Merge topic 'ctest-tls-options'

aeb8bcc055 ctest: Fall back to CMake options for TLS version
56e319ce4a ctest: Fall back to CMake options for TLS server verification
6671f17f65 ctest: Add explicit options for TLS version
0aba13a2f3 ctest: Add explicit options for TLS server verification
51728a6dd3 CTest: Create scope to isolate defaults for DartConfiguration.tcl
8a3a486fb5 cmCTestCurl: Factor out helper struct for curl options
7f668bb94f cmCTestCurl: Use inline member initialization
add81210df cmCurl: Assert that we cover all TLS versions supported by our vendored curl
...

Acked-by: Kitware Robot <[email protected]>
Acked-by: buildbot <[email protected]>
Merge-request: !9318

Help/manual/cmake-variables.7.rst

@@ -728,6 +728,8 @@ Variables for CTest
    /variable/CTEST_SVN_UPDATE_OPTIONS
    /variable/CTEST_TEST_LOAD
    /variable/CTEST_TEST_TIMEOUT
+   /variable/CTEST_TLS_VERIFY
+   /variable/CTEST_TLS_VERSION
    /variable/CTEST_UPDATE_COMMAND
    /variable/CTEST_UPDATE_OPTIONS
    /variable/CTEST_UPDATE_VERSION_ONLY

Help/manual/ctest.1.rst

@@ -1452,14 +1452,25 @@ Configuration settings include:
   * :module:`CTest` module variable: ``CTEST_SUBMIT_RETRY_DELAY``
 
 ``CurlOptions``
+  .. deprecated:: 3.30
+
+    Use ``TLSVerify`` instead.
+
   Specify a semicolon-separated list of options to control the
   Curl library that CTest uses internally to connect to the
-  server.  Possible options are ``CURLOPT_SSL_VERIFYPEER_OFF``
-  and ``CURLOPT_SSL_VERIFYHOST_OFF``.
+  server.
 
   * `CTest Script`_ variable: :variable:`CTEST_CURL_OPTIONS`
   * :module:`CTest` module variable: ``CTEST_CURL_OPTIONS``
 
+  Possible options are:
+
+  ``CURLOPT_SSL_VERIFYPEER_OFF``
+    Disable the ``CURLOPT_SSL_VERIFYPEER`` curl option.
+
+  ``CURLOPT_SSL_VERIFYHOST_OFF``
+    Disable the ``CURLOPT_SSL_VERIFYHOST`` curl option.
+
 ``DropLocation``
   Legacy option.  When ``SubmitURL`` is not set, it is constructed from
   ``DropMethod``, ``DropSiteUser``, ``DropSitePassword``, ``DropSite``, and
@@ -1540,6 +1551,24 @@ Configuration settings include:
   * `CTest Script`_ variable: :variable:`CTEST_SUBMIT_INACTIVITY_TIMEOUT`
   * :module:`CTest` module variable: ``CTEST_SUBMIT_INACTIVITY_TIMEOUT``
 
+``TLSVersion``
+  .. versionadded:: 3.30
+
+  Specify a minimum TLS version allowed when submitting to a dashboard
+  via ``https://`` URLs.
+
+  * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION`
+  * :module:`CTest` module variable: ``CTEST_TLS_VERSION``
+
+``TLSVerify``
+  .. versionadded:: 3.30
+
+  Specify a boolean value indicating whether to verify the server
+  certificate when submitting to a dashboard via ``https://`` URLs.
+
+  * `CTest Script`_ variable: :variable:`CTEST_TLS_VERIFY`
+  * :module:`CTest` module variable: ``CTEST_TLS_VERIFY``
+
 ``TriggerSite``
   Legacy option.  Not used.
 

Help/release/dev/curl-tls-version.rst

@@ -15,3 +15,8 @@ curl-tls-version
   :variable:`CMAKE_TLS_VERSION` variable and :envvar:`CMAKE_TLS_VERSION`
   environment variable, to specify the minimum TLS version for connections
   to ``https://`` URLs.
+
+* The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
+  step gained ``TLSVersion`` and ``TLSVerify`` options to control negotiation
+  with ``https://`` URLs.  See the :variable:`CTEST_TLS_VERSION` and
+  :variable:`CTEST_TLS_VERIFY` variables.

