mbedtls: bump minimum version required to 3.2.0

[vszakats]

3.2.0 was released on July 11, 2022.

Ref: #18161

---

w/o sp https://github.com/curl/curl/pull/18254/files?w=1

• maybe bump minimum to 3.1.0? (Dec 15, 2021)
• maybe bump minimum to 3.2.0? (July 11, 2022)
• cmake: drop 2.x logic
• maybe bump minimum to 3.6.1? Separate PR.
  https://repology.org/project/mbedtls/versions
• version check in cmake? perhaps in autotools? [I skip for autotools]

[bagder]

• 3.2.0 was released July 11, 2023
• 3.0.0 was released July 7, 2021

[vszakats]

• 3.2.0 was released July 11, 2023

2022 looks correct for 3.2.0:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.2.0

and 3.1.0 is Dec 15, 2021:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.1.0

Both need their own branches. I have a patch for 3.1.0, shall we decide
to make it the minimum. Going with 3.2.0 allows dropping some more
code, I'll commit it later, just to see.

[vszakats]

3.1.0 looks like a bugfix release in the same year as 3.0.0.
It seems fine to require as a minimum, and allows dropping
some compatibility logic.

Looking at the distro overview below, a couple of ones stand
at 3.4.0 and 3.5.0, but the vast majority is at 3.6.x:

https://repology.org/project/mbedtls/versions

Based on this, a jump to 3.2.0 seems reasonable. The next
jump that allows dropping code, and also required for TLSv1.3
is 3.6.0. v3.6.1 allows dropping all compatibility code.

TL;DR: IMO going for 3.2.0 seems fine. Maybe even 3.6.1.

[wyattoday]

Thanks for doing this @vszakats , I was just going to make an issue for this, but saw you already did the work. Thanks! I Appreciate it.

[wyattoday]

Also, I'm on board for bumping the minimum version to 3.6.1 because the 3.6.x branch is the only one supported by mbedTLS and the parent organization (other than than the upcoming 4.x branch, currently in beta).

[vszakats]

Just verified the gains with requiring 3.6.1, and it's tiny: it saves 2 interim
macros, and ~10 lines to define them. Because the new features it brings
are guarded with macros anyway.

According to local tests with 3.4.0 (3.2.0, 3.3.0 did not build out of the box
with cmake at least), the interim macros and version guards are fine
to drop without bumping the minimums. Saving the same amount of logic.

This enables building curl with mbedTLS <3.6.0 with explicitly enabled
experimental (also broken in my quick test) TLSv1.3 (and PSA) support,
which I guess no one does, unless they really want to with a custom
mbedTLS build.

[greenrobot]

Just to clarify... Mbed TLS 2.28 was a LTS, with last and final release in March 2025: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10. So this is not supported with curl 8.16+, correct?

[bagder]

Correct