                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.83.0 (27 Apr 2022)

Daniel Stenberg (27 Apr 2022)
- RELEASE-NOTES: synced
  
  The 7.83.0 release

- docs/THANKS: contributors from 7.83.0

- test 898/974/976: require proxy to run
  
  Fixes #8755
  Reported-by: Marc Hörsken
  Closes #8756

- gnutls: don't leak the SRP credentials in redirects
  
  Follow-up to 620ea21410030 and 139a54ed0a172a
  
  Reported-by: Harry Sintonen
  Closes #8752

- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS
  
  Closes #8753

- openssl: don't leak the SRP credentials in redirects either
  
  Follow-up to 620ea21410030
  
  Reported-by: Harry Sintonen
  Closes #8751

- [Liam Warfield brought this change]

  hyper: fix tests 580 and 581 for hyper
  
  Hyper now has the ability to preserve header order. This commit adds a
  few lines setting the connection options for this feature.
  
  Related to issue #8617
  Closes #8707

- conncache: remove name arg from Curl_conncache_find_bundle
  
  To simplify, and also since the returned name is not the full actual
  name used for the check. The port number and zone id are also involved,
  so just showing the name is misleading.
  
  Closes #8750

- tests: verify the fix for CVE-2022-27774
  
   - Test 973 redirects from HTTP to FTP, clear auth
   - Test 974 redirects from HTTP to HTTP different port, clear auth
   - Test 975 redirects from HTTP to FTP, permitted to keep auth
   - Test 976 redirects from HTTP to HTTP different port, permitted to keep
     auth

- transfer: redirects to other protocols or ports clear auth
  
  ... unless explicitly permitted.
  
  Bug: https://curl.se/docs/CVE-2022-27774.html
  Reported-by: Harry Sintonen
  Closes #8748

- connect: store "conn_remote_port" in the info struct
  
  To make it available after the connection ended.

- cookie.d: clarify when cookies are always sent

- test898: verify the fix for CVE-2022-27776
  
  Do not pass on Authorization headers on redirects to another port

- http: avoid auth/cookie on redirects same host diff port
  
  CVE-2022-27776
  
  Reported-by: Harry Sintonen
  Bug: https://curl.se/docs/CVE-2022-27776.html
  Closes #8749

- libssh2: make the md5 comparison fail if wrong length
  
  Making it just skip the check unless exactly 32 is too brittle. Even if
  the docs say it needs to be exactly 32, it is safer to make the
  comparison fail here instead.
  
  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1549461
  Closes #8745

- conncache: include the zone id in the "bundle" hashkey
  
  Make connections to two separate IPv6 zone ids create separate
  connections.
  
  Reported-by: Harry Sintonen
  Bug: https://curl.se/docs/CVE-2022-27775.html
  Closes #8747

- [Patrick Monnerat brought this change]

  url: check sasl additional parameters for connection reuse.
  
  Also move static function safecmp() as non-static Curl_safecmp() since
  its purpose is needed at several places.
  
  Bug: https://curl.se/docs/CVE-2022-22576.html
  
  CVE-2022-22576
  
  Closes #8746

- libssh2: compare sha256 strings case sensitively
  
  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1549435
  Closes #8744

- tool_getparam: error out on missing -K file
  
  Add test 411 to verify.
  
  Reported-by: Median Median Stride
  Bug: https://hackerone.com/reports/1542881
  Closes #8731

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: deal with sub-millisecond timeout
  
  Closes #8738

- misc: update copyright year ranges

- c_escape: escape '?' in generated --libcurl code
  
  In order to avoid the risk of it being used in an accidental trigraph in
  the generated code.
  
  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1548535
  Closes #8742

- [pheiduck on github brought this change]

  mlc: curl.zuul.vexxhost.dev is reachable again
  
  remove it from ignorelist for linkcheck
  
  Closes #8736

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: avoid busy loop in low CWND situation
  
  Closes #8739

- TODO: telnet - exit immediately upon connection if stdin is /dev/null
  
  Suggested-by: Robin A. Meade
  URL: https://curl.se/mail/archive-2022-04/0027.html

- [Kushal Das brought this change]

  docs: updates spellings with full words
  
  Closes #8730

- tests/FILEFORMAT.md: spellfix

Daniel Gustafsson (21 Apr 2022)
- misc: fix typos
  
  Fix a few random typos in comments and workflow names.

