From d224c018fe807a733b82973214782e5c24c1ce76 Mon Sep 17 00:00:00 2001
From: Brad King
Date: Thu, 9 May 2024 08:54:56 -0400
Subject: [PATCH 1/3] nghttp2: Skip "Using system-installed" message if using system curl

We only use the system nghttp2 when `CMAKE_USE_SYSTEM_NGHTTP2` is ON and `CMAKE_USE_SYSTEM_CURL` is OFF.
---
 CMakeLists.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5f661a9a71..e8537eded2 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -215,6 +215,10 @@ macro(CMAKE_HANDLE_SYSTEM_LIBRARIES)
 mark_as_advanced(CMAKE_USE_SYSTEM_KWIML)
 # Mention to the user what system libraries are being used.
+ if(CMAKE_USE_SYSTEM_CURL)
+ # Avoid messaging about curl-only dependencies.
+ list(REMOVE_ITEM UTILITIES NGHTTP2)
+ endif()
 foreach(util IN LISTS UTILITIES ITEMS KWIML)
 if(CMAKE_USE_SYSTEM_${util})
 message(STATUS "Using system-installed ${util}")
From d3cbee99e3c998d5821add091b426661f09f19f8 Mon Sep 17 00:00:00 2001
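Review bot: `list(REMOVE_ITEM UTILITIES NGHTTP2)` in the `CMakeLists.txt` hunk of patch 1/3 edits the list in place, and because `CMAKE_HANDLE_SYSTEM_LIBRARIES` is a macro the change lands in the caller's scope, so any code after the reporting loop that still reads `UTILITIES` would no longer see NGHTTP2. Filtering a copy keeps the suppression local to the message: `set(reported_utils ${UTILITIES})` before the `if`, `list(REMOVE_ITEM reported_utils NGHTTP2)` inside it, and `foreach(util IN LISTS reported_utils ITEMS KWIML)` for the loop. The macro body starts and ends outside the hunk, so whether `UTILITIES` is read again later is not visible here.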
From: Brad King
Date: Thu, 9 May 2024 09:01:46 -0400
Subject: [PATCH 2/3] macOS: Prefer building with system-provided curl

Our vendored curl only enables the Secure Transport backend by default (`CURL_SSL_BACKEND=secure-transport`), but it is limited to TLS 1.2. The macOS SDK provides the curl development components, and the corresponding `libcurl.4.dylib` runtime library comes with macOS. On macOS 12 and above, the default `CURL_SSL_BACKEND=openssl` backend seems to be capable of selecting TLS 1.3 at runtime for https connections. Unfortunately the macOS version of curl, even on macOS 14.4, does not accept `CURL_SSLVERSION_TLSv1_3` at runtime to enforce TLS 1.3. However, while our vendored curl accepts the option and passes it to Secure Transport, macOS does not actually enforce it anyway.
Fixes: #25870
Fixes: #23701
---
 .gitlab/ci/configure_macos_arm64_ninja.cmake | 2 +-
 .gitlab/ci/configure_macos_x86_64_makefiles.cmake | 2 +-
 .gitlab/ci/configure_macos_x86_64_ninja.cmake | 2 +-
 CMakeLists.txt | 3 +++
 bootstrap | 4 ++--
 5 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/.gitlab/ci/configure_macos_arm64_ninja.cmake b/.gitlab/ci/configure_macos_arm64_ninja.cmake
index 9611f0b1f3..de0ffc0aaf 100644
--- a/.gitlab/ci/configure_macos_arm64_ninja.cmake
+++ b/.gitlab/ci/configure_macos_arm64_ninja.cmake
@@ -8,7 +8,7 @@ set(CMake_TEST_FindOpenMP_CXX "ON" CACHE BOOL "")
 set(CMake_TEST_GUI "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
-set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_macos_x86_64_makefiles.cmake b/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
index ed25f68c43..43505dbdc4 100644
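Review bot: The switch of `CMake_TEST_TLS_VERSION` to "1.2" in `configure_macos_arm64_ninja.cmake` carries no comment, so the file gives no reason why the macOS jobs now test a lower TLS floor than before; the same applies to the identical hunks in `configure_macos_x86_64_makefiles.cmake` and `configure_macos_x86_64_ninja.cmake`. The commit message has the reason, and a comment above the `set` in each file would keep it next to the value: `# The system curl on macOS does not accept CURL_SSLVERSION_TLSv1_3, so test with TLS 1.2.`. Without it a later reader may take 1.2 for a stale value, or not notice when the floor can be raised back to 1.3.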
--- a/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
+++ b/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
@@ -8,7 +8,7 @@ if (NOT "$ENV{CMAKE_CI_NIGHTLY}" STREQUAL "")
 endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
-set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_macos_x86_64_ninja.cmake b/.gitlab/ci/configure_macos_x86_64_ninja.cmake
index 0feafa2f8c..83d1e2c304 100644
--- a/.gitlab/ci/configure_macos_x86_64_ninja.cmake
+++ b/.gitlab/ci/configure_macos_x86_64_ninja.cmake
@@ -11,7 +11,7 @@ if (NOT "$ENV{CMAKE_CI_NIGHTLY}" STREQUAL "")
 endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
-set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e8537eded2..081bd7d1d8 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -178,6 +178,9 @@ macro(CMAKE_HANDLE_SYSTEM_LIBRARIES)
 string(TOLOWER "${util}" lutil)
 set(CMAKE_USE_SYSTEM_${util} "${CMAKE_USE_SYSTEM_LIBRARY_${util}}" CACHE BOOL "Use system-installed ${lutil}" FORCE)
+ elseif(util STREQUAL "CURL" AND APPLE)
+ # macOS provides a curl with backends configured by Apple.
+ set(CMAKE_USE_SYSTEM_LIBRARY_${util} ON)
 else()
 set(CMAKE_USE_SYSTEM_LIBRARY_${util} OFF)
 endif()
diff --git a/bootstrap b/bootstrap
index 60e5638171..3abeec66b9 100755
--- a/bootstrap
+++ b/bootstrap
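Review bot: The new `elseif` branch in the `CMakeLists.txt` hunk tests `APPLE`, but its comment and the commit message speak only of macOS; CMake sets `APPLE` for every Apple target platform, so the vendored-curl default is dropped more widely than the comment says. If only macOS is meant, `elseif(util STREQUAL "CURL" AND CMAKE_SYSTEM_NAME STREQUAL "Darwin")` states that; otherwise the comment should read `# Apple platforms provide a curl with backends configured by Apple.`. Since the TLS stack in the resulting binary now follows the host OS, the comment could also mention that setting `CMAKE_USE_SYSTEM_CURL` to OFF restores the vendored copy. The enclosing macro and the `if` that opens this chain are outside the hunk.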
@@ -684,8 +684,8 @@ Configuration:
 (default)
 --system-cppdap use system-installed cppdap library
 --no-system-cppdap use cmake-provided cppdap library (default)
- --system-curl use system-installed curl library
- --no-system-curl use cmake-provided curl library (default)
+ --system-curl use system-installed curl library (default on macOS)
+ --no-system-curl use cmake-provided curl library (default elsewhere)
 --system-expat use system-installed expat library
 --no-system-expat use cmake-provided expat library (default)
 --system-jsoncpp use system-installed jsoncpp library
From 31884a714645c866438ed26999661db51b3e743d Mon Sep 17 00:00:00 2001
From: Brad King
Date: Thu, 9 May 2024 09:26:43 -0400
Subject: [PATCH 3/3] ci: Add nightly job to build CMake with vendored curl on macOS

We now build with the system curl on macOS by default. Explicitly test that the vendored curl still works.
---
 .gitlab-ci.yml | 23 +++++++++++++++++++++
 .gitlab/ci/configure_macos_arm64_curl.cmake | 12 +++++++++++
 .gitlab/os-macos.yml | 7 +++++++
 3 files changed, 42 insertions(+)
 create mode 100644 .gitlab/ci/configure_macos_arm64_curl.cmake

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a3d959c417..e2e0959425 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -821,6 +821,16 @@ b:macos-arm64-ninja-symlinked:
 variables:
 CMAKE_CI_JOB_NIGHTLY: "true"
+b:macos-arm64-curl:
+ extends:
+ - .macos_arm64_curl
+ - .cmake_build_macos
+ - .cmake_build_artifacts
+ - .macos_arm64_tags
+ - .run_manually
+ variables:
+ CMAKE_CI_JOB_NIGHTLY: "true"
+
 b:macos-arm64-pch:
 extends:
 - .macos_arm64_pch
@@ -874,6 +884,19 @@ t:macos-arm64-ninja-symlinked:
 CMAKE_CI_JOB_NIGHTLY: "true"
 CMAKE_CI_JOB_NIGHTLY_NINJA: "true"
+t:macos-arm64-curl:
+ extends:
+ - .macos_arm64_curl
+ - .cmake_test_macos
+ - .macos_arm64_tags
+ - .run_dependent
+ dependencies:
+ - b:macos-arm64-curl
+ needs:
+ - b:macos-arm64-curl
+ variables:
+ CMAKE_CI_JOB_NIGHTLY: "true"
+
 b:macos-x86_64-makefiles:
 extends:
 - .macos_x86_64_makefiles
diff --git a/.gitlab/ci/configure_macos_arm64_curl.cmake b/.gitlab/ci/configure_macos_arm64_curl.cmake
new file mode 100644
index 0000000000..af49873680
--- /dev/null
+++ b/.gitlab/ci/configure_macos_arm64_curl.cmake
@@ -0,0 +1,12 @@
+# Build with our vendored curl instead of the default system version.
+set(CMAKE_USE_SYSTEM_CURL "OFF" CACHE BOOL "")
+
+set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
+set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
+
+# Test that our vendored curl accepts CURL_SSLVERSION_TLSv1_3. It is passed
+# through to Secure Transport, but macOS does not actually enforce it.
+set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+
+include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
+include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/os-macos.yml b/.gitlab/os-macos.yml
index 894d6242cf..2b265ea490 100644
--- a/.gitlab/os-macos.yml
+++ b/.gitlab/os-macos.yml
@@ -47,6 +47,13 @@
 CMAKE_CI_IN_SYMLINK_TREE: 1
 CMAKE_CI_BUILD_DIR: "real_work/work/build"
+.macos_arm64_curl:
+ extends: .macos_build
+
+ variables:
+ CMAKE_CONFIGURATION: macos_arm64_curl
+ CTEST_NO_WARNINGS_ALLOWED: 1
+
 .macos_arm64_pch:
 extends: .macos_arm64_ninja