macOS: Prefer building with system-provided curl
Our vendored curl only enables the Secure Transport backend by default
(`CURL_SSL_BACKEND=secure-transport`), but it is limited to TLS 1.2.
The macOS SDK provides the curl development components, and the
corresponding `libcurl.4.dylib` runtime library comes with macOS.
On macOS 12 and above, the default `CURL_SSL_BACKEND=openssl`
backend seems to be capable of selecting TLS 1.3 at runtime for
https connections.
Unfortunately the macOS version of curl, even on macOS 14.4, does
not accept `CURL_SSLVERSION_TLSv1_3` at runtime to enforce TLS 1.3.
However, while our vendored curl accepts the option and passes it
to Secure Transport, macOS does not actually enforce it anyway.
Fixes: #25870
Fixes: #23701
diff --git a/.gitlab/ci/configure_macos_arm64_ninja.cmake b/.gitlab/ci/configure_macos_arm64_ninja.cmake
index 9611f0b..de0ffc0 100644
--- a/.gitlab/ci/configure_macos_arm64_ninja.cmake
+++ b/.gitlab/ci/configure_macos_arm64_ninja.cmake
@@ -8,7 +8,7 @@
set(CMake_TEST_GUI "ON" CACHE BOOL "")
set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
-set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_macos_x86_64_makefiles.cmake b/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
index ed25f68..43505db 100644
--- a/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
+++ b/.gitlab/ci/configure_macos_x86_64_makefiles.cmake
@@ -8,7 +8,7 @@
endif()
set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
-set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/.gitlab/ci/configure_macos_x86_64_ninja.cmake b/.gitlab/ci/configure_macos_x86_64_ninja.cmake
index 0feafa2..83d1e2c 100644
--- a/.gitlab/ci/configure_macos_x86_64_ninja.cmake
+++ b/.gitlab/ci/configure_macos_x86_64_ninja.cmake
@@ -11,7 +11,7 @@
endif()
set(CMake_TEST_TLS_VERIFY_URL "https://gitlab.kitware.com" CACHE STRING "")
set(CMake_TEST_TLS_VERIFY_URL_BAD "https://badtls-expired.kitware.com" CACHE STRING "")
-set(CMake_TEST_TLS_VERSION "1.3" CACHE STRING "")
+set(CMake_TEST_TLS_VERSION "1.2" CACHE STRING "")
include("${CMAKE_CURRENT_LIST_DIR}/configure_macos_common.cmake")
include("${CMAKE_CURRENT_LIST_DIR}/configure_common.cmake")
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e8537ed..081bd7d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -178,6 +178,9 @@
string(TOLOWER "${util}" lutil)
set(CMAKE_USE_SYSTEM_${util} "${CMAKE_USE_SYSTEM_LIBRARY_${util}}"
CACHE BOOL "Use system-installed ${lutil}" FORCE)
+ elseif(util STREQUAL "CURL" AND APPLE)
+ # macOS provides a curl with backends configured by Apple.
+ set(CMAKE_USE_SYSTEM_LIBRARY_${util} ON)
else()
set(CMAKE_USE_SYSTEM_LIBRARY_${util} OFF)
endif()
diff --git a/bootstrap b/bootstrap
index 60e5638..3abeec6 100755
--- a/bootstrap
+++ b/bootstrap
@@ -684,8 +684,8 @@
(default)
--system-cppdap use system-installed cppdap library
--no-system-cppdap use cmake-provided cppdap library (default)
- --system-curl use system-installed curl library
- --no-system-curl use cmake-provided curl library (default)
+ --system-curl use system-installed curl library (default on macOS)
+ --no-system-curl use cmake-provided curl library (default elsewhere)
--system-expat use system-installed expat library
--no-system-expat use cmake-provided expat library (default)
--system-jsoncpp use system-installed jsoncpp library