ftpserver: lower the normal DATA connect timeout to speed up torture tests

- tests/ftpserver.pl blocks when expecting a DATA connection from the
client.

- the previous 10 seco

ftpserver: lower the normal DATA connect timeout to speed up torture tests

- tests/ftpserver.pl blocks when expecting a DATA connection from the
client.

- the previous 10 seconds were encountered repeatedly in torture tests
and let to long waits.

- 2 seconds should still be sufficient for current hw, but CI will show.

Closes #10178

show more ...

msh3: add support for request payload

Closes #10136

openssl: remove attached easy handles from SSL instances

- keeping the "current" easy handle registered at SSL* is no longer
necessary, since the "calling" data object is already sto

openssl: remove attached easy handles from SSL instances

- keeping the "current" easy handle registered at SSL* is no longer
necessary, since the "calling" data object is already stored in the
cfilter's context (and used by other SSL backends from there).
- The "detach" of an easy handle that goes out of scope is then avoided.
- using SSL_set0_wbio for clear reference counting where available.

Closes #10151

show more ...

socketpair: allow localhost MITM sniffers

Windows allow programs to MITM connections to localhost. The previous
check here would detect that and error out. This new method writes data

socketpair: allow localhost MITM sniffers

Windows allow programs to MITM connections to localhost. The previous
check here would detect that and error out. This new method writes data
to verify the pipe thus allowing MITM.

Reported-by: SerusDev on github
Fixes #10144
Closes #10169

show more ...

HTTP3: mention what needs to be in place to remove EXPERIMENTAL label

Closes #10168

MANUAL.md: add pipe to apt-key example

Closes #10170

test417: verify %{certs} output

runtests: make 'mbedtls' a testable feature

Also add to FILEFORMAT.md

writeout: add %{certs} and %{num_certs}

Let users get the server certificate chain using the command line

Closes #10019

haxproxy: send before TLS handhshake

- reverse order of haproxy and final ssl cfilter

- make haproxy avaiable on PROXY builds, independent of HTTP support as
it can be used wi

haxproxy: send before TLS handhshake

- reverse order of haproxy and final ssl cfilter

- make haproxy avaiable on PROXY builds, independent of HTTP support as
it can be used with any protocol.

Reported-by: Sergio-IME on github
Fixes #10165
Closes #10167

show more ...

RELEASE-NOTES: synced

test446: verify hsts with two URLs

runtests: support crlf="yes" for verify/proxy

hsts: handle adding the same host name again

It will then use the largest expire time of the two entries.

tool_operate: share HSTS between handles

share: add sharing of HSTS cache among handles

Closes #10138

Makefile.mk: fix wolfssl and mbedtls default paths

Fix the defaults for `WOLFSSL_PATH` and `MBEDTLS_PATH` to have
meaningful values instead of the copy-pasted wrong ones.

Ref: h

Makefile.mk: fix wolfssl and mbedtls default paths

Fix the defaults for `WOLFSSL_PATH` and `MBEDTLS_PATH` to have
meaningful values instead of the copy-pasted wrong ones.

Ref: https://github.com/curl/curl/commit/66e68ca47f7fd00dff2cb7c45ba6725d40099585#r94275172

Reported-by: Ryan Schmidt
Closes #10164

show more ...

INTERNALS: cleanup

- remove "operating systems" (mostly outdated)

- upodate the "build tools"

Closes #10162

cmake: bump requirement to 3.7

Because this is the cmake version (released in November 2016) that
introduced GREATER_EQUAL, which is used already.

Reported-by: nick-telia on git

cmake: bump requirement to 3.7

Because this is the cmake version (released in November 2016) that
introduced GREATER_EQUAL, which is used already.

Reported-by: nick-telia on github
Fixes #10128
Closes #10161

show more ...

cfilters:Curl_conn_get_select_socks: use the first non-connected filter

When there are filters addded for both socket and SSL, the code
previously checked the SSL sockets during connect

cfilters:Curl_conn_get_select_socks: use the first non-connected filter

When there are filters addded for both socket and SSL, the code
previously checked the SSL sockets during connect when it *should* first
check the socket layer until that has connected.

Fixes #10157
Fixes #10146
Closes #10160

Reviewed-by: Stefan Eissing

show more ...

urlapi: add CURLU_PUNYCODE

Allows curl_url_get() get the punycode version of host names for the
host name and URL parts.

Extend test 1560 to verify.

Closes #10109

RELEASE-NOTES: synced

libssh2: try sha2 algos for hostkey methods

As is supported by recent libssh2, but should just be ignored by older
versions.

Reported-by: norbertmm on github
Assisted-by: no

libssh2: try sha2 algos for hostkey methods

As is supported by recent libssh2, but should just be ignored by older
versions.

Reported-by: norbertmm on github
Assisted-by: norbertmm on github
Fixes #10143
Closes #10145

show more ...

typecheck: accept expressions for option/info parameters

As expressions can have side effects, evaluate only once.

To enable deprecation reporting only once, get rid of the __typeof

typecheck: accept expressions for option/info parameters

As expressions can have side effects, evaluate only once.

To enable deprecation reporting only once, get rid of the __typeof__
use to define the local temporary variable and use the target type
(CURLoption/CURLINFO). This also avoids multiple reports on type
conflicts (if some) by the curlcheck_* macros.

Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
their values: a curl_easy_setopt call with an integer constant as option
will never report a deprecation.

Reported-by: Thomas Klausner
Fixes #10148
Closes #10149

show more ...

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RH

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RHEL-9 and derivatives, which are not willing to use certificates using
that algorithm. The fix is to use sha256 instead, which is already used
for most of the other certificates in the test suite.

Fixes #10135

This gets rid of issues related to sha1 signatures.

Manual steps after "make clean-certs" and "make build-certs":

- Copy tests/certs/stunnel-sv.pem to tests/stunnel.pem
(make clean-certs does not remove the original tests/stunnel.pem)

- Copy tests/certs/Server-localhost-sv.pubkey-pinned into --pinnedpubkey
options of tests/data/test2041 and tests/data/test2087

Closes #10153

show more ...