                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.76.1 (14 Apr 2021)

Daniel Stenberg (14 Apr 2021)
- RELEASE-NOTES: synced
  
  curl 7.76.1 release

- THANKS: add names from 7.76.1

- misc: update copyright year ranges to match latest updates

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: Use ALPN h3-29 for now
  
  Fixes #6864
  Cloes #6886

Jay Satiro (11 Apr 2021)
- TODO: remove 18.22 --fail-with-body
  
  --fail-with-body was added in 8a964cb (precedes curl-7_76_0).

Daniel Stenberg (10 Apr 2021)
- [Jürgen Gmach brought this change]

  src/tool_vms.c: remove duplicated word in comment
  
  Closes #6881

- configure: fix CURL_DARWIN_CFLAGS use
  
  The macro name change was not completely done.
  
  Follow-up to 5d2c384452543c
  Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187
  Reported-by: Marcel Raad
  Closes #6878

- [Anthony Shaw brought this change]

  github/workflow: add "security-extended" to codeql-analysis.yml
  
  Extends the CodeQL code scan.
  
  Closes #6815

- [Jochem Broekhoff brought this change]

  examples/hiperfifo.c: check event_initialized before delete
  
  If event_del is called with the event struct (still) zeroed out, a
  segmentation fault may occur.  event_initialized checks whether the
  event struct is nonzero.
  
  Closes #6876

- [Patrick Monnerat brought this change]

  ntlm: fix negotiated flags usage
  
  According to Microsoft document MS-NLMP, current flags usage is not
  accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
  extended security in an NTLM authentication message and NTLM version 2
  cannot be negotiated within the protocol.
  
  The solution implemented here is: if the extended security flag is set,
  prefer using NTLM version 2 (as a server featuring extended security
  should also support version 2). If version 2 has been disabled at
  compile time, use extended security.
  
  Tests involving NTLM are adjusted to this new behavior.
  
  Fixes #6813
  Closes #6849

- [Patrick Monnerat brought this change]

  ntlm: support version 2 on 32-bit platforms
  
  Closes #6849

- [Patrick Monnerat brought this change]

  curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
  
  ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
  whole NTLM.
  
  Closes #6849

- lib: remove unused HAVE_INET_NTOA_R* defines
  
  Closes #6867

- [Michael Forney brought this change]

  configure: include <time.h> unconditionally
  
  In 2682e5f5, several instances of AC_HEADER_TIME were removed since
  it is a deprecated autoconf macro. However, this was the macro that
  defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
  can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
  used in the configure test body and since it is no longer defined,
  <time.h> is *not* included on systems that have <sys/time.h>.
  
  In particular, at least on musl libc and glibc, <sys/time.h> does
  not implicitly include <time.h> and does not declare clock_gettime,
  gmtime_r, or localtime_r. This causes configure to fail to detect
  those functions.
  
  The AC_HEADER_TIME macro deprecation text says
  
  > All current systems provide time.h; it need not be checked for.
  > Not all systems provide sys/time.h, but those that do, all allow
  > you to include it and time.h simultaneously.
  
  So, to fix this issue, simply include <time.h> unconditionally when
  testing for time-related functions and in libcurl, and don't bother
  checking for it.
  
  Closes #6859

- [Michael Forney brought this change]

  configure: remove use of RETSIGTYPE
  
  This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
  which was removed in 2682e5f5. The deprecation text says
  
  > Your code may safely assume C89 semantics that RETSIGTYPE is void.
  
  So, remove it and just use void instead.
  
  Closes #6861

- [Muhammed Yavuz Nuzumlalı brought this change]

  install: add instructions for Apple Darwin platforms
  
  Closes #6860

- [Muhammed Yavuz Nuzumlalı brought this change]

  configure: disable min version set for Darwin
  
  Fixes #6838
  Closes #6860

- [David Hu brought this change]

  docs/HTTP3.md: update the build instruction using gnutls
  
  In ngtcp2 the `with-gnutls` option is disabled by default, which will
  cause `curl` unable to be `make` because of lacking the libraries
  needed.
  
  Closes #6857

- RELEASE-NOTES: synced

- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
  
  ... and not values.
  
  Reported-by: locpyl-tidnyd on github
  Fixes #6818
  Closes #6819

- ngtcp2+gnutls: clear credentials when freed
  
  ... to avoid double-free.
  
