ctest: Require minimum TLS 1.2 by default

Issue: #25701

3 files changed, 12 insertions, 0 deletions

diff --git a/Help/manual/ctest.1.rst b/Help/manual/ctest.1.rst
index 4793ef5..9281339 100644
--- a/Help/manual/ctest.1.rst
+++ b/Help/manual/ctest.1.rst
@@ -1560,6 +1560,10 @@ Configuration settings include:
   * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION`
   * :module:`CTest` module variable: ``CTEST_TLS_VERSION``
 
+  .. versionchanged:: 3.31
+    The default is TLS 1.2.
+    Previously, no minimum version was enforced by default.
+
 ``TLSVerify``
   .. versionadded:: 3.30
 
diff --git a/Help/release/dev/curl-tls-version.rst b/Help/release/dev/curl-tls-version.rst
index 0f3cc3a..ea142b3 100644
--- a/Help/release/dev/curl-tls-version.rst
+++ b/Help/release/dev/curl-tls-version.rst
@@ -4,3 +4,7 @@ curl-tls-version
 * The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now
   require TLS 1.2 or higher for connections to ``https://`` URLs by default.
   See the :variable:`CMAKE_TLS_VERSION` variable for details.
+
+* The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
+  step now require TLS 1.2 or higher for connections to ``https://`` URLs by
+  default.  See the :variable:`CTEST_TLS_VERSION` variable for details.
diff --git a/Source/CTest/cmCTestCurl.cxx b/Source/CTest/cmCTestCurl.cxx
index d9dc3b2..b203a51 100644
--- a/Source/CTest/cmCTestCurl.cxx
+++ b/Source/CTest/cmCTestCurl.cxx
@@ -16,6 +16,7 @@
 
 namespace {
 const bool TLS_VERIFY_DEFAULT = true;
+const int TLS_VERSION_DEFAULT = CURL_SSLVERSION_TLSv1_2;
 }
 
 cmCTestCurl::cmCTestCurl(cmCTest* ctest)
@@ -65,6 +66,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
 {
   this->TLSVersionOpt =
     cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion"));
+  if (!this->TLSVersionOpt.has_value()) {
+    this->TLSVersionOpt = TLS_VERSION_DEFAULT;
+  }
 
   std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
   if (!tlsVerify.empty()) {