ctest: Add explicit options for TLS version

Add a dedicated `TLSVersion` ctest option and a `CTEST_TLS_VERSION` variable to control it. Issue: #25701
2025-12-31 19:00:54 -06:00 · 2024-02-29 14:25:04 -05:00
parent 0aba13a2f3
commit 6671f17f65
18 changed files with 62 additions and 2 deletions
--- a/Help/manual/cmake-variables.7.rst
+++ b/Help/manual/cmake-variables.7.rst
@@ -729,6 +729,7 @@ Variables for CTest
   /variable/CTEST_TEST_LOAD
   /variable/CTEST_TEST_TIMEOUT
   /variable/CTEST_TLS_VERIFY
+   /variable/CTEST_TLS_VERSION
   /variable/CTEST_UPDATE_COMMAND
   /variable/CTEST_UPDATE_OPTIONS
   /variable/CTEST_UPDATE_VERSION_ONLY
--- a/Help/manual/ctest.1.rst
+++ b/Help/manual/ctest.1.rst
@@ -1551,6 +1551,15 @@ Configuration settings include:
  * `CTest Script`_ variable: :variable:`CTEST_SUBMIT_INACTIVITY_TIMEOUT`
  * :module:`CTest` module variable: ``CTEST_SUBMIT_INACTIVITY_TIMEOUT``

+``TLSVersion``
+  .. versionadded:: 3.30
+
+  Specify a minimum TLS version allowed when submitting to a dashboard
+  via ``https://`` URLs.
+
+  * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION`
+  * :module:`CTest` module variable: ``CTEST_TLS_VERSION``
+
 ``TLSVerify``
  .. versionadded:: 3.30

--- a/Help/release/dev/curl-tls-version.rst
+++ b/Help/release/dev/curl-tls-version.rst
@@ -17,5 +17,6 @@ curl-tls-version
  to ``https://`` URLs.

 * The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
-  step gained a ``TLSVerify`` option to control negotiation with
-  ``https://`` URLs.  See the :variable:`CTEST_TLS_VERIFY` variable.
+  step gained ``TLSVersion`` and ``TLSVerify`` options to control negotiation
+  with ``https://`` URLs.  See the :variable:`CTEST_TLS_VERSION` and
+  :variable:`CTEST_TLS_VERIFY` variables.
--- a/Help/variable/CTEST_TLS_VERSION.rst
+++ b/Help/variable/CTEST_TLS_VERSION.rst
@@ -0,0 +1,13 @@
+CTEST_TLS_VERSION
+-----------------
+
+.. versionadded:: 3.30
+
+Specify the CTest ``TLSVersion`` setting in a :manual:`ctest(1)`
+:ref:`Dashboard Client` script or in project ``CMakeLists.txt`` code
+before including the :module:`CTest` module.  The value is a minimum
+TLS version allowed when submitting to a dashboard via ``https://`` URLs.
+
+The value may be one of:
+
+.. include:: CMAKE_TLS_VERSION-VALUES.txt
--- a/Modules/DartConfiguration.tcl.in
+++ b/Modules/DartConfiguration.tcl.in
@@ -96,6 +96,7 @@ TimeOut: @DART_TESTING_TIMEOUT@
 TestLoad: @CTEST_TEST_LOAD@

 TLSVerify: @CTEST_TLS_VERIFY@
+TLSVersion: @CTEST_TLS_VERSION@

 UseLaunchers: @CTEST_USE_LAUNCHERS@
 CurlOptions: @CTEST_CURL_OPTIONS@
--- a/Source/CTest/cmCTestCurl.cxx
+++ b/Source/CTest/cmCTestCurl.cxx
@@ -58,6 +58,9 @@ size_t curlDebugCallback(CURL* /*unused*/, curl_infotype /*unused*/,

 cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
 {
+  this->TLSVersionOpt =
+    cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion"));
+
  std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
  if (!tlsVerify.empty()) {
    this->TLSVerifyOpt = cmIsOn(tlsVerify);
@@ -80,6 +83,10 @@ bool cmCTestCurl::InitCurl()
    return false;
  }
  cmCurlSetCAInfo(this->Curl);
+  if (this->CurlOpts.TLSVersionOpt) {
+    curl_easy_setopt(this->Curl, CURLOPT_SSLVERSION,
+                     *this->CurlOpts.TLSVersionOpt);
+  }
  if (this->CurlOpts.TLSVerifyOpt) {
    curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYPEER,
                     *this->CurlOpts.TLSVerifyOpt ? 1 : 0);
--- a/Source/CTest/cmCTestCurl.h
+++ b/Source/CTest/cmCTestCurl.h
@@ -16,6 +16,7 @@ class cmCTest;
 struct cmCTestCurlOpts
 {
  cmCTestCurlOpts(cmCTest* ctest);
+  cm::optional<int> TLSVersionOpt;
  cm::optional<bool> TLSVerifyOpt;
  bool VerifyHostOff = false;
 };
--- a/Source/CTest/cmCTestSubmitCommand.cxx
+++ b/Source/CTest/cmCTestSubmitCommand.cxx
@@ -55,6 +55,8 @@ cmCTestGenericHandler* cmCTestSubmitCommand::InitializeHandler()
      this->Makefile, "DropLocation", "CTEST_DROP_LOCATION", this->Quiet);
  }

