tests: add SNI and peer name checks

- connect to DNS names with trailing dot
- connect to DNS names with double trailing dot
- rustls, always give `peer->hostname` and let it
f

tests: add SNI and peer name checks

- connect to DNS names with trailing dot
- connect to DNS names with double trailing dot
- rustls, always give `peer->hostname` and let it
figure out SNI itself
- add SNI tests for ip address and localhost
- document in code and TODO that QUIC with ngtcp2+wolfssl
does not do proper peer verification of the certificate
- mbedtls, skip tests with ip address verification as not
supported by the library

Closes #13486

show more ...

curl_getdate.md: document two-digit year handling

Mentioned-by: Paul Gilmartin
Ref: https://curl.se/mail/archive-2024-04/0014.html
Closes #13494

cmake: add `BUILD_EXAMPLES` option to build examples

You can enable it with `-DBUILD_EXAMPLES=ON`.

To match autotools' `make examples` feature.
Windows (static) builds not teste

cmake: add `BUILD_EXAMPLES` option to build examples

You can enable it with `-DBUILD_EXAMPLES=ON`.

To match autotools' `make examples` feature.
Windows (static) builds not tested.

Also enable examples in a pair of CI jobs.

Apply related updates to the macOS CI workflow:
- drop unused `CXX` envs.
- drop no longer needed `-Wno-error=undef -Wno-error=conversion` flags.
- pass `-Wno-deprecated-declarations` to GCC too (for `BUILD_EXAMPLES`).
- document why `-Wno-deprecated-declarations` is necessary.

Closes #13491

show more ...

http3: quiche+ngtcp2 improvements

- quiche: error transfers that try to receive on a closed
or draining connection
- ngtcp2: use callback for extending max bidi streams. This

http3: quiche+ngtcp2 improvements

- quiche: error transfers that try to receive on a closed
or draining connection
- ngtcp2: use callback for extending max bidi streams. This
allows more precise calculation of MAX_CONCURRENT as we
only can start a new stream when the server acknowledges
the close - not when we locally have closed it.
- remove a fprintf() from h2-download client to avoid excess
log files on tests timing out.

Closes #13475

show more ...

vtls: TLS session storage overhaul

- add session with destructor callback
- remove vtls `session_free` method
- let `Curl_ssl_addsessionid()` take ownership
of session object,

vtls: TLS session storage overhaul

- add session with destructor callback
- remove vtls `session_free` method
- let `Curl_ssl_addsessionid()` take ownership
of session object, freeing it also on failures
- change tls backend use
- test_17, add tests for SSL session resumption

Closes #13386

show more ...

multi: multi_wait improvements

- only call `multi_getsock()` once for all transfers
- realloc pollset array on demand
- fold repeated sockets

Closes #13150

ci: remove microsoft-prod.list

This is added by default, and it is often broken, but we don't need
anything from it.

Closes #13473

curl_setup.h: detect 'inline' support

Closes #13355

multi: avoid memory-leak risk

'newurl' is allocated in some conditions and used in a few scenarios,
but there were theoretical combinations in which it would not get freed.
Move the

multi: avoid memory-leak risk

'newurl' is allocated in some conditions and used in a few scenarios,
but there were theoretical combinations in which it would not get freed.
Move the free to happen unconditionally. Never triggered by tests, but
spotted by Coverity.

Closes #13471

show more ...

sendf: Curl_cwriter_write: remove comment disallowing zero length writes

They are needed to pass CLIENTWRITE_EOS.

Closes #13477

CI: macos fixes for new ARM GHA images

- based on #13478 with additions from #13476
- make homebrew install path flexible
- fix OpenSSL pkgconfig files libdir
- add path to --wit

CI: macos fixes for new ARM GHA images

- based on #13478 with additions from #13476
- make homebrew install path flexible
- fix OpenSSL pkgconfig files libdir
- add path to --with-libssh2 target
- disable gcc securetransport due to linker
errors (missing symbols), probably because
the os version is no longer low enough

Assisted-by: Viktor Szakats

Closes #13479

show more ...

content_encoding: ignore duplicate chunked encoding

- ignore duplicate "chunked" transfer-encodings from
a server to accomodate for broken implementations
- add test1482 and test14

content_encoding: ignore duplicate chunked encoding

- ignore duplicate "chunked" transfer-encodings from
a server to accomodate for broken implementations
- add test1482 and test1483

Reported-by: Mel Zuser
Fixes #13451
Closes #13461

show more ...

tool: move tool_ftruncate64 to tool_util.c

... and the prototype to tool_setup.h, to make them both available more
widely and accurately.

Follow-up to 00bef95946d3511

F

tool: move tool_ftruncate64 to tool_util.c

... and the prototype to tool_setup.h, to make them both available more
widely and accurately.

Follow-up to 00bef95946d3511

Fixes #13458
Closes #13459

show more ...

lib: silence `-Wsign-conversion` in base64, strcase, mprintf

Closes #13467

CI: retain failure code after `./configure` with Circle CI

Suggested-by: Dan Fandrich
Follow-up to 43299e93c06b96fea8a8dc9b1c2e49c82bc21801 #13462
Follow-up to d7332e3e46c3ef401b34e6

CI: retain failure code after `./configure` with Circle CI

Suggested-by: Dan Fandrich
Follow-up to 43299e93c06b96fea8a8dc9b1c2e49c82bc21801 #13462
Follow-up to d7332e3e46c3ef401b34e6a1a129eb4dd846c452 #12635
Closes #13468

show more ...

