Merge pull request #4550 from libgit2/ethomson/winhttp

winhttp: enable TLS 1.2

Merge pull request #4550 from libgit2/ethomson/winhttp
winhttp: enable TLS 1.2
b4dde78a · Edward Thomson · GitHub · 7d906370 · 5ecb6220 · b4dde78a
Unverified Commit b4dde78a authored Feb 27, 2018 by Edward Thomson Committed by GitHub Feb 27, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 4 deletions

deps/winhttp/winhttp.h
+6 -4

src/transports/winhttp.c
+22 -0

No files found.
--- a/deps/winhttp/winhttp.h
+++ b/deps/winhttp/winhttp.h
@@ -437,10 +437,12 @@ typedef int INTERNET_SCHEME, *LPINTERNET_SCHEME;
 #define WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE        0x00000040
 #define WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR  0x80000000
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2  0x00000008
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2    0x00000008
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3  0x00000020
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3    0x00000020
-#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1  0x00000080
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1    0x00000080
-#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL   (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1  0x00000200
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2  0x00000800
+#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL     (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
 #define WINHTTP_AUTH_SCHEME_BASIC      0x00000001
 #define WINHTTP_AUTH_SCHEME_NTLM       0x00000002

--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -40,6 +40,14 @@
 #define WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH 0
 #endif
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
+#endif
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
+#endif
 static const char *prefix_https = "https://";
 static const char *upload_pack_service = "upload-pack";
 static const char *upload_pack_ls_service_url = "/info/refs?service=git-upload-pack";
@@ -744,6 +752,10 @@ static int winhttp_connect(
 	int error = -1;
 	int default_timeout = TIMEOUT_INFINITE;
 	int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
+	DWORD protocols =
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
 	t->session = NULL;
 	t->connection = NULL;
@@ -786,6 +798,16 @@ static int winhttp_connect(
 		goto on_error;
 	}
+	/*
+	 * Do a best-effort attempt to enable TLS 1.2 but allow this to
+	 * fail; if TLS 1.2 support is not available for some reason,
+	 * ignore the failure (it will keep the default protocols).
+	 */
+	WinHttpSetOption(t->session,
+		WINHTTP_OPTION_SECURE_PROTOCOLS,
+		&protocols,
+		sizeof(protocols));
 	if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
 		giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
 		goto on_error;