add an option to specify ssl version

Guanqun Lu · Guanqun Lu · commit 05d88bf4dc95 · 2019-09-26T23:05:09.000+08:00
Fixes #6684
diff --git a/Cargo.toml b/Cargo.toml
@@ -25,8 +25,8 @@ cargo-platform = { path = "crates/cargo-platform", version = "0.1" }
 crates-io = { path = "crates/crates-io", version = "0.28" }
 crossbeam-utils = "0.6"
 crypto-hash = "0.3.1"
-curl = { version = "0.4.21", features = ['http2'] }
-curl-sys = "0.4.18"
+curl = { version = "0.4.23", features = ['http2'] }
+curl-sys = "0.4.21"
 env_logger = "0.7.0"
 pretty_env_logger = { version = "0.3", optional = true }
 failure = "0.1.5"
diff --git a/src/cargo/ops/registry.rs b/src/cargo/ops/registry.rs
@@ -7,7 +7,7 @@ use std::time::Duration;
 use std::{cmp, env};
 
 use crates_io::{NewCrate, NewCrateDependency, Registry};
-use curl::easy::{Easy, InfoType, SslOpt};
+use curl::easy::{Easy, InfoType, SslOpt, SslVersion};
 use failure::{bail, format_err};
 use log::{log, Level};
 use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
@@ -413,12 +413,14 @@ pub fn needs_custom_http_transport(config: &Config) -> CargoResult<bool> {
     let cainfo = config.get_path("http.cainfo")?;
     let check_revoke = config.get_bool("http.check-revoke")?;
     let user_agent = config.get_string("http.user-agent")?;
+    let ssl_version = config.get_string("http.ssl-version")?;
 
     Ok(proxy_exists
         || timeout
         || cainfo.is_some()
         || check_revoke.is_some()
-        || user_agent.is_some())
+        || user_agent.is_some()
+        || ssl_version.is_some())
 }
 
 /// Configure a libcurl http handle with the defaults options for Cargo
@@ -438,6 +440,21 @@ pub fn configure_http_handle(config: &Config, handle: &mut Easy) -> CargoResult<
         handle.useragent(&version().to_string())?;
     }
 
+    if let Some(ssl_version) = config.get_string("http.ssl-version")? {
+        let version = match ssl_version.val.as_str() {
+            "default" => SslVersion::Default,
+            "sslv2" => SslVersion::Sslv2,
+            "sslv3" => SslVersion::Sslv3,
+            "tlsv1" => SslVersion::Tlsv1,
+            "tlsv1.0" => SslVersion::Tlsv10,
+            "tlsv1.1" => SslVersion::Tlsv11,
+            "tlsv1.2" => SslVersion::Tlsv12,
+            "tlsv1.3" => SslVersion::Tlsv13,
+            _ => bail!("Invalid ssl version `{}`, choose from 'default', 'sslv2', 'sslv3', 'tlsv1', 'tlsv1.0', 'tlsv1.1', 'tlsv1.2', 'tlsv1.3'.", &ssl_version.val),
+        };
+        handle.ssl_min_max_version(version, version)?;
+    }
+
     if let Some(true) = config.get::<Option<bool>>("http.debug")? {
         handle.verbose(true)?;
         handle.debug_function(|kind, data| {
diff --git a/src/doc/src/reference/config.md b/src/doc/src/reference/config.md
@@ -107,6 +107,9 @@ proxy = "host:port" # HTTP proxy to use for HTTP requests (defaults to none)
 timeout = 30        # Timeout for each HTTP request, in seconds
 cainfo = "cert.pem" # Path to Certificate Authority (CA) bundle (optional)
 check-revoke = true # Indicates whether SSL certs are checked for revocation
+ssl-version = "tlsv1.3"  # Indicates which SSL version to use (defaults to
+                         # "default", "sslv2", "sslv3", "tlsv1", "tlsv1.0",
+                         # "tlsv1.1", "tlsv1.2", "tlsv1.3")
 low-speed-limit = 5 # Lower threshold for bytes/sec (10 = default, 0 = disabled)
 multiplexing = true # whether or not to use HTTP/2 multiplexing where possible
 
