From 5d2ea8371d4934be1d02542f59659b25682ebaeb Mon Sep 17 00:00:00 2001
From: Brad King <brad.king@kitware.com>
Date: Tue, 24 Sep 2024 12:03:03 -0400
Subject: Tests/RunCMake/file-DOWNLOAD: Add case covering TLS_VERSION values

---
 .gitlab/ci/configure_debian12_aarch64_ninja.cmake  |  1 +
 .gitlab/ci/configure_debian12_ninja_common.cmake   |  1 +
 .gitlab/ci/configure_fedora40_makefiles.cmake      |  1 +
 .gitlab/ci/configure_fedora40_ninja.cmake          |  1 +
 .gitlab/ci/configure_macos_arm64_curl.cmake        |  1 +
 .gitlab/ci/configure_macos_arm64_ninja.cmake       |  1 +
 .gitlab/ci/configure_macos_x86_64_makefiles.cmake  |  1 +
 .gitlab/ci/configure_macos_x86_64_ninja.cmake      |  1 +
 .../ci/configure_windows_arm64_vs2022_ninja.cmake  |  1 +
 .../ci/configure_windows_vs2022_x64_ninja.cmake    |  1 +
 Tests/RunCMake/CMakeLists.txt                      |  1 +
 Tests/RunCMake/file-DOWNLOAD/RunCMakeTest.cmake    |  3 ++
 .../TLS_VERSION-bad-stdout-darwin.txt              |  7 +++
 .../TLS_VERSION-bad-stdout-windows.txt             |  7 +++
 .../file-DOWNLOAD/TLS_VERSION-bad-stdout.txt       |  3 ++
 Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake | 55 ++++++++++++++++++++++
 16 files changed, 86 insertions(+)
 create mode 100644 Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt
 create mode 100644 Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt
 create mode 100644 Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt
 create mode 100644 Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake

diff --git a/.gitlab/ci/configure_debian12_aarch64_ninja.cmake b/.gitlab/ci/configure_debian12_aarch64_ninja.cmake
index 0ebf604..b606e58 100644
--- a/.gitlab/ci/configure_debian12_aarch64_ninja.cmake
+++ b/.gitlab/ci/configure_debian12_aarch64_ninja.cmake
@@ -100,6 +100,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 set(CMake_TEST_UseSWIG "ON" CACHE BOOL "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_external_test.cmake")
diff --git a/.gitlab/ci/configure_debian12_ninja_common.cmake b/.gitlab/ci/configure_debian12_ninja_common.cmake
index 0e2ecce..4a2b27e 100644
--- a/.gitlab/ci/configure_debian12_ninja_common.cmake
+++ b/.gitlab/ci/configure_debian12_ninja_common.cmake
@@ -108,6 +108,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 if (NOT "$ENV{SWIFTC}" STREQUAL "")
   set(CMAKE_Swift_COMPILER "$ENV{SWIFTC}" CACHE FILEPATH "")
diff --git a/.gitlab/ci/configure_fedora40_makefiles.cmake b/.gitlab/ci/configure_fedora40_makefiles.cmake
index 21a5be5..522b371 100644
--- a/.gitlab/ci/configure_fedora40_makefiles.cmake
+++ b/.gitlab/ci/configure_fedora40_makefiles.cmake
@@ -111,6 +111,7 @@ set(CMake_TEST_Qt5 "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 set(CMake_TEST_UseSWIG "ON" CACHE BOOL "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_external_test.cmake")
diff --git a/.gitlab/ci/configure_fedora40_ninja.cmake b/.gitlab/ci/configure_fedora40_ninja.cmake
index 85c4614..dc28483 100644
--- a/.gitlab/ci/configure_fedora40_ninja.cmake
+++ b/.gitlab/ci/configure_fedora40_ninja.cmake
@@ -6,6 +6,7 @@ set(CMake_TEST_MODULE_COMPILATION "named,compile_commands,collation,partitions,i
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 # "Release" flags without "-DNDEBUG" so we get assertions.
 set(CMAKE_C_FLAGS_RELEASE "-O3" CACHE STRING "")
diff --git a/.gitlab/ci/configure_macos_arm64_curl.cmake b/.gitlab/ci/configure_macos_arm64_curl.cmake
index b9aa59a..5c4f951 100644
--- a/.gitlab/ci/configure_macos_arm64_curl.cmake
+++ b/.gitlab/ci/configure_macos_arm64_curl.cmake
@@ -4,6 +4,7 @@ set(CMAKE_USE_SYSTEM_CURL "OFF" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_macos_arm64_ninja.cmake b/.gitlab/ci/configure_macos_arm64_ninja.cmake
index de0ffc0..9c4c34a 100644
--- a/.gitlab/ci/configure_macos_arm64_ninja.cmake
+++ b/.gitlab/ci/configure_macos_arm64_ninja.cmake
@@ -9,6 +9,7 @@ set(CMake_TEST_GUI "ON" CACHE BOOL "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_macos_x86_64_makefiles.cmake b/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
index 43505db..b746212 100644
--- a/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
+++ b/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
@@ -9,6 +9,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_macos_x86_64_ninja.cmake b/.gitlab/ci/configure_macos_x86_64_ninja.cmake
index 83d1e2c..86be3b3 100644
--- a/.gitlab/ci/configure_macos_x86_64_ninja.cmake
+++ b/.gitlab/ci/configure_macos_x86_64_ninja.cmake
@@ -12,6 +12,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_windows_arm64_vs2022_ninja.cmake b/.gitlab/ci/configure_windows_arm64_vs2022_ninja.cmake
index 64a8913..383758d 100644
--- a/.gitlab/ci/configure_windows_arm64_vs2022_ninja.cmake
+++ b/.gitlab/ci/configure_windows_arm64_vs2022_ninja.cmake
@@ -6,6 +6,7 @@ set(CMAKE_PREFIX_PATH "" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_msvc_cxx_modules_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_wix_common.cmake")
diff --git a/.gitlab/ci/configure_windows_vs2022_x64_ninja.cmake b/.gitlab/ci/configure_windows_vs2022_x64_ninja.cmake
index c75884d..daf61b1 100644
--- a/.gitlab/ci/configure_windows_vs2022_x64_ninja.cmake
+++ b/.gitlab/ci/configure_windows_vs2022_x64_ninja.cmake
@@ -12,6 +12,7 @@ endif()
 set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
 set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION_URL_BAD "https://tls-v1-1.badssl.com:1011" CACHE STRING "")
 
