Merge topic 'curl-tls-version'

5d2ea8371d Tests/RunCMake/file-DOWNLOAD: Add case covering TLS_VERSION values
c864ffceb7 Tests/RunCMake/file-DOWNLOAD: Clarify name of invalid TLS_VERSION case

Acked-by: Kitware Robot <[email protected]>
Acked-by: buildbot <[email protected]>
Merge-request: !9845

.gitlab/ci/configure_debian12_aarch64_ninja.cmake

@@ -100,6 +100,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 set(CMake_TEST_UseSWIG "ON" CACHE BOOL "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_external_test.cmake")

.gitlab/ci/configure_debian12_ninja_common.cmake

@@ -108,6 +108,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 if (NOT "$ENV{SWIFTC}" STREQUAL "")
   set(CMAKE_Swift_COMPILER "$ENV{SWIFTC}" CACHE FILEPATH "")

.gitlab/ci/configure_fedora40_makefiles.cmake

@@ -111,6 +111,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 set(CMake_TEST_UseSWIG "ON" CACHE BOOL "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_external_test.cmake")

.gitlab/ci/configure_fedora40_ninja.cmake

@@ -6,6 +6,7 @@ set(CMake_TEST_MODULE_COMPILATION "named,compile_commands,collation,partitions,i
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 # "Release" flags without "-DNDEBUG" so we get assertions.
 set(CMAKE_C_FLAGS_RELEASE "-O3" CACHE STRING "")

.gitlab/ci/configure_macos_arm64_curl.cmake

@@ -4,6 +4,7 @@ set(CMAKE_USE_SYSTEM_CURL "OFF" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

.gitlab/ci/configure_macos_arm64_ninja.cmake

@@ -9,6 +9,7 @@ set(CMake_TEST_GUI "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

.gitlab/ci/configure_macos_x86_64_makefiles.cmake

@@ -9,6 +9,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

.gitlab/ci/configure_macos_x86_64_ninja.cmake

@@ -12,6 +12,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

.gitlab/ci/configure_windows_arm64_vs2022_ninja.cmake

@@ -6,6 +6,7 @@ set(CMAKE_PREFIX_PATH "" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_msvc_cxx_modules_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_wix_common.cmake")

.gitlab/ci/configure_windows_vs2022_x64_ninja.cmake

@@ -12,6 +12,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_msvc_cxx_modules_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_wix_common.cmake")

Tests/RunCMake/CMakeLists.txt

@@ -599,6 +599,7 @@ foreach(var
     CMake_TEST_TLS_VERIFY_URL
     CMake_TEST_TLS_VERIFY_URL_BAD
     CMake_TEST_TLS_VERSION
+    CMake_TEST_TLS_VERSION_URL_BAD
     )
   if(DEFINED ${var})
     list(APPEND file-DOWNLOAD_ARGS -D${var}=${${var}})

Tests/RunCMake/file-DOWNLOAD/RunCMakeTest.cmake

@@ -11,6 +11,7 @@ run_cmake(httpheader-not-set)
 run_cmake(netrc-bad)
 run_cmake(tls-cainfo-not-set)
 run_cmake(tls-verify-not-set)
+run_cmake(TLS_VERSION-invalid)
 run_cmake(TLS_VERSION-missing)
 run_cmake(pass-not-set)
 run_cmake(no-save-hash)
@@ -26,10 +27,12 @@ if(NOT CMake_TEST_NO_NETWORK)
   run_cmake(bad-hostname)
 endif()
 
-run_cmake_with_options(TLS_VERSION-bad)
 if(CMake_TEST_TLS_VERIFY_URL_BAD)
   run_cmake_with_options(TLS_VERIFY-bad -Durl=${CMake_TEST_TLS_VERIFY_URL_BAD})
 endif()
+if(CMake_TEST_TLS_VERSION_URL_BAD)
+  run_cmake_with_options(TLS_VERSION-bad -Durl=${CMake_TEST_TLS_VERSION_URL_BAD})
+endif()
 
 if(CMake_TEST_TLS_VERIFY_URL)
   run_cmake_with_options(TLS_VERIFY-good -Durl=${CMake_TEST_TLS_VERIFY_URL})

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt

@@ -0,0 +1,7 @@
+-- def-1\.1: 0;"No error"
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- env-1\.1: 0;"No error"
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.1: 0;"No error"
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.1: 0;"No error"

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt

@@ -0,0 +1,7 @@
+-- def-1\.1: 0;"No error"
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- env-1\.1: 0;"No error"
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.1: 0;"No error"
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.1: 0;"No error"

