file(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default

Fixes: #25701
2025-12-31 19:00:54 -06:00 · 2024-09-23 14:47:04 -04:00
parent 0acff8e622
commit 5e1a59dc2b
8 changed files with 39 additions and 8 deletions
--- a/Help/command/file.rst
+++ b/Help/command/file.rst
@@ -811,6 +811,10 @@ Transfer
      environment variable will be used instead.
      See :variable:`CMAKE_TLS_VERSION` for allowed values.

+      .. versionchanged:: 3.31
+        The default is TLS 1.2.
+        Previously, no minimum version was enforced by default.
+
    ``TLS_VERIFY <ON|OFF>``
      Specify whether to verify the server certificate for ``https://`` URLs.
      If this option is not specified, the value of the
--- a/Help/release/dev/curl-tls-version.rst
+++ b/Help/release/dev/curl-tls-version.rst
@@ -0,0 +1,6 @@
+curl-tls-version
+----------------
+
+* The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now
+  require TLS 1.2 or higher for connections to ``https://`` URLs by default.
+  See the :variable:`CMAKE_TLS_VERSION` variable for details.
--- a/Help/variable/CMAKE_TLS_VERSION.rst
+++ b/Help/variable/CMAKE_TLS_VERSION.rst
@@ -7,6 +7,11 @@ Specify the default value for the :command:`file(DOWNLOAD)` and
 :command:`file(UPLOAD)` commands' ``TLS_VERSION`` option.
 If this variable is not set, the commands check the
 :envvar:`CMAKE_TLS_VERSION` environment variable.
+If neither is set, the default is TLS 1.2.
+
+.. versionchanged:: 3.31
+  The default is TLS 1.2.
+  Previously, no minimum version was enforced by default.

 The value may be one of:

--- a/Source/cmFileCommand.cxx
+++ b/Source/cmFileCommand.cxx
@@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector<std::string> const& args,
 #if !defined(CMAKE_BOOTSTRAP)

 const bool TLS_VERIFY_DEFAULT = true;
+const std::string TLS_VERSION_DEFAULT = "1.2";

 // Stuff for curl download/upload
 using cmFileCommandVectorOfChar = std::vector<char>;
@@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
      tlsVersionOpt = std::move(v);
    }
  }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }

  // Can't calculate hash if we don't save the file.
  // TODO Incrementally calculate hash in the write callback as the file is
@@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
  if (tlsVersionOpt.has_value()) {
    if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
      res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
      check_curl_result(res,
                        cmStrCat("DOWNLOAD cannot set TLS/SSL version ",
                                 *tlsVersionOpt, ": "));
@@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
      tlsVersionOpt = std::move(v);
    }
  }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }

  // Open file for reading:
  //
@@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
  if (tlsVersionOpt.has_value()) {
    if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
      res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
      check_curl_result(
        res,
        cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": "));
--- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt
@@ -1,4 +1,4 @@
-- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
--- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt
@@ -1,4 +1,4 @@
-- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
--- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt
@@ -1,3 +1,4 @@
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
--- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake
@@ -19,12 +19,10 @@ else()
  set(TEST_TLSv1_1 0)
 endif()

-if(TEST_TLSv1_1)
-  # The default is to allow 1.1.
-  unset(ENV{CMAKE_TLS_VERSION})
-  unset(CMAKE_TLS_VERSION)
-  download(def-1.1)
-endif()
+# The default is to require 1.2.
+unset(ENV{CMAKE_TLS_VERSION})
+unset(CMAKE_TLS_VERSION)
+download(def-1.2)

 # The environment variable overrides the default.
 set(ENV{CMAKE_TLS_VERSION} 1.2)