- macos: fix .plist installation into framework
  
  The copy command introduced in e498a9b1f had leftover '>' from the
  previous sed command it replaced, which broke its syntax.  Fix by
  removing.
  
  Reported-by: Emanuele Torre <torreemanuele6@gmail.com>

Daniel Stenberg (21 Apr 2022)
- [Christopher Degawa brought this change]

  Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved
  
  The script was moved in 8e22fc68e7dda43e9f but the lines that called it
  were not changed to reflect its new position
  
  Signed-off-by: Christopher Degawa <ccom@randomderp.com>
  
  Closes #8728

Daniel Gustafsson (20 Apr 2022)
- macos: set .plist version in autoconf
  
  Set the libcurl version in libcurl.plist like how libcurl.vers is
  created.
  
  Closes: #8692
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Nick Zitzmann <nickzman@gmail.com>

- cookies: Improve error handling for reading cookiefile
  
  The existing programming had some issues with error handling for reading
  the cookie file. If the file failed to open, we would silently ignore it
  and continue as if there was no file (or stdin) passed. In this case, we
  would also call fclose() on the NULL FILE pointer, which is undefined
  behavior. Fix by ensuring that the FILE pointer is set before calling
  fclose on it, and issue a warning in case the file cannot be opened.
  Erroring out on nonexisting file would break backwards compatibility of
  very old behavior so we can't really go there.
  
  Closes: #8699
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>

Daniel Stenberg (20 Apr 2022)
- libcurl-tutorial.3: spellfix and minor polish

- CURLINFO_PRIMARY_PORT.3: spellfix
  
  Reported-by: Patrick Monnerat

- [Jay Dommaschk brought this change]

  libssh: fix double close
  
  libssh closes the socket in ssh_disconnect() so make sure that libcurl
  does not also close it.
  
  Fixes #8708
  Closes #8718

Jay Satiro (20 Apr 2022)
- [Gisle Vanem brought this change]

  unit1620: call global_init before calling Curl_open
  
  Curl_open calls the resolver init and on Windows if the resolver backend
  is c-ares then the Windows sockets library (winsock) must already have
  been initialized (via global init).
  
  Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800
  
  Closes https://github.com/curl/curl/pull/8719

Daniel Stenberg (19 Apr 2022)
- CURLINFO_PRIMARY_PORT.3: clarify which port this is
  
  As it was not entirely clear previously.
  
  Closes #8725

- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
  
  Include details about Authentication headers.
  
  Reported-by: Brad Spencer
  Fixes #8724
  Closes #8726

- .github/workflows/macos.yml: add a libssh job with c-ares
  
  ... to enable the memdebug system
  
  Closes #8720

- RELEASE-NOTES: synced

Jay Satiro (17 Apr 2022)
- [Gisle Vanem brought this change]

  docs/HTTP3.md: fix typo
  
  also fix msh3 section formatting
  
  Ref: https://github.com/curl/curl/commit/37492ebb#r70980087

Marc Hoersken (17 Apr 2022)
- timediff.[ch]: add curlx helper functions for timeval conversions
  
  Also move timediff_t definitions from timeval.h to timediff.h and
  then make timeval.h include the new standalone-capable timediff.h.
  
  Reviewed-by: Jay Satiro
  Reviewed-by: Daniel Stenberg
  
  Supersedes #5888
  Closes #8595

Daniel Stenberg (17 Apr 2022)
- [Balakrishnan Balasubramanian brought this change]

  tests: refactor server/socksd.c to support --unix-socket
  
  Closes #8687

- [Emanuele Torre brought this change]

  tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
  
  This loop was using the number of bytes read from the file as condition
  to keep reading.
  
  From Linux's fread(3) man page:
  > On success, fread() and fwrite() return the number of items read or
  > written. This number equals the number of bytes transferred only when
  > size is 1. If an error occurs, or the end of the file is reached, the
  > return value is a short item count (or zero).
  >
  > The file position indicator for the stream is advanced by the number
  > of bytes successfully read or written.
  >
  > fread() does not distinguish between end-of-file and error, and
  > callers must use feof(3) and ferror(3) to determine which occurred.
  