Help/variable/CMAKE_TLS_VERSION-VALUES.txt

@@ -0,0 +1,7 @@
+* ``1.0``
+
+* ``1.1``
+
+* ``1.2``
+
+* ``1.3``

Help/variable/CMAKE_TLS_VERSION.rst

@@ -10,13 +10,7 @@ If this variable is not set, the commands check the
 
 The value may be one of:
 
-* ``1.0``
-
-* ``1.1``
-
-* ``1.2``
-
-* ``1.3``
+.. include:: CMAKE_TLS_VERSION-VALUES.txt
 
 This variable is also used by the :module:`ExternalProject` and
 :module:`FetchContent` modules for internal calls to

Help/variable/CTEST_CURL_OPTIONS.rst

@@ -1,6 +1,10 @@
 CTEST_CURL_OPTIONS
 ------------------
 
+.. deprecated:: 3.30
+
+  Use the :variable:`CTEST_TLS_VERIFY` variable instead.
+
 .. versionadded:: 3.1
 
 Specify the CTest ``CurlOptions`` setting

Help/variable/CTEST_TLS_VERIFY.rst

@@ -0,0 +1,13 @@
+CTEST_TLS_VERIFY
+----------------
+
+.. versionadded:: 3.30
+
+Specify the CTest ``TLSVerify`` setting in a :manual:`ctest(1)`
+:ref:`Dashboard Client` script or in project ``CMakeLists.txt`` code
+before including the :module:`CTest` module.  The value is a boolean
+indicating whether to  verify the server certificate when submitting
+to a dashboard via ``https://`` URLs.
+
+If ``CTEST_TLS_VERIFY`` is not set, :variable:`CMAKE_TLS_VERIFY` is
+used instead.

Help/variable/CTEST_TLS_VERSION.rst

@@ -0,0 +1,16 @@
+CTEST_TLS_VERSION
+-----------------
+
+.. versionadded:: 3.30
+
+Specify the CTest ``TLSVersion`` setting in a :manual:`ctest(1)`
+:ref:`Dashboard Client` script or in project ``CMakeLists.txt`` code
+before including the :module:`CTest` module.  The value is a minimum
+TLS version allowed when submitting to a dashboard via ``https://`` URLs.
+
+The value may be one of:
+
+.. include:: CMAKE_TLS_VERSION-VALUES.txt
+
+If ``CTEST_TLS_VERSION`` is not set, the :variable:`CMAKE_TLS_VERSION` variable
+or :envvar:`CMAKE_TLS_VERSION` environment variable is used instead.

Modules/CTestTargets.cmake

@@ -20,15 +20,27 @@ mark_as_advanced(CMAKE_CTEST_COMMAND)
 # Use CTest
 # configure files
 
-if(CTEST_NEW_FORMAT)
-  configure_file(
-    ${CMAKE_ROOT}/Modules/DartConfiguration.tcl.in
-    ${PROJECT_BINARY_DIR}/CTestConfiguration.ini )
-else()
-  configure_file(
-    ${CMAKE_ROOT}/Modules/DartConfiguration.tcl.in
-    ${PROJECT_BINARY_DIR}/DartConfiguration.tcl )
-endif()
+block()
+  if(NOT DEFINED CTEST_TLS_VERSION)
+    if(DEFINED CMAKE_TLS_VERSION)
+      set(CTEST_TLS_VERSION "${CMAKE_TLS_VERSION}")
+    elseif(DEFINED ENV{CMAKE_TLS_VERSION})
+      set(CTEST_TLS_VERSION "$ENV{CMAKE_TLS_VERSION}")
+    endif()
+  endif()
+  if(NOT DEFINED CTEST_TLS_VERIFY AND DEFINED CMAKE_TLS_VERIFY)
+    set(CTEST_TLS_VERIFY "${CMAKE_TLS_VERIFY}")
+  endif()
+  if(CTEST_NEW_FORMAT)
+    configure_file(
+      ${CMAKE_ROOT}/Modules/DartConfiguration.tcl.in
+      ${PROJECT_BINARY_DIR}/CTestConfiguration.ini )
+  else()
+    configure_file(
+      ${CMAKE_ROOT}/Modules/DartConfiguration.tcl.in
+      ${PROJECT_BINARY_DIR}/DartConfiguration.tcl )
+  endif()
+endblock()
 
 #
 # Section 3:

Modules/DartConfiguration.tcl.in

@@ -95,6 +95,9 @@ TimeOut: @DART_TESTING_TIMEOUT@
 # so would cause the system load to exceed this value.
 TestLoad: @CTEST_TEST_LOAD@
 
