From 5e1a59dc2ba9b3f532adf21f79ad0f51b514c08f Mon Sep 17 00:00:00 2001 From: Brad King Date: Mon, 23 Sep 2024 14:47:04 -0400 Subject: file(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default Fixes: #25701 --- Help/command/file.rst | 4 ++++ Help/release/dev/curl-tls-version.rst | 6 ++++++ Help/variable/CMAKE_TLS_VERSION.rst | 5 +++++ Source/cmFileCommand.cxx | 17 +++++++++++++++++ .../file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt | 2 +- .../file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt | 2 +- Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt | 1 + Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake | 10 ++++------ 8 files changed, 39 insertions(+), 8 deletions(-) create mode 100644 Help/release/dev/curl-tls-version.rst diff --git a/Help/command/file.rst b/Help/command/file.rst index 40689c9..890bdf4 100644 --- a/Help/command/file.rst +++ b/Help/command/file.rst @@ -811,6 +811,10 @@ Transfer environment variable will be used instead. See :variable:`CMAKE_TLS_VERSION` for allowed values. + .. versionchanged:: 3.31 + The default is TLS 1.2. + Previously, no minimum version was enforced by default. + ``TLS_VERIFY `` Specify whether to verify the server certificate for ``https://`` URLs. If this option is not specified, the value of the diff --git a/Help/release/dev/curl-tls-version.rst b/Help/release/dev/curl-tls-version.rst new file mode 100644 index 0000000..0f3cc3a --- /dev/null +++ b/Help/release/dev/curl-tls-version.rst @@ -0,0 +1,6 @@ +curl-tls-version +---------------- + +* The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now + require TLS 1.2 or higher for connections to ``https://`` URLs by default. + See the :variable:`CMAKE_TLS_VERSION` variable for details. diff --git a/Help/variable/CMAKE_TLS_VERSION.rst b/Help/variable/CMAKE_TLS_VERSION.rst index 3e7f2ce..ff0918b 100644 --- a/Help/variable/CMAKE_TLS_VERSION.rst +++ b/Help/variable/CMAKE_TLS_VERSION.rst @@ -7,6 +7,11 @@ Specify the default value for the :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands' ``TLS_VERSION`` option. If this variable is not set, the commands check the :envvar:`CMAKE_TLS_VERSION` environment variable. +If neither is set, the default is TLS 1.2. + +.. versionchanged:: 3.31 + The default is TLS 1.2. + Previously, no minimum version was enforced by default. The value may be one of: diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx index 30d92ca..92e6b3e 100644 --- a/Source/cmFileCommand.cxx +++ b/Source/cmFileCommand.cxx @@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector const& args, #if !defined(CMAKE_BOOTSTRAP) const bool TLS_VERIFY_DEFAULT = true; +const std::string TLS_VERSION_DEFAULT = "1.2"; // Stuff for curl download/upload using cmFileCommandVectorOfChar = std::vector; @@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector const& args, tlsVersionOpt = std::move(v); } } + bool tlsVersionDefaulted = false; + if (!tlsVersionOpt.has_value()) { + tlsVersionOpt = TLS_VERSION_DEFAULT; + tlsVersionDefaulted = true; + } // Can't calculate hash if we don't save the file. // TODO Incrementally calculate hash in the write callback as the file is @@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector const& args, if (tlsVersionOpt.has_value()) { if (cm::optional v = cmCurlParseTLSVersion(*tlsVersionOpt)) { res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v); + if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) { + res = CURLE_OK; + } check_curl_result(res, cmStrCat("DOWNLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": ")); @@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector const& args, tlsVersionOpt = std::move(v); } } + bool tlsVersionDefaulted = false; + if (!tlsVersionOpt.has_value()) { + tlsVersionOpt = TLS_VERSION_DEFAULT; + tlsVersionDefaulted = true; + } // Open file for reading: // @@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector const& args, if (tlsVersionOpt.has_value()) { if (cm::optional v = cmCurlParseTLSVersion(*tlsVersionOpt)) { res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v); + if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) { + res = CURLE_OK; + } check_curl_result( res, cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": ")); diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt index 730cf59..3632a61 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-darwin.txt @@ -1,4 +1,4 @@ --- def-1\.1: 0;"No error" +-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.1: 0;"No error" -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt index 730cf59..3632a61 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout-windows.txt @@ -1,4 +1,4 @@ --- def-1\.1: 0;"No error" +-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.1: 0;"No error" -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt index 34d99d1..ce313ed 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad-stdout.txt @@ -1,3 +1,4 @@ +-- def-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- env-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- var-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- opt-1\.2: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake index 106fe44..51cb8f2 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERSION-bad.cmake @@ -19,12 +19,10 @@ else() set(TEST_TLSv1_1 0) endif() -if(TEST_TLSv1_1) - # The default is to allow 1.1. - unset(ENV{CMAKE_TLS_VERSION}) - unset(CMAKE_TLS_VERSION) - download(def-1.1) -endif() +# The default is to require 1.2. +unset(ENV{CMAKE_TLS_VERSION}) +unset(CMAKE_TLS_VERSION) +download(def-1.2) # The environment variable overrides the default. set(ENV{CMAKE_TLS_VERSION} 1.2) -- cgit v0.12 From 38390245a2ceebe6ece3859e887442b8cce01297 Mon Sep 17 00:00:00 2001 From: Brad King Date: Mon, 23 Sep 2024 14:48:30 -0400 Subject: ctest: Require minimum TLS 1.2 by default Issue: #25701 --- Help/manual/ctest.1.rst | 4 ++++ Help/release/dev/curl-tls-version.rst | 4 ++++ Source/CTest/cmCTestCurl.cxx | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/Help/manual/ctest.1.rst b/Help/manual/ctest.1.rst index 4793ef5..9281339 100644 --- a/Help/manual/ctest.1.rst +++ b/Help/manual/ctest.1.rst @@ -1560,6 +1560,10 @@ Configuration settings include: * `CTest Script`_ variable: :variable:`CTEST_TLS_VERSION` * :module:`CTest` module variable: ``CTEST_TLS_VERSION`` + .. versionchanged:: 3.31 + The default is TLS 1.2. + Previously, no minimum version was enforced by default. + ``TLSVerify`` .. versionadded:: 3.30 diff --git a/Help/release/dev/curl-tls-version.rst b/Help/release/dev/curl-tls-version.rst index 0f3cc3a..ea142b3 100644 --- a/Help/release/dev/curl-tls-version.rst +++ b/Help/release/dev/curl-tls-version.rst @@ -4,3 +4,7 @@ curl-tls-version * The :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands now require TLS 1.2 or higher for connections to ``https://`` URLs by default. See the :variable:`CMAKE_TLS_VERSION` variable for details. + +* The :command:`ctest_submit` command and :option:`ctest -T Submit ` + step now require TLS 1.2 or higher for connections to ``https://`` URLs by + default. See the :variable:`CTEST_TLS_VERSION` variable for details. diff --git a/Source/CTest/cmCTestCurl.cxx b/Source/CTest/cmCTestCurl.cxx index d9dc3b2..b203a51 100644 --- a/Source/CTest/cmCTestCurl.cxx +++ b/Source/CTest/cmCTestCurl.cxx @@ -16,6 +16,7 @@ namespace { const bool TLS_VERIFY_DEFAULT = true; +const int TLS_VERSION_DEFAULT = CURL_SSLVERSION_TLSv1_2; } cmCTestCurl::cmCTestCurl(cmCTest* ctest) @@ -65,6 +66,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest) { this->TLSVersionOpt = cmCurlParseTLSVersion(ctest->GetCTestConfiguration("TLSVersion")); + if (!this->TLSVersionOpt.has_value()) { + this->TLSVersionOpt = TLS_VERSION_DEFAULT; + } std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify"); if (!tlsVerify.empty()) { -- cgit v0.12