Merge topic 'curl-tls-version'
38390245a2ctest: Require minimum TLS 1.2 by default5e1a59dc2bfile(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default Acked-by: Kitware Robot <kwrobot@kitware.com> Acked-by: buildbot <buildbot@kitware.com> Merge-request: !9848
@@ -811,6 +811,10 @@ Transfer
|
||||
environment variable will be used instead.
|
||||
See :variable:`CMAKE_TLS_VERSION` for allowed values.
|
||||
|
||||
.. versionchanged:: 3.31
|
||||
The default is TLS 1.2.
|
||||
Previously, no minimum version was enforced by default.
|
||||
|
||||
``TLS_VERIFY <ON|OFF>``
|
||||
Specify whether to verify the server certificate for ``https://`` URLs.
|
||||
If this option is not specified, the value of the
|
||||
|
||||
@@ -1560,6 +1560,10 @@ Configuration settings include:
|
||||
* `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION`
|
||||
* :module:`CTest` module variable: ``CTEST_TLS_VERSION``
|
||||
|
||||
.. versionchanged:: 3.31
|
||||
The default is TLS 1.2.
|
||||
Previously, no minimum version was enforced by default.
|
||||
|
||||
``TLSVerify``
|
||||
.. versionadded:: 3.30
|
||||
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
curl-tls-version
|
||||
----------------
|
||||
|
||||
* The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now
|
||||
require TLS 1.2 or higher for connections to ``https://`` URLs by default.
|
||||
See the :variable:`CMAKE_TLS_VERSION` variable for details.
|
||||
|
||||
* The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
|
||||
step now require TLS 1.2 or higher for connections to ``https://`` URLs by
|
||||
default. See the :variable:`CTEST_TLS_VERSION` variable for details.
|
||||
@@ -7,6 +7,11 @@ Specify the default value for the :command:`file(DOWNLOAD)` and
|
||||
:command:`file(UPLOAD)` commands' ``TLS_VERSION`` option.
|
||||
If this variable is not set, the commands check the
|
||||
:envvar:`CMAKE_TLS_VERSION` environment variable.
|
||||
If neither is set, the default is TLS 1.2.
|
||||
|
||||
.. versionchanged:: 3.31
|
||||
The default is TLS 1.2.
|
||||
Previously, no minimum version was enforced by default.
|
||||
|
||||
The value may be one of:
|
||||
|
||||
|
||||
@@ -16,6 +16,7 @@
|
||||
|
||||
namespace {
|
||||
const bool TLS_VERIFY_DEFAULT = true;
|
||||
const int TLS_VERSION_DEFAULT = CURL_SSLVERSION_TLSv1_2;
|
||||
}
|
||||
|
||||
cmCTestCurl::cmCTestCurl(cmCTest* ctest)
|
||||
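Review bot: `TLS_VERSION_DEFAULT` in the anonymous namespace is a compile-time value and reads better as `constexpr int TLS_VERSION_DEFAULT = CURL_SSLVERSION_TLSv1_2;` with a one-line comment on what it governs, e.g. `// Minimum TLS version applied when no TLSVersion setting is configured.` The same default is spelled as the string `"1.2"` in the cmFileCommand.cxx hunk of this change and parsed back through cmCurlParseTLSVersion, so the two sites can drift apart silently; a comment here naming the other site, or deriving one value from the other, would make that coupling visible.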
@@ -65,6 +66,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
|
||||
{
|
||||
this->TLSVersionOpt =
|
||||
cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion"));
|
||||
if (!this->TLSVersionOpt.has_value()) {
|
||||
this->TLSVersionOpt = TLS_VERSION_DEFAULT;
|
||||
}
|
||||
|
||||
std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
|
||||
if (!tlsVerify.empty()) {
|
||||
|
||||
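Review bot: The fallback at `if (!this->TLSVersionOpt.has_value())` cannot tell an unset TLSVersion setting apart from one that is set but unparsable, so a typo in a user's configured value is silently replaced by the 1.2 default instead of being reported (presumably cmCurlParseTLSVersion yields no value both for an empty string and for garbage — confirm). Keeping the raw string, `std::string tlsVersion = ctest->GetCTestConfiguration("TLSVersion");`, and reporting a non-empty value whose parse fails via the file's existing diagnostic mechanism before applying the default would close that gap. The curl_easy_setopt that consumes this value is outside the hunk; if that path treats CURLE_NOT_BUILT_IN as fatal, ctest submission on a curl whose TLS backend cannot pin a minimum version would now fail where file(DOWNLOAD) in this same change deliberately tolerates it — worth checking for consistency. The constructor body continues past the hunk.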
@@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector<std::string> const& args,
|
||||
#if !defined(CMAKE_BOOTSTRAP)
|
||||
|
||||
const bool TLS_VERIFY_DEFAULT = true;
|
||||
const std::string TLS_VERSION_DEFAULT = "1.2";
|
||||
|
||||
// Stuff for curl download/upload
|
||||
using cmFileCommandVectorOfChar = std::vector<char>;
|
||||
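Review bot: `const std::string TLS_VERSION_DEFAULT = "1.2";` is a namespace-scope `std::string`, which costs a dynamic initializer for a three-character literal; `const char* const TLS_VERSION_DEFAULT = "1.2";` assigns to the optional just as well, assuming `tlsVersionOpt` is an optional string as the later `cmStrCat(..., *tlsVersionOpt, ...)` suggests. Either way the constant deserves a comment explaining its role and why it is a string rather than a curl enum, e.g. `// Minimum TLS version for https:// transfers when neither TLS_VERSION, CMAKE_TLS_VERSION, nor the environment variable is set; kept as a string so it flows through the same parser as user-supplied values.`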
@@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
|
||||
tlsVersionOpt = std::move(v);
|
||||
}
|
||||
}
|
||||
bool tlsVersionDefaulted = false;
|
||||
if (!tlsVersionOpt.has_value()) {
|
||||
tlsVersionOpt = TLS_VERSION_DEFAULT;
|
||||
tlsVersionDefaulted = true;
|
||||
}
|
||||
|
||||
// Can't calculate hash if we don't save the file.
|
||||
// TODO Incrementally calculate hash in the write callback as the file is
|
||||
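Review bot: The added `tlsVersionDefaulted` block is copied verbatim into the HandleUploadCommand hunk further down, and the matching setopt-and-tolerate block is copied as well, so any future adjustment to the default policy has to be made twice in this file. A file-local helper such as `static bool ApplyTLSVersionDefault(cm::optional<std::string>& tlsVersionOpt)` that fills in `TLS_VERSION_DEFAULT` when the optional is empty and returns whether it did so would keep both sites identical, assuming `tlsVersionOpt` is an optional string as the surrounding `std::move(v)` and later `*tlsVersionOpt` usage suggest. The enclosing function starts and ends outside the hunk.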
@@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
|
||||
if (tlsVersionOpt.has_value()) {
|
||||
if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
|
||||
res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
|
||||
if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
|
||||
res = CURLE_OK;
|
||||
}
|
||||
check_curl_result(res,
|
||||
cmStrCat("DOWNLOAD cannot set TLS/SSL version ",
|
||||
*tlsVersionOpt, ": "));
|
||||
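Review bot: The new `if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN)` branch silently proceeds with whatever minimum version the curl TLS backend applies on its own, so on such a build the documented "TLS 1.2 by default" is not actually enforced and nothing in the output says so; the same branch appears in the HandleUploadCommand hunk below. The intent at least deserves a comment, e.g. `// Some curl TLS backends cannot pin a minimum version and report CURLE_NOT_BUILT_IN; tolerate that only for the built-in default so an explicit TLS_VERSION request still fails loudly.` Consider also emitting a warning or status line in that branch so the reduced enforcement is visible to whoever reads the build log. The enclosing function continues outside the hunk.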
@@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
|
||||
tlsVersionOpt = std::move(v);
|
||||
}
|
||||
}
|
||||
bool tlsVersionDefaulted = false;
|
||||
if (!tlsVersionOpt.has_value()) {
|
||||
tlsVersionOpt = TLS_VERSION_DEFAULT;
|
||||
tlsVersionDefaulted = true;
|
||||
}
|
||||
|
||||
// Open file for reading:
|
||||
//
|
||||
@@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
|
||||
if (tlsVersionOpt.has_value()) {
|
||||
if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
|
||||
res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
|
||||
if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
|
||||
res = CURLE_OK;
|
||||
}
|
||||
check_curl_result(
|
||||
res,
|
||||
cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": "));
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
-- def-1\.1: 0;"No error"
|
||||
-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
-- env-1\.1: 0;"No error"
|
||||
-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
-- def-1\.1: 0;"No error"
|
||||
-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
-- env-1\.1: 0;"No error"
|
||||
-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
|
||||
|
||||
@@ -19,12 +19,10 @@ else()
|
||||
set(TEST_TLSv1_1 0)
|
||||
endif()
|
||||
|
||||
if(TEST_TLSv1_1)
|
||||
# The default is to allow 1.1.
|
||||
unset(ENV{CMAKE_TLS_VERSION})
|
||||
unset(CMAKE_TLS_VERSION)
|
||||
download(def-1.1)
|
||||
endif()
|
||||
# The default is to require 1.2.
|
||||
unset(ENV{CMAKE_TLS_VERSION})
|
||||
unset(CMAKE_TLS_VERSION)
|
||||
download(def-1.2)
|
||||
|
||||
# The environment variable overrides the default.
|
||||
set(ENV{CMAKE_TLS_VERSION} 1.2)
|
||||
|
||||