diff --git a/deps/winhttp/winhttp.h b/deps/winhttp/winhttp.h
index dd1986a6613..b7fef1c4b47 100644
--- a/deps/winhttp/winhttp.h
+++ b/deps/winhttp/winhttp.h
@@ -437,10 +437,12 @@ typedef int INTERNET_SCHEME, *LPINTERNET_SCHEME;
 #define WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE 0x00000040
 #define WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR 0x80000000
 
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 0x00000008
-#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 0x00000020
-#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 0x00000080
-#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 0x00000008
+#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 0x00000020
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 0x00000080
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
+#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
+#define WINHTTP_FLAG_SECURE_PROTOCOL_ALL (WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1)
 
 #define WINHTTP_AUTH_SCHEME_BASIC 0x00000001
 #define WINHTTP_AUTH_SCHEME_NTLM 0x00000002
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
index 46a8fcddcd6..e52d54b6d70 100644
--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -40,6 +40,14 @@
 #define WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH 0
 #endif
 
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
+#endif
+
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
+#endif
+
 static const char *prefix_https = "https://";
 static const char *upload_pack_service = "upload-pack";
 static const char *upload_pack_ls_service_url = "/info/refs?service=git-upload-pack";
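Review bot: The fallback guards in the @@ -40 hunk of src/transports/winhttp.c test `WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1` and `WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2` (underscore before the 1) but define `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`, so each `#ifndef` never looks at the name it is meant to protect. Against an SDK header that already provides the `TLS1_x` names the macros are redefined unconditionally, which is benign only while the values agree, and the same two names are consumed by the `protocols` initializer in the @@ -744 hunk. The guards should read `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`. The deps/winhttp/winhttp.h hunk on this page already adds both names with the same values, so the guarded defines here only take effect when building against a different header.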
@@ -744,6 +752,10 @@ static int winhttp_connect(
 int error = -1;
 int default_timeout = TIMEOUT_INFINITE;
 int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
+ DWORD protocols =
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
 
 t->session = NULL;
 t->connection = NULL;
@@ -786,6 +798,16 @@ static int winhttp_connect(
 goto on_error;
 }
 
+ /*
+ * Do a best-effort attempt to enable TLS 1.2 but allow this to
+ * fail; if TLS 1.2 support is not available for some reason,
+ * ignore the failure (it will keep the default protocols).
+ */
+ WinHttpSetOption(t->session,
+ WINHTTP_OPTION_SECURE_PROTOCOLS,
+ &protocols,
+ sizeof(protocols));
+
 if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
 giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
 goto on_error;
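Review bot: The return value of WinHttpSetOption() in the @@ -786 hunk is discarded, so a failure to restrict the session to TLS 1.0–1.2 is invisible: the session silently keeps whatever protocol set the OS defaults to, and on older WinHTTP builds that default presumably still includes SSL 3, which `protocols` deliberately leaves out. Keeping the best-effort behaviour but making the downgrade observable is cheap: `if (!WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS, &protocols, sizeof(protocols)))` followed by a diagnostic that records `GetLastError()`, without jumping to on_error. The comment also says "enable TLS 1.2" while the value enables TLS 1.0, 1.1 and 1.2; `/* Best-effort: restrict the session to TLS 1.0/1.1/1.2 (no SSL2/SSL3). If the option is unsupported the OS default set stays in effect. */` would match what the code does. winhttp_connect() begins before the first hunk and continues past the last line shown.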