1 files changed, 17 insertions, 2 deletions

diff --git a/updater/winhttp/winhttp.go b/updater/winhttp/winhttp.go
index ac390a4f..cb19f194 100644
--- a/updater/winhttp/winhttp.go
+++ b/updater/winhttp/winhttp.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
  *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
  */
 
 package winhttp
@@ -21,11 +21,13 @@ import (
 type Session struct {
 	handle _HINTERNET
 }
+
 type Connection struct {
 	handle  _HINTERNET
 	session *Session
 	https   bool
 }
+
 type Response struct {
 	handle     _HINTERNET
 	connection *Connection
@@ -48,6 +50,11 @@ func isWin7() bool {
 	return maj < 6 || (maj == 6 && min <= 1)
 }
 
+func isWin8DotZeroOrBelow() bool {
+	maj, min, _ := windows.RtlGetNtVersionNumbers()
+	return maj < 6 || (maj == 6 && min <= 2)
+}
+
 func NewSession(userAgent string) (session *Session, err error) {
 	session = new(Session)
 	defer convertError(&err)
@@ -69,9 +76,17 @@ func NewSession(userAgent string) (session *Session, err error) {
 	if err != nil {
 		return
 	}
-	var enableHttp2 uint32 = 1
+	var enableHttp2 uint32 = _WINHTTP_PROTOCOL_FLAG_HTTP2
 	_ = winHttpSetOption(session.handle, _WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, unsafe.Pointer(&enableHttp2), uint32(unsafe.Sizeof(enableHttp2))) // Don't check return value, in case of old Windows
 
+	if isWin8DotZeroOrBelow() {
+		var enableTLS12 uint32 = _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2
+		err = winHttpSetOption(session.handle, _WINHTTP_OPTION_SECURE_PROTOCOLS, unsafe.Pointer(&enableTLS12), uint32(unsafe.Sizeof(enableTLS12)))
+		if err != nil {
+			return
+		}
+	}
+
 	runtime.SetFinalizer(session, func(session *Session) {
 		session.Close()
 	})