marking as ready for review as there's no reason we can't do #111069 separately when reviewed.

(We're also waiting for a double check that there isn't a 16kb page issue for the APKs but again that can be done separately if changes needed.)

[Faless]

Regarding mbedtls, I suggested in #108382 (review) that for 3.6.x we might want to take a more minimal approach and not add support for TLSv1.3. I'm fine adding it anyway but it's a new feature which is not usually what we want in a patch release. But maybe it's considered a bugfix too if some websites start requiring TLSv1.3? CC @Faless

@akien-mga this is a hard one.

Enabling TLSv1.3 did have consequences in the past, notably breaking some websites due to an improper implementation on the mbedTLS side, and some unannounced breaking changes that caused a race condition in our implementation.

That said, it seems that as of now the situation is stable (we didn't find new issues in a while), and mbedTLS is clearly moving full steam towards a PSA-only world with mbedTLS 4 on the way, which will require PSA, so that's their focus now (i.e. they are more likely to fix PSA issues in 3.6 that "strange" non-PSA issues, at least that's my feeling).

So, I'm really leaning towards keeping the PSA-enabled config, as this will also make maintaining it easier on our side.
What we could maybe do, to avoid enabling a new feature by default in a point release, is swap the enable_tlsv1.3 flag to false in 3.6.

Again, this is a hard choice, and I also fear doing a "partial" update is riskier, so I would try to keep implementations more or less in sync whenever we can, and we can also more promptly release security updates if needed.

[akien-mga]

So, I'm really leaning towards keeping the PSA-enabled config, as this will also make maintaining it easier on our side.
What we could maybe do, to avoid enabling a new feature by default in a point release, is swap the enable_tlsv1.3 flag to false in 3.6.

Sounds good to me. @lawnjelly Can you flip that project setting for 3.6?

[lawnjelly]

Sounds good to me. @lawnjelly Can you flip that project setting for 3.6?

Sure I will take a look (may have to be sunday onward). 👍

[lawnjelly]

Sounds good to me. @lawnjelly Can you flip that project setting for 3.6?

Have added this as the final commit (just to enable easy checking that I have fixed up the right thing). If that's okay let me know and I can combine with the mbedtls commit if we prefer it like that.

From the discussions, I'm guessing we are okay with keeping the default to true in 3.7?

[akien-mga]

Looks great to me. I think a separate commit makes sense so the change is explicit and not hidden in a modified cherry-pick.

From the discussions, I'm guessing we are okay with keeping the default to true in 3.7?

Yeah definitely true for 3.7.

[lawnjelly]

Thanks!