file(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default

Fixes: #25701

Help/command/file.rst

@@ -811,6 +811,10 @@ Transfer
       environment variable will be used instead.
       See :variable:`CMAKE_TLS_VERSION` for allowed values.
 
+      .. versionchanged:: 3.31
+        The default is TLS 1.2.
+        Previously, no minimum version was enforced by default.
+
     ``TLS_VERIFY <ON|OFF>``
       Specify whether to verify the server certificate for ``https://`` URLs.
       If this option is not specified, the value of the

Help/release/dev/curl-tls-version.rst

@@ -0,0 +1,6 @@
+curl-tls-version
+----------------
+
+* The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now
+  require TLS 1.2 or higher for connections to ``https://`` URLs by default.
+  See the :variable:`CMAKE_TLS_VERSION` variable for details.

Help/variable/CMAKE_TLS_VERSION.rst

@@ -7,6 +7,11 @@ Specify the default value for the :command:`file(DOWNLOAD)` and
 :command:`file(UPLOAD)` commands' ``TLS_VERSION`` option.
 If this variable is not set, the commands check the
 :envvar:`CMAKE_TLS_VERSION` environment variable.
+If neither is set, the default is TLS 1.2.
+
+.. versionchanged:: 3.31
+  The default is TLS 1.2.
+  Previously, no minimum version was enforced by default.
 
 The value may be one of:
 

Source/cmFileCommand.cxx

@@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector<std::string> const& args,
 #if !defined(CMAKE_BOOTSTRAP)
 
 const bool TLS_VERIFY_DEFAULT = true;
+const std::string TLS_VERSION_DEFAULT = "1.2";
 
 // Stuff for curl download/upload
 using cmFileCommandVectorOfChar = std::vector<char>;
@@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
       tlsVersionOpt = std::move(v);
     }
   }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }
 
   // Can't calculate hash if we don't save the file.
   // TODO Incrementally calculate hash in the write callback as the file is
@@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
   if (tlsVersionOpt.has_value()) {
     if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
       res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
       check_curl_result(res,
                         cmStrCat("DOWNLOAD cannot set TLS/SSL version ",
                                  *tlsVersionOpt, ": "));
@@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
       tlsVersionOpt = std::move(v);
     }
   }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }
 
   // Open file for reading:
   //
@@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
   if (tlsVersionOpt.has_value()) {
     if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
       res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
       check_curl_result(
         res,
         cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": "));

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt

@@ -1,4 +1,4 @@
--- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt

@@ -1,4 +1,4 @@
--- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt

@@ -1,3 +1,4 @@
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")

Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake

@@ -19,12 +19,10 @@ else()
   set(TEST_TLSv1_1 0)
 endif()
 
-if(TEST_TLSv1_1)
-  # The default is to allow 1.1.
-  unset(ENV{CMAKE_TLS_VERSION})
-  unset(CMAKE_TLS_VERSION)
-  download(def-1.1)
-endif()
+# The default is to require 1.2.
+unset(ENV{CMAKE_TLS_VERSION})
+unset(CMAKE_TLS_VERSION)
+download(def-1.2)
 
 # The environment variable overrides the default.
 set(ENV{CMAKE_TLS_VERSION} 1.2)