  Reported-by: Kenneth Davidson
  Fixes #6824
  Closes #6856

Jay Satiro (5 Apr 2021)
- [Cherish98 brought this change]

  tool_progress: Fix progress meter in parallel mode
  
  Make sure the total amount of DL/UL bytes are counted before the
  transfer finalizes. Otherwise if a transfer finishes too quick, its
  total numbers are not added, and results in a DL%/UL% that goes above
  100%.
  
  Detail:
  
  progress_meter() is called periodically, and it may not catch a
  transfer's total bytes if the value was unknown during the last call,
  and the transfer is finished and deleted (i.e., lost) during the next
  call.
  
  Closes https://github.com/curl/curl/pull/6840

- [Emil Engler brought this change]

  libssh: get rid of PATH_MAX
  
  This removes the last occurrence of PATH_MAX inside our libssh
  implementation by calculating the path length from the string length of
  the two components.
  
  Closes #6829

Daniel Stenberg (5 Apr 2021)
- http_proxy: only loop on 407 + close if we have credentials
  
  ... to fix the retry-loop.
  
  Add test 718 to verify.
  
  Reported-by: Daniel Kurečka
  Fixes #6828
  Closes #6850

- h2: allow 100 streams by default
  
  instead of 13, before the server has told how many streams it
  accepts. The server can always reject new streams anyway if we go above
  what it accepts.
  
  Ref: #6826
  Closes #6852

- [Luke Granger-Brown brought this change]

  file: support GETing directories again
  
  After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
  expected_size for directories. This has the upshot that when we compare
  even an empty Range with the available size, we fail.
  
  This brings back the previous behaviour, which was to succeed, but with
  empty content. This also removes the "Accept-ranges: bytes" header,
  which is nonsensical on directories.
  
  Adds test 3016
  Fixes #6845
  Closes #6846

- RELEASE-NOTES: synced
  
  and bumped to 7.76.1

- TLS: fix HTTP/2 selection
  
  for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
  wolfSSL...
  
  Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
  Reported-by: Kenneth Davidson
  Reported-by: romamik om github
  Fixes #6825
  Closes #6827

Jay Satiro (2 Apr 2021)
- hostip: Fix for builds that disable all asynchronous DNS
  
  - Define Curl_resolver_error function only when USE_CURL_ASYNC.
  
  Prior to this change building curl without an asynchronous resolver
  backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
  also asynchronous but independent of resolver backend) would cause a
  build error since Curl_resolver_error is called by and evaluates
  variables only available in asynchronous builds.
  
  Reported-by: Benbuck Nason
  
  Fixes https://github.com/curl/curl/issues/6831
  Closes https://github.com/curl/curl/pull/6832

Daniel Stenberg (31 Mar 2021)
- [Gilles Vollant brought this change]

  openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
  
  Reported-by: Christian Schmitz
  Fixes #6816
  Closes #6820

Version 7.76.0 (31 Mar 2021)

Daniel Stenberg (31 Mar 2021)
- RELEASE-NOTES: synced
  
  curl 7.76.0 release

- THANKS: added names from 7.76.0

- CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
  
  ... some users may not want that!

- define: remove CURL_DISABLE_NTLM ifdefs
  
  It was never defined anywhere. Fixed disable-scan (test 1165) to also
  scan headers, which found this issue.
  
  Closes #6809

- vtls: fix addsessionid for non-proxy builds
  
  Follow-up to b09c8ee15771c61
  Fixes #6812
  Closes #6811

- [Li Xinwei brought this change]

  cmake: support WinIDN
  
  Closes #6807

- transfer: clear 'referer' in declaration
  
  To silence (false positive) compiler warnings about it.
  
  Follow-up to 7214288898f5625
  
  Reviewed-by: Marcel Raad
  Closes #6810

- [Marc Hoersken brought this change]

  config: fix SSPI enabling NTLM if crypto auth is disabled
  
  Avoid enabling NTLM feature based upon Windows SSPI
  being enabled in case that crypto auth is disabled.
  
  Reported-by: Marcel Raad
  
  Follow-up to #6277
  Fixes #6803
  Closes #6808

- HISTORY: add two 2021 events

- vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
  
  To make sure we set and extract the correct session.
  
