Polish up new secure options

src/helpers.rs

@@ -6,7 +6,7 @@ use cargo_toml::Manifest;
 use futures_util::stream::Stream;
 use log::debug;
 use once_cell::sync::OnceCell;
-use reqwest::{Client, ClientBuilder, Method, Response};
+use reqwest::{Client, ClientBuilder, Method, Response, tls};
 use serde::Serialize;
 use tinytemplate::TinyTemplate;
 use tokio::task::block_in_place;
@@ -32,8 +32,14 @@ pub use path_ext::*;
 mod tls_version;
 pub use tls_version::TLSVersion;
 
-/// (enable https only mode, min TLS version_option)
+#[derive(Debug)]
-pub static REQWESTGLOBALCONFIG: OnceCell<(bool, Option<TLSVersion>)> = OnceCell::new();
+pub struct ReqwestConfig {
+    pub secure: bool,
+    pub min_tls: Option<tls::Version>,
+}
+
+/// (secure mode, min TLS version)
+pub static REQWESTGLOBALCONFIG: OnceCell<ReqwestConfig> = OnceCell::new();
 
 /// Load binstall metadata from the crate `Cargo.toml` at the provided path
 pub fn load_manifest_path<P: AsRef<Path>>(
@@ -53,15 +59,15 @@ pub fn load_manifest_path<P: AsRef<Path>>(
 pub fn new_reqwest_client_builder() -> ClientBuilder {
     let mut builder = ClientBuilder::new();
 
-    if let Some((https_only, min_tls_ver_opt)) = REQWESTGLOBALCONFIG.get() {
+    if let Some(ReqwestConfig { secure, min_tls }) = REQWESTGLOBALCONFIG.get() {
-        builder = builder.https_only(*https_only);
+        if *secure {
-
+            builder = builder
-        if *https_only {
+                .https_only(true)
-            builder = builder.min_tls_version(reqwest::tls::Version::TLS_1_2);
+                .min_tls_version(tls::Version::TLS_1_2)
         }
 
-        if let Some(min_tls_ver) = *min_tls_ver_opt {
+        if let Some(ver) = *min_tls {
-            builder = builder.min_tls_version(min_tls_ver.into());
+            builder = builder.min_tls_version(ver);
         }
     }
 

src/helpers/tls_version.rs

@@ -3,7 +3,9 @@ use reqwest::tls::Version;
 
 #[derive(Debug, Copy, Clone, ArgEnum)]
 pub enum TLSVersion {
+    #[clap(name = "1.2")]
     Tls1_2,
+    #[clap(name = "1.3")]
     Tls1_3,
 }
 

src/main.rs

@@ -88,15 +88,22 @@ struct Options {
     #[clap(long)]
     no_cleanup: bool,
 
-    /// Enable https only mode.
+    /// Enforce downloads over secure transports only.
     ///
-    /// When https only mode is enabled, it will also set
+    /// Insecure HTTP downloads will be removed completely in the future; in the meantime this
-    /// minimum TLS version to tls1_2.
+    /// option forces a fail when the remote endpoint uses plaintext HTTP or insecure TLS suites.
+    ///
+    /// Without this option, plain HTTP will warn.
+    ///
+    /// Implies `--min-tls-version=1.2`.
     #[clap(long)]
-    https_only_mode: bool,
+    secure: bool,
 
-    /// Decide which TLS version to use.
+    /// Require a minimum TLS version from remote endpoints.
-    #[clap(long, arg_enum)]
+    ///
+    /// The default is not to require any minimum TLS version, and use the negotiated highest
+    /// version available to both this client and the remote server.
+    #[clap(long, arg_enum, value_name = "VERSION")]
     min_tls_version: Option<TLSVersion>,
 
     /// Override manifest source.
@@ -194,7 +201,7 @@ async fn entry() -> Result<()> {
 
     // Initialize REQWESTGLOBALCONFIG
     REQWESTGLOBALCONFIG
-        .set((opts.https_only_mode, opts.min_tls_version))
+        .set(ReqwestConfig { secure: opts.secure, min_tls: opts.min_tls_version.map(|v| v.into()) })
         .unwrap();
 
     // Setup logging