TODO: add "WebSocket read callback"

remove "Upgrade to websockets" as we already have this

Closes #11402

test497: verify rejecting too large incoming headers

http: return error when receiving too large header set

To avoid abuse. The limit is set to 300 KB for the accumulated size of
all received HTTP headers for a single response. Incomplete

http: return error when receiving too large header set

To avoid abuse. The limit is set to 300 KB for the accumulated size of
all received HTTP headers for a single response. Incomplete research
suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
1MB.

Closes #11582

show more ...

http2: upgrade tests and add fix for non-existing stream

- check in h2 filter recv that stream actually exists
and return error if not
- add test for parallel, extreme h2 upgrades

http2: upgrade tests and add fix for non-existing stream

- check in h2 filter recv that stream actually exists
and return error if not
- add test for parallel, extreme h2 upgrades that fail if
connections get reused before fully switched
- add h2 upgrade upload test just for completeness

Closes #11563

show more ...

tests: ensure `libcurl.def` contains all exports

Add `test1279` to verify that `libcurl.def` lists all exported API
functions found in libcurl headers.

Also:

- extend t

tests: ensure `libcurl.def` contains all exports

Add `test1279` to verify that `libcurl.def` lists all exported API
functions found in libcurl headers.

Also:

- extend test suite XML `stdout` tag with the `loadfile` attribute.

- fix `tests/extern-scan.pl` and `test1135` to include websocket API.

- use all headers (sorted) in `test1135` instead of a manual list.

- add options `--sort`, `--heading=` to `tests/extern-scan.pl`.

- add `libcurl.def` to the auto-labeler GHA task.

Follow-up to 2ebc74c36a19a1700af394c16855ce144d9878e3

Closes #11570

show more ...

url: change default value for CURLOPT_MAXREDIRS to 30

It was previously unlimited by default, but that's not a sensible
default. While changing this has a remote risk of breaking an exis

url: change default value for CURLOPT_MAXREDIRS to 30

It was previously unlimited by default, but that's not a sensible
default. While changing this has a remote risk of breaking an existing
use case, I figure it is more likely to actually save users from loops.

Closes #11581

show more ...

lib: fix a few *printf() flag mistakes

Reported-by: Gisle Vanem
Ref: #11574
Closes #11579

openssl: make aws-lc version support OCSP

And bump version in CI

Closes #11568

tool: make the length argument an int for printf()-.* flags

Closes #11578

tool_operate: fix memory leak when SSL_CERT_DIR is used

Detected by Coverity

Follow-up to 29bce9857a12b6cfa726a5

Closes #11577

tool/var: free memory on OOM

Coverity detected this memory leak in OOM situation

Follow-up to 2e160c9c652504e

Closes #11575

gha: bump libressl and mbedtls versions

Closes #11573

schannel: fix user-set legacy algorithms in Windows 10 & 11

- If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
use the SCHANNEL_CRED legacy structure to pass the

schannel: fix user-set legacy algorithms in Windows 10 & 11

- If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
use the SCHANNEL_CRED legacy structure to pass the list to Schannel.

- If the user set both a legacy algorithm list and a TLS 1.3 cipher list
then abort.

Although MS doesn't document it, Schannel will not negotiate TLS 1.3
when SCHANNEL_CRED is used. That means setting a legacy algorithm list
limits the user to earlier versions of TLS.

Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would
ignore legacy algorithms in Windows 10 1809 and later.

Reported-by: zhihaoy@users.noreply.github.com

Fixes https://github.com/curl/curl/pull/10741
Closes https://github.com/curl/curl/pull/10746

show more ...

variable.d: setting a variable again overwrites it

Reported-by: Niall McGee
Bug: https://twitter.com/niallmcgee/status/1686523075423322113
Closes #11571

CURLOPT_PROXY_SSL_OPTIONS.3: sync formatting

- Re-wrap CURLSSLOPT_ALLOW_BEAST description.

RELEASE-NOTES: synced

resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set

Previously it would always do PF_UNSPEC if CURL_IPRESOLVE_V4 is not
used, thus unnecessarily asking for addresses that

resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set

Previously it would always do PF_UNSPEC if CURL_IPRESOLVE_V4 is not
used, thus unnecessarily asking for addresses that will not be used.

Reported-by: Joseph Tharayil
Fixes #11564
Closes #11565

show more ...

docs: link to the website versions instead of markdowns

... to make the links work when the markdown is converted to webpages on
https://curl.se

Reported-by: Maurício Meneghini

docs: link to the website versions instead of markdowns

... to make the links work when the markdown is converted to webpages on
https://curl.se

Reported-by: Maurício Meneghini Fauth
Fixes https://github.com/curl/curl-www/issues/272
Closes #11569

show more ...

cmake: cache more config and delete unused ones

- cache more Windows config results for faster initialization.

- delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`.

cmake: cache more config and delete unused ones

- cache more Windows config results for faster initialization.

- delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`.

- delete dead references to `sys/utsname.h`.

Closes #11551

show more ...

egd: delete feature detection and related source code

EGD is Entropy Gathering Daemon, a socket-based entropy source supported
by pre-OpenSSL v1.1 versions and now deprecated. curl also

egd: delete feature detection and related source code

EGD is Entropy Gathering Daemon, a socket-based entropy source supported
by pre-OpenSSL v1.1 versions and now deprecated. curl also deprecated it
a while ago.

Its detection in CMake was broken all along because OpenSSL libs were
not linked at the point of feature check.

Delete detection from both cmake and autotools, along with the related
source snippet, and the `--with-egd-socket=` `./configure` option.

Closes #11556

show more ...

tests: fix h3 server check and parallel instances

- fix check for availability of nghttpx server
- add `tcp` frontend config for same port as quic, as
without this, port 3000 is bo

tests: fix h3 server check and parallel instances

- fix check for availability of nghttpx server
- add `tcp` frontend config for same port as quic, as
without this, port 3000 is bound which clashes for parallel
testing

Closes #11553

show more ...

docs/cmdline-opts: spellfixes, typos and polish

To make them accepted by the spell checker

Closes #11562

CI/spellcheck: build curl.1 and spellcheck it

Added acceptable words

Closes #11562

misc: fix various typos

Closes #11561

http2: avoid too early connection re-use/multiplexing

HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
for reuse and multiplexing by other handles until the 101 swi

http2: avoid too early connection re-use/multiplexing

HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
for reuse and multiplexing by other handles until the 101 switching
process is completed.

Lots-of-debgging-by: Stefan Eissing
Reported-by: Richard W.M. Jones
Bug: https://curl.se/mail/lib-2023-07/0045.html
Closes #11557

show more ...