History log of /curl/ (Results 926 – 950 of 33757)
Revision Date Author Comments
f3e07e5c 04-Aug-2024 Jan Venekamp <1422460+jan2000@users.noreply.github.com>

docs: wolfssl and mbedtls add CURLOPT_TLS13_CIPHERS support

Documentation for #14384 and #14385

Closes #14386

4c128924 04-Aug-2024 Jan Venekamp <1422460+jan2000@users.noreply.github.com>

wolfssl: add CURLOPT_TLS13_CIPHERS support

Bring setting ciphers with WolfSSL in line with other SSL backends,
to make the curl interface more consistent across the backends.

Now the tls1.3 ciphers are set with the --tls13-ciphers option, when
not set the default tls1.3 ciphers are used. The tls1.2 (1.1, 1.0)
ciphers are set with the --ciphers option, when not set the default
tls1.2 ciphers are used. The ciphers available for the connection
are now a union of the tls1.3 and tls1.2 ciphers.

This changes the behaviour for WolfSSL when --ciphers is set, but
--tls13-ciphers is not set. Now the ciphers set with --ciphers
are combined with the default tls1.3 ciphers, whereas before solely
the ciphers of --ciphers were used.

Thus before when no tls1.3 ciphers were specified in --ciphers,
tls1.3 was completely disabled. This might not be what the user
expected, especially as this does not happen with OpenSSL.

Closes #14385

a18680f5 05-Aug-2024 Daniel Stenberg

VULN-DISCLOSURE-POLICY.md: small typo fix

82bbb386 05-Aug-2024 Viktor Szakats

cmake: fix `GSS_VERSION` for Heimdal found via pkg-config

Previously used source variable was never defined, possibly due
to a copy-paste-edit typo.

Closes #14393

3f7dc8a4 04-Aug-2024 Jan Venekamp <1422460+jan2000@users.noreply.github.com>

mbedtls: add CURLOPT_TLS13_CIPHERS support

Bring setting ciphers with mbedTLS in line with other SSL backends,
to make the curl interface more consistent across the backends.

Now the tls1.3 ciphers are set with the --tls13-ciphers option, when
not set the default tls1.3 ciphers are used. The tls1.2 (1.1, 1.0)
ciphers are set with the --ciphers option, when not set the default
tls1.2 ciphers are used. The ciphers available for the connection
are now a union of the tls1.3 and tls1.2 ciphers.

This changes the behaviour for mbedTLS when --ciphers is set, but
--tls13-ciphers is not set. Now the ciphers set with --ciphers
are combined with the default tls1.3 ciphers, whereas before solely
the ciphers of --ciphers were used.

Thus before when no tls1.3 ciphers were specified in --ciphers,
tls1.3 was completely disabled. This might not be what the user
expected, especially as this does not happen with OpenSSL.

Closes #14384

d266d19d 05-Aug-2024 Moritz Buhl

ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks

Closes #14394

b9d465c8 05-Aug-2024 Daniel Stenberg

tool_help: fix a NULL deref in the --help option code

Follow-up to 9a0cf56471c1a

Pointed out by CodeSonar

Closes #14391

0238a9b0 05-Aug-2024 Daniel Stenberg

KNOWN_BUGS: "special characters" in URL works with aws-sigv4

Since #13754
Pointed-out-by: Slaven Rezić
Bug: https://github.com/curl/curl/issues/13754#issuecomment-2268374427
Closes #14392

38d334e3 05-Aug-2024 Daniel Stenberg

curl: use libuv for parallel transfers with --test-event

add --with-libuv to configure to (optionally) use it in debug-builds to
drive the event-based API

Use curl_multi_socket_action() and friends to drive parallel transfers.

tests/README has brief documentation for this

Closes #14298

7c31ceb5 05-Aug-2024 Daniel Stenberg

RELEASE-NOTES: synced

35bf7662 04-Aug-2024 Stefan Eissing

http2: improved upload eos handling

- replace the counting of upload lengths with the new eos send flag
- improve frequency of stream draining to happen less on events where it
is not needed
- this PR is based on #14220

http2, cf-h2-proxy: fix EAGAINed out buffer
- in adjust pollset and shutdown handling, a non-empty `ctx->outbufq`
must trigger send polling, irregardless of http/2 flow control
- in http2, fix retry handling of blocked GOAWAY frame

test case improvement:
- let client 'upload-pausing' handle http versions

Closes #14253

344ba8c8 04-Aug-2024 Stefan Eissing

wolfssl: improve shutdown handling

Improve handling of shutdown when sending gets blocked.

Add workaround for <https://github.com/wolfSSL/wolfssl/issues/7784>
where wolfSSL keeps on adding close notify messages to its outgoing
buffer on every attempt.

Closes #14376

4494005b 04-Aug-2024 Stefan Eissing

openssl: improve shutdown handling

Make sure that `io_need` is cleared and set at the filter operations.
Add some more tracing for shutdown situations.

Improve shutdown handling for blocked sends. OpenSSL is a bit tricksy
here that it only reports WANT_WRITE on SSL_shutdown(), but never on
SSL_read() on blocked sends. So we need to use both.

At last, set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER when available since we
are not always retrying sends from the very same address, as testing
showed.

