From 4e62bc943c74cbc564209a42bb84605f0771bca7 Mon Sep 17 00:00:00 2001
From: Brad King
Date: Fri, 20 Sep 2024 17:40:02 -0400
Subject: ctest: Verify TLS server certificate by default
Issue: #23608
---
 Help/manual/ctest.1.rst | 5 +++++
 Help/release/dev/curl-tls-verify.rst | 4 ++++
 Help/variable/CTEST_TLS_VERIFY.rst | 6 ++++++
 Source/CTest/cmCTestCurl.cxx | 7 +++++++
 4 files changed, 22 insertions(+)
diff --git a/Help/manual/ctest.1.rst b/Help/manual/ctest.1.rst
index c9ab31e..4793ef5 100644
--- a/Help/manual/ctest.1.rst
+++ b/Help/manual/ctest.1.rst
@@ -1569,6 +1569,11 @@ Configuration settings include:
 * `CTest Script`_ variable: :variable:`CTEST_TLS_VERIFY`
 * :module:`CTest` module variable: ``CTEST_TLS_VERIFY``
+ .. versionchanged:: 3.31
+ The default is on. Previously, the default was off.
+ Users may set the :envvar:`CMAKE_TLS_VERIFY` environment
+ variable to ``0`` to restore the old default.
+
 ``TriggerSite``
 Legacy option. Not used.
diff --git a/Help/release/dev/curl-tls-verify.rst b/Help/release/dev/curl-tls-verify.rst
index 73e1837..96ee421 100644
--- a/Help/release/dev/curl-tls-verify.rst
+++ b/Help/release/dev/curl-tls-verify.rst
@@ -8,3 +8,7 @@ curl-tls-verify even when building projects that have not been updated. Users may set the :envvar:`CMAKE_TLS_VERIFY` environment variable to ``0`` to restore the old default.
+
+* The :command:`ctest_submit` command and :option:`ctest -T Submit `
+ step now verify TLS server certificates for connections to ``https://`` URLs
+ by default. See the :variable:`CTEST_TLS_VERIFY` variable for details.
diff --git a/Help/variable/CTEST_TLS_VERIFY.rst b/Help/variable/CTEST_TLS_VERIFY.rst
index 9b3d96c..b283842 100644
--- a/Help/variable/CTEST_TLS_VERIFY.rst
+++ b/Help/variable/CTEST_TLS_VERIFY.rst
@@ -11,3 +11,9 @@ to a dashboard via ``https://`` URLs. If ``CTEST_TLS_VERIFY`` is not set, the :variable:`CMAKE_TLS_VERIFY` variable or :envvar:`CMAKE_TLS_VERIFY` environment variable is used instead.
+If neither is set, the default is *on*.
+
+.. versionchanged:: 3.31
+ The default is on. Previously, the default was off.
+ Users may set the :envvar:`CMAKE_TLS_VERIFY` environment
+ variable to ``0`` to restore the old default.
diff --git a/Source/CTest/cmCTestCurl.cxx b/Source/CTest/cmCTestCurl.cxx
index 6f887f3..d9dc3b2 100644
--- a/Source/CTest/cmCTestCurl.cxx
+++ b/Source/CTest/cmCTestCurl.cxx
@@ -14,6 +14,10 @@
 #include "cmSystemTools.h"
 #include "cmValue.h"
+namespace {
+const bool TLS_VERIFY_DEFAULT = true;
+}
+
 cmCTestCurl::cmCTestCurl(cmCTest* ctest)
 : CTest(ctest)
 , CurlOpts(ctest)
@@ -76,6 +80,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
 }
 }
 }
+ if (!this->TLSVerifyOpt.has_value()) {
+ this->TLSVerifyOpt = TLS_VERIFY_DEFAULT;
+ }
 }
 bool cmCTestCurl::InitCurl()
-- 
cgit v0.12
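Review bot: `TLS_VERIFY_DEFAULT` in the first hunk of cmCTestCurl.cxx carries a security default but has no comment and is a plain `const`. I would declare it `constexpr bool TLS_VERIFY_DEFAULT = true;` and put `// Verify the TLS server certificate unless a setting explicitly turns it off.` above it. That way a later edit to this one line is recognisable as a change to the submission trust policy.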
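Review bot: The fallback at the end of `cmCTestCurlOpts::cmCTestCurlOpts` fills `TLSVerifyOpt` only when nothing earlier in the constructor set it, and those earlier branches lie outside the hunk, so an explicit off value from configuration or from the `CMAKE_TLS_VERIFY` environment variable presumably still disables verification without any trace. A comment such as `// Nothing configured: fall back to verifying the server certificate.` on the new `if` would record that precedence. It is also worth confirming, in code not shown here, that a resolved value of false is logged at submit time, since an environment-wide `0` is easy to leave behind in CI images. The diffstat lists three documentation files and this source file only, so the new default has no regression test in this commit; a submit to an `https://` dashboard with an untrusted certificate that is expected to fail would pin it.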