fetcher,winhttp: force TLS 1.2 on Win 8.0 and 7

On ancient Windows, we must opt-in to using TLS 1.2. Otherwise it only
allows for TLS 1.0. And of course there's no TLS 1.3 support there at
all.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

3 files changed, 14 insertions, 0 deletions

diff --git a/installer/fetcher/fetcher.c b/installer/fetcher/fetcher.c
index 8253b16d..7392fb59 100644
--- a/installer/fetcher/fetcher.c
+++ b/installer/fetcher/fetcher.c
@@ -114,6 +114,12 @@ static DWORD __stdcall download_thread(void *param)
 	if (!session)
 		goto out;
 	WinHttpSetOption(session, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, &enable_http2, sizeof(enable_http2)); // Don't check return value, in case of old Windows
+	if (is_win8dotzero_or_below()) {
+		DWORD enable_tls12 = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+		if (!WinHttpSetOption(session, WINHTTP_OPTION_SECURE_PROTOCOLS, &enable_tls12, sizeof(enable_tls12)))
+			goto out;
+	}
+
 	connection = WinHttpConnect(session, L(server), port, 0);
 	if (!connection)
 		goto out;
diff --git a/installer/fetcher/systeminfo.c b/installer/fetcher/systeminfo.c
index 0132196a..3753965e 100644
--- a/installer/fetcher/systeminfo.c
+++ b/installer/fetcher/systeminfo.c
@@ -65,3 +65,10 @@ bool is_win7(void)
 	RtlGetNtVersionNumbers(&maj, &min, &build);
 	return maj == 6 && min == 1;
 }
+
+bool is_win8dotzero_or_below(void)
+{
+	DWORD maj, min, build;
+	RtlGetNtVersionNumbers(&maj, &min, &build);
+	return maj == 6 && min <= 2;
+}
diff --git a/installer/fetcher/systeminfo.h b/installer/fetcher/systeminfo.h
index 12c3444a..bcb2ab9e 100644
--- a/installer/fetcher/systeminfo.h
+++ b/installer/fetcher/systeminfo.h
@@ -11,5 +11,6 @@
 const char *architecture(void);
 const char *useragent(void);
 bool is_win7(void);
+bool is_win8dotzero_or_below(void);
 
 #endif