
ctest: Add explicit options for TLS version

Add a dedicated `TLSVersion` ctest option and a `CTEST_TLS_VERSION`
variable to control it.

Issue: #25701
Brad King il y a 1 an
Parent
commit
6671f17f65

+ 1 - 0
Help/manual/cmake-variables.7.rst

@@ -729,6 +729,7 @@ Variables for CTest
    /variable/CTEST_TEST_LOAD
    /variable/CTEST_TEST_TIMEOUT
    /variable/CTEST_TLS_VERIFY
+   /variable/CTEST_TLS_VERSION
    /variable/CTEST_UPDATE_COMMAND
    /variable/CTEST_UPDATE_OPTIONS
    /variable/CTEST_UPDATE_VERSION_ONLY

+ 9 - 0
Help/manual/ctest.1.rst

@@ -1551,6 +1551,15 @@ Configuration settings include:
   * `CTest Script`_ variable: :variable:`CTEST_SUBMIT_INACTIVITY_TIMEOUT`
   * :module:`CTest` module variable: ``CTEST_SUBMIT_INACTIVITY_TIMEOUT``
 
+``TLSVersion``
+  .. versionadded:: 3.30
+
+  Specify a minimum TLS version allowed when submitting to a dashboard
+  via ``https://`` URLs.
+
+  * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION`
+  * :module:`CTest` module variable: ``CTEST_TLS_VERSION``
+
 ``TLSVerify``
   .. versionadded:: 3.30
 

+ 3 - 2
Help/release/dev/curl-tls-version.rst

@@ -17,5 +17,6 @@ curl-tls-version
   to ``https://`` URLs.
 
 * The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
-  step gained a ``TLSVerify`` option to control negotiation with
-  ``https://`` URLs.  See the :variable:`CTEST_TLS_VERIFY` variable.
+  step gained ``TLSVersion`` and ``TLSVerify`` options to control negotiation
+  with ``https://`` URLs.  See the :variable:`CTEST_TLS_VERSION` and
+  :variable:`CTEST_TLS_VERIFY` variables.

+ 13 - 0
Help/variable/CTEST_TLS_VERSION.rst

@@ -0,0 +1,13 @@
+CTEST_TLS_VERSION
+-----------------
+
+.. versionadded:: 3.30
+
+Specify the CTest ``TLSVersion`` setting in a :manual:`ctest(1)`
+:ref:`Dashboard Client` script or in project ``CMakeLists.txt`` code
+before including the :module:`CTest` module.  The value is a minimum
+TLS version allowed when submitting to a dashboard via ``https://`` URLs.
+
+The value may be one of:
+
+.. include:: CMAKE_TLS_VERSION-VALUES.txt

+ 1 - 0
Modules/DartConfiguration.tcl.in

@@ -96,6 +96,7 @@ TimeOut: @DART_TESTING_TIMEOUT@
 TestLoad: @CTEST_TEST_LOAD@
 
 TLSVerify: @CTEST_TLS_VERIFY@
+TLSVersion: @CTEST_TLS_VERSION@
 
 UseLaunchers: @CTEST_USE_LAUNCHERS@
 CurlOptions: @CTEST_CURL_OPTIONS@

+ 7 - 0
Source/CTest/cmCTestCurl.cxx

@@ -58,6 +58,9 @@ size_t curlDebugCallback(CURL* /*unused*/, curl_infotype /*unused*/,
 
 cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
 {
+  this->TLSVersionOpt =
+    cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion"));
+
   std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
   if (!tlsVerify.empty()) {
     this->TLSVerifyOpt = cmIsOn(tlsVerify);
@@ -80,6 +83,10 @@ bool cmCTestCurl::InitCurl()
     return false;
   }
   cmCurlSetCAInfo(this->Curl);
+  if (this->CurlOpts.TLSVersionOpt) {
+    curl_easy_setopt(this->Curl, CURLOPT_SSLVERSION,
+                     *this->CurlOpts.TLSVersionOpt);
+  }
   if (this->CurlOpts.TLSVerifyOpt) {
     curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYPEER,
                      *this->CurlOpts.TLSVerifyOpt ? 1 : 0);
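Review bot: A `TLSVersion` value that does not parse appears to be dropped silently in the `cmCTestCurlOpts` constructor, because the result of `cmCurlParseTLSVersion` is stored directly and `InitCurl` (like `SubmitUsingHTTP` in cmCTestSubmitHandler.cxx) skips `CURLOPT_SSLVERSION` whenever the optional is empty. Assuming the parser returns an empty optional for unrecognized strings (its definition is not on this page), a typo in `CTEST_TLS_VERSION` leaves the submission on libcurl's default minimum with no diagnostic, which is the opposite of what someone setting a floor expects. I would keep the raw string in a local and report the mismatch, e.g. `if (!tlsVersion.empty() && !this->TLSVersionOpt) { /* log an error naming the rejected value */ }`. The constructor body continues past the end of this hunk.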

+ 1 - 0
Source/CTest/cmCTestCurl.h

@@ -16,6 +16,7 @@ class cmCTest;
 struct cmCTestCurlOpts
 {
   cmCTestCurlOpts(cmCTest* ctest);
+  cm::optional<int> TLSVersionOpt;
   cm::optional<bool> TLSVerifyOpt;
   bool VerifyHostOff = false;
 };
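Review bot: `TLSVersionOpt` is a bare `cm::optional<int>` with no comment saying what the integer encodes or what an empty value means. From its use with `CURLOPT_SSLVERSION` elsewhere in this commit it holds a libcurl `CURL_SSLVERSION_*` constant treated as a minimum, so I would add `// Minimum TLS version as a CURL_SSLVERSION_* value; empty leaves libcurl's default.` above the member.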

+ 2 - 0
Source/CTest/cmCTestSubmitCommand.cxx

@@ -55,6 +55,8 @@ cmCTestGenericHandler* cmCTestSubmitCommand::InitializeHandler()
       this->Makefile, "DropLocation", "CTEST_DROP_LOCATION", this->Quiet);
   }
 
+  this->CTest->SetCTestConfigurationFromCMakeVariable(
+    this->Makefile, "TLSVersion", "CTEST_TLS_VERSION", this->Quiet);
   this->CTest->SetCTestConfigurationFromCMakeVariable(
     this->Makefile, "TLSVerify", "CTEST_TLS_VERIFY", this->Quiet);
   this->CTest->SetCTestConfigurationFromCMakeVariable(

+ 10 - 0
Source/CTest/cmCTestSubmitHandler.cxx

@@ -178,6 +178,16 @@ bool cmCTestSubmitHandler::SubmitUsingHTTP(
     curl = curl_easy_init();
     if (curl) {
       cmCurlSetCAInfo(curl);
+      if (curlOpts.TLSVersionOpt) {
+        cm::optional<std::string> tlsVersionStr =
+          cmCurlPrintTLSVersion(*curlOpts.TLSVersionOpt);
+        cmCTestOptionalLog(
+          this->CTest, HANDLER_VERBOSE_OUTPUT,
+          "  Set CURLOPT_SSLVERSION to "
+            << (tlsVersionStr ? *tlsVersionStr : "unknown value") << "\n",
+          this->Quiet);
+        curl_easy_setopt(curl, CURLOPT_SSLVERSION, *curlOpts.TLSVersionOpt);
+      }
       if (curlOpts.TLSVerifyOpt) {
         cmCTestOptionalLog(this->CTest, HANDLER_VERBOSE_OUTPUT,
                            "  Set CURLOPT_SSL_VERIFYPEER to "
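Review bot: The return value of `curl_easy_setopt(curl, CURLOPT_SSLVERSION, ...)` is ignored here, and the verbose line `Set CURLOPT_SSLVERSION to ...` is written before the call, so the log reports the minimum as applied even if libcurl refuses the option (for example in a build without TLS support, which the expected-stderr pattern anticipates). The same unchecked call is in `cmCTestCurl::InitCurl` in cmCTestCurl.cxx. The new FailDrop-TLSVersion-1.1 expectations match only on that log line and the submission appears to fail before any handshake, so they would still pass in that case. I would check the result and stop the upload rather than continue with a weaker floor, e.g. `if (curl_easy_setopt(curl, CURLOPT_SSLVERSION, *curlOpts.TLSVersionOpt) != CURLE_OK) { /* log and abort this upload */ }`. `SubmitUsingHTTP` starts and ends outside this hunk.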

+ 1 - 0
Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-result.txt

@@ -0,0 +1 @@
+[^0]

+ 2 - 0
Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

+ 1 - 0
Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1-ctest-stdout.txt

@@ -0,0 +1 @@
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

+ 1 - 0
Tests/RunCMake/CTestCommandLine/FailDrop-TLSVersion-1.1.cmake

@@ -0,0 +1 @@
+include(FailDrop-common.cmake)

+ 1 - 0
Tests/RunCMake/CTestCommandLine/RunCMakeTest.cmake

@@ -496,6 +496,7 @@ function(run_FailDrop case)
     ${CMAKE_CTEST_COMMAND} -M Experimental -T Submit -VV
     )
 endfunction()
+run_FailDrop(TLSVersion-1.1 -DCTEST_TLS_VERSION=1.1)
 run_FailDrop(TLSVerify-ON -DCTEST_TLS_VERIFY=ON)
 run_FailDrop(TLSVerify-OFF -DCTEST_TLS_VERIFY=OFF)
 

+ 1 - 0
Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-result.txt

@@ -0,0 +1 @@
+(-1|255)

+ 2 - 0
Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stderr.txt

@@ -0,0 +1,2 @@
+Error message was: ([Cc]ould *n.t resolve host:? '?badhostname.invalid'?|The requested URL returned error:|Protocol "https" (not supported or disabled|not supported|disabled)|.* was built with SSL disabled).*
+   Problems when submitting via HTTP

+ 4 - 0
Tests/RunCMake/ctest_submit/FailDrop-TLSVersion-1.1-stdout.txt

@@ -0,0 +1,4 @@
+SetCTestConfigurationFromCMakeVariable:TLSVersion:CTEST_TLS_VERSION
+SetCTestConfiguration:TLSVersion:1\.1
+.*
+  Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_1

+ 2 - 0
Tests/RunCMake/ctest_submit/RunCMakeTest.cmake

@@ -57,6 +57,8 @@ run_ctest_submit_FailDrop(http)
 run_ctest_submit_FailDrop(https)
 block()
   set(CASE_DROP_METHOD "https")
+  set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERSION 1.1)")
+  run_ctest(FailDrop-TLSVersion-1.1 -VV)
   set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERIFY ON)")
   run_ctest(FailDrop-TLSVerify-ON -VV)
   set(CASE_TEST_PREFIX_CODE "set(CTEST_TLS_VERIFY OFF)")