+TLSVerify: @CTEST_TLS_VERIFY@
+TLSVersion: @CTEST_TLS_VERSION@
+
 UseLaunchers: @CTEST_USE_LAUNCHERS@
 CurlOptions: @CTEST_CURL_OPTIONS@
 # warning, if you add new options here that have to do with submit,

Source/CTest/cmCTestCurl.cxx

@@ -9,21 +9,18 @@
 
 #include "cmCTest.h"
 #include "cmCurl.h"
+#include "cmList.h"
 #include "cmStringAlgorithms.h"
 #include "cmSystemTools.h"
+#include "cmValue.h"
 
 cmCTestCurl::cmCTestCurl(cmCTest* ctest)
+  : CTest(ctest)
+  , CurlOpts(ctest)
 {
-  this->CTest = ctest;
   this->SetProxyType();
-  this->UseHttp10 = false;
   // In windows, this will init the winsock stuff
   ::curl_global_init(CURL_GLOBAL_ALL);
-  // default is to verify https
-  this->VerifyPeerOff = false;
-  this->VerifyHostOff = false;
-  this->Quiet = false;
-  this->TimeOutSeconds = 0;
   this->Curl = curl_easy_init();
 }
 
@@ -59,14 +56,23 @@ size_t curlDebugCallback(CURL* /*unused*/, curl_infotype /*unused*/,
 }
 }
 
-void cmCTestCurl::SetCurlOptions(std::vector<std::string> const& args)
+cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
 {
-  for (std::string const& arg : args) {
-    if (arg == "CURLOPT_SSL_VERIFYPEER_OFF") {
-      this->VerifyPeerOff = true;
-    }
-    if (arg == "CURLOPT_SSL_VERIFYHOST_OFF") {
-      this->VerifyHostOff = true;
+  this->TLSVersionOpt =
+    cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion"));
+
+  std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
+  if (!tlsVerify.empty()) {
+    this->TLSVerifyOpt = cmIsOn(tlsVerify);
+  } else {
+    cmList args{ ctest->GetCTestConfiguration("CurlOptions") };
+    for (std::string const& arg : args) {
+      if (arg == "CURLOPT_SSL_VERIFYPEER_OFF") {
+        this->TLSVerifyOpt = false;
+      }
+      if (arg == "CURLOPT_SSL_VERIFYHOST_OFF") {
+        this->VerifyHostOff = true;
+      }
     }
   }
 }
@@ -77,10 +83,15 @@ bool cmCTestCurl::InitCurl()
     return false;
   }
   cmCurlSetCAInfo(this->Curl);
-  if (this->VerifyPeerOff) {
-    curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYPEER, 0);
+  if (this->CurlOpts.TLSVersionOpt) {
+    curl_easy_setopt(this->Curl, CURLOPT_SSLVERSION,
+                     *this->CurlOpts.TLSVersionOpt);
+  }
+  if (this->CurlOpts.TLSVerifyOpt) {
+    curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYPEER,
+                     *this->CurlOpts.TLSVerifyOpt ? 1 : 0);
   }
-  if (this->VerifyHostOff) {
+  if (this->CurlOpts.VerifyHostOff) {
     curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYHOST, 0);
   }
   if (!this->HTTPProxy.empty()) {

Source/CTest/cmCTestCurl.h

@@ -7,10 +7,20 @@
 #include <string>
 #include <vector>
 
+#include <cm/optional>
+
 #include <cm3p/curl/curl.h>
 
 class cmCTest;
 
+struct cmCTestCurlOpts
+{
+  cmCTestCurlOpts(cmCTest* ctest);
+  cm::optional<int> TLSVersionOpt;
+  cm::optional<bool> TLSVerifyOpt;
+  bool VerifyHostOff = false;
+};
+
 class cmCTestCurl
 {
 public:
@@ -22,9 +32,6 @@ public:
                   std::string const& fields, std::string& response);
   bool HttpRequest(std::string const& url, std::string const& fields,
                    std::string& response);
-  // currently only supports CURLOPT_SSL_VERIFYPEER_OFF
-  // and CURLOPT_SSL_VERIFYHOST_OFF
-  void SetCurlOptions(std::vector<std::string> const& args);
   void SetHttpHeaders(std::vector<std::string> const& v)
   {
     this->HttpHeaders = v;
@@ -40,14 +47,13 @@ protected:
 
 private:
   cmCTest* CTest;
-  CURL* Curl;
+  cmCTestCurlOpts CurlOpts;
+  CURL* Curl = nullptr;
   std::vector<std::string> HttpHeaders;
   std::string HTTPProxyAuth;
   std::string HTTPProxy;
   curl_proxytype HTTPProxyType;
-  bool VerifyHostOff;
-  bool VerifyPeerOff;
-  bool UseHttp10;
-  bool Quiet;
-  int TimeOutSeconds;
+  bool UseHttp10 = false;
+  bool Quiet = false;
+  int TimeOutSeconds = 0;
 };

