CMake TLS VERIFY global

TLS verification defaults to OFF in CMake. Assuming the user's system certificates are working, there can be a security benefit from a global option for project TLS verification via the CMake variable CMAKE_TLS_VERIFY. The Meson build system uses TLS verification by default, warning if verification fails.

TLS verification is part of CMake’s internal nightly testing. This helps catch problems with the underlying cURL library early on, as we’ve done twice before.

CMAKE_TLS_VERIFY allows a user to globally configure certificate verification. In case of suspected broken certificates, verification can then be easily switched off temporarily.

We suggest setting this near the beginning of the CMake project:

option(CMAKE_TLS_VERIFY "Verify TLS certificates" ON)

The user can override this default by:

cmake -Bbuild -DCMAKE_TLS_VERIFY=OFF

The example uses badssl.com, which purposefully provides a variety of URLs with certificate problems.
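
A self-check project along these lines, added here as an illustration and not the original example's code. The project name, the choice of badssl.com test hosts and the 15 second timeout are assumptions. The control download from a host with a valid certificate separates "verification is working" from "network or system CA store is broken".

```cmake
cmake_minimum_required(VERSION 3.19)
project(TlsVerifyDemo LANGUAGES NONE)  # hypothetical project name

# Global default: file(DOWNLOAD) uses CMAKE_TLS_VERIFY when no
# per-call TLS_VERIFY argument is given.
option(CMAKE_TLS_VERIFY "Verify TLS certificates" ON)

# Control: a host with a valid certificate. If this fails, the problem is
# the network or the system certificate store, not the hosts tested below.
file(DOWNLOAD "https://badssl.com/" "${CMAKE_CURRENT_BINARY_DIR}/control.html"
     STATUS control_status TIMEOUT 15)
list(GET control_status 0 control_code)
list(GET control_status 1 control_msg)
if(NOT control_code EQUAL 0)
  message(FATAL_ERROR "Control download failed (${control_msg}); "
          "check network access and system certificates before trusting "
          "the results below.")
endif()

# badssl.com subdomains that serve deliberately broken certificates
# (assumed selection; the site offers more).
set(bad_hosts expired self-signed wrong.host untrusted-root)

set(accepted "")
foreach(host IN LISTS bad_hosts)
  set(url "https://${host}.badssl.com/")
  file(DOWNLOAD "${url}" "${CMAKE_CURRENT_BINARY_DIR}/${host}.html"
       STATUS dl_status TIMEOUT 15)
  list(GET dl_status 0 dl_code)
  list(GET dl_status 1 dl_msg)
  message(STATUS "${url}: code=${dl_code} (${dl_msg})")
  if(dl_code EQUAL 0)
    list(APPEND accepted "${url}")  # broken certificate was accepted
  endif()
endforeach()

if(CMAKE_TLS_VERIFY AND accepted)
  # Verification is requested, yet a bad certificate passed: fail the configure.
  message(FATAL_ERROR "Bad certificates accepted with CMAKE_TLS_VERIFY=ON: ${accepted}")
elseif(accepted)
  message(WARNING "CMAKE_TLS_VERIFY=OFF: bad certificates accepted for ${accepted}")
else()
  message(STATUS "All bad-certificate hosts were rejected")
endif()
```

Configuring with the default should reject every bad host; configuring with -DCMAKE_TLS_VERIFY=OFF should produce the warning instead, showing what the global switch controls.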