From 292754eb8ab9d2b361b088ff16ba0afad54d87f3 Mon Sep 17 00:00:00 2001
From: Sander Maijers
Date: Sun, 17 Mar 2019 12:45:43 +0100
Subject: [PATCH] Force highest TLS version supported

The integrity and confidentiality of the installer script hinges currently on TLS. It is important to enforce the highest version of TLS in the instructions. Also, enforce the `https` scheme. Should redirects occur in the future, then each URL redirected to must be accessed using TLS 1.2 with HTTP, rather than allowing a plain HTTP link in the chain.
---
 rustup-init.sh | 4 ++--
 www/index.html | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/rustup-init.sh b/rustup-init.sh
index 0df9fc3f84..67db937396 100755
--- a/rustup-init.sh
+++ b/rustup-init.sh
@@ -376,9 +376,9 @@ downloader() {
 if [ "$1" = --check ]; then
 need_cmd "$_dld"
 elif [ "$_dld" = curl ]; then
- curl -sSfL "$1" -o "$2"
+ curl --proto =https --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2"
 elif [ "$_dld" = wget ]; then
- wget "$1" -O "$2"
+ wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2"
 else
 err "Unknown downloader" # should not reach here
 fi
diff --git a/www/index.html b/www/index.html
index d9372df965..536b826496 100644
--- a/www/index.html
+++ b/www/index.html
@@ -36,7 +36,7 @@ then follow the onscreen instructions.
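Review bot: Both rewritten download commands in `downloader()` depend on options that older or minimal clients may not have, and nothing in the hunk checks for them first: a curl that predates `--tlsv1.2`, or a wget build without `--https-only` and `--secure-protocol` (BusyBox wget, as far as I know), would stop on an option-parsing error instead of downloading. Probing the client's help output before the call and failing with an explicit message keeps the TLS requirement while telling the user what to upgrade; the sketch below shows this for the curl branch, the wget branch needs the same check, and it assumes `err` is fatal, as its use in the `else` arm suggests. Separately, curl's `--tlsv1.2` sets a minimum version, whereas `--secure-protocol=TLSv1_2` may pin wget to exactly TLS 1.2 on some builds, so the two branches may not enforce the same policy. `downloader()` starts and ends outside this hunk.

```sh
    elif [ "$_dld" = curl ]; then
        # Refuse to run with a curl that cannot enforce the policy, and say why,
        # rather than letting the download die on an unknown-option error.
        if ! curl --help all 2>&1 | grep -q -- '--tlsv1.2'; then
            err "curl does not support --tlsv1.2; upgrade curl to install over TLS 1.2 or newer"
        fi
        curl --proto =https --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2"
    # … unchanged: wget branch, else/err fallback …
```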

If you're a Windows Subsystem for Linux user run the following in your terminal, then follow the onscreen instructions to install Rust.

-
curl https://sh.rustup.rs -sSf | sh
+
curl --proto =https --tlsv1.2 -sSf https://sh.rustup.rs | sh

You appear to be running Windows 32-bit. If not, display all supported installers.