Request: make CMAKE_TLS_VERIFY "on" by default
Most internet resources have been HTTPS for a couple years and browsers have gotten noisy about bad certificates etc. It would be nice to make the default CMAKE_TLS_VERIFY=true by policy for an upcoming CMake release.
Meson build system by default uses TLS if the system is capable of it, and warns if TLS is not available on the system.
Checklist:
- all commands file(DOWNLOAD), file(UPLOAD), ExternalProject, FetchContent and underlying Git operations respect global CMAKE_TLS_VERIFY variable.
- environment variable CMAKE_TLS_VERIFY and CMAKE_TLS_VERSION
- environment variable CMAKE_TLS_CAINFO to default variable CMAKE_TLS_CAINFO -- for HPC and servers with faulty defaults -- could this just be current environment variable SSL_CERT_FILE?
Expected end user impacts:
- Self-signed certificate servers without users having the trust chain will fail by definition
- HPC/servers with broken/outdated trust chain will fail by definition
This is a good thing. For some time, web browsers have verified by default, so the end users won't be totally surprised.
Edited by scivision
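
How a project can opt in to the behaviour requested above today, as an added example that is not part of the original issue or CMake's own code. The `verified_download` helper, the `URL` cache variable and the fallback from `SSL_CERT_FILE` to `CMAKE_TLS_CAINFO` are assumptions made for illustration; `CMAKE_TLS_VERIFY`, `CMAKE_TLS_CAINFO` and the `file(DOWNLOAD)` options `TLS_VERIFY`, `TLS_CAINFO` and `STATUS` are existing CMake names.

```cmake
# Added example. Run as a script:
#   cmake -DURL=https://<host>/<file> -P tls_verify_optin.cmake
cmake_minimum_required(VERSION 3.19)

# Verify server certificates unless the caller explicitly chose a value
# (for example -DCMAKE_TLS_VERIFY=OFF on the command line).
if(NOT DEFINED CMAKE_TLS_VERIFY)
  set(CMAKE_TLS_VERIFY ON)
endif()

# Assumption: when no CA bundle is configured, reuse the one named by the
# SSL_CERT_FILE environment variable, as the issue suggests for HPC systems.
if(NOT DEFINED CMAKE_TLS_CAINFO AND DEFINED ENV{SSL_CERT_FILE})
  if(EXISTS "$ENV{SSL_CERT_FILE}")
    set(CMAKE_TLS_CAINFO "$ENV{SSL_CERT_FILE}")
  else()
    message(WARNING "SSL_CERT_FILE names a missing file: $ENV{SSL_CERT_FILE}")
  endif()
endif()

# Hypothetical helper: download with the settings above and stop the run
# on any transfer or certificate error instead of keeping a partial file.
function(verified_download url dest)
  set(args TLS_VERIFY "${CMAKE_TLS_VERIFY}" STATUS status)
  if(CMAKE_TLS_CAINFO)
    list(APPEND args TLS_CAINFO "${CMAKE_TLS_CAINFO}")
  endif()
  file(DOWNLOAD "${url}" "${dest}" ${args})
  list(GET status 0 code)   # 0 means success
  list(GET status 1 text)   # human-readable error string
  if(NOT code EQUAL 0)
    file(REMOVE "${dest}")
    message(FATAL_ERROR "Download of ${url} failed (${code}): ${text}")
  endif()
  message(STATUS "Downloaded ${url} with TLS_VERIFY=${CMAKE_TLS_VERIFY}")
endfunction()

# URL is supplied by the caller; nothing is fetched when it is absent.
if(DEFINED URL)
  get_filename_component(name "${URL}" NAME)
  verified_download("${URL}" "${CMAKE_CURRENT_BINARY_DIR}/${name}")
else()
  message(STATUS "Pass -DURL=<https url> to test a download")
endif()
```

In a regular `CMakeLists.txt`, setting `CMAKE_TLS_VERIFY` before any ExternalProject or FetchContent call has the same effect for those modules, since ExternalProject uses the variable as the default for its own `TLS_VERIFY` option.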