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_msvc_cxx_modules_common.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/configure_windows_wix_common.cmake")
diff --git a/Tests/RunCMake/CMakeLists.txt b/Tests/RunCMake/CMakeLists.txt
index 29351eb..d45d70a 100644
--- a/Tests/RunCMake/CMakeLists.txt
+++ b/Tests/RunCMake/CMakeLists.txt
@@ -599,6 +599,7 @@ foreach(var
     CMake_TEST_TLS_VERIFY_URL
     CMake_TEST_TLS_VERIFY_URL_BAD
     CMake_TEST_TLS_VERSION
+    CMake_TEST_TLS_VERSION_URL_BAD
     )
   if(DEFINED ${var})
     list(APPEND file-DOWNLOAD_ARGS -D${var}=${${var}})
diff --git a/Tests/RunCMake/file-DOWNLOAD/RunCMakeTest.cmake b/Tests/RunCMake/file-DOWNLOAD/RunCMakeTest.cmake
index 2dc2de0..3fe2090 100644
--- a/Tests/RunCMake/file-DOWNLOAD/RunCMakeTest.cmake
+++ b/Tests/RunCMake/file-DOWNLOAD/RunCMakeTest.cmake
@@ -30,6 +30,9 @@ endif()
 if(CMake_TEST_TLS_VERIFY_URL_BAD)
   run_cmake_with_options(TLS_VERIFY-bad -Durl=${CMake_TEST_TLS_VERIFY_URL_BAD})
 endif()
+if(CMake_TEST_TLS_VERSION_URL_BAD)
+  run_cmake_with_options(TLS_VERSION-bad -Durl=${CMake_TEST_TLS_VERSION_URL_BAD})
+endif()
 
 if(CMake_TEST_TLS_VERIFY_URL)
   run_cmake_with_options(TLS_VERIFY-good -Durl=${CMake_TEST_TLS_VERIFY_URL})
diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt
new file mode 100644
index 0000000..730cf59
--- /dev/null
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt
@@ -0,0 +1,7 @@
+-- def-1\.1: 0;"No error"
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- env-1\.1: 0;"No error"
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.1: 0;"No error"
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.1: 0;"No error"
diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt
new file mode 100644
index 0000000..730cf59
--- /dev/null
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt
@@ -0,0 +1,7 @@
+-- def-1\.1: 0;"No error"
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- env-1\.1: 0;"No error"
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.1: 0;"No error"
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.1: 0;"No error"
diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt
new file mode 100644
index 0000000..34d99d1
--- /dev/null
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt
@@ -0,0 +1,3 @@
+-- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
+-- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake
new file mode 100644
index 0000000..106fe44
--- /dev/null
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake
@@ -0,0 +1,55 @@
+function(download case)
+  # URL with semantics like https://tls-v1-1.badssl.com:1011 is provided by caller
+  file(DOWNLOAD ${url} ${ARGN} STATUS status LOG log)
+  message(STATUS "${case}: ${status}")
+  if(case MATCHES "1\\.2$" AND NOT status MATCHES "^(35|60);")
+    message("${log}")
+  endif()
+endfunction()
+
+set(CMAKE_TLS_VERIFY 1)
+
+if(CMAKE_HOST_WIN32 OR CMAKE_HOST_APPLE)
+  # The OS-native TLS implementations support TLS 1.1.
+  set(TEST_TLSv1_1 1)
+else()
+  # OpenSSL 3.1+ does not support TLS 1.1 or older without setting
+  # the security level to 0, which curl (correctly) does not do.
+  # https://openssl-library.org/news/openssl-3.1-notes/index.html#major-changes-between-openssl-30-and-openssl-310-14-mar-2023
+  set(TEST_TLSv1_1 0)
+endif()
+
+if(TEST_TLSv1_1)
+  # The default is to allow 1.1.
+  unset(ENV{CMAKE_TLS_VERSION})
+  unset(CMAKE_TLS_VERSION)
+  download(def-1.1)
+endif()
+
+# The environment variable overrides the default.
+set(ENV{CMAKE_TLS_VERSION} 1.2)
+download(env-1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.1)
+  download(env-1.1)
+endif()
+
+# The cmake variable overrides the environment variable.
+set(ENV{CMAKE_TLS_VERSION} 1.1)
+set(CMAKE_TLS_VERSION 1.2)
+download(var-1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.2)
+  set(CMAKE_TLS_VERSION 1.1)
+  download(var-1.1)
+endif()
+
+# The explicit argument overrides the cmake variable and the environment variable.
+set(ENV{CMAKE_TLS_VERSION} 1.1)
+set(CMAKE_TLS_VERSION 1.1)
+download(opt-1.2 TLS_VERSION 1.2)
+if(TEST_TLSv1_1)
+  set(ENV{CMAKE_TLS_VERSION} 1.2)
+  set(CMAKE_TLS_VERSION 1.2)
+  download(opt-1.1 TLS_VERSION 1.1)
+endif()
-- 
cgit v0.12