RELEASE-NOTES: synced

mbedTLS: implement CURLOPT_SSL_CIPHER_LIST option

Use a lookup list to set the cipher suites, allowing the
ciphers to be set by either openssl or IANA names.

To keep the binary

mbedTLS: implement CURLOPT_SSL_CIPHER_LIST option

Use a lookup list to set the cipher suites, allowing the
ciphers to be set by either openssl or IANA names.

To keep the binary size of the lookup list down we compress
each entry in the cipher list down to 2 + 6 bytes using the
C preprocessor.

Closes #13442

show more ...

CI: show more failed `config.log` on Circle CI

Show last 1000 lines of `config.log` if `./configure` fails. This was
already done for one job, this patch extends it to all.

Ref:

CI: show more failed `config.log` on Circle CI

Show last 1000 lines of `config.log` if `./configure` fails. This was
already done for one job, this patch extends it to all.

Ref: #13438
Closes #13462

show more ...

telnet: check return code from fileno()

and return error if necessary

Spotted by CodeSonar

Closes #13457

tls: fix SecureTransport + BearSSL cmake unity builds

Avoid clashing static function names by namespacing them.

Pointed-out-by: Jan Venekamp
Ref: https://github.com/curl/curl/pu

tls: fix SecureTransport + BearSSL cmake unity builds

Avoid clashing static function names by namespacing them.

Pointed-out-by: Jan Venekamp
Ref: https://github.com/curl/curl/pull/13442#discussion_r1576350700
Closes #13450

show more ...

dllmain: Call OpenSSL thread cleanup for Windows and Cygwin

- Call OPENSSL_thread_stop on thread termination (DLL_THREAD_DETACH)
to prevent a memory leak in case OpenSSL is linked stat

dllmain: Call OpenSSL thread cleanup for Windows and Cygwin

- Call OPENSSL_thread_stop on thread termination (DLL_THREAD_DETACH)
to prevent a memory leak in case OpenSSL is linked statically.

- Warn in libcurl-thread.3 that if OpenSSL is linked statically then it
may require thread cleanup.

OpenSSL may need per-thread cleanup to stop a memory leak. For Windows
and Cygwin if libcurl was built as a DLL then we can do that for the
user by calling OPENSSL_thread_stop on thread termination. However, if
libcurl was built statically then we do not have notification of thread
termination and cannot do that for the user.

Also, there are several other unusual cases where it may be necessary
for the user to call OPENSSL_thread_stop, so in the libcurl-thread
warning I added a link to the OpenSSL documentation.

Co-authored-by: Viktor Szakats

Reported-by: southernedge@users.noreply.github.com
Reported-by: zmcx16@users.noreply.github.com

Ref: https://www.openssl.org/docs/man3.0/man3/OPENSSL_thread_stop.html#NOTES

Fixes https://github.com/curl/curl/issues/12327
Closes https://github.com/curl/curl/pull/12408

show more ...

rustls: remove incorrect SSLSUPP_TLS13_CIPHERSUITES flag

The rustls backend advertises SSLSUPP_TLS13_CIPHERSUITES, but
the code does not actually seem to support it (yet?). Removed
t

rustls: remove incorrect SSLSUPP_TLS13_CIPHERSUITES flag

The rustls backend advertises SSLSUPP_TLS13_CIPHERSUITES, but
the code does not actually seem to support it (yet?). Removed
the flag and corrected documentation.

Closes #13452

show more ...

quiche: expire all active transfers on connection close

- when a connection close is detected, all ongoing transfers
need to expire bc no more POLL events are likely to happen
fo

quiche: expire all active transfers on connection close

- when a connection close is detected, all ongoing transfers
need to expire bc no more POLL events are likely to happen
for them.

Fixes #13439
Reported-by: Jay Satiro
Closes #13447

show more ...

tests: fix feature case in test1481

This test was being skipped everywhere because the feature never
matched.

Closes #13445

tool_operate: don't truncate the etag save file by default

This fixes a regression of 75d79a4486b279100209ddf8c7fdb12955fb66e9. The
code in tool-operate truncated the etag save file, und

tool_operate: don't truncate the etag save file by default

This fixes a regression of 75d79a4486b279100209ddf8c7fdb12955fb66e9. The
code in tool-operate truncated the etag save file, under the assumption
that the file would be written with a new etag value. However since
75d79a4486b279100209ddf8c7fdb12955fb66e9 that might not be the case
anymore and could result in the file being truncated when --etag-compare
and --etag-save was used and that the etag value matched with what the
server responded. Instead the truncation should not be done when a new
etag value should be written.

Test 3204 was added to verify that the file with the etag value doesn't
change the contents when used by --etag-compare and --etage-save and
that value matches with what the server returns on a non 2xx response.

Closes #13432

show more ...