Unpin Mbed TLS from version 2.24

[mkitti]

Currently Mbed TLS is pinned to 2.24, including in some julia dependencies:

1. LibSSH2
2. LibGit2
3. Curl

This creates an issue when trying to update Mbed TLS in Julia: JuliaLang/julia#42311

We need to remove the pin, which should be possible with Julia 1.6.

This should allow Mbed TLS to be upgraded to 2.27 or 2.28 in response to security advisories.

Note that GDAL and NetCDF use a configure function that I'm not familiar with. Perhaps these need a Julia 1.6 compat declaration.

[giordano]

I'm not sure what's your point, but mbedtls regularly breaks ABI, fixing the compat bounds is necessary

[giordano]

And mbedtls 2.28 in #4179 broke again the ABI, libmbedtls has soversion 14, 2.27 had 13

[nalimilan]

Why do they keep breaking the API so often?! They versioning scheme seems... original. :-/

[mkitti]

@nalimilan , apparently they did not like the order of the fields:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0

Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
different order. This only affects applications that define such
structures directly or serialize them.

[jeremiahpslewis]

@mkitti @nalimilan Anyone have a rough guess as to how hard it will be to go to v3.1? Kind of wonder whether 2.28 is a porous fix, given that they promise "Removal of many insecure or obsolete features". On the other hand, v3.0 was affected by the same CVEs as 2.2x

[mkitti]

In conda-forge, we currently have Julia 1.7.1 that was built with Mbed TLS 3.1, so it builds:

julia                     1.7.1                h989b2f6_1    conda-forge
mbedtls                   3.1.0                h9c3ff4c_0    conda-forge

There is likely an issue with a good portion of Yggdrasil based on the reverse depends. It's possible though.