5 files changed, 34 insertions, 0 deletions

diff --git a/Source/CTest/cmCTestCurl.cxx b/Source/CTest/cmCTestCurl.cxx
index 3a5806b..b8e5db1 100644
--- a/Source/CTest/cmCTestCurl.cxx
+++ b/Source/CTest/cmCTestCurl.cxx
@@ -19,6 +19,7 @@ cmCTestCurl::cmCTestCurl(cmCTest* ctest)
   , CurlOpts(ctest)
 {
   this->SetProxyType();
+  cmCurlInitOnce();
   // In windows, this will init the winsock stuff
   ::curl_global_init(CURL_GLOBAL_ALL);
   this->Curl = curl_easy_init();
diff --git a/Source/CTest/cmCTestSubmitHandler.cxx b/Source/CTest/cmCTestSubmitHandler.cxx
index e69a7fe..85c77be 100644
--- a/Source/CTest/cmCTestSubmitHandler.cxx
+++ b/Source/CTest/cmCTestSubmitHandler.cxx
@@ -171,6 +171,7 @@ bool cmCTestSubmitHandler::SubmitUsingHTTP(
     headers = ::curl_slist_append(headers, h.c_str());
   }
 
+  cmCurlInitOnce();
   /* In windows, this will init the winsock stuff */
   ::curl_global_init(CURL_GLOBAL_ALL);
   cmCTestCurlOpts curlOpts(this->CTest);
diff --git a/Source/cmCurl.cxx b/Source/cmCurl.cxx
index ddd5f69..65fccd0 100644
--- a/Source/cmCurl.cxx
+++ b/Source/cmCurl.cxx
@@ -39,6 +39,11 @@
 #  define CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_LAST
 #endif
 
+// curl versions before 7.64.1 referred to Secure Transport as DarwinSSL
+#if defined(LIBCURL_VERSION_NUM) && LIBCURL_VERSION_NUM < 0x074001
+#  define CURLSSLBACKEND_SECURETRANSPORT CURLSSLBACKEND_DARWINSSL
+#endif
+
 // Make sure we keep up with new TLS versions supported by curl.
 // Do this only for our vendored curl to avoid breaking builds
 // against external future versions of curl.
@@ -47,6 +52,30 @@ static_assert(CURL_SSLVERSION_LAST == 8,
               "A new CURL_SSLVERSION_ may be available!");
 #endif
 
+void cmCurlInitOnce()
+{
+  // curl 7.56.0 introduced curl_global_sslset.
+#if defined(__APPLE__) && defined(CMAKE_USE_SYSTEM_CURL) &&                   \
+  defined(LIBCURL_VERSION_NUM) && LIBCURL_VERSION_NUM >= 0x073800
+  static bool initialized = false;
+  if (initialized) {
+    return;
+  }
+  initialized = true;
+
+  cm::optional<std::string> curl_ssl_backend =
+    cmSystemTools::GetEnvVar("CURL_SSL_BACKEND");
+  if (!curl_ssl_backend || curl_ssl_backend->empty()) {
+    curl_version_info_data* cv = curl_version_info(CURLVERSION_FIRST);
+    // curl 8.3.0 through 8.5.x did not re-initialize LibreSSL correctly,
+    // so prefer the Secure Transport backend by default in those versions.
+    if (cv->version_num >= 0x080300 && cv->version_num < 0x080600) {
+      curl_global_sslset(CURLSSLBACKEND_SECURETRANSPORT, NULL, NULL);
+    }
+  }
+#endif
+}
+
 cm::optional<int> cmCurlParseTLSVersion(cm::string_view tls_version)
 {
   cm::optional<int> v;
diff --git a/Source/cmCurl.h b/Source/cmCurl.h
index 8b8c88b..bb2221f 100644
--- a/Source/cmCurl.h
+++ b/Source/cmCurl.h
@@ -11,6 +11,7 @@
 
 #include <cm3p/curl/curl.h>
 
+void cmCurlInitOnce();
 cm::optional<int> cmCurlParseTLSVersion(cm::string_view tls_version);
 cm::optional<std::string> cmCurlPrintTLSVersion(int curl_tls_version);
 std::string cmCurlSetCAInfo(::CURL* curl, const std::string& cafile = {});
diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx
index ce8cc2a..6265f82 100644
--- a/Source/cmFileCommand.cxx
+++ b/Source/cmFileCommand.cxx
@@ -2115,6 +2115,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
   url = cmCurlFixFileURL(url);
 
   ::CURL* curl;
+  cmCurlInitOnce();
   ::curl_global_init(CURL_GLOBAL_DEFAULT);
   curl = ::curl_easy_init();
   if (!curl) {
@@ -2488,6 +2489,7 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
   url = cmCurlFixFileURL(url);
 
   ::CURL* curl;
+  cmCurlInitOnce();
   ::curl_global_init(CURL_GLOBAL_DEFAULT);
   curl = ::curl_easy_init();
   if (!curl) {