  This means that nread!=0 doesn't make much sense as an end condition for
  the loop: nread==0 doesn't necessarily mean that EOF has been reached or
  an error has occurred (but that is usually the case) and nread!=0 doesn't
  necessarily mean that EOF has not been reached or that no read errors
  have occurred. feof(3) and ferror(3) should be used when using fread(3).
  
  Currently curl has to perform an extra fread(3) call to get a return
  value equal to 0 to stop looping.
  
  This usually "works" (even though nread==0 shouldn't be interpreted as
  EOF) if stdin is a pipe because EOF usually marks the "real" end of the
  stream, so the extra fread(3) call will return immediately and the extra
  read syscall won't be noticeable:
  
      bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 |
      > tail -n 5
      read(0, "a\n", 4096)                    = 2
      read(0, "", 4096)                       = 0
      read(0, "", 4096)                       = 0
      http://0x0.st/oRs.txt
      +++ exited with 0 +++
      bash-5.1$
  
  But this doesn't work if curl is reading from stdin, stdin is a
  terminal, and the EOF is being emulated using a shell with ^D. Two
  consecutive ^D will be required in this case to actually make curl stop
  reading:
  
      bash-5.1$ curl -F file=@- 0x0.st
      a
      ^D^D
      http://0x0.st/oRs.txt
      bash-5.1$
  
  A possible workaround to this issue is to use a program that handles EOF
  correctly to indirectly send data to curl's stdin:
  
      bash-5.1$ cat - | curl -F file=@- 0x0.st
      a
      ^D
      http://0x0.st/oRs.txt
      bash-5.1$
  
  This patch makes curl handle EOF properly when using fread(3) in
  file2memory() so that the workaround is not necessary.
  
  Since curl was previously ignoring read errors caused by this fread(3),
  ferror(3) is also used in the condition of the loop: read errors and EOF
  will have the same meaning; this is done to somewhat preserve the old
  behaviour instead of making the command fail when a read error occurs.
  
  Closes #8701

- gen.pl: change wording for mutexed options
  
  Instead of saying "This option overrides NNN", now say "This option is
  mutually exclusive to NNN" in the generated man page output, as the
  option does not in all cases actually override the others but they are
  always mutually exclusive.
  
  Ref: #8704
  Closes #8716

- curl: error out if -T and -d are used for the same URL
  
  As one implies PUT and the other POST, both cannot be used
  simultaneously.
  
  Add test 378 to verify.
  
  Reported-by: Boris Verkhovskiy
  Fixes #8704
  Closes #8715

- lib: remove exclamation marks
  
  ... from infof() and failf() calls. Make them less attention seeking.
  
  Closes #8713

- fail.d: tweak the description
  
  Reviewed-by: Daniel Gustafsson
  Suggested-by: Robert Charles Muir
  Ref: https://twitter.com/rcmuir/status/1514915401574010887
  
  Closes #8714

Daniel Gustafsson (15 Apr 2022)
- docs: Fix missing semicolon in example code
  
  Multiple share examples were missing a semicolon on the line defining
  the CURLSHcode variable.
  
  Closes: #8697
  Reported-by: Michael Kaufmann <mail@michael-kaufmann.ch>
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- infof: consistent capitalization of warning messages
  
  Ensure that all infof calls with a warning message are capitalized
  in the same way.  At some point we should probably set up a style-
  guide for infof but until then let's aim for a little consistency
  where we can.
  
  Closes: #8711
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- RELEASE-NOTES: synced

- [Matteo Baccan brought this change]

  perl: removed a double semicolon at end of line
  
  Remove double semicolons at end of line in Perl code.
  
  Closes: #8709
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

- curl_easy_header: fix typos in documentation
  
  Closes: #8694
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Marcel Raad (11 Apr 2022)
- appveyor: add Cygwin build
  
  Closes https://github.com/curl/curl/pull/8693

- appveyor: only add MSYS2 to PATH where required
  
  Closes https://github.com/curl/curl/pull/8693

Daniel Stenberg (10 Apr 2022)
- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: fix memory leak
  
  Closes #8691

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: remove remote_addr which is not used in a meaningful way
  
  Closes #8689

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: enlarge H3_SEND_SIZE
  
  Make H3_SEND_SIZE larger because current value (20KiB) is too small
  for the high latency environment.
  