Source/CTest/cmCTestSubmitCommand.cxx

@@ -55,6 +55,41 @@ cmCTestGenericHandler* cmCTestSubmitCommand::InitializeHandler()
       this->Makefile, "DropLocation", "CTEST_DROP_LOCATION", this->Quiet);
   }
 
+  if (!this->CTest->SetCTestConfigurationFromCMakeVariable(
+        this->Makefile, "TLSVersion", "CTEST_TLS_VERSION", this->Quiet)) {
+    if (cmValue tlsVersionVar =
+          this->Makefile->GetDefinition("CMAKE_TLS_VERSION")) {
+      cmCTestOptionalLog(
+        this->CTest, HANDLER_VERBOSE_OUTPUT,
+        "SetCTestConfiguration from CMAKE_TLS_VERSION:TLSVersion:"
+          << *tlsVersionVar << std::endl,
+        this->Quiet);
+      this->CTest->SetCTestConfiguration("TLSVersion", *tlsVersionVar,
+                                         this->Quiet);
+    } else if (cm::optional<std::string> tlsVersionEnv =
+                 cmSystemTools::GetEnvVar("CMAKE_TLS_VERSION")) {
+      cmCTestOptionalLog(
+        this->CTest, HANDLER_VERBOSE_OUTPUT,
+        "SetCTestConfiguration from ENV{CMAKE_TLS_VERSION}:TLSVersion:"
+          << *tlsVersionEnv << std::endl,
+        this->Quiet);
+      this->CTest->SetCTestConfiguration("TLSVersion", *tlsVersionEnv,
+                                         this->Quiet);
+    }
+  }
+  if (!this->CTest->SetCTestConfigurationFromCMakeVariable(
+        this->Makefile, "TLSVerify", "CTEST_TLS_VERIFY", this->Quiet)) {
+    if (cmValue tlsVerifyVar =
+          this->Makefile->GetDefinition("CMAKE_TLS_VERIFY")) {
+      cmCTestOptionalLog(
+        this->CTest, HANDLER_VERBOSE_OUTPUT,
+        "SetCTestConfiguration from CMAKE_TLS_VERIFY:TLSVerify:"
+          << *tlsVerifyVar << std::endl,
+        this->Quiet);
+      this->CTest->SetCTestConfiguration("TLSVerify", *tlsVerifyVar,
+                                         this->Quiet);
+    }
+  }
   this->CTest->SetCTestConfigurationFromCMakeVariable(
     this->Makefile, "CurlOptions", "CTEST_CURL_OPTIONS", this->Quiet);
   this->CTest->SetCTestConfigurationFromCMakeVariable(

Source/CTest/cmCTestSubmitHandler.cxx

@@ -8,6 +8,7 @@
 #include <sstream>
 
 #include <cm/iomanip>
+#include <cm/optional>
 #include <cmext/algorithm>
 
 #include <cm3p/curl/curl.h>
@@ -22,7 +23,6 @@
 #include "cmCurl.h"
 #include "cmDuration.h"
 #include "cmGeneratedFileStream.h"
-#include "cmList.h"
 #include "cmState.h"
 #include "cmStringAlgorithms.h"
 #include "cmSystemTools.h"
@@ -172,30 +172,32 @@ bool cmCTestSubmitHandler::SubmitUsingHTTP(
 
