[vcpkg] Restrict telemetry uploads to TLS 1.2 (#11213)

* [vcpkg] Restrict telemetry uploads to TLS 1.2, as required by Azure security policy. Co-authored-by: nicole mazzuca <mazzucan@outlook.com>
2025-02-23 02:57:09 +01:00 · 2020-05-07 14:20:14 -07:00 · 2020-05-07 14:20:14 -07:00 · d7d410b50b
commit d7d410b50b
parent b07e46b368
3 changed files with 13 additions and 4 deletions
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -100,7 +100,7 @@ vcpkgDownloadFile()
    url=$1; downloadPath=$2 sha512=$3
    vcpkgCheckRepoTool "curl"
    rm -rf "$downloadPath.part"
-    curl -L $url --create-dirs --retry 3 --output "$downloadPath.part" || exit 1
+    curl -L $url --tlsv1.2 --create-dirs --retry 3 --output "$downloadPath.part" || exit 1

    vcpkgCheckEqualFileHash $url "$downloadPath.part" $sha512
    mv "$downloadPath.part" "$downloadPath"
--- a/toolsrc/CMakeLists.txt
+++ b/toolsrc/CMakeLists.txt
@ -114,6 +114,9 @@ file(GLOB_RECURSE VCPKGLIB_SOURCES CONFIGURE_DEPENDS src/vcpkg/*.cpp)
 add_library(vcpkglib OBJECT ${VCPKGLIB_SOURCES})

 add_executable(vcpkg src/vcpkg.cpp $<TARGET_OBJECTS:vcpkglib>)
+if(WIN32)
+    add_executable(vcpkgmetricsuploader WIN32 src/vcpkgmetricsuploader.cpp $<TARGET_OBJECTS:vcpkglib>)
+endif()

 if (BUILD_TESTING)
    file(GLOB_RECURSE VCPKGTEST_SOURCES CONFIGURE_DEPENDS src/vcpkg-test/*.cpp)
@ -154,4 +157,3 @@ if(MSVC)
    target_sources(vcpkglib PRIVATE src/pch.cpp)
    target_compile_options(vcpkglib PRIVATE /Yupch.h /FIpch.h /Zm200)
 endif()
-
--- a/toolsrc/src/vcpkg/metrics.cpp
+++ b/toolsrc/src/vcpkg/metrics.cpp
@ -315,9 +315,15 @@ namespace vcpkg::Metrics

        const HINTERNET session = WinHttpOpen(
            L"vcpkg/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
-        if (session) connect = WinHttpConnect(session, L"dc.services.visualstudio.com", INTERNET_DEFAULT_HTTPS_PORT, 0);
+
+        unsigned long secure_protocols = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+        if (session && WinHttpSetOption(session, WINHTTP_OPTION_SECURE_PROTOCOLS, &secure_protocols, sizeof(DWORD)))
+        {
+            connect = WinHttpConnect(session, L"dc.services.visualstudio.com", INTERNET_DEFAULT_HTTPS_PORT, 0);
+        }

        if (connect)
+        {
            request = WinHttpOpenRequest(connect,
                                         L"POST",
                                         L"/v2/track",
@ -325,6 +331,7 @@ namespace vcpkg::Metrics
                                         WINHTTP_NO_REFERER,
                                         WINHTTP_DEFAULT_ACCEPT_TYPES,
                                         WINHTTP_FLAG_SECURE);
+        }

        if (request)
        {
@ -448,7 +455,7 @@ namespace vcpkg::Metrics
 #else
        auto escaped_path = Strings::escape_string(vcpkg_metrics_txt_path.u8string(), '\'', '\\');
        const std::string cmd_line = Strings::format(
-            R"((curl "https://dc.services.visualstudio.com/v2/track" -H "Content-Type: application/json" -X POST --data '@%s' >/dev/null 2>&1; rm '%s') &)",
+            R"((curl "https://dc.services.visualstudio.com/v2/track" -H "Content-Type: application/json" -X POST --tlsv1.2 --data '@%s' >/dev/null 2>&1; rm '%s') &)",
            escaped_path,
            escaped_path);
        System::cmd_execute_clean(cmd_line);