winhttp: enable TLS 1.2 on Windows 7 and earlier

ethomson · ethomson · commit 5ecb62206a9c · 2018-02-27T11:25:32.000Z
Versions of Windows prior to Windows 8 do not enable TLS 1.2 by default,
though support may exist.  Try to enable TLS 1.2 support explicitly on
connections.

This request may fail if the operating system does not have TLS 1.2
support - the initial release of Vista lacks TLS 1.2 support (though
it is available as a software update) and XP completely lacks TLS 1.2
support.  If this request does fail, the HTTP context is still valid,
and still maintains the original protocol support.  So we ignore the
failure from this operation.
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
@@ -752,6 +752,10 @@ static int winhttp_connect(
 	int error = -1;
 	int default_timeout = TIMEOUT_INFINITE;
 	int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
+	DWORD protocols =
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
 
 	t->session = NULL;
 	t->connection = NULL;
@@ -794,6 +798,16 @@ static int winhttp_connect(
 		goto on_error;
 	}
 
+	/*
+	 * Do a best-effort attempt to enable TLS 1.2 but allow this to
+	 * fail; if TLS 1.2 support is not available for some reason,
+	 * ignore the failure (it will keep the default protocols).
+	 */
+	WinHttpSetOption(t->session,
+		WINHTTP_OPTION_SECURE_PROTOCOLS,
+		&protocols,
+		sizeof(protocols));
+
 	if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
 		giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
 		goto on_error;
