docs: fix a typo in some cipher options

GHA: update ngtcp2/ngtcp2 and awslabs/aws-lc

- update ngtcp2/ngtcp2 to v1.8.1
- update awslabs/aws-lc to v1.37.0

Closes #15318
Closes #15329

Dockerfile: update Docker digest to d830561

Closes #15315

winbuild: add initial wolfSSL support

Ref: https://datagirl.xyz/posts/wolfssl_curl_w2k.html

Closes #15264

KNOWN_BUGS: LDFLAGS passed too late

Makes linking fail on some (ancient) platforms.

Closes #14893
Closes #15306

hsts: support "implied LWS" properly around max-age

Adjust test 780 to verify.

Reported-by: newfunction
Closes #15330

RELEASE-NOTES: synced

cmake: set version for `project()` and add CPack support

Note: the version like `8.11.0-DEV` is not a valid version for
`project()`, so need to extract the major, minor and patch parts.

cmake: set version for `project()` and add CPack support

Note: the version like `8.11.0-DEV` is not a valid version for
`project()`, so need to extract the major, minor and patch parts.

Previous, manual, `CURL_VERSION` macro is defined by `project()`
after this patch, so rename existing `CURL_VERSION*` variables to
`_curl_version*`.

Closes #15281

show more ...

tool_operate: reuse the schannel backend check

The transfer_per_config is called once per new transfer. It now saves
the result of the first TLS backend check done so that subsequent

tool_operate: reuse the schannel backend check

The transfer_per_config is called once per new transfer. It now saves
the result of the first TLS backend check done so that subsequent
invokes are more efficient and reuses the existing knowledge.

This change also splits the logic into several smaller functions.

Closes #15323

show more ...

libcurl/opts: improve phrasing for connection cap related options

Unify, clarify.

Closes #15324

http2: auto reset stream on server eos

When a server signals EOS from its side and the curl upload is
unfinished and the server has not given a positive HTTP status response,
auto RS

http2: auto reset stream on server eos

When a server signals EOS from its side and the curl upload is
unfinished and the server has not given a positive HTTP status response,
auto RST the stream to signal that the upload is incomplete and that the
whole transfer can be stopped.

Fixes the case where the server responds with 413 on an upload but does
not RST the stream from its side, as httpd and others do.

Reported-by: jkamp-aws on github
Fixes #15316
Closes #15325

show more ...

libtests: generate the lib1521 atomically

By renaming from a temporary file name to the .c once completed. This
avoids the risk that the checksrc job tries to verify the file before it

libtests: generate the lib1521 atomically

By renaming from a temporary file name to the .c once completed. This
avoids the risk that the checksrc job tries to verify the file before it
is complete, in parallel build setups.

Reported-by: Dan Frandrich
Fixes #15258
Closes #15327

show more ...

GHA: drop the hyper job

Hyper support is being removed in 2025. No one works on it. Getting
flaky test runs with this job adds nothing to the project.

Closes #15326

openssl: improve retries on shutdown

Once SSL_shutdown() has been called, OpenSSL does not really seem to
like it when it is called again and the other side has some finally data
to

openssl: improve retries on shutdown

Once SSL_shutdown() has been called, OpenSSL does not really seem to
like it when it is called again and the other side has some finally data
to deliver.

Instead SSL_read() needs to be used solely, once the close notify has
been sent from curl's side.

Closes #15321

show more ...

tool_operate: break out of loop on error

Follow-up to 69bf530dfd2a

The loop could get stuck there in torture tests/OOM.

Closes #15322

GHA: switch off proselint

Because we cannot disable the individual warnings we do not care about,
making this tool almost unusable for our purposes. See
https://github.com/amperser/p

GHA: switch off proselint

Because we cannot disable the individual warnings we do not care about,
making this tool almost unusable for our purposes. See
https://github.com/amperser/proselint/issues/1367

Instead, make 'very' a banned word (as recently that has been what
proselint most commonly points out for us).

Closes #15314

show more ...

source: avoid use of 'very' in comments

DISTROS: avoid use of "very"

DISABLED: disable test 1060 with hyper

... as it has started to fail and nobody wants to debug this.

Closes #15319

tests/http: fix ubuntu GnuTLS CI failures

Override the system default config in test_17_09, since we want to check
all TLS versions. Provide own, empty config file to gnutls, so that any

tests/http: fix ubuntu GnuTLS CI failures

Override the system default config in test_17_09, since we want to check
all TLS versions. Provide own, empty config file to gnutls, so that any
system wide file has no effect.

The latest ubunu image in GH CI disables TLS 1.0 and 1.1
system wide for GnuTLS. Good intentions.

Closes #15310

show more ...

tests: update some HTTP/2 over HTTPS tests

- improve descriptions
- require http/2, not h2c, since they are done over HTTPS

Closes #15317

winbuild/README: document how to clean a build

- Add a new section explaining that a build can be cleaned by adding the
keyword "clean" to the build command.

- Add an example

winbuild/README: document how to clean a build

- Add a new section explaining that a build can be cleaned by adding the
keyword "clean" to the build command.

- Add an example of using the "x64 Native Tools" prompt to the VS
command prompt section.

- Update the Legacy Windows section's lack-of-cipher support warning to
say "Windows 8 and earlier" instead of "Windows XP and earlier".

Ref: https://github.com/curl/curl/discussions/15277

Closes https://github.com/curl/curl/pull/15291

show more ...

GHA/macos: merge autotools and cmake jobs

To match other workflows and to avoid repetition in rules.

Also:
- fix build example step for cmake. update a job to use it.
- use

GHA/macos: merge autotools and cmake jobs

To match other workflows and to avoid repetition in rules.

Also:
- fix build example step for cmake. update a job to use it.
- use `cmake` to invoke the builds (instead of ninja directly).
- extend test 2100 exclusion to more jobs.
It fails with all `!debug gcc-12` jobs with autotools.
With cmake this only happened for gcc-12 Secure Transport jobs
for some reason.

Closes #15312

show more ...

CI: explicitly specify the OS version when necessary

Commit 8ea120f6 added --break-system-packages which works in Ubuntu
24.04 but not 22.04, so explicitly specify that version in the ru

CI: explicitly specify the OS version when necessary

Commit 8ea120f6 added --break-system-packages which works in Ubuntu
24.04 but not 22.04, so explicitly specify that version in the runner
instead of relying on ubuntu-latest to provide it. Some runners have
regressed back to 22.04 for ubuntu-latest, resulting in build failures.

show more ...

tests: capture stdin to get the vsftpd version number

vsftpd 3.0 at least writes its version number to stdin (!) instead of
stderr. This works due for backwards compatibility reasons in

tests: capture stdin to get the vsftpd version number

vsftpd 3.0 at least writes its version number to stdin (!) instead of
stderr. This works due for backwards compatibility reasons in UNIX, so
we must check stdin for anything written there to reliably parse the
version string.

Closes #15278

show more ...