Merge topic 'curl-tls-version'

38390245a2 ctest: Require minimum TLS 1.2 by default 5e1a59dc2b file(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default Acked-by: Kitware Robot <kwrobot@kitware.com> Acked-by: buildbot <buildbot@kitware.com> Merge-request: !9848
2026-04-24 07:08:38 -05:00 · 2024-09-27 12:02:13 +00:00
parent 5701ba7484 38390245a2
commit f7e2422c3e
10 changed files with 51 additions and 8 deletions
@@ -811,6 +811,10 @@ Transfer
      environment variable will be used instead.
      See :variable:`CMAKE_TLS_VERSION` for allowed values.

+      .. versionchanged:: 3.31
+        The default is TLS 1.2.
+        Previously, no minimum version was enforced by default.
+
    ``TLS_VERIFY <ON|OFF>``
      Specify whether to verify the server certificate for ``https://`` URLs.
      If this option is not specified, the value of the
@@ -1560,6 +1560,10 @@ Configuration settings include:
  * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION`
  * :module:`CTest` module variable: ``CTEST_TLS_VERSION``

+  .. versionchanged:: 3.31
+    The default is TLS 1.2.
+    Previously, no minimum version was enforced by default.
+
 ``TLSVerify``
  .. versionadded:: 3.30

@@ -0,0 +1,10 @@
+curl-tls-version
+----------------
+
+* The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now
+  require TLS 1.2 or higher for connections to ``https://`` URLs by default.
+  See the :variable:`CMAKE_TLS_VERSION` variable for details.
+
+* The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
+  step now require TLS 1.2 or higher for connections to ``https://`` URLs by
+  default.  See the :variable:`CTEST_TLS_VERSION` variable for details.
@@ -7,6 +7,11 @@ Specify the default value for the :command:`file(DOWNLOAD)` and
 :command:`file(UPLOAD)` commands' ``TLS_VERSION`` option.
 If this variable is not set, the commands check the
 :envvar:`CMAKE_TLS_VERSION` environment variable.
+If neither is set, the default is TLS 1.2.
+
+.. versionchanged:: 3.31
+  The default is TLS 1.2.
+  Previously, no minimum version was enforced by default.

 The value may be one of:

@@ -16,6 +16,7 @@

 namespace {
 const bool TLS_VERIFY_DEFAULT = true;
+const int TLS_VERSION_DEFAULT = CURL_SSLVERSION_TLSv1_2;
 }

 cmCTestCurl::cmCTestCurl(cmCTest* ctest)
@@ -65,6 +66,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
 {
  this->TLSVersionOpt =
    cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion"));
+  if (!this->TLSVersionOpt.has_value()) {
+    this->TLSVersionOpt = TLS_VERSION_DEFAULT;
+  }

  std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
  if (!tlsVerify.empty()) {
@@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector<std::string> const& args,
 #if !defined(CMAKE_BOOTSTRAP)

 const bool TLS_VERIFY_DEFAULT = true;
+const std::string TLS_VERSION_DEFAULT = "1.2";

 // Stuff for curl download/upload
 using cmFileCommandVectorOfChar = std::vector<char>;
@@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
      tlsVersionOpt = std::move(v);
    }
  }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }

  // Can't calculate hash if we don't save the file.
  // TODO Incrementally calculate hash in the write callback as the file is
@@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
  if (tlsVersionOpt.has_value()) {
    if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
      res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
      check_curl_result(res,
                        cmStrCat("DOWNLOAD cannot set TLS/SSL version ",
                                 *tlsVersionOpt, ": "));
@@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
      tlsVersionOpt = std::move(v);
    }
  }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }

  // Open file for reading:
  //
@@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
  if (tlsVersionOpt.has_value()) {
    if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
      res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
      check_curl_result(
        res,
        cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": "));
@@ -1,4 +1,4 @@
-- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
@@ -1,4 +1,4 @@
-- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
@@ -1,3 +1,4 @@
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
@@ -19,12 +19,10 @@ else()
  set(TEST_TLSv1_1 0)
 endif()

-if(TEST_TLSv1_1)
-  # The default is to allow 1.1.
-  unset(ENV{CMAKE_TLS_VERSION})
-  unset(CMAKE_TLS_VERSION)
-  download(def-1.1)
-endif()
+# The default is to require 1.2.
+unset(ENV{CMAKE_TLS_VERSION})
+unset(CMAKE_TLS_VERSION)
+download(def-1.2)

 # The environment variable overrides the default.
 set(ENV{CMAKE_TLS_VERSION} 1.2)