Merge pull request #5633 from csware/winhttp1.3 WinHTTP: Try to use TLS1.3
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
index ee8cb15..3fb8fc5 100644
--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -49,6 +49,10 @@
 # define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
 #endif
 
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3 0x00002000
+#endif
+
 #ifndef HTTP_STATUS_PERMANENT_REDIRECT
 # define HTTP_STATUS_PERMANENT_REDIRECT 308
 #endif
@@ -743,7 +747,8 @@ static int winhttp_connect(
 	DWORD protocols =
 		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
 		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
-		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
 
 	t->session = NULL;
 	t->connection = NULL;
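Review bot: The protocol mask built here still ORs in WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 and WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1, so adding TLS 1.3 does not stop a downgrade to TLS 1.0/1.1, both of which are deprecated by RFC 8996. That is pre-existing rather than introduced by this commit, but since the commit reworks this initializer it is the natural place to either drop the two legacy flags or record why they are kept, e.g. `/* TLS 1.0/1.1 kept for compatibility with legacy servers; remove once no longer needed */`. winhttp_connect begins before this hunk and its body continues past it.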
@@ -788,14 +793,20 @@ static int winhttp_connect(
 	}
 
 	/*
-	 * Do a best-effort attempt to enable TLS 1.2 but allow this to
-	 * fail; if TLS 1.2 support is not available for some reason,
+	 * Do a best-effort attempt to enable TLS 1.3 and 1.2 but allow this to
+	 * fail; if TLS 1.2 or 1.3 support is not available for some reason,
 	 * ignore the failure (it will keep the default protocols).
 	 */
-	WinHttpSetOption(t->session,
+	if (WinHttpSetOption(t->session,
 		WINHTTP_OPTION_SECURE_PROTOCOLS,
 		&protocols,
-		sizeof(protocols));
+		sizeof(protocols)) == FALSE) {
+		protocols &= ~WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+		WinHttpSetOption(t->session,
+			WINHTTP_OPTION_SECURE_PROTOCOLS,
+			&protocols,
+			sizeof(protocols));
+	}
 
 	if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
 		git_error_set(GIT_ERROR_OS, "failed to set timeouts for WinHTTP");
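Review bot: The comment above the new `if` still ends with "ignore the failure (it will keep the default protocols)", which no longer matches the code: a failed first call now retries with TLS 1.3 masked out, and only a failure of that second call leaves the defaults in place. Suggest `* fail; if the full set is rejected (e.g. TLS 1.3 unknown to this Windows build), retry without TLS 1.3, and if that also fails keep the default protocols.` as the tail of the comment. Separately, `== FALSE` on the WinHttpSetOption result is inconsistent with the `if (!WinHttpSetTimeouts(...))` form used two lines below; `if (!WinHttpSetOption(t->session, ...))` would match the file's style. winhttp_connect's body continues outside the hunk.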