  Closes #8690

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: fix HTTP/3 upload stall and avoid busy loop
  
  This commit fixes HTTP/3 upload stall if upload data is larger than
  H3_SEND_SIZE.  Only check writability of socket if a stream is
  writable to avoid busy loop when QUIC flow control window is filled
  up, or upload buffer is full.
  
  Closes #8688

- [Nick Banks brought this change]

  msh3: add support for QUIC and HTTP/3 using msh3
  
  Considered experimental, as the other HTTP/3 backends.
  
  Closes #8517

- TODO: "SFTP with SCP://"

- GHA: move bearssl jobs over from zuul
  
  Closes #8684

- data/DISABLED: disable test 313 on bearssl builds
  
  Closes #8684

- runtests: add 'bearssl' as testable feature
  
  Closes #8684

- GHA: add openssl3 jobs moved over from zuul
  
  Closes #8683

- schannel: remove dead code that will never run
  
  As the condition can't ever evaluate true
  
  Reported-by: Andrey Alifanov
  Ref: #8675
  Closes #8677

- conncache: remove duplicate connc->closure_handle check
  
  The superfluous extra check could cause analyzer false positives
  and doesn't serve any purpose.
  
  Closes #8676

- [Michał Antoniak brought this change]

  mbedtls: remove server_fd from backend
  
  Closes #8682

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: use token when detecting :status header field
  
  Closes #8679

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: make curl 1ms faster
  
  Pass 0 for an already expired timer.
  
  Closes #8678

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: fix QUIC_IDLE_TIMEOUT
  
  QUIC_IDLE_TIMEOUT should be of type ngtcp2_duration which is
  nanoseconds resolution.
  
  Closes #8678

- English: use American spelling consistently
  
  Authorization, Initialization, Organization etc.
  
  Closes #8673

Daniel Gustafsson (5 Apr 2022)
- [Sascha Zengler brought this change]

  BUGS: Fix incorrect punctuation
  
  Closes #8672
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

Daniel Stenberg (4 Apr 2022)
- tool_listhelp.c: uppercase URL

- RELEASE-NOTES: synced

- http: streamclose "already downloaded"
  
  Instead of connclose()ing, since when HTTP/2 is used it doesn't need to
  close the connection as stopping the current transfer is enough.
  
  Reported-by: Evangelos Foutras
  Closes #8665

Jay Satiro (1 Apr 2022)
- ftp: fix error message for partial file upload
  
  - Show the count of bytes written on partial file upload.
  
  Prior to this change the error message mistakenly showed the count of
  bytes read, not written.
  
  Bug: https://github.com/curl/curl/discussions/8637
  Reported-by: Taras Kushnir
  
  Closes https://github.com/curl/curl/pull/8649

Daniel Stenberg (1 Apr 2022)
- http: correct the header error message to say colon
  
  Not semicolon
  
  Reported-by: Gisle Vanem
  Ref: #8666
  Closes #8667

- lib: #ifdef on USE_HTTP2 better
  
  ... as nghttp2 might not be the library that provides HTTP/2 support.
  
  Closes #8661

- [Michał Antoniak brought this change]

  mbedtls: remove 'protocols' array from backend when ALPN is not used
  
  Closes #8663

- http2: RST the stream if we stop it on our own will
  
  For the "simulated 304" case the done-call isn't considered "premature"
  but since the server didn't close the stream it needs to be reset to
  stop delivering data.
  
  Closes #8664

- http: close the stream (not connection) on time condition abort
  
  Closes #8664

- http2: handle DONE called for the paused stream
  
  As it could otherwise stall all streams on the connection
  
  Reported-by: Evangelos Foutras
  Fixes #8626
  Closes #8664

- tls: make mbedtls and NSS check for h2, not nghttp2
  
  This makes them able to also negotiate HTTP/2 even when built to use
  hyper for h2.
  
  Closes #8656

- tests/libtest/lib670.c: fixup the copyright year range
  
  follow-up to b54e18640ea4b7

- [Leandro Coutinho brought this change]

  lib670: avoid double check result
  
  Closes #8660

- vtls: use a generic "ALPN, server accepted" message
  
  Closes #8657

- vtls: use a backend standard message for "ALPN: offers %s"
  
  I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the
  infof() call also needs a string argument: the ALPN ID.
  
