Auto merge of #11307 - ehuss:update-curl, r=epage

bors · bors · commit 9e0b10f5cdb2 · 2022-10-28T01:53:51.000Z
Update libcurl This updates to the latest libcurl from 7.83.1 to 7.86.0. There are extensive changes documented thoroughly at https://curl.se/changes.html. There are 5 CVEs as documented at https://curl.se/docs/security.html, though none of them look particularly serious for our use case. This adds a limit of TLS 1.2 for Windows. There have been some issues with TLS 1.3 (which was recently added), and I'm not confident enabling it, yet. Perhaps some day in the future when it looks like it is more reliable, the limit can be removed.
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,8 +21,8 @@ bytesize = "1.0"
 cargo-platform = { path = "crates/cargo-platform", version = "0.1.2" }
 cargo-util = { path = "crates/cargo-util", version = "0.2.1" }
 crates-io = { path = "crates/crates-io", version = "0.34.0" }
-curl = { version = "0.4.43", features = ["http2"] }
-curl-sys = "0.4.55"
+curl = { version = "0.4.44", features = ["http2"] }
+curl-sys = "0.4.58"
 env_logger = "0.9.0"
 pretty_env_logger = { version = "0.4", optional = true }
 anyhow = "1.0"
diff --git a/src/cargo/ops/registry.rs b/src/cargo/ops/registry.rs
@@ -678,6 +678,24 @@ pub fn configure_http_handle(config: &Config, handle: &mut Easy) -> CargoResult<
                 handle.ssl_min_max_version(min_version, max_version)?;
             }
         }
+    } else if cfg!(windows) {
+        // This is a temporary workaround for some bugs with libcurl and
+        // schannel and TLS 1.3.
+        //
+        // Our libcurl on Windows is usually built with schannel.
+        // On Windows 11 (or Windows Server 2022), libcurl recently (late
+        // 2022) gained support for TLS 1.3 with schannel, and it now defaults
+        // to 1.3. Unfortunately there have been some bugs with this.
+        // https://github.com/curl/curl/issues/9431 is the most recent. Once
+        // that has been fixed, and some time has passed where we can be more
+        // confident that the 1.3 support won't cause issues, this can be
+        // removed.
+        //
+        // Windows 10 is unaffected. libcurl does not support TLS 1.3 on
+        // Windows 10. (Windows 10 sorta had support, but it required enabling
+        // an advanced option in the registry which was buggy, and libcurl
+        // does runtime checks to prevent it.)
+        handle.ssl_min_max_version(SslVersion::Default, SslVersion::Tlsv12)?;
     }
 
     if let Some(true) = http.debug {
