-rw-r--r--CHANGELOG.md1
-rw-r--r--mullvad-rpc/src/https_client_with_sni.rs3
2 files changed, 3 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c89daa4b0e..e0714f35fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ Line wrap the file at 100 chars. Th
security patches.
- Allow provider constraint to specify multiple hosting providers.
- Only download a new relay list if it has been modified.
+- Connect to the API only via TLS 1.3
#### Android
- WireGuard key is now rotated sooner: every four days instead of seven.
diff --git a/mullvad-rpc/src/https_client_with_sni.rs b/mullvad-rpc/src/https_client_with_sni.rs
index b80b2db95b..c8ac8e833d 100644
--- a/mullvad-rpc/src/https_client_with_sni.rs
+++ b/mullvad-rpc/src/https_client_with_sni.rs
@@ -25,7 +25,7 @@ use std::{
};
use tokio::{net::TcpStream as TokioTcpStream, runtime::Handle, time::timeout};
-use tokio_rustls::rustls;
+use tokio_rustls::rustls::{self, ProtocolVersion};
use webpki::DNSNameRef;
// Old LetsEncrypt root certificate
@@ -65,6 +65,7 @@ impl HttpsConnectorWithSni {
let mut config = rustls::ClientConfig::new();
config.enable_sni = true;
config.root_store = Self::read_cert_store();
+ config.versions = vec![ProtocolVersion::TLSv1_3];
HttpsConnectorWithSni {
next_socket_id: 0,
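Review bot: The added `config.versions = vec![ProtocolVersion::TLSv1_3];` has no comment recording that leaving TLS 1.2 out is a deliberate policy, so a later refactor of this constructor could restore the rustls default version list without anyone noticing the downgrade. I would put `// Offer TLS 1.3 only: never let the API connection negotiate down to TLS 1.2.` directly above it. The client will now fail the handshake against any endpoint or intercepting middlebox that speaks only TLS 1.2, so it is worth confirming that the error path reports this as a TLS version failure rather than a generic connect error; that handling is not visible here. The enclosing constructor in `impl HttpsConnectorWithSni` starts and ends outside the hunk.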