change

steffengy · Sep 21, 2024 · c5017d2 · c5017d2
1 parent 45ff647
commit c5017d2
Showing 1 changed file with 11 additions and 9 deletions.
diff --git a/src/schannel_cred.rs b/src/schannel_cred.rs
@@ -244,15 +244,15 @@ impl Builder {
 
     /// Creates a new `SchannelCred`.
     pub fn acquire(&self, direction: Direction) -> io::Result<SchannelCred> {
+        let mut enabled_protocols: u32 = 0;
+        if let Some(ref enable_list) = self.enabled_protocols {
+            enabled_protocols = enable_list
+                .iter()
+                .map(|p| p.dword(direction))
+                .fold(0, |acc, p| acc | p);
+        }
+
         unsafe {
-            let mut enabled_protocols: u32 = 0;
-            if let Some(ref enable_list) = self.enabled_protocols {
-                enabled_protocols = enable_list
-                    .iter()
-                    .map(|p| p.dword(direction))
-                    .fold(0, |acc, p| acc | p);
-            }
-
             let mut cred_data: Identity::SCHANNEL_CRED = mem::zeroed();
             cred_data.dwVersion = Identity::SCHANNEL_CRED_VERSION;
             cred_data.dwFlags = Identity::SCH_USE_STRONG_CRYPTO | Identity::SCH_CRED_NO_DEFAULT_CREDS;
@@ -271,7 +271,9 @@ impl Builder {
             } else if verify_min_os_build(10, 17763).is_some() {
                 // If no algorithms specified and should be supported, use new SCH_CREDENTIALS interface which supports TLS1.3.
                 // Although we check for win10 build 17763 above, I have only seen this work on win 11.
-                tls_param.grbitDisabledProtocols = !enabled_protocols;
+                if enabled_protocols != 0 {
+                    tls_param.grbitDisabledProtocols = !enabled_protocols;
+                }
                 // TODO: support something to select tls13-ciphers
                 cred_data2.dwVersion = Identity::SCH_CREDENTIALS_VERSION;
                 cred_data2.dwFlags = Identity::SCH_USE_STRONG_CRYPTO | Identity::SCH_CRED_NO_DEFAULT_CREDS;