Closes #14375

6f192106 04-Aug-2024 Stefan Eissing

bearssl: improve shutdown handling

- replace own "adjust_pollset()" with vtls' standard one
- set io_need always accordingly
- handle EAGAIN on shutdown

Closes #14374

ed285045 04-Aug-2024 Daniel Stenberg

configure: fail if PSL is not disabled but not found

Regression since 9b3f67e (shipped in 8.7.0)
Reported-by: Ryan Carsten Schmidt
Fixes #14373
Assisted-by: Viktor Szakats
Closes #14379

7d45b521 04-Aug-2024 Daniel Stenberg

KNOWN_BUGS: mention AppleIDN and WinIDN test problems

Closes #14176
Closes #14387

781c14c4 04-Aug-2024 Tal Regev

tool_operhlp: fix "potentially uninitialized local variable 'pc' used"

A false positive by MSVC.

Closes #14389

3eec5afb 04-Aug-2024 Daniel Stenberg

sigpipe: init the struct so that first apply ignores

Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
init ignores the signal (unless CURLOPT_NOSIGNAL is set).

I have read the existing code multiple times now and I think it gets the
initial state reversed, thus missing to ignore.

Regression from 17e6f06ea37136c36d27

Reported-by: Rasmus Thomsen
Fixes #14344
Closes #14390

8d981180 25-Jun-2024 Alex Snast

wolfssl: add support for ssl cert blob / ssl key blob options

wolfSSL supports setting certificates/private keys from memory blobs
which allow us to implement both CURLOPT_SSLCERT_BLOB and
CURLOPT_SSLKEY_BLOB options.

Closes #14018

7b144497 04-Aug-2024 Viktor Szakats

cmake: add support for versioned symbols option

Implement the `--enable-versioned-symbols` feature available in
`./configure` for CMake.

Enable with `-DCURL_LIBCURL_VERSIONED_SYMBOLS=ON`. Customize the version
prefix with `-DCURL_LIBCURL_VERSIONED_SYMBOLS_PREFIX=MYPREFIX_`. By
default the prefix matches what autotools uses.

When enabled, the feature is detected and a warning shown if
unavailable. (E.g. on Apple and Windows, it isn't.)

Included `HIDDEN {};` to match autotools, though I don't know if it's
necessary, useful or making any difference.

Differences from the autotools implementation:
- soversion is dynamic instead of hard-coded.
- omits referencing non-curl symbols.
- allows prefix/flavour override.
- more universal feature detection.
- doesn't rely on the in-repo `lib/libcurl.vers.in` file.

Also:
- add mbedTLS and BearSSL versioned symbol prefix support to autotools.
- enable this option in an old-linux job.

Follow-up to 7cc2e8b349df28d55d5f40bfae323485df9f0cf2
Fixes #14349
Closes #14378

573aaec3 10-Jan-2024 Jay Satiro

easy: fix curl_easy_upkeep for shared connection caches

- Determine which connection cache is or will be used by the easy handle
and perform connection upkeep on that cache.

This change allows curl_easy_upkeep to be effective on easy handles that
are using a shared connection cache, either from a user created shared
connection cache or a user created multi which has its own shared
connection cache.

Prior to this change curl_easy_upkeep would upkeep the connection cache
for the easy handle only if that cache was from the multi owned by the
easy handle (ie curl_easy_perform was previously called and there's a
connection cache exclusive to the easy handle in
data->multi_easy->conn_cache).

Ref: https://curl.se/mail/lib-2024-01/0016.html

Closes https://github.com/curl/curl/pull/12677

b7e769dc 23-Jul-2024 Jay Satiro

vtls: stop offering alpn http/1.1 for http2-prior-knowledge

- For HTTPS if http2-prior-knowledge is set then only offer h2 (HTTP/2)
alpn to the server for protocol negotiation.

Prior to this change both HTTP/2 ("h2") and HTTP/1.1 ("http/1.1") were
offered for ALPN when http2-prior-knowledge was set.

CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE (tool: --http2-prior-knowledge) is
meant to send non-TLS HTTP requests over HTTP/2 when it is known the server
supports them. However when HTTPS is used then it attempts to first
negotiate the connection with ALPN. In that case the user likely does
not want to offer http/1.1 to the server as an acceptable protocol.

Reported-by: kit-ty-kate@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/9963
Closes https://github.com/curl/curl/pull/14266

732cb15b 04-Aug-2024 Daniel Stenberg

curl: add --skip-existing

With this option, the entire download is skipped if the selected target
filename already exists when the operation is about to begin.

Test 994, 995 and 996 verify.

Ref: #11012
Closes #13993

eec908bb 04-Aug-2024 Jan Venekamp <1422460+jan2000@users.noreply.github.com>

revert "tests/http: configure test httpd to honor client cipher order"

revert f6cb3c63 #14338

Setting SSLHonorCipherOrder to on means it honors the server cipher
order. From the documentation: "When choosing a cipher during an SSLv3
or TLSv1 handshake, normally the client's preference is used. If this
directive is enabled, the server's preference will be used instead."

Also the commit inhibits test_17_07_ssl_ciphers. The test tries to
test if all the ciphers specified, and only those, are properly set
in curl. For that to work we need to have cases where some or all ciphers
do not intersect with the cipher-set of the server. We need to be able
to assert a failed connection based on a cipher set mismatch.

That is why a restricted set of ciphers is used on the server. This
set is so chosen that it contains the well known most secure ciphers.
Except with the slower aes256 variant intentionally left out, to be
able to test the above described.

As test_17_07_ssl_ciphers is currently the only test that tests the
functioning of the --ciphers and --tls13-ciphers options, it is
important that its coverage is as good as possible.

Closes #14381

8a956789 16-Jul-2024 Tal Regev

GHA/windows: add mbedTLS MSVC job

Ref: 92e28f2897dc4adf0014af197e88fd8e1ccc6aeb #14228
Closes #14203