  Closes #8657

- [Christian Schmitz brought this change]

  strcase.h: add comment about the return code
  
  Too often we run into expecting this to work like strcmp, but it
  returns 1 instead of 0 for match.
  
  Closes #8658

- vtls: provide a unified ALPN-disagree string for all backends
  
  Also rephrase to make it sound less dangerous:
  
   "ALPN: server did not agree on a protocol. Uses default."
  
  Reported-by: Nick Coghlan
  Fixes #8643
  Closes #8651

- projects/README: converted to markdown
  
  Closes #8652

- misc: spelling fixes
  
  Mostly in comments but also in the -w documentation for headers_json.
  
  Closes #8647

- KNOWN_BUGS: HTTP3/Transfer closed with n bytes remaining to read
  
  "HTTP/3 does not support client certs" considered fixed, at least with
  the ngtcp2 backend.
  
  Closes #8523

- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
  
  Also add to quote.d. Add to TODO as something to add in the future.
  
  Reported-by: anon00000000 on github
  Closes #8602
  Closes #8648

- RELEASE-NOTES: synced

- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
  
  This leaves the CURLE_RECV_ERROR error code for explicit failure to
  receive network data and allows users to better separate the problems.
  
  Ref #8356
  Reported-by: Rianov Viacheslav
  Closes #8506

- docs: lots of minor language polish
  
  Mostly based on recent language decisions from "everything curl":
  
  - remove contractions (isn't => is not)
  - *an* HTTP (consistency)
  - runtime (no hyphen)
  - backend (no hyphen)
  - URL is uppercase
  
  Closes #8646

Jay Satiro (29 Mar 2022)
- projects: Update VC version names for VS2017, VS2022
  
  - Rename VC15 -> VC14.10, VC17 -> VC14.30.
  
  The projects directory that holds the pre-generated Visual Studio
  project files uses VC<ver> to indicate the MSVC version. At some point
  support for Visual Studio 2017 (Visual Studio version 15 which uses MSVC
  14.10) was added as VC15. Visual Studio 2022 (Visual Studio version 17
  which uses MSVC 14.30) project files were recently added and followed
  that same format using VC17.
  
  There is no such MSVC version (yet) as VC15 or VC17.
  
  For VS 2017 for example, the name we use is correct as either VS17,
  VS2017, VC14.10. I opted for the latter since we use VC for earlier
  versions (eg VC10, VC12, etc).
  
  Ref: https://github.com/curl/curl/pull/8438#issuecomment-1037070192
  
  Closes https://github.com/curl/curl/pull/8447

Daniel Stenberg (29 Mar 2022)
- mqtt: better handling of TCP disconnect mid-message
  
  Reported-by: Jenny Heino
  Bug: https://hackerone.com/reports/1521610
  Closes #8644

- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL

- [Ian Blanes brought this change]

  docs/DYNBUF: clarify documentation for Curl_dyn_ptr and Curl_dyn_uptr
  
  Closes #8606

- [Ian Blanes brought this change]

  curl: fix segmentation fault for empty output file names.
  
  Function glob_match_url set *result to NULL when called with filename =
  "", producing an indirect NULL pointer dereference.
  
  Closes #8606

- TODO: Read keys from ~/.ssh/id_ecdsa, id_ed25519
  
  It would be nice to expand the list of key locations curl uses for the
  newer key types supported by libssh2.
  
  Closes #8586

- ngtcp2: update to work after recent ngtcp2 updates
  
  Assisted-by: Tatsuhiro Tsujikawa
  Reported-by: jurisuk on github
  Fixes #8638
  Closes #8639

- [Farzin brought this change]

  CURLOPT_PROGRESSFUNCTION.3: fix typo in example
  
  Closes #8636

- curl/header_json: output the header names in lowercase
  
  To better allow json["header"].
  
  Reported-by: Peter Korsgaard
  Bug: https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/comment-page-1/#comment-25878
  Closes #8633

- RELEASE-NOTES: synced

- headers.h: make Curl_headers_push() be CURLE_OK when not built
  
  ... to avoid errors when the function isn't there.
  