   /* In windows, this will init the winsock stuff */
   ::curl_global_init(CURL_GLOBAL_ALL);
-  std::string curlopt(this->CTest->GetCTestConfiguration("CurlOptions"));
-  cmList args{ curlopt };
-  bool verifyPeerOff = false;
-  bool verifyHostOff = false;
-  for (std::string const& arg : args) {
-    if (arg == "CURLOPT_SSL_VERIFYPEER_OFF") {
-      verifyPeerOff = true;
-    }
-    if (arg == "CURLOPT_SSL_VERIFYHOST_OFF") {
-      verifyHostOff = true;
-    }
-  }
+  cmCTestCurlOpts curlOpts(this->CTest);
   for (std::string const& file : files) {
     /* get a curl handle */
     curl = curl_easy_init();
     if (curl) {
       cmCurlSetCAInfo(curl);
-      if (verifyPeerOff) {
+      if (curlOpts.TLSVersionOpt) {
+        cm::optional<std::string> tlsVersionStr =
+          cmCurlPrintTLSVersion(*curlOpts.TLSVersionOpt);
+        cmCTestOptionalLog(
+          this->CTest, HANDLER_VERBOSE_OUTPUT,
+          "  Set CURLOPT_SSLVERSION to "
+            << (tlsVersionStr ? *tlsVersionStr : "unknown value") << "\n",
+          this->Quiet);
+        curl_easy_setopt(curl, CURLOPT_SSLVERSION, *curlOpts.TLSVersionOpt);
+      }
+      if (curlOpts.TLSVerifyOpt) {
         cmCTestOptionalLog(this->CTest, HANDLER_VERBOSE_OUTPUT,
-                           "  Set CURLOPT_SSL_VERIFYPEER to off\n",
+                           "  Set CURLOPT_SSL_VERIFYPEER to "
+                             << (*curlOpts.TLSVerifyOpt ? "on" : "off")
+                             << "\n",
                            this->Quiet);
-        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER,
+                         *curlOpts.TLSVerifyOpt ? 1 : 0);
       }
-      if (verifyHostOff) {
+      if (curlOpts.VerifyHostOff) {
         cmCTestOptionalLog(this->CTest, HANDLER_VERBOSE_OUTPUT,
                            "  Set CURLOPT_SSL_VERIFYHOST to off\n",
                            this->Quiet);
@@ -518,9 +520,6 @@ int cmCTestSubmitHandler::HandleCDashUploadFile(std::string const& file,
   }
   cmCTestCurl curl(this->CTest);
   curl.SetQuiet(this->Quiet);
-  std::string curlopt(this->CTest->GetCTestConfiguration("CurlOptions"));
-  cmList args{ curlopt };
-  curl.SetCurlOptions(args);
   auto submitInactivityTimeout = this->GetSubmitInactivityTimeout();
   if (submitInactivityTimeout != 0) {
     curl.SetTimeOutSeconds(submitInactivityTimeout);

Source/cmCurl.cxx

@@ -34,7 +34,20 @@
     }                                                                         \
   } while (false)
 
-cm::optional<int> cmCurlParseTLSVersion(std::string const& tls_version)
+// curl versions before 7.52.0 did not provide TLS 1.3 support
+#if defined(LIBCURL_VERSION_NUM) && LIBCURL_VERSION_NUM < 0x073400
+#  define CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_LAST
+#endif
+
+// Make sure we keep up with new TLS versions supported by curl.
+// Do this only for our vendored curl to avoid breaking builds
+// against external future versions of curl.
+#if !defined(CMAKE_USE_SYSTEM_CURL)
+static_assert(CURL_SSLVERSION_LAST == 8,
+              "A new CURL_SSLVERSION_ may be available!");
+#endif
+
+cm::optional<int> cmCurlParseTLSVersion(cm::string_view tls_version)
 {
   cm::optional<int> v;
   if (tls_version == "1.0"_s) {
@@ -44,16 +57,31 @@ cm::optional<int> cmCurlParseTLSVersion(std::string const& tls_version)
   } else if (tls_version == "1.2"_s) {
     v = CURL_SSLVERSION_TLSv1_2;
   } else if (tls_version == "1.3"_s) {
-    // curl version 7.52.0 introduced TLS 1.3 support
-#if defined(LIBCURL_VERSION_NUM) && LIBCURL_VERSION_NUM >= 0x073400
     v = CURL_SSLVERSION_TLSv1_3;
-#else
-    v = CURL_SSLVERSION_LAST;
-#endif
   }
   return v;
 }
 
+cm::optional<std::string> cmCurlPrintTLSVersion(int curl_tls_version)
+{
+  cm::optional<std::string> s;
+  switch (curl_tls_version) {
+    case CURL_SSLVERSION_TLSv1_0:
+      s = "CURL_SSLVERSION_TLSv1_0"_s;
+      break;
+    case CURL_SSLVERSION_TLSv1_1:
+      s = "CURL_SSLVERSION_TLSv1_1"_s;
+      break;
+    case CURL_SSLVERSION_TLSv1_2:
+      s = "CURL_SSLVERSION_TLSv1_2"_s;
+      break;
+    case CURL_SSLVERSION_TLSv1_3:
+      s = "CURL_SSLVERSION_TLSv1_3"_s;
+      break;
+  }
+  return s;
+}
+
 std::string cmCurlSetCAInfo(::CURL* curl, const std::string& cafile)
 {
   std::string e;

