author | Edward Thomson <ethomson@edwardthomson.com> | 2018-02-27 12:43:47 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-27 12:43:47 +0000 |
commit | b4dde78a776f3dca8eb21c9028ecd161291c78c0 (patch) | |
tree | 0c00fbb6d5b234b6ef7482f1df9a570acc0c1ab2 | |
parent | 7d90637069e03567a07b57ccbe4cf728ab823644 (diff) | |
parent | 5ecb62206a9cdb6cb2105f5ef6cfcd3b9f5bab3a (diff) | |
download | libgit2-b4dde78a776f3dca8eb21c9028ecd161291c78c0.tar.gz |
Merge pull request #4550 from libgit2/ethomson/winhttp
winhttp: enable TLS 1.2
-rw-r--r-- | deps/winhttp/winhttp.h | 10 | ||||
-rw-r--r-- | src/transports/winhttp.c | 22 |
2 files changed, 28 insertions, 4 deletions
diff --git a/deps/winhttp/winhttp.h b/deps/winhttp/winhttp.h
index dd1986a66..b7fef1c4b 100644
--- a/deps/winhttp/winhttp.h
+++ b/deps/winhttp/winhttp.h
@@ -437,10 +437,12 @@ typedef int INTERNET_SCHEME, *LPINTERNET_SCHEME;
 #define WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE 0x00000040
 #define WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR 0x80000000
 
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 0x00000008
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 0x00000020
-#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 0x00000080
-#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 0x00000008
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 0x00000020
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 0x00000080
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
+#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
 
 #define WINHTTP_AUTH_SCHEME_BASIC 0x00000001
 #define WINHTTP_AUTH_SCHEME_NTLM 0x00000002
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
index 46a8fcddc..e52d54b6d 100644
--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -40,6 +40,14 @@
 #define WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH 0
 #endif
 
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
+#endif
+
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
+#endif
+
 static const char *prefix_https = "https://";
 static const char *upload_pack_service = "upload-pack";
 static const char *upload_pack_ls_service_url = "/info/refs?service=git-upload-pack";
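Review bot: The two new guards in src/transports/winhttp.c test a different name from the one they define: `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1` (underscore before `1_1`) protects `# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1`, and likewise `TLS_1_2` guards `TLS1_2`, so the conditions are always true and the macros are defined unconditionally. Against an SDK header, or the vendored deps/winhttp/winhttp.h this same commit extends, that already defines `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1`/`TLS1_2`, that is a redefinition that only stays silent because the values happen to match; if the header's value ever differed it would at least draw a redefinition warning and could leave a mismatched flag in use. The guards should name the macro they define, `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`.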
@@ -744,6 +752,10 @@ static int winhttp_connect(
 	int error = -1;
 	int default_timeout = TIMEOUT_INFINITE;
 	int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
+	DWORD protocols =
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
 
 	t->session = NULL;
 	t->connection = NULL;
@@ -786,6 +798,16 @@ static int winhttp_connect(
 		goto on_error;
 	}
 
+	/*
+	 * Do a best-effort attempt to enable TLS 1.2 but allow this to
+	 * fail; if TLS 1.2 support is not available for some reason,
+	 * ignore the failure (it will keep the default protocols).
+	 */
+	WinHttpSetOption(t->session,
+		WINHTTP_OPTION_SECURE_PROTOCOLS,
+		&protocols,
+		sizeof(protocols));
+
 	if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
 		giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
 		goto on_error;
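Review bot: The `WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS, …)` call discards its return value, and the comment's justification, "it will keep the default protocols", is the weak spot: on a WinHTTP build that does not understand the TLS 1.2 flag the whole mask is presumably rejected, and the session keeps the OS default, which on older Windows releases has reportedly included SSL 3.0 — so the fallback re-enables exactly the protocols (SSL 2.0/3.0) that the new mask was implicitly removing. Rather than ignoring the failure, step the mask down (TLS 1.0–1.1, then TLS 1.0 alone) so SSL 2.0/3.0 are never left enabled, and have the comment say that the option also excludes SSL 2.0/3.0 rather than only that it enables TLS 1.2. If every attempt fails, `GetLastError()` is worth recording non-fatally (giterr_set is already used in this function) so the effective protocol set is diagnosable. winhttp_connect begins before this hunk and continues after it.
```c
	/*
	 * Restrict the session to TLS 1.0-1.2; this also drops the SSL 2.0/3.0
	 * that older WinHTTP defaults may include.  A WinHTTP that does not
	 * know the TLS 1.2 flag appears to reject the whole mask, so step the
	 * mask down instead of silently falling back to the OS default.
	 */
	if (!WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS,
			&protocols, sizeof(protocols))) {
		protocols = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
			WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1;
		if (!WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS,
				&protocols, sizeof(protocols))) {
			protocols = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1;
			if (!WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS,
					&protocols, sizeof(protocols)))
				giterr_set(GITERR_OS, "failed to restrict WinHTTP secure protocols");
		}
	}
	/* … unchanged: WinHttpSetTimeouts and the rest of winhttp_connect … */
```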