
Tests/RunCMake/file-DOWNLOAD: Add case covering TLS_VERSION values

Brad King 1 年間 前
コミット
5d2ea8371d

+ 1 - 0
.gitlab/ci/configure_debian12_aarch64_ninja.cmake

@@ -100,6 +100,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 set(CMake_TEST_UseSWIG "ON" CACHE BOOL "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_external_test.cmake")
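Review bot: The new `CMake_TEST_TLS_VERSION_URL_BAD` value points at `tls-v1-1.badssl.com`, whereas the two neighbouring TLS test URLs are on kitware.com hosts. The TLS_VERSION-bad case therefore depends on the availability, certificate validity and protocol configuration of an endpoint that, as far as this page shows, the project does not operate. A short comment above the line stating the contract would help whoever has to replace the host later, e.g. `# Must be an HTTPS server with a verifiable certificate that negotiates TLS 1.1 at most.` The same line is added in the other nine `.gitlab/ci/configure_*.cmake` files in this commit, so the comment applies there too.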

+ 1 - 0
.gitlab/ci/configure_debian12_ninja_common.cmake

@@ -108,6 +108,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 if (NOT "$ENV{SWIFTC}" STREQUAL "")
   set(CMAKE_Swift_COMPILER "$ENV{SWIFTC}" CACHE FILEPATH "")

+ 1 - 0
.gitlab/ci/configure_fedora40_makefiles.cmake

@@ -111,6 +111,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 set(CMake_TEST_UseSWIG "ON" CACHE BOOL "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_external_test.cmake")

+ 1 - 0
.gitlab/ci/configure_fedora40_ninja.cmake

@@ -6,6 +6,7 @@ set(CMake_TEST_MODULE_COMPILATION "named,compile_commands,collation,partitions,i
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 # "Release" flags without "-DNDEBUG" so we get assertions.
 set(CMAKE_C_FLAGS_RELEASE "-O3" CACHE STRING "")

+ 1 - 0
.gitlab/ci/configure_macos_arm64_curl.cmake

@@ -4,6 +4,7 @@ set(CMAKE_USE_SYSTEM_CURL "OFF" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

+ 1 - 0
.gitlab/ci/configure_macos_arm64_ninja.cmake

@@ -9,6 +9,7 @@ set(CMake_TEST_GUI "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

+ 1 - 0
.gitlab/ci/configure_macos_x86_64_makefiles.cmake

@@ -9,6 +9,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

+ 1 - 0
.gitlab/ci/configure_macos_x86_64_ninja.cmake

@@ -12,6 +12,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")

+ 1 - 0
.gitlab/ci/configure_windows_arm64_vs2022_ninja.cmake

@@ -6,6 +6,7 @@ set(CMAKE_PREFIX_PATH "" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_msvc_cxx_modules_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_wix_common.cmake")

+ 1 - 0
.gitlab/ci/configure_windows_vs2022_x64_ninja.cmake

@@ -12,6 +12,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_msvc_cxx_modules_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_wix_common.cmake")

+ 1 - 0
Tests/RunCMake/CMakeLists.txt

@@ -599,6 +599,7 @@ foreach(var
     CMake_TEST_TLS_VERIFY_URL
     CMake_TEST_TLS_VERIFY_URL_BAD
     CMake_TEST_TLS_VERSION
+    CMake_TEST_TLS_VERSION_URL_BAD
     )
   if(DEFINED ${var})
     list(APPEND file-DOWNLOAD_ARGS -D${var}=${${var}})

+ 3 - 0
Tests/RunCMake/file-DOWNLOAD/RunCMakeTest.cmake

@@ -30,6 +30,9 @@ endif()
 if(CMake_TEST_TLS_VERIFY_URL_BAD)
   run_cmake_with_options(TLS_VERIFY-bad -Durl=${CMake_TEST_TLS_VERIFY_URL_BAD})
 endif()
+if(CMake_TEST_TLS_VERSION_URL_BAD)
+  run_cmake_with_options(TLS_VERSION-bad -Durl=${CMake_TEST_TLS_VERSION_URL_BAD})
+endif()
 
 if(CMake_TEST_TLS_VERIFY_URL)
   run_cmake_with_options(TLS_VERIFY-good -Durl=${CMake_TEST_TLS_VERIFY_URL})

+ 7 - 0
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt

@@ -0,0 +1,7 @@
+-- def-1\.1: 0;"No error"
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- env-1\.1: 0;"No error"
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.1: 0;"No error"
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.1: 0;"No error"

+ 7 - 0
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt

@@ -0,0 +1,7 @@
+-- def-1\.1: 0;"No error"
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- env-1\.1: 0;"No error"
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.1: 0;"No error"
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.1: 0;"No error"

+ 3 - 0
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt

@@ -0,0 +1,3 @@
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
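Review bot: Each expected line accepts status 60 (a certificate failure) as well as 35, so on the platforms that use this file a certificate problem on the remote host would satisfy the test without showing that the 1.2 floor was enforced. The darwin and windows variants are partly protected because their `1.1` lines require `0;"No error"` with verification on, but this file has no such line. If 60 is only needed for the OS-native TLS backends (not visible here), this file could accept `35;"SSL connect error"` alone.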

+ 55 - 0
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake

@@ -0,0 +1,55 @@
+function(download case)
+  # URL with semantics like https://tls-v1-1.badssl.com:1011 is provided by caller
+  file(DOWNLOAD ${url} ${ARGN} STATUS status LOG log)
+  message(STATUS "${case}: ${status}")
+  if(case MATCHES "1\\.2$" AND NOT status MATCHES "^(35|60);")
+    message("${log}")
+  endif()
+endfunction()
+
+set(CMAKE_TLS_VERIFY 1)
+
+if(CMAKE_HOST_WIN32 OR CMAKE_HOST_APPLE)
+  # The OS-native TLS implementations support TLS 1.1.
+  set(TEST_TLSv1_1 1)
+else()
+  # OpenSSL 3.1+ does not support TLS 1.1 or older without setting
+  # the security level to 0, which curl (correctly) does not do.
+  # https://openssl-library.org/news/openssl-3.1-notes/index.html#major-changes-between-openssl-30-and-openssl-310-14-mar-2023
+  set(TEST_TLSv1_1 0)
+endif()
+
+if(TEST_TLSv1_1)
+  # The default is to allow 1.1.
+  unset(ENV{CMAKE_TLS_VERSION})
+  unset(CMAKE_TLS_VERSION)
+  download(def-1.1)
+endif()
+
+# The environment variable overrides the default.
+set(ENV{CMAKE_TLS_VERSION} 1.2)
+download(env-1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.1)
+  download(env-1.1)
+endif()
+
+# The cmake variable overrides the environment variable.
+set(ENV{CMAKE_TLS_VERSION} 1.1)
+set(CMAKE_TLS_VERSION 1.2)
+download(var-1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.2)
+  set(CMAKE_TLS_VERSION 1.1)
+  download(var-1.1)
+endif()
+
+# The explicit argument overrides the cmake variable and the environment variable.
+set(ENV{CMAKE_TLS_VERSION} 1.1)
+set(CMAKE_TLS_VERSION 1.1)
+download(opt-1.2 TLS_VERSION 1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.2)
+  set(CMAKE_TLS_VERSION 1.2)
+  download(opt-1.1 TLS_VERSION 1.1)
+endif()
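Review bot: In `download()`, the curl log is printed only when a `1.2` case returns something other than 35 or 60, so a `1.1` case that unexpectedly fails prints just its status and leaves no handshake detail in CI. The condition could cover both expectations: `if((case MATCHES "1\\.2$" AND NOT status MATCHES "^(35|60);") OR (case MATCHES "1\\.1$" AND NOT status MATCHES "^0;"))`. The `file(DOWNLOAD ...)` call also sets no `TIMEOUT` or `INACTIVITY_TIMEOUT`, so an unresponsive external host can stall the job instead of failing it. Separately, `TEST_TLSv1_1` is keyed on the host OS while the comments describe the TLS backend; a Windows or macOS build whose curl is linked against OpenSSL would presumably fail the `1.1` cases, which deserves a comment or a backend-based check.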