From b311197d413f2952e87f66fa94f338ff0f29730f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Commaille?=
Date: Sat, 8 Feb 2025 12:23:43 +0100
Subject: [PATCH] feat(sdk): Only allow TLS 1.2 or newer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As recommended by BCP 195. It shouldn't be a problem with rustls that only supports TLS 1.2 and 1.3, but with native-tls it depends on the implementation.

Signed-off-by: Kévin Commaille
---
 crates/matrix-sdk/CHANGELOG.md | 1 +
 crates/matrix-sdk/src/http_client/native.rs | 10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/crates/matrix-sdk/CHANGELOG.md b/crates/matrix-sdk/CHANGELOG.md
index d34a1fe7e..19099d0fb 100644
--- a/crates/matrix-sdk/CHANGELOG.md
+++ b/crates/matrix-sdk/CHANGELOG.md
@@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file.
 - The `MediaRetentionPolicy` can now trigger regular cleanups with its new `cleanup_frequency` setting. ([#4603](https://github.com/matrix-org/matrix-rust-sdk/pull/4603))
+- The HTTP client only allows TLS 1.2 or newer, as recommended by BCP 195.
 ### Bug Fixes
diff --git a/crates/matrix-sdk/src/http_client/native.rs b/crates/matrix-sdk/src/http_client/native.rs
index 55ccb4da3..102c2d7e8 100644
--- a/crates/matrix-sdk/src/http_client/native.rs
+++ b/crates/matrix-sdk/src/http_client/native.rs
@@ -24,7 +24,7 @@ use bytes::Bytes;
 use bytesize::ByteSize;
 use eyeball::SharedObservable;
 use http::header::CONTENT_LENGTH;
-use reqwest::Certificate;
+use reqwest::{tls, Certificate};
 use ruma::api::{error::FromHttpResponseError, IncomingResponse, OutgoingRequest};
 use tracing::{debug, info, warn};
@@ -148,8 +148,12 @@ impl HttpSettings {
 /// Build a client with the specified configuration.
 pub(crate) fn make_client(&self) -> Result {
 let user_agent = self.user_agent.clone().unwrap_or_else(|| "matrix-rust-sdk".to_owned());
- let mut http_client =
- reqwest::Client::builder().user_agent(user_agent).timeout(self.timeout);
+ let mut http_client = reqwest::Client::builder()
+ .user_agent(user_agent)
+ .timeout(self.timeout)
+ // As recommended by BCP 195.
+ // See: https://datatracker.ietf.org/doc/bcp195/
+ .min_tls_version(tls::Version::TLS_1_2);
 if self.disable_ssl_verification {
 warn!("SSL verification disabled in the HTTP client!");
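Review bot: The rustdoc on `make_client` still reads only "Build a client with the specified configuration", so the TLS floor added to the builder chain is discoverable only by reading the body, and `HttpSettings` does not appear to offer a way to lower it. I'd state it in the doc comment, e.g. `/// The resulting client refuses TLS versions older than 1.2 (BCP 195); this floor is not configurable through `HttpSettings`.` The commit message notes that enforcement under native-tls depends on the platform library, which is a useful caveat for the inline comment too, e.g. `// With the native-tls backend this floor is enforced by the platform TLS library.` Whether the floor still applies when `disable_ssl_verification` is set depends on the code after this hunk; certificate validation and protocol-version negotiation are separate controls, so it is worth confirming and saying so. `make_client` continues past the end of the hunk.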