author | Brad King <brad.king@kitware.com> | 2024-09-27 12:02:13 (GMT) |
---|---|---|
committer | Kitware Robot <kwrobot@kitware.com> | 2024-09-27 12:03:01 (GMT) |
commit | f7e2422c3e4361053d1ad9f1e009d3f078aa7b03 (patch) | |
tree | 7a117808bbfcf9bc2b5cd1751e4c831c5bc635d7 | |
parent | 5701ba7484a917c11e256e0a7a95ccad1ee1acbc (diff) | |
parent | 38390245a2ceebe6ece3859e887442b8cce01297 (diff) | |
Merge topic 'curl-tls-version'
38390245a2 ctest: Require minimum TLS 1.2 by default
5e1a59dc2b file(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default
Acked-by: Kitware Robot <kwrobot@kitware.com>
Acked-by: buildbot <buildbot@kitware.com>
Merge-request: !9848
-rw-r--r-- | Help/command/file.rst | 4 | ||||
-rw-r--r-- | Help/manual/ctest.1.rst | 4 | ||||
-rw-r--r-- | Help/release/dev/curl-tls-version.rst | 10 | ||||
-rw-r--r-- | Help/variable/CMAKE_TLS_VERSION.rst | 5 | ||||
-rw-r--r-- | Source/CTest/cmCTestCurl.cxx | 4 | ||||
-rw-r--r-- | Source/cmFileCommand.cxx | 17 | ||||
-rw-r--r-- | Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt | 2 | ||||
-rw-r--r-- | Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt | 2 | ||||
-rw-r--r-- | Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt | 1 | ||||
-rw-r--r-- | Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake | 10 |
10 files changed, 51 insertions, 8 deletions
diff --git a/Help/command/file.rst b/Help/command/file.rst index 40689c9..890bdf4 100644 --- a/Help/command/file.rst +++ b/Help/command/file.rst @@ -811,6 +811,10 @@ Transfer environment variable will be used instead. See :variable:`CMAKE_TLS_VERSION` for allowed values. + .. versionchanged:: 3.31 + The default is TLS 1.2. + Previously, no minimum version was enforced by default. + ``TLS_VERIFY <ON|OFF>`` Specify whether to verify the server certificate for ``https://`` URLs. If this option is not specified, the value of the diff --git a/Help/manual/ctest.1.rst b/Help/manual/ctest.1.rst index 4793ef5..9281339 100644 --- a/Help/manual/ctest.1.rst +++ b/Help/manual/ctest.1.rst @@ -1560,6 +1560,10 @@ Configuration settings include: * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION` * :module:`CTest` module variable: ``CTEST_TLS_VERSION`` + .. versionchanged:: 3.31 + The default is TLS 1.2. + Previously, no minimum version was enforced by default. + ``TLSVerify`` .. versionadded:: 3.30 diff --git a/Help/release/dev/curl-tls-version.rst b/Help/release/dev/curl-tls-version.rst new file mode 100644 index 0000000..ea142b3 --- /dev/null +++ b/Help/release/dev/curl-tls-version.rst @@ -0,0 +1,10 @@ +curl-tls-version +---------------- + +* The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now + require TLS 1.2 or higher for connections to ``https://`` URLs by default. + See the :variable:`CMAKE_TLS_VERSION` variable for details. + +* The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>` + step now require TLS 1.2 or higher for connections to ``https://`` URLs by + default. See the :variable:`CTEST_TLS_VERSION` variable for details. diff --git a/Help/variable/CMAKE_TLS_VERSION.rst b/Help/variable/CMAKE_TLS_VERSION.rst index 3e7f2ce..ff0918b 100644 --- a/Help/variable/CMAKE_TLS_VERSION.rst +++ b/Help/variable/CMAKE_TLS_VERSION.rst 
@@ -7,6 +7,11 @@ Specify the default value for the :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands' ``TLS_VERSION`` option. If this variable is not set, the commands check the :envvar:`CMAKE_TLS_VERSION` environment variable. +If neither is set, the default is TLS 1.2. + +.. versionchanged:: 3.31 + The default is TLS 1.2. + Previously, no minimum version was enforced by default. The value may be one of: diff --git a/Source/CTest/cmCTestCurl.cxx b/Source/CTest/cmCTestCurl.cxx index d9dc3b2..b203a51 100644 --- a/Source/CTest/cmCTestCurl.cxx +++ b/Source/CTest/cmCTestCurl.cxx @@ -16,6 +16,7 @@ namespace { const bool TLS_VERIFY_DEFAULT = true; +const int TLS_VERSION_DEFAULT = CURL_SSLVERSION_TLSv1_2; } cmCTestCurl::cmCTestCurl(cmCTest* ctest) @@ -65,6 +66,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest) { this->TLSVersionOpt = cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion")); + if (!this->TLSVersionOpt.has_value()) { + this->TLSVersionOpt = TLS_VERSION_DEFAULT; + } std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify"); if (!tlsVerify.empty()) { diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx index 30d92ca..92e6b3e 100644 --- a/Source/cmFileCommand.cxx +++ b/Source/cmFileCommand.cxx @@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector<std::string> const& args, #if !defined(CMAKE_BOOTSTRAP) const bool TLS_VERIFY_DEFAULT = true; +const std::string TLS_VERSION_DEFAULT = "1.2"; // Stuff for curl download/upload using cmFileCommandVectorOfChar = std::vector<char>; @@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector<std::string> const& args, tlsVersionOpt = std::move(v); } } + bool tlsVersionDefaulted = false; + if (!tlsVersionOpt.has_value()) { + tlsVersionOpt = TLS_VERSION_DEFAULT; + tlsVersionDefaulted = true; + } // Can't calculate hash if we don't save the file. // TODO Incrementally calculate hash in the write callback as the file is 
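Review bot: The default applied in the cmCTestCurlOpts constructor hunk (`this->TLSVersionOpt = TLS_VERSION_DEFAULT;`) keeps no record that the value was defaulted rather than configured, unlike the `tlsVersionDefaulted` flag the same topic adds in cmFileCommand.cxx, where a `CURLE_NOT_BUILT_IN` result is tolerated only for the implicit default. The place where `TLSVersionOpt` is handed to `curl_easy_setopt` is outside this hunk, so I cannot tell from here whether a curl whose TLS backend rejects `CURLOPT_SSLVERSION` now fails every submit because of a floor the user never asked for, or silently proceeds without one. Either way the added constant deserves a comment, e.g. `// Minimum TLS version when CTEST_TLS_VERSION / TLSVersion is not configured; keep in step with the file(DOWNLOAD) default in cmFileCommand.cxx.`, and if the setopt failure is fatal on that path, the same defaulted-only tolerance the file() commands get. The constructor body continues past the end of the hunk.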
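Review bot: In the @@ -1741 hunk, `const std::string TLS_VERSION_DEFAULT = "1.2";` is a namespace-scope `std::string`, so it is dynamically initialised at startup next to a `TLS_VERIFY_DEFAULT` that is constant-initialised; `static const char TLS_VERSION_DEFAULT[] = "1.2";` would be constant-initialised and, if `tlsVersionOpt` is the `cm::optional<std::string>` it appears to be, still assigns in the later hunks. The default is also expressed differently from the `CURL_SSLVERSION_TLSv1_2` enum used for the same purpose in cmCTestCurl.cxx, which means the file() path re-parses the literal through `cmCurlParseTLSVersion` on every transfer. If the string form is deliberate (it is what the `cannot set TLS/SSL version` message prints), a one-line comment saying so, e.g. `// Kept as the user-facing spelling so diagnostics print it verbatim.`, would spare the next reader the question.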
@@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector<std::string> const& args, if (tlsVersionOpt.has_value()) { if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) { res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v); + if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) { + res = CURLE_OK; + } check_curl_result(res, cmStrCat("DOWNLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": ")); @@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector<std::string> const& args, tlsVersionOpt = std::move(v); } } + bool tlsVersionDefaulted = false; + if (!tlsVersionOpt.has_value()) { + tlsVersionOpt = TLS_VERSION_DEFAULT; + tlsVersionDefaulted = true; + } // Open file for reading: // @@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector<std::string> const& args, if (tlsVersionOpt.has_value()) { if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) { res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v); + if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) { + res = CURLE_OK; + } check_curl_result( res, cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": ")); diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt index 730cf59..3632a61 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt @@ -1,4 +1,4 @@ --- def-1\.1: 0;"No error" +-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.1: 0;"No error" -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt index 730cf59..3632a61 100644 
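Review bot: The added `if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) { res = CURLE_OK; }` quietly drops the minimum-version requirement whenever curl's TLS backend cannot honour `CURLOPT_SSLVERSION`, so on such a build the transfer proceeds with no TLS floor while the documentation hunks in this same commit state unconditionally that the default is TLS 1.2; the @@ -2603 hunk in HandleUploadCommand has the identical branch. Tolerating the failure for the implicit default, and only for it, is a defensible compatibility choice, but it should be visible rather than silent: at minimum a comment such as `// The minimum was not requested explicitly; a backend that cannot enforce it must not break the transfer, but the floor is then not applied.` on the branch, and preferably a status message so a user can see that the documented floor was not enforced. The `CMAKE_TLS_VERSION.rst` hunk could carry the same caveat in one sentence. Which reporting mechanism is available to this function is outside the hunk; HandleDownloadCommand begins and ends outside it.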
--- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt @@ -1,4 +1,4 @@ --- def-1\.1: 0;"No error" +-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.1: 0;"No error" -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt index 34d99d1..ce313ed 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt @@ -1,3 +1,4 @@ +-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake index 106fe44..51cb8f2 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake @@ -19,12 +19,10 @@ else() set(TEST_TLSv1_1 0) endif() -if(TEST_TLSv1_1) - # The default is to allow 1.1. - unset(ENV{CMAKE_TLS_VERSION}) - unset(CMAKE_TLS_VERSION) - download(def-1.1) -endif() +# The default is to require 1.2. +unset(ENV{CMAKE_TLS_VERSION}) +unset(CMAKE_TLS_VERSION) +download(def-1.2) # The environment variable overrides the default. set(ENV{CMAKE_TLS_VERSION} 1.2) |