+  this->CTest->SetCTestConfigurationFromCMakeVariable(
+    this->Makefile, "TLSVersion", "CTEST_TLS_VERSION", this->Quiet);
  this->CTest->SetCTestConfigurationFromCMakeVariable(
    this->Makefile, "TLSVerify", "CTEST_TLS_VERIFY", this->Quiet);
  this->CTest->SetCTestConfigurationFromCMakeVariable(
--- a/Source/CTest/cmCTestSubmitHandler.cxx
+++ b/Source/CTest/cmCTestSubmitHandler.cxx
@@ -178,6 +178,16 @@ bool cmCTestSubmitHandler::SubmitUsingHTTP(
    curl = curl_easy_init();
    if (curl) {
      cmCurlSetCAInfo(curl);
+      if (curlOpts.TLSVersionOpt) {
+        cm::optional<std::string> tlsVersionStr =
+          cmCurlPrintTLSVersion(*curlOpts.TLSVersionOpt);
+        cmCTestOptionalLog(
+          this->CTest, HANDLER_VERBOSE_OUTPUT,
+          "  Set CURLOPT_SSLVERSION to "
+            << (tlsVersionStr ? *tlsVersionStr : "unknown value") << "\n",
+          this->Quiet);
+        curl_easy_setopt(curl, CURLOPT_SSLVERSION, *curlOpts.TLSVersionOpt);
+      }
      if (curlOpts.TLSVerifyOpt) {
        cmCTestOptionalLog(this->CTest, HANDLER_VERBOSE_OUTPUT,
                           "  Set CURLOPT_SSL_VERIFYPEER to "
--- a/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-result.txt
+++ b/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-result.txt
@@ -0,0 +1 @@
+[^0]
--- a/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stderr.txt
+++ b/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stderr.txt
@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP
--- a/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stdout.txt
+++ b/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stdout.txt
@@ -0,0 +1 @@
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1
--- a/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1.cmake
+++ b/Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1.cmake
@@ -0,0 +1 @@
+include(FailDrop-common.cmake)
--- a/Tests/RunCMake/CTestCommandLine/RunCMakeTest.cmake
+++ b/Tests/RunCMake/CTestCommandLine/RunCMakeTest.cmake
@@ -496,6 +496,7 @@ function(run_FailDrop case)
    ${CMAKE_CTEST_COMMAND} -M Experimental -T Submit -VV
    )
 endfunction()
+run_FailDrop(TLSVersion-1.1 -DCTEST_TLS_VERSION=1.1)
 run_FailDrop(TLSVerify-ON -DCTEST_TLS_VERIFY=ON)
 run_FailDrop(TLSVerify-OFF -DCTEST_TLS_VERIFY=OFF)

--- a/Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-result.txt
+++ b/Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-result.txt
@@ -0,0 +1 @@
+(-1|255)
--- a/Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stderr.txt
+++ b/Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stderr.txt
@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP
--- a/Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stdout.txt
+++ b/Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stdout.txt
@@ -0,0 +1,4 @@
+SetCTestConfigurationFromCMakeVariable:TLSVersion:CTEST_TLS_VERSION
+SetCTestConfiguration:TLSVersion:1\.1
+.*
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1
--- a/Tests/RunCMake/ctest_submit/RunCMakeTest.cmake
+++ b/Tests/RunCMake/ctest_submit/RunCMakeTest.cmake
@@ -57,6 +57,8 @@ run_ctest_submit_FailDrop(http)
 run_ctest_submit_FailDrop(https)
 block()
  set(CASE_DROP_METHOD "https")
+  set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERSION 1.1)")
+  run_ctest(FailDrop-TLSVersion-1.1 -VV)
  set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERIFY ON)")
  run_ctest(FailDrop-TLSVerify-ON -VV)
  set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERIFY OFF)")
				`@@ -0,0 +1 @@`
				`Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1`