Source/cmCurl.h

@@ -7,10 +7,12 @@
 #include <string>
 
 #include <cm/optional>
+#include <cm/string_view>
 
 #include <cm3p/curl/curl.h>
 
-cm::optional<int> cmCurlParseTLSVersion(std::string const& tls_version);
+cm::optional<int> cmCurlParseTLSVersion(cm::string_view tls_version);
+cm::optional<std::string> cmCurlPrintTLSVersion(int curl_tls_version);
 std::string cmCurlSetCAInfo(::CURL* curl, const std::string& cafile = {});
 std::string cmCurlSetNETRCOption(::CURL* curl, const std::string& netrc_level,
                                  const std::string& netrc_file);

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-OFF-ctest-result.txt

@@ -0,0 +1 @@
+[^0]

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-OFF-ctest-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-OFF-ctest-stdout.txt

@@ -0,0 +1 @@
+  Set CURLOPT_SSL_VERIFYPEER to off

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-OFF.cmake

@@ -0,0 +1 @@
+include(FailDrop-common.cmake)

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-ON-ctest-result.txt

@@ -0,0 +1 @@
+[^0]

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-ON-ctest-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-ON-ctest-stdout.txt

@@ -0,0 +1 @@
+  Set CURLOPT_SSL_VERIFYPEER to on

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVerify-ON.cmake

@@ -0,0 +1 @@
+include(FailDrop-common.cmake)

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-cmake-ctest-result.txt

@@ -0,0 +1 @@
+[^0]

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-cmake-ctest-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-cmake-ctest-stdout.txt

@@ -0,0 +1 @@
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-cmake.cmake

@@ -0,0 +1 @@
+include(FailDrop-common.cmake)

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-result.txt

@@ -0,0 +1 @@
+[^0]

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stdout.txt

@@ -0,0 +1 @@
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-env-ctest-result.txt

@@ -0,0 +1 @@
+[^0]

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-env-ctest-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-env-ctest-stdout.txt

@@ -0,0 +1 @@
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-env.cmake

@@ -0,0 +1 @@
+include(FailDrop-common.cmake)

Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1.cmake

@@ -0,0 +1 @@
+include(FailDrop-common.cmake)

Tests/RunCMake/CTestCommandLine/FailDrop-common.cmake

@@ -0,0 +1,3 @@
+set(SUBMIT_URL "https://badhostname.invalid")
+set(CTEST_SUBMIT_RETRY_COUNT 0 CACHE STRING "")
+include(CTest)

Tests/RunCMake/CTestCommandLine/RunCMakeTest.cmake

@@ -1,6 +1,10 @@
 include(RunCMake)
 include(RunCTest)
 
+# Do not use any proxy for lookup of an invalid site.
+# DNS failure by proxy looks different than DNS failure without proxy.
+set(ENV{no_proxy} "$ENV{no_proxy},badhostname.invalid")
+
 set(RunCMake_TEST_TIMEOUT 60)
 
 run_cmake_command(repeat-opt-bad1
@@ -484,6 +488,23 @@ run_NoTests()
 # Check the configuration type variable is passed
 run_ctest(check-configuration-type)
 
+function(run_FailDrop case)
+  set(RunCMake_TEST_BINARY_DIR ${RunCMake_BINARY_DIR}/FailDrop-${case}-build)
+  run_cmake_with_options(FailDrop-${case} ${ARGN})
+  unset(ENV{CMAKE_TLS_VERSION}) # Test that env variable is saved in ctest config file.
+  set(RunCMake_TEST_NO_CLEAN 1)
+  run_cmake_command(FailDrop-${case}-ctest
+    ${CMAKE_CTEST_COMMAND} -M Experimental -T Submit -VV
+    )
+endfunction()
+run_FailDrop(TLSVersion-1.1 -DCTEST_TLS_VERSION=1.1)
+run_FailDrop(TLSVersion-1.1-cmake -DCMAKE_TLS_VERSION=1.1) # Test fallback to CMake variable.
+set(ENV{CMAKE_TLS_VERSION} 1.1) # Test fallback to env variable.
+run_FailDrop(TLSVersion-1.1-env)
+unset(ENV{CMAKE_TLS_VERSION})
+run_FailDrop(TLSVerify-ON -DCTEST_TLS_VERIFY=ON)
+run_FailDrop(TLSVerify-OFF -DCMAKE_TLS_VERIFY=OFF) # Test fallback to CMake variable.
+
 run_cmake_command(EmptyDirCoverage-ctest
   ${CMAKE_CTEST_COMMAND} -C Debug -M Experimental -T Coverage
   )

