
Merge topic 'curl-tls-version'

38390245a2 ctest: Require minimum TLS 1.2 by default
5e1a59dc2b file(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default

Acked-by: Kitware Robot <[email protected]>
Acked-by: buildbot <[email protected]>
Merge-request: !9848
Brad King 1 year ago
parent
commit
f7e2422c3e

+ 4 - 0
Help/command/file.rst

@@ -811,6 +811,10 @@ Transfer
       environment variable will be used instead.
       See :variable:`CMAKE_TLS_VERSION` for allowed values.
 
+      .. versionchanged:: 3.31
+        The default is TLS 1.2.
+        Previously, no minimum version was enforced by default.
+
     ``TLS_VERIFY <ON|OFF>``
       Specify whether to verify the server certificate for ``https://`` URLs.
       If this option is not specified, the value of the

+ 4 - 0
Help/manual/ctest.1.rst

@@ -1560,6 +1560,10 @@ Configuration settings include:
   * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION`
   * :module:`CTest` module variable: ``CTEST_TLS_VERSION``
 
+  .. versionchanged:: 3.31
+    The default is TLS 1.2.
+    Previously, no minimum version was enforced by default.
+
 ``TLSVerify``
   .. versionadded:: 3.30
 

+ 10 - 0
Help/release/dev/curl-tls-version.rst

@@ -0,0 +1,10 @@
+curl-tls-version
+----------------
+
+* The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now
+  require TLS 1.2 or higher for connections to ``https://`` URLs by default.
+  See the :variable:`CMAKE_TLS_VERSION` variable for details.
+
+* The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
+  step now require TLS 1.2 or higher for connections to ``https://`` URLs by
+  default.  See the :variable:`CTEST_TLS_VERSION` variable for details.

+ 5 - 0
Help/variable/CMAKE_TLS_VERSION.rst

@@ -7,6 +7,11 @@ Specify the default value for the :command:`file(DOWNLOAD)` and
 :command:`file(UPLOAD)` commands' ``TLS_VERSION`` option.
 If this variable is not set, the commands check the
 :envvar:`CMAKE_TLS_VERSION` environment variable.
+If neither is set, the default is TLS 1.2.
+
+.. versionchanged:: 3.31
+  The default is TLS 1.2.
+  Previously, no minimum version was enforced by default.
 
 The value may be one of:
 

+ 4 - 0
Source/CTest/cmCTestCurl.cxx

@@ -16,6 +16,7 @@
 
 namespace {
 const bool TLS_VERIFY_DEFAULT = true;
+const int TLS_VERSION_DEFAULT = CURL_SSLVERSION_TLSv1_2;
 }
 
 cmCTestCurl::cmCTestCurl(cmCTest* ctest)
@@ -65,6 +66,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
 {
   this->TLSVersionOpt =
     cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion"));
+  if (!this->TLSVersionOpt.has_value()) {
+    this->TLSVersionOpt = TLS_VERSION_DEFAULT;
+  }
 
   std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
   if (!tlsVerify.empty()) {
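Review bot: The CTest default assigned at `this->TLSVersionOpt = TLS_VERSION_DEFAULT;` records nothing equivalent to the `tlsVersionDefaulted` flag that cmFileCommand.cxx adds in the same merge, where a CURLE_NOT_BUILT_IN result from CURLOPT_SSLVERSION is tolerated only when the version came from the implicit default. The code that hands TLSVersionOpt to curl is outside this hunk, so confirm that a curl built without TLS-version selection does not now turn every submit into a hard failure where file(DOWNLOAD) would fall back; if the two paths are meant to differ, say so where the value is applied. A short comment on the constant, e.g. `// Minimum TLS version used when TLSVersion is not configured; mirrors CMAKE_TLS_VERSION's 1.2 default.`, would also document why this is an int (curl enum) while the file() path keeps the user-facing string. The cmCTestCurlOpts constructor continues past the end of the hunk.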

+ 17 - 0
Source/cmFileCommand.cxx

@@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector<std::string> const& args,
 #if !defined(CMAKE_BOOTSTRAP)
 
 const bool TLS_VERIFY_DEFAULT = true;
+const std::string TLS_VERSION_DEFAULT = "1.2";
 
 // Stuff for curl download/upload
 using cmFileCommandVectorOfChar = std::vector<char>;
@@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
       tlsVersionOpt = std::move(v);
     }
   }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }
 
   // Can't calculate hash if we don't save the file.
   // TODO Incrementally calculate hash in the write callback as the file is
@@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
   if (tlsVersionOpt.has_value()) {
     if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
       res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
       check_curl_result(res,
                         cmStrCat("DOWNLOAD cannot set TLS/SSL version ",
                                  *tlsVersionOpt, ": "));
@@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
       tlsVersionOpt = std::move(v);
     }
   }
+  bool tlsVersionDefaulted = false;
+  if (!tlsVersionOpt.has_value()) {
+    tlsVersionOpt = TLS_VERSION_DEFAULT;
+    tlsVersionDefaulted = true;
+  }
 
   // Open file for reading:
   //
@@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
   if (tlsVersionOpt.has_value()) {
     if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
       res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+      if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+        res = CURLE_OK;
+      }
       check_curl_result(
         res,
         cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": "));
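Review bot: The `if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) { res = CURLE_OK; }` branch in HandleDownloadCommand, and its twin in HandleUploadCommand, quietly give up the documented TLS 1.2 minimum on a curl that cannot select TLS versions, and nothing in the hunk records that decision. A comment such as `// curl built without TLS-version selection: accept this only for the implicit default, never for an explicit TLS_VERSION.` would make the contract clear, and if a verbose or debug channel is reachable here, reporting that no minimum is being enforced would keep the behaviour observable to the user. The defaulting blocks starting at `bool tlsVersionDefaulted = false;` are byte-identical in both handlers and could be a single helper returning the flag. After that defaulting, the enclosing `if (tlsVersionOpt.has_value())` around the setopt is always true, so the outer check is dead. Both handlers extend beyond the hunks shown.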

+ 1 - 1
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt

@@ -1,4 +1,4 @@
--- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")

+ 1 - 1
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt

@@ -1,4 +1,4 @@
--- def-1\.1: 0;"No error"
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.1: 0;"No error"
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")

+ 1 - 0
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt

@@ -1,3 +1,4 @@
+-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")

+ 4 - 6
Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake

@@ -19,12 +19,10 @@ else()
   set(TEST_TLSv1_1 0)
 endif()
 
-if(TEST_TLSv1_1)
-  # The default is to allow 1.1.
-  unset(ENV{CMAKE_TLS_VERSION})
-  unset(CMAKE_TLS_VERSION)
-  download(def-1.1)
-endif()
+# The default is to require 1.2.
+unset(ENV{CMAKE_TLS_VERSION})
+unset(CMAKE_TLS_VERSION)
+download(def-1.2)
 
 # The environment variable overrides the default.
 set(ENV{CMAKE_TLS_VERSION} 1.2)