authorEdward Thomson <ethomson@edwardthomson.com>2018-02-25 15:46:51 +0000
committerEdward Thomson <ethomson@edwardthomson.com>2018-02-27 11:25:32 +0000
commit5ecb62206a9cdb6cb2105f5ef6cfcd3b9f5bab3a (patch)
tree0c00fbb6d5b234b6ef7482f1df9a570acc0c1ab2
parent934e6a3b40ff98d34741bd5ed12a2ceb1f708398 (diff)
downloadlibgit2-5ecb62206a9cdb6cb2105f5ef6cfcd3b9f5bab3a.tar.gz
winhttp: enable TLS 1.2 on Windows 7 and earlierethomson/winhttp
Versions of Windows prior to Windows 8 do not enable TLS 1.2 by default, though support may exist. Try to enable TLS 1.2 support explicitly on connections. This request may fail if the operating system does not have TLS 1.2 support - the initial release of Vista lacks TLS 1.2 support (though it is available as a software update) and XP completely lacks TLS 1.2 support. If this request does fail, the HTTP context is still valid, and still maintains the original protocol support. So we ignore the failure from this operation.
-rw-r--r--src/transports/winhttp.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
index 07e8163e1..e52d54b6d 100644
--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -752,6 +752,10 @@ static int winhttp_connect(
int error = -1;
int default_timeout = TIMEOUT_INFINITE;
int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
+ DWORD protocols =
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
t->session = NULL;
t->connection = NULL;
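Review bot: The `protocols` mask declared here (`WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | ..._TLS1_1 | ..._TLS1_2`) is later passed to `WINHTTP_OPTION_SECURE_PROTOCOLS`, which replaces the session's protocol set rather than adding to it, so the effective policy after this change is "TLS 1.0–1.2, nothing else" and a server can still negotiate down to TLS 1.0. The commit title describes the intent as enabling TLS 1.2, so the deliberate inclusion of the two older versions is worth stating at the declaration, e.g. `/* Full set handed to WINHTTP_OPTION_SECURE_PROTOCOLS: TLS 1.2 plus 1.0/1.1 for servers that lack it */`. It may also be worth noting that whatever the platform default contained beyond these three (SSL 3.0 on older systems, presumably) is no longer selected once the option call succeeds. winhttp_connect's body continues outside the hunk.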
@@ -794,6 +798,16 @@ static int winhttp_connect(
goto on_error;
}
+ /*
+ * Do a best-effort attempt to enable TLS 1.2 but allow this to
+ * fail; if TLS 1.2 support is not available for some reason,
+ * ignore the failure (it will keep the default protocols).
+ */
+ WinHttpSetOption(t->session,
+ WINHTTP_OPTION_SECURE_PROTOCOLS,
+ &protocols,
+ sizeof(protocols));
+
if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
goto on_error;
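Review bot: The `WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS, ...)` call discards its `BOOL` result, so the connection code cannot tell whether it is now running with TLS 1.2 or still on the platform defaults, and a Windows 7 user whose connection is later refused for being TLS 1.0-only gets no hint why. Ignoring the failure is justified by the comment, but the discard should be visible and, if the transport has a debug/trace channel (not visible in this hunk), the failure should be reported there: `if (!WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS, &protocols, sizeof(protocols)))` followed by a trace call, or at minimum `(void)WinHttpSetOption(...)` to mark the return as intentionally unused. The existing comment would also benefit from a sentence that the mask replaces rather than extends the default set, so readers do not assume the defaults stay available on success. winhttp_connect's body continues past the end of this hunk.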