Tests/RunCMake/ctest_submit/CDashSubmitHeaders-stderr.txt

@@ -1 +1 @@
- *Error message was: ([Cc]ould *n.t resolve host:? '?-no-site-'?.*|The requested URL returned error:.*)
+ *Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?.*|The requested URL returned error:.*)

Tests/RunCMake/ctest_submit/CDashSubmitQuiet-stderr.txt

@@ -1,3 +1,3 @@
  *Error when uploading file: .*/Configure.xml
- *Error message was: ([Cc]ould *n.t resolve host:? '?-no-site-'?.*|The requested URL returned error:.*)
+ *Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?.*|The requested URL returned error:.*)
  *Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/CDashSubmitVerbose-stderr.txt

@@ -1 +1 @@
- *Error message was: ([Cc]ould *n.t resolve host:? '?-no-site-'?.*|The requested URL returned error:.*)
+ *Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?.*|The requested URL returned error:.*)

Tests/RunCMake/ctest_submit/CDashSubmitVerbose-stdout.txt

@@ -1 +1 @@
-Upload file: .* to http:\/\/-no-site-\?FileName=test-site___test-build-name___.*-Experimental___XML___Configure.xml&build=test-build-name&site=test-site&stamp=.*-Experimental&subproject=mysubproj&MD5=.* Size: .*
+Upload file: .* to http:\/\/badhostname.invalid\?FileName=test-site___test-build-name___.*-Experimental___XML___Configure.xml&build=test-build-name&site=test-site&stamp=.*-Experimental&subproject=mysubproj&MD5=.* Size: .*

Tests/RunCMake/ctest_submit/CTestConfig.cmake.in

@@ -3,7 +3,3 @@
 # so that any ctest_submit calls fail with an error message.
 set(CTEST_DROP_METHOD "@CASE_DROP_METHOD@")
 set(CTEST_DROP_SITE "@CASE_DROP_SITE@")
-
-# do not use proxy for lookup of invalid site (DNS failure by proxy looks
-# different than DNS failure without proxy)
-set(ENV{no_proxy} "$ENV{no_proxy},@CASE_DROP_SITE@")

Tests/RunCMake/ctest_submit/FILESNoBuildId-stderr.txt

@@ -1 +1 @@
- *Error message was: ([Cc]ould *n.t resolve host:? '?-no-site-'?.*|The requested URL returned error:.*)
+ *Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?.*|The requested URL returned error:.*)

Tests/RunCMake/ctest_submit/FILESNoBuildId-stdout.txt

@@ -1 +1 @@
-Upload file: .* to http:\/\/-no-site-\?FileName=test-site___test-build-name___.*-Experimental___XML___RunCMakeTest.cmake&MD5=.* Size: .*
+Upload file: .* to http:\/\/badhostname.invalid\?FileName=test-site___test-build-name___.*-Experimental___XML___RunCMakeTest.cmake&MD5=.* Size: .*

Tests/RunCMake/ctest_submit/FailDrop-TLSVerify-OFF-result.txt

@@ -0,0 +1 @@
+(-1|255)

Tests/RunCMake/ctest_submit/FailDrop-TLSVerify-OFF-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/FailDrop-TLSVerify-OFF-stdout.txt

@@ -0,0 +1,4 @@
+SetCTestConfiguration from CMAKE_TLS_VERIFY:TLSVerify:OFF
+SetCTestConfiguration:TLSVerify:OFF
+.*
+  Set CURLOPT_SSL_VERIFYPEER to off

Tests/RunCMake/ctest_submit/FailDrop-TLSVerify-ON-result.txt

@@ -0,0 +1 @@
+(-1|255)

Tests/RunCMake/ctest_submit/FailDrop-TLSVerify-ON-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/FailDrop-TLSVerify-ON-stdout.txt

@@ -0,0 +1,4 @@
+SetCTestConfigurationFromCMakeVariable:TLSVerify:CTEST_TLS_VERIFY
+SetCTestConfiguration:TLSVerify:ON
+.*
+  Set CURLOPT_SSL_VERIFYPEER to on

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-cmake-result.txt

@@ -0,0 +1 @@
+(-1|255)

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-cmake-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-cmake-stdout.txt