  Reported-by: Marcel Raad
  Fixes #8627
  Closes #8628

- scripts: move three scripts from lib/ to scripts/
  
  Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't
  particularly belong in lib/
  
  Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying
  those files in the root Makefile.am
  
  Closes #8625

Marc Hoersken (23 Mar 2022)
- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
  
  curl_setup.h automatically defines WIN32 if just _WIN32 is defined.
  
  Therefore make sure curl_setup.h is included through warnless.h.
  
  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro
  
  Closes #8594

- tests/server/util.h: align WIN32 condition with util.c
  
  There is no need to test for both _WIN32 and WIN32 as curl_setup.h
  automatically defines the latter if the first one is defined.
  
  Also tests/server/util.c is only checking for WIN32 around the
  implementation of win32_perror, so just defining _WIN32
  would not be sufficient for a successful compilation.
  
  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro
  
  Closes #8594

Daniel Stenberg (22 Mar 2022)
- [pheiduck on github brought this change]

  firefox-db2pem.sh: make the shell script safer
  
  Reported by lift
  
  Closes #8616

Jay Satiro (22 Mar 2022)
- gtls: fix build for disabled TLS-SRP
  
  Prior to this change if, at build time, the GnuTLS backend was found to
  have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
  via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
  
  Bug: https://curl.se/mail/lib-2022-03/0046.html
  Reported-by: Robert Brose
  
  Closes https://github.com/curl/curl/pull/8604

- winbuild: Add a Visual Studio example to the README
  
  - Add an example that explains in detail how the user can add libcurl to
    their Visual Studio project.
  
  Ref: https://github.com/curl/curl/issues/8591
  
  Closes https://github.com/curl/curl/pull/8592

- docs/opts: Mention Schannel client cert type is P12
  
  Schannel backend code behaves the same as Secure Transport, it expects a P12
  certificate file or the name of a certificate already in the user's OS
  key store. Also, both backends ignore CURLOPT_SSLKEY (tool: --key)
  because they expect the private key to already be available from the
  keystore or P12 certificate.
  
  Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260
  
  Closes https://github.com/curl/curl/pull/8587

Daniel Stenberg (22 Mar 2022)
- lib1945: fix compiler warning 4706 on MSVC
  
  Follow-up from d1e4a677340c
  
  Closes #8623

- [pheiduck on github brought this change]

  ci/event-based.yml: improve impacket install
  
  skip python3-pip
  install impacket with library module
  
  Closes #8621

- test1459: disable for oldlibssh
  
  This test with libssh 0.9.3 works fine on github but fails on circleci.
  Might as well disable this test for oldlibssh installations.
  
  Closes #8622

- test1135: sync with recent API updates
  
  This test verifies that the order of functions in public headers remains
  the same but hasn't been updated to care for recently added header
  files. The order is important for some few platforms - or VERSIONINFO
  needs to be updated.
  
  This fix also updates VERSIONINFO to be sure.
  
  Closes #8620

- curl_easy_nextheader.3: fix two typos
  
  Reported-by: Timothe Litt
  Bug: https://curl.se/mail/lib-2022-03/0060.html

- options: remove mistaken space before paren in prototype

- cirrus: add --enable-headers-api for some windows builds

- GHA: --enable-headers-api in all workflows

- lib: make the headers API depend on --enable-headers-api

- configure: add --enable-headers-api to enable the headers API
  
  Defaults to disabled while labeled EXPERIMENTAL.
  
  Make all the headers API tests require 'headers-api' to run.

- test1671: verify -w '%{header_json}'

- test1670: verify -w %header{}

- curl: add %{header_json} support in -w handling
  
  Outputs all response headers as a JSON object.

- curl: add %header{name} support in -w handling
  
  Outputs the response header 'name'

- header api: add curl_easy_header and curl_easy_nextheader
  
  Add test 1940 to 1946 to verify.
  
  Closes #8593

- test1459: remove the different exit code for oldlibssh
  
  When using libssh/0.9.3/openssl/zlib, we seem to be getting the "right"
  error code.
  
  Closes #8490

- libssh: unstick SFTP transfers when done event-based
  
  Test 604 and 606 (at least).
  
  Closes #8490

- gha: move the event-based test over from Zuul
  
  Switched libssh2 to libssh
  
  Closes #8490

- RELEASE-NOTES: synced

- http: return error on colon-less HTTP headers
