nss: Improve info message when falling back SSL protocol

Use descriptive text strings rather than decimal numbers.

nss: Fall back to latest supported SSL version

NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
c

nss: Fall back to latest supported SSL version

NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261

show more ...

travis: enable COPYRIGHTYEAR extended warning

The extended warning for checking incorrect COPYRIGHTYEAR is quite
expensive to run, so rather than expecting every developer to do it
w

travis: enable COPYRIGHTYEAR extended warning

The extended warning for checking incorrect COPYRIGHTYEAR is quite
expensive to run, so rather than expecting every developer to do it
we ensure it's turned on locally for Travis.

show more ...

checksrc: add COPYRIGHTYEAR check

Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't

checksrc: add COPYRIGHTYEAR check

Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't a good fit as it would penalize anyone hacking on January
1st (among other things). This adds a more selective COPYRIGHTYEAR
check which intends to only cover the currently hacked on changeset.

The check for updated copyright year is currently not enforced on all
files but only on files edited and/or committed locally. This is due to
the amount of files which aren't updated with their correct copyright
year at the time of their respective commit.

To further avoid running this expensive check for every developer, it
adds a new local override mode for checksrc where a .checksrc file can
be used to turn on extended warnings locally.

Closes #3303
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

CHECKSRC.md: document more warnings

Closes #3335
[ci skip]

RELEASE-NOTES: synced

SECURITY-PROCESS: bountygraph shuts down

This backpedals back the documents to the state before bountygraph.

Closes #3311

curl: fix memory leak reading --writeout from file

If another string had been set first, the writout function for reading
the syntax from file would leak the previously allocated memory.

curl: fix memory leak reading --writeout from file

If another string had been set first, the writout function for reading
the syntax from file would leak the previously allocated memory.

Reported-by: Brian Carpenter
Fixes #3322
Closes #3330

show more ...

tool_main: rename function to make it unique and better

... there's already another function in the curl tool named
free_config_fields!

TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry

Commit 7c5837e79280e6abb3ae143dfc49bca5e74cdd11 deprecated the option
making it a manual code-edit operation to turn it back on. The remov

TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry

Commit 7c5837e79280e6abb3ae143dfc49bca5e74cdd11 deprecated the option
making it a manual code-edit operation to turn it back on. The removal
process has thus started and is now documented in docs/DEPRECATE.md so
remove from the TODO to avoid anyone looking for something to pick up
spend cycles on an already in-progress entry.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

connect: fix building for recent versions of Minix

EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3

connect: fix building for recent versions of Minix

EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3.4rc

Closes https://github.com/curl/curl/pull/3323

show more ...

CMake: fix MIT/Heimdal Kerberos detection

- fix syntax error in FindGSS.cmake
- correct krb5 include directory. FindGSS exports
"GSS_INCLUDE_DIR" variable.

Closes https://

CMake: fix MIT/Heimdal Kerberos detection

- fix syntax error in FindGSS.cmake
- correct krb5 include directory. FindGSS exports
"GSS_INCLUDE_DIR" variable.

Closes https://github.com/curl/curl/pull/3316

show more ...

test328: verify Content-Encoding: none

Because of issue #3315

Closes #3317

configure: include all libraries in ssl-libs fetch

When compiling a collection of SSL libraries to link against (SSL_LIBS),
ensure all libraries are included. The call `--libs-only-l` ca

configure: include all libraries in ssl-libs fetch

When compiling a collection of SSL libraries to link against (SSL_LIBS),
ensure all libraries are included. The call `--libs-only-l` can produce
only a subset of found in a `--libs` call (e.x. pthread may be excluded).
Adding `--libs-only-other` ensures other libraries are also included in
the list. This corrects select build environments compiling against a
static version of OpenSSL. Before the change, the following could be
observed:

checking for openssl options with pkg-config... found
configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl "
configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
checking for HMAC_Update in -lcrypto... no
checking for HMAC_Init_ex in -lcrypto... no
checking OpenSSL linking with -ldl... no
checking OpenSSL linking with -ldl and -lpthread... no
configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
...
SSL support: no (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} )
...

And include the other libraries when compiling SSL_LIBS succeeds with:

checking for openssl options with pkg-config... found
configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread "
configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
checking for HMAC_Update in -lcrypto... yes
checking for SSL_connect in -lssl... yes
...
SSL support: enabled (OpenSSL)
...

Signed-off-by: James Knight <james.d.knight@live.com>
Closes #3193

show more ...

doh: fix typo in infof call

Reviewed-by: Daniel Stenberg <daniel@haxx.se>

cmdline-opts/gen.pl: define the correct varname

The variable definition had a small typo making it declare another
variable then the intended.

Closes #3304
Reviewed-by: Dani

cmdline-opts/gen.pl: define the correct varname

The variable definition had a small typo making it declare another
variable then the intended.

Closes #3304
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

RELEASE-NOTES: synced

curl_easy_perform: fix timeout handling

curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then

curl_easy_perform: fix timeout handling

curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then instead sleep for a while instead of monitoring the
socket and then miss acting on that activity as swiftly as it should
(causing an up to 1000 ms delay).

Reported-by: Antoni Villalonga
Fixes #3305
Closes #3306
Closes #3308

show more ...

CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times

cookies: create the cookiejar even if no cookies to save

Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

cookies: create the cookiejar even if no cookies to save

Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

Reported-by: daboul on github
Fixes #3299
Closes #3300

show more ...

checksrc: ban snprintf use, add command line flag to override warns

snprintf: renamed and we now only use msnprintf()

The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differen

snprintf: renamed and we now only use msnprintf()

The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297

show more ...

test: update test20/1322 for eglibc bug workaround

The tests 20 and 1322 are using getaddrinfo of libc for resolving. In
eglibc-2.19 there is a memory leakage and invalid free bug which

test: update test20/1322 for eglibc bug workaround

The tests 20 and 1322 are using getaddrinfo of libc for resolving. In
eglibc-2.19 there is a memory leakage and invalid free bug which
surfaces in some special circumstances (PF_UNSPEC hint with invalid or
non-existent names). The valgrind runs in testing fail in these
situations.

As the tests 20/1322 are not specific on either protocol (IPv4/IPv6)
this commit changes the hints to IPv4 protocol by passing `--ipv4` flag
on the tests' command line. This prevents the valgrind failures.

show more ...

host names: allow trailing dot in name resolve, then strip it

Delays stripping of trailing dots to after resolving the hostname.

Fixes #3022
Closes #3222

CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description

Closes #3295