@@ -0,0 +1,4 @@
+SetCTestConfiguration from CMAKE_TLS_VERSION:TLSVersion:1\.1
+SetCTestConfiguration:TLSVersion:1\.1
+.*
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-env-result.txt

@@ -0,0 +1 @@
+(-1|255)

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-env-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-env-stdout.txt

@@ -0,0 +1,4 @@
+SetCTestConfiguration from ENV{CMAKE_TLS_VERSION}:TLSVersion:1\.1
+SetCTestConfiguration:TLSVersion:1\.1
+.*
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-result.txt

@@ -0,0 +1 @@
+(-1|255)

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stdout.txt

@@ -0,0 +1,4 @@
+SetCTestConfigurationFromCMakeVariable:TLSVersion:CTEST_TLS_VERSION
+SetCTestConfiguration:TLSVersion:1\.1
+.*
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

Tests/RunCMake/ctest_submit/FailDrop-http-stderr.txt

@@ -1,2 +1,2 @@
-Error message was: ([Cc]ould *n.t resolve host:? '?-no-site-'?.*|The requested URL returned error:.*)
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?.*|The requested URL returned error:.*)
    Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/FailDrop-http-stdout.txt

@@ -1,2 +1,2 @@
 Submit files
-   SubmitURL: http://-no-site-
+   SubmitURL: http://badhostname.invalid

Tests/RunCMake/ctest_submit/FailDrop-https-stderr.txt

@@ -1,2 +1,2 @@
-Error message was: ([Cc]ould *n.t resolve host:? '?-no-site-'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
    Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/FailDrop-https-stdout.txt

@@ -1,2 +1,2 @@
 Submit files
-   SubmitURL: https://-no-site-
+   SubmitURL: https://badhostname.invalid

Tests/RunCMake/ctest_submit/PARTSDone-stderr.txt

@@ -1,3 +1,3 @@
  *Error when uploading file: .*/Done.xml
- *Error message was: ([Cc]ould *n.t resolve host:? '?-no-site-'?.*|The requested URL returned error:.*)
+ *Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?.*|The requested URL returned error:.*)
  *Problems when submitting via HTTP

Tests/RunCMake/ctest_submit/RunCMakeTest.cmake

@@ -2,9 +2,13 @@ include(RunCTest)
 
 # Default case parameters.
 set(CASE_DROP_METHOD "http")
-set(CASE_DROP_SITE "-no-site-")
+set(CASE_DROP_SITE "badhostname.invalid")
 set(CASE_CTEST_SUBMIT_ARGS "")
+set(CASE_TEST_PREFIX_CODE "")
 
+# Do not use any proxy for lookup of an invalid site.
+# DNS failure by proxy looks different than DNS failure without proxy.
+set(ENV{no_proxy} "$ENV{no_proxy},badhostname.invalid")
 
 function(run_ctest_submit CASE_NAME)
   set(CASE_CTEST_SUBMIT_ARGS "${ARGN}")
@@ -51,3 +55,18 @@ endfunction()
 
 run_ctest_submit_FailDrop(http)
 run_ctest_submit_FailDrop(https)
+block()
+  set(CASE_DROP_METHOD "https")
+  set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERSION 1.1)")
+  run_ctest(FailDrop-TLSVersion-1.1 -VV)
+  set(CASE_TEST_PREFIX_CODE "set(CMAKE_TLS_VERSION 1.1)") # Test fallback to CMake variable.
+  run_ctest(FailDrop-TLSVersion-1.1-cmake -VV)
+  set(ENV{CMAKE_TLS_VERSION} 1.1) # Test fallback to env variable.
+  set(CASE_TEST_PREFIX_CODE "")
+  run_ctest(FailDrop-TLSVersion-1.1-env -VV)
+  unset(ENV{CMAKE_TLS_VERSION})
+  set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERIFY ON)")
+  run_ctest(FailDrop-TLSVerify-ON -VV)
+  set(CASE_TEST_PREFIX_CODE "set(CMAKE_TLS_VERIFY OFF)") # Test fallback to CMake variable.
+  run_ctest(FailDrop-TLSVerify-OFF -VV)
+endblock()

Tests/RunCMake/ctest_submit/test.cmake.in

@@ -1,4 +1,5 @@
 cmake_minimum_required(VERSION 3.5)
+@CASE_TEST_PREFIX_CODE@
 
 set(CTEST_SITE                          "test-site")
 set(CTEST_BUILD_NAME                    "test-build-name")