  Reported-by: Mingtao Yang
  Bug: https://curl.se/docs/CVE-2021-22890.html
  
  CVE-2021-22890

- [Viktor Szakats brought this change]

  transfer: strip credentials from the auto-referer header field
  
  Added test 2081 to verify.
  
  CVE-2021-22876
  
  Bug: https://curl.se/docs/CVE-2021-22876.html

- curl_sasl: fix compiler error with --disable-crypto-auth
  
  ... if libgsasl was found.
  
  Closes #6806

- [Patrick Monnerat brought this change]

  ldap: only set the callback ptr for TLS context when TLS is used
  
  Follow-up to a5eee22e594c2460f
  Fixes #6804
  Closes #6805

- copyright: update copyright year ranges to 2021
  
  Reviewed-by: Emil Engler
  Closes #6802

- send_speed: simplify the checks for if a speed limit is set
  
  ... as we know the value cannot be set to negative: enforced by
  setopt()

- http: cap body data amount during send speed limiting
  
  By making sure never to send off more than the allowed number of bytes
  per second the speed limit logic is given more room to actually work.
  
  Reported-by: Fabian Keil
  Bug: https://curl.se/mail/lib-2021-03/0042.html
  Closes #6797

- urldata: merge "struct DynamicStatic" into "struct UrlState"
  
  Both were used for the same purposes and there was no logical separation
  between them. Combined, this also saves 16 bytes in less holes in my
  test build.
  
  Closes #6798

- tests/README.md: mentioned that en_US.UTF-8 is required
  
  Reported-by: Oumph on github
  Fixes #6768

- HISTORY: fixed the Mac OS X 10.1 release date
  
  Based on what Wikipedia says

Jay Satiro (26 Mar 2021)
- examples: Remove threaded-shared-conn.c due to bug
  
  Known bug 11.11 is the shared object's connection cache is not thread
  safe, so we should not have an example for it.
  
  Ref: https://github.com/curl/curl/issues/4915
  Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not
  
  Closes https://github.com/curl/curl/pull/6795

- KNOWN_BUGS: Update 11.9 - DoH option inheritance
  
  - Add description: Explain that some options aren't inherited because
    they are not relevant for the DoH SSL connections or may result in
    unexpected behavior.
  
  - Remove the reference to #4578 (SSL verify options not inherited) since
    that was fixed by #6597 (separate DoH-specific options for verify).
  
  - Explain that DoH-specific options (those created by #6597) are
    available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
    CURLOPT_DOH_SSL_VERIFYSTATUS.
  
  - Add a reference to #6605 and explain that the user's debug function is
    not inherited because it would be unexpected to pass internal handles
    (ie DoH handles) to the user's callback.
  
  Closes https://github.com/curl/curl/issues/6605

Daniel Stenberg (26 Mar 2021)
- curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO

- [Jean-Philippe Menil brought this change]

  openssl: ensure to check SSL_CTX_set_alpn_protos return values
  
  SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure
  
  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
  
  Closes #6794

- multi: close the connection when h2=>h1 downgrading
  
  Otherwise libcurl is likely to reuse the connection again in the next
  attempt since the connection reuse logic doesn't take downgrades into
  account.
  
  Reported-by: Anthony Ramine
  Fixes #6788
  Closes #6793

- openssl: set the transfer pointer for logging early
  
  Otherwise, the transfer will be NULL in the trace function when the
  early handshake details arrive and then curl won't show them.
  
  Regresssion in 7.75.0
  
  Reported-by: David Hu
  Fixes #6783
  Closes #6792

- RELEASE-NOTES: synced

- TODO: Custom progress meter update interval
  
  Ref: https://stackoverflow.com/q/66789977/93747

- docs/ABI: tighten up the language
  
  Make the promises more firm
  
  Closes #6786

- openldap: disconnect better
  
  Instead of clearing the callback argument in disconnect, set it to the
  (new) transfer to make sure the correct data is passed to the callbacks.
  
  Follow-up to e467ea3bd937f38
  Assisted-by: Patrick Monnerat
  Closes #6787

- libssh2: kdb_callback: get the right struct pointer
  
  After the recent conn/data refactor in this source file, this function
  was mistakenly still getting the old struct pointer which would lead to
  crash on servers with keyboard-interactive auth enabled.
  
