|
40 | 40 | #define WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH 0
|
41 | 41 | #endif
|
42 | 42 |
|
| 43 | +#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1 |
| 44 | +# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200 |
| 45 | +#endif |
| 46 | + |
| 47 | +#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2 |
| 48 | +# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800 |
| 49 | +#endif |
| 50 | + |
43 | 51 | static const char *prefix_https = "https://";
|
44 | 52 | static const char *upload_pack_service = "upload-pack";
|
45 | 53 | static const char *upload_pack_ls_service_url = "/info/refs?service=git-upload-pack";
|
@@ -744,6 +752,10 @@ static int winhttp_connect(
|
744 | 752 | int error = -1;
|
745 | 753 | int default_timeout = TIMEOUT_INFINITE;
|
746 | 754 | int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
|
| 755 | + DWORD protocols = |
| 756 | + WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | |
| 757 | + WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | |
| 758 | + WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2; |
747 | 759 |
|
748 | 760 | t->session = NULL;
|
749 | 761 | t->connection = NULL;
|
@@ -786,6 +798,16 @@ static int winhttp_connect(
|
786 | 798 | goto on_error;
|
787 | 799 | }
|
788 | 800 |
|
| 801 | + /* |
| 802 | + * Do a best-effort attempt to enable TLS 1.2 but allow this to |
| 803 | + * fail; if TLS 1.2 support is not available for some reason, |
| 804 | + * ignore the failure (it will keep the default protocols). |
| 805 | + */ |
| 806 | + WinHttpSetOption(t->session, |
| 807 | + WINHTTP_OPTION_SECURE_PROTOCOLS, |
| 808 | + &protocols, |
| 809 | + sizeof(protocols)); |
| 810 | + |
789 | 811 | if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
|
790 | 812 | giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
|
791 | 813 | goto on_error;
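Review bot: The result of `WinHttpSetOption(t->session, WINHTTP_OPTION_SECURE_PROTOCOLS, ...)` at new lines 806-809 is discarded, so when the call fails the session silently keeps the platform's default protocol set and nothing records that the TLS 1.0/1.1/1.2 mask was not applied. The comment above it only mentions TLS 1.2; I would add a line such as `* On failure the session keeps the WinHTTP defaults, which may differ from this mask.` so that someone auditing protocol policy does not assume the mask is always in force. Separately, the guards at new lines 43 and 47 test `WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1` and `WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2` but define `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`, so each `#ifndef` does not test the macro it defines. They should read `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`. The body of winhttp_connect starts and ends outside the hunks shown.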
|
|