ctest: Verify TLS server certificate by default

Issue: #23608
Brad King 1 year ago
parent
commit
4e62bc943c

+ 5 - 0
Help/manual/ctest.1.rst

@@ -1569,6 +1569,11 @@ Configuration settings include:
   * `CTest Script`_ variable: :variable:`CTEST_TLS_VERIFY`
   * `CTest Script`_ variable: :variable:`CTEST_TLS_VERIFY`
   * :module:`CTest` module variable: ``CTEST_TLS_VERIFY``
   * :module:`CTest` module variable: ``CTEST_TLS_VERIFY``
 
 
+  .. versionchanged:: 3.31
+    The default is on.  Previously, the default was off.
+    Users may set the :envvar:`CMAKE_TLS_VERIFY` environment
+    variable to ``0`` to restore the old default.
+
 ``TriggerSite``
 ``TriggerSite``
   Legacy option.  Not used.
   Legacy option.  Not used.
 
 

+ 4 - 0
Help/release/dev/curl-tls-verify.rst

@@ -8,3 +8,7 @@ curl-tls-verify
   even when building projects that have not been updated.
   even when building projects that have not been updated.
   Users may set the :envvar:`CMAKE_TLS_VERIFY` environment
   Users may set the :envvar:`CMAKE_TLS_VERIFY` environment
   variable to ``0`` to restore the old default.
   variable to ``0`` to restore the old default.
+
+* The :command:`ctest_submit` command and :option:`ctest -T Submit <ctest -T>`
+  step now verify TLS server certificates for connections to ``https://`` URLs
+  by default.  See the :variable:`CTEST_TLS_VERIFY` variable for details.

+ 6 - 0
Help/variable/CTEST_TLS_VERIFY.rst

@@ -11,3 +11,9 @@ to a dashboard via ``https://`` URLs.
 
 
 If ``CTEST_TLS_VERIFY`` is not set, the :variable:`CMAKE_TLS_VERIFY` variable
 If ``CTEST_TLS_VERIFY`` is not set, the :variable:`CMAKE_TLS_VERIFY` variable
 or :envvar:`CMAKE_TLS_VERIFY` environment variable is used instead.
 or :envvar:`CMAKE_TLS_VERIFY` environment variable is used instead.
+If neither is set, the default is *on*.
+
+.. versionchanged:: 3.31
+  The default is on.  Previously, the default was off.
+  Users may set the :envvar:`CMAKE_TLS_VERIFY` environment
+  variable to ``0`` to restore the old default.
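
Review bot: The added versionchanged note names only the CMAKE_TLS_VERIFY environment variable as the way back to the old behaviour, yet the context lines just above describe that variable as the shared fallback. Setting it to 0 therefore turns verification off for whatever else consults it, not only dashboard submission. Suggest also stating that CTEST_TLS_VERIFY itself can be set off to scope the opt-out to submissions, since it is consulted first.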

+ 7 - 0
Source/CTest/cmCTestCurl.cxx

@@ -14,6 +14,10 @@
 #include "cmSystemTools.h"
 #include "cmSystemTools.h"
 #include "cmValue.h"
 #include "cmValue.h"
 
 
+namespace {
+const bool TLS_VERIFY_DEFAULT = true;
+}
+
 cmCTestCurl::cmCTestCurl(cmCTest* ctest)
 cmCTestCurl::cmCTestCurl(cmCTest* ctest)
   : CTest(ctest)
   : CTest(ctest)
   , CurlOpts(ctest)
   , CurlOpts(ctest)
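
Review bot: TLS_VERIFY_DEFAULT in the new anonymous namespace is a compile-time constant, so "constexpr bool" states the intent more directly than "const bool". A one-line comment saying it is the value used when neither CTEST_TLS_VERIFY nor CMAKE_TLS_VERIFY is set would tie it to the documentation added in the same commit.
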
@@ -76,6 +80,9 @@ cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
       }
       }
     }
     }
   }
   }
+  if (!this->TLSVerifyOpt.has_value()) {
+    this->TLSVerifyOpt = TLS_VERIFY_DEFAULT;
+  }
 }
 }
 
 
 bool cmCTestCurl::InitCurl()
 bool cmCTestCurl::InitCurl()
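
Review bot: With the fallback added at the end of the cmCTestCurlOpts constructor, TLSVerifyOpt always holds a value once construction finishes, so any later has_value() check can no longer tell an explicit user setting from the default. If nothing needs that distinction, consider a plain bool member, or resolve the default where the option is read with value_or(TLS_VERIFY_DEFAULT). The files shown for this commit are documentation plus this source file; a test that submits with neither variable set and expects verification to be on would pin the new default.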