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt

@@ -0,0 +1,3 @@
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake

@@ -1,10 +1,55 @@
-# The environment variable provides a default.
-set(ENV{CMAKE_TLS_VERSION} bad-env)
-file(DOWNLOAD "" TLS_VERIFY 1 STATUS status LOG log)
+function(download case)
+  # URL with semantics like https://tls-v1-1.badssl.com:1011 is provided by caller
+  file(DOWNLOAD ${url} ${ARGN} STATUS status LOG log)
+  message(STATUS "${case}: ${status}")
+  if(case MATCHES "1\\.2$" AND NOT status MATCHES "^(35|60);")
+    message("${log}")
+  endif()
+endfunction()
+
+set(CMAKE_TLS_VERIFY 1)
+
+if(CMAKE_HOST_WIN32 OR CMAKE_HOST_APPLE)
+  # The OS-native TLS implementations support TLS 1.1.
+  set(TEST_TLSv1_1 1)
+else()
+  # OpenSSL 3.1+ does not support TLS 1.1 or older without setting
+  # the security level to 0, which curl (correctly) does not do.
+  # https://openssl-library.org/news/openssl-3.1-notes/index.html#major-changes-between-openssl-30-and-openssl-310-14-mar-2023
+  set(TEST_TLSv1_1 0)
+endif()
+
+if(TEST_TLSv1_1)
+  # The default is to allow 1.1.
+  unset(ENV{CMAKE_TLS_VERSION})
+  unset(CMAKE_TLS_VERSION)
+  download(def-1.1)
+endif()
+
+# The environment variable overrides the default.
+set(ENV{CMAKE_TLS_VERSION} 1.2)
+download(env-1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.1)
+  download(env-1.1)
+endif()
 
 # The cmake variable overrides the environment variable.
-set(CMAKE_TLS_VERSION bad-var)
-file(DOWNLOAD "" TLS_VERIFY 1 STATUS status LOG log)
+set(ENV{CMAKE_TLS_VERSION} 1.1)
+set(CMAKE_TLS_VERSION 1.2)
+download(var-1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.2)
+  set(CMAKE_TLS_VERSION 1.1)
+  download(var-1.1)
+endif()
 
-# The explicit argument overrides the cmake variable.
-file(DOWNLOAD "" TLS_VERSION bad-arg TLS_VERIFY 1 STATUS status LOG log)
+# The explicit argument overrides the cmake variable and the environment variable.
+set(ENV{CMAKE_TLS_VERSION} 1.1)
+set(CMAKE_TLS_VERSION 1.1)
+download(opt-1.2 TLS_VERSION 1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.2)
+  set(CMAKE_TLS_VERSION 1.2)
+  download(opt-1.1 TLS_VERSION 1.1)
+endif()

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stderr.txt → Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-invalid-stderr.txt

@@ -1,14 +1,14 @@
-^CMake Error at TLS_VERSION-bad\.cmake:[0-9]+ \(file\):
+^CMake Error at TLS_VERSION-invalid\.cmake:[0-9]+ \(file\):
   file DOWNLOAD given unknown TLS/SSL version bad-env
 Call Stack \(most recent call first\):
   CMakeLists\.txt:[0-9]+ \(include\)
 +
-CMake Error at TLS_VERSION-bad\.cmake:[0-9]+ \(file\):
+CMake Error at TLS_VERSION-invalid\.cmake:[0-9]+ \(file\):
   file DOWNLOAD given unknown TLS/SSL version bad-var
 Call Stack \(most recent call first\):
   CMakeLists\.txt:[0-9]+ \(include\)
 +
-CMake Error at TLS_VERSION-bad\.cmake:[0-9]+ \(file\):
+CMake Error at TLS_VERSION-invalid\.cmake:[0-9]+ \(file\):
   file DOWNLOAD given unknown TLS/SSL version bad-arg
 Call Stack \(most recent call first\):
   CMakeLists\.txt:[0-9]+ \(include\)$

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-invalid.cmake

@@ -0,0 +1,10 @@
+# The environment variable provides a default.
+set(ENV{CMAKE_TLS_VERSION} bad-env)
+file(DOWNLOAD "" TLS_VERIFY 1 STATUS status LOG log)
+
+# The cmake variable overrides the environment variable.
+set(CMAKE_TLS_VERSION bad-var)
+file(DOWNLOAD "" TLS_VERIFY 1 STATUS status LOG log)
+
+# The explicit argument overrides the cmake variable.
+file(DOWNLOAD "" TLS_VERSION bad-arg TLS_VERIFY 1 STATUS status LOG log)