authorEdward Thomson <ethomson@edwardthomson.com>2018-02-27 12:43:47 +0000
committerGitHub <noreply@github.com>2018-02-27 12:43:47 +0000
commitb4dde78a776f3dca8eb21c9028ecd161291c78c0 (patch)
tree0c00fbb6d5b234b6ef7482f1df9a570acc0c1ab2
parent7d90637069e03567a07b57ccbe4cf728ab823644 (diff)
parent5ecb62206a9cdb6cb2105f5ef6cfcd3b9f5bab3a (diff)
downloadlibgit2-b4dde78a776f3dca8eb21c9028ecd161291c78c0.tar.gz
Merge pull request #4550 from libgit2/ethomson/winhttp
winhttp: enable TLS 1.2
-rw-r--r--deps/winhttp/winhttp.h10
-rw-r--r--src/transports/winhttp.c22
2 files changed, 28 insertions, 4 deletions
diff --git a/deps/winhttp/winhttp.h b/deps/winhttp/winhttp.h
index dd1986a66..b7fef1c4b 100644
--- a/deps/winhttp/winhttp.h
+++ b/deps/winhttp/winhttp.h
@@ -437,10 +437,12 @@ typedef int INTERNET_SCHEME, *LPINTERNET_SCHEME;
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE 0x00000040
#define WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR 0x80000000
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 0x00000008
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 0x00000020
-#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 0x00000080
-#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 0x00000008
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 0x00000020
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 0x00000080
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
+#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
#define WINHTTP_AUTH_SCHEME_BASIC 0x00000001
#define WINHTTP_AUTH_SCHEME_NTLM 0x00000002
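Review bot: WINHTTP_FLAG_SECURE_PROTOCOL_ALL on the re-added line still expands to SSL2 | SSL3 | TLS1 while the two new TLS1_1 / TLS1_2 bits sit directly above it, so a reader will reasonably assume "ALL" now covers the newer protocols when it does not. If that value is kept to mirror the platform SDK's definition, say so next to it, e.g. `/* Mirrors the SDK value: SSL2/SSL3/TLS1 only, TLS1_1/TLS1_2 are deliberately not included. */`, so nobody later "fixes" it into a protocol set that differs from the real header. The transport in src/transports/winhttp.c builds its own explicit set and does not use this macro.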
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
index 46a8fcddc..e52d54b6d 100644
--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -40,6 +40,14 @@
#define WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH 0
#endif
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
+#endif
+
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
+#endif
+
static const char *prefix_https = "https://";
static const char *upload_pack_service = "upload-pack";
static const char *upload_pack_ls_service_url = "/info/refs?service=git-upload-pack";
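Review bot: The fallback guards on the two new `#ifndef` lines test `WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1` and `WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2` (with an underscore before the `1`) but then define `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`, which are also the names the bundled deps/winhttp/winhttp.h adds in this same commit. As written the guard never tests the macro it defines, so the `# define` is unconditional: with a header that already defines the same name with an identical token sequence that is a benign redefinition, with any other spelling of the value it is a compile error, and the guard gives no protection either way. The fix is to make the guard name match the defined name, `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`.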
@@ -744,6 +752,10 @@ static int winhttp_connect(
int error = -1;
int default_timeout = TIMEOUT_INFINITE;
int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
+ DWORD protocols =
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
t->session = NULL;
t->connection = NULL;
@@ -786,6 +798,16 @@ static int winhttp_connect(
goto on_error;
}
+ /*
+ * Do a best-effort attempt to enable TLS 1.2 but allow this to
+ * fail; if TLS 1.2 support is not available for some reason,
+ * ignore the failure (it will keep the default protocols).
+ */
+ WinHttpSetOption(t->session,
+ WINHTTP_OPTION_SECURE_PROTOCOLS,
+ &protocols,
+ sizeof(protocols));
+
if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
goto on_error;
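Review bot: The return value of the new WinHttpSetOption call is discarded, so when it fails the session silently stays on whatever protocol set the OS defaults to, and neither the caller nor an operator can tell that the TLS 1.2 enablement did not take effect. The comment explains the best-effort intent but not the consequence, so extend it with something like `* Note that the fallback is invisible to callers: on failure the session uses the OS default protocol set, which may be older than TLS 1.2.`. If the transport has a tracing facility, recording the failure there (with `GetLastError()`) would make a downgrade diagnosable without changing the best-effort behaviour. The enclosing winhttp_connect body continues past the end of this hunk.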