Homebrew macOS system cURL bug

macOS developers using Homebrew (and possibly other package managers) may encounter a TLS v1.3 bug: the package build servers used the macOS system cURL, which had a bug. One affected package is CMake, though it's not a CMake bug, as Kitware CMake binaries using newer cURL are fine.

The bug causes some TLS v1.3 download/upload internet operations to fail with code 35. This was due to a bug in macOS system cURL. macOS has already updated cURL for end users. Updating Homebrew CMake fixes this issue.

If stuck, one can set an environment variable per command to disable TLS v1.3 as a temporary workaround:

CURL_SSL_BACKEND=SecureTransport cmake ...

However, it is better to upgrade Homebrew CMake to a fixed cURL version:

brew upgrade cmake

This is not a CMake bug: the CMake binaries downloaded from Kitware work because they are built with a more recent cURL that is not the macOS system cURL. This is a Homebrew packaging bug that can impact other programs distributed by Homebrew (or MacPorts), because the cloud build servers were running a macOS that had not yet been updated with the new cURL.

Diagnose: the version of cURL compiled into CMake may be obtained by running the UserAgent.cmake script:

cmake -P UserAgent.cmake

If the cURL version is less than 8.4.0 this macOS SSL 35 bug may exist with TLS v1.3 connections.
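The version check above can be scripted. This is an added example, not code from the original page: it assumes the text being checked contains a token of the form curl/X.Y.Z (the shape of a cURL user-agent string), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag cURL versions below 8.4.0, the threshold the page
# gives for the TLS v1.3 "code 35" failure.

FIXED_CURL="8.4.0"   # threshold stated on the page

# Extract "X.Y" or "X.Y.Z" following "curl/" from arbitrary text.
# Assumption: the text carries a user-agent style token such as curl/8.1.2.
curl_version_from_text() {
  printf '%s\n' "$1" |
    sed -nE 's#.*curl/([0-9]+\.[0-9]+(\.[0-9]+)?).*#\1#p' |
    head -n 1
}

# Succeed (status 0) when version $1 is strictly older than version $2.
# Fields are compared numerically, so 8.10.1 is newer than 8.4.0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1   # equal versions are not "older"
  }'
}

# Print "at-risk <ver>", "ok <ver>", or "unknown" for the given text.
tls13_code35_risk() {
  v=$(curl_version_from_text "$1")
  if [ -z "$v" ]; then
    echo "unknown"
  elif version_lt "$v" "$FIXED_CURL"; then
    echo "at-risk $v"
  else
    echo "ok $v"
  fi
}

# Constructed sample strings (not captured output from any machine).
for sample in 'curl/8.1.2' 'curl/8.4.0' 'curl/8.10.1' \
              'libcurl/7.88.1 (SecureTransport)' 'no version here'; do
  printf '%-34s -> %s\n' "$sample" "$(tls13_code35_risk "$sample")"
done
```

To check a real installation, pass the output of the diagnostic command to the function, for example `tls13_code35_risk "$(cmake -P UserAgent.cmake 2>&1)"`.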

To help debug CMake SSL operations, I use BadSSL and TLS check.