CMake TLS VERIFY global

TLS verification defaults to OFF in CMake, yet there is a significant security benefit from globally setting projects’ TLS verification ON via the CMake variable CMAKE_TLS_VERIFY. The Meson build system uses TLS verification by default, warning if verification fails.

We added TLS verification to CMake’s internal nightly testing. This helps catch problems with the underlying cURL library early on, as we’ve done twice before.

CMAKE_TLS_VERIFY allows a user to globally configure certificate verification. TLS verification can be an important part of cybersecurity. It’s often better not to have to worry about commands missing this parameter: just set it once. If certificates are suspected to be broken, verification can then be easily switched off temporarily.

We suggest near the beginning of the CMake project:

set(CMAKE_TLS_VERIFY true)

The example uses badssl.com, which purposefully hosts URLs with a variety of certificate problems.
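A check along those lines, written for this page as an added example and not taken from the original post: a script for `cmake -P` that first fetches a URL with a valid certificate as a control, then confirms that several badssl.com hosts with broken certificates are rejected. The script name and the list of badssl.com subdomains are assumptions, and the script needs network access.

```cmake
# tls_check.cmake (hypothetical name) - run with: cmake -P tls_check.cmake
cmake_minimum_required(VERSION 3.19)  # file(DOWNLOAD) without an output file

# Global switch: used by every file(DOWNLOAD)/file(UPLOAD) below that
# does not pass its own TLS_VERIFY argument.
set(CMAKE_TLS_VERIFY true)

# Fetch a URL without saving it; return the numeric status and message.
function(try_fetch url out_code out_msg)
  file(DOWNLOAD "${url}" STATUS status TIMEOUT 15)
  list(GET status 0 code)   # 0 means the transfer succeeded
  list(GET status 1 msg)
  set(${out_code} "${code}" PARENT_SCOPE)
  set(${out_msg} "${msg}" PARENT_SCOPE)
endfunction()

# Control: a valid certificate must pass. Without this, a failure below
# could be a network or CA bundle problem rather than a rejected certificate.
try_fetch("https://badssl.com/" code msg)
if(NOT code EQUAL 0)
  message(FATAL_ERROR "control download failed (${code}: ${msg}); check network and CA bundle")
endif()

# Assumed test hosts: badssl.com subdomains with deliberately broken certificates.
set(bad_hosts expired self-signed wrong.host untrusted-root)
set(accepted 0)
foreach(host IN LISTS bad_hosts)
  try_fetch("https://${host}.badssl.com/" code msg)
  if(code EQUAL 0)
    # The download succeeded, so the bad certificate was not checked.
    message(SEND_ERROR "ACCEPTED bad certificate: ${host}.badssl.com")
    math(EXPR accepted "${accepted} + 1")
  else()
    message(STATUS "rejected ${host}.badssl.com (${code}: ${msg})")
  endif()
endforeach()

if(accepted GREATER 0)
  message(FATAL_ERROR "${accepted} bad certificate(s) accepted; TLS verification is not in effect")
endif()
message(STATUS "TLS verification is enforced")
```

Changing the `set()` line to `false` makes the bad hosts download successfully and the script fail, which shows what the default setting lets through.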