  Follow-up to a304051620b92e12b (shipped in 7.75.0)
  
  Reported-by: Christian Schmitz
  Fixes #6691
  Closes #6782

- tftp: remove unused struct fields
  
  Follow-up to d3d90ad9c00530d
  
  Closes #6781

- openldap: avoid NULL pointer dereferences
  
  Follow-up to a59c33ceffb8f78
  Reported-by: Patrick Monnerat
  Fixes #6676
  Closes #6780

- http: strip default port from URL sent to proxy
  
  To make sure the Host: header and the URL provide the same authority
  portion when sent to the proxy, strip the default port number from the
  URL if one was provided.
  
  Reported-by: Michael Brown
  Fixes #6769
  Closes #6778

- azure: disable test 433 on azure-ubuntu
  
  Something in that environment sets XDG_CONFIG_HOME for us in a way that
  breaks the test.
  
  Reported-by: Marc Hörsken
  Fixes #6739
  Closes #6777

- tftp: remove the 3600 second default timeout
  
  ... it was never meant to be there.
  
  Reported-by: Tomas Berger
  Fixes #6774
  Closes #6776

- docs: make gen.pl support *italic* and **bold**
  
  Remove some nroffisms from the cmdline doc files to simplify editing,
  and instead support this markdown style.
  
  Closes #6771

- ngtcp2: sync with recent API updates
  
  Closes #6770

- RELEASE-NOTES: synced

- libssh2:ssh_connect: clear session pointer after free
  
  If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
  ssh session was freed but the pointer wasn't cleared which made libcurl
  later call libssh2 to cleanup using the stale pointer.
  
  Fixes #6764
  Closes #6766

- [Jacob Hoffman-Andrews brought this change]

  docs: document version of crustls dependency
  
  This also pins a specific release in the Travis test so future
  API-breaking changins in crustls won't break curl builds.
  
  Add RUSTLS documentation to release tarball.
  
  Enable running tests for rustls, minus FTP tests (require
  connect_blocking, which rustls doesn't implement) and 313 (requires CRL
  handling).
  
  Closes #6763

- [Jacob Hoffman-Andrews brought this change]

  rustls: Handle close_notify.
  
  If we get a close_notify, treat that as EOF. If we get an EOF from the
  TCP stream, treat that as an error (because we should have ended the
  connection earlier, when we got a close_notify).
  
  Closes #6763

- docs: clarify timeouts for queued transfers in multi API
  
  Closes #6758

- ftpserver: only load the preprocessed test file
  
  We always preprocess and tests are no longer sensible to load "raw"
  
  Closes #6738

- tests: use %TESTNUMBER instead of fixed number
  
  This makes the tests easier to copy and relocate to other test numbers
  without having to update content.
  
  Closes #6738

- KNOWN_BUGS: CURLOPT_OPENSOCKETPAIRFUNCTION is missing
  
  Closes #5747

- TODO: provide timing info for each redirect
  
  Closes #6743

Jay Satiro (17 Mar 2021)
- docs: Add SSL backend names to CURL_SSL_BACKEND
  
  - Document the names that can be used with CURL_SSL_BACKEND:
    bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
    schannel, secure-transport, wolfssl
  
  Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
  Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201
  
  Closes https://github.com/curl/curl/pull/6755

- docs: Explain DOH transfers inherit some SSL settings
  
  - Document in DOH that some SSL settings are inherited but DOH hostname
    and peer verification are not and are controlled separately.
  
  - Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
    we're considering changing behavior to no longer inherit it. Request
    feedback.
  
  Closes https://github.com/curl/curl/pull/6688

Daniel Stenberg (17 Mar 2021)
- http: make 416 not fail with resume + CURLOPT_FAILONERRROR
  
  When asked to resume a download, libcurl will convert that to HTTP logic
  and if then the entire file is already transferred it will result in a
  416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
  scenario, it should *not* lead to an error return.
  
  Updated test 1156, added test 1273
  
  Reported-by: Jonathan Watt
  Fixes #6740
  Closes #6753

- Curl_timeleft: check both timeouts during connect
  
  The duration of a connect and the total transfer are calculated from two
  different time-stamps. It can end up with the total timeout triggering
  before the connect timeout expires and we should make sure to
  acknowledge whichever timeout that is reached first.
  
  This is especially notable when a transfer first sits in PENDING, as
  that time is counted in the total time but the connect timeout is based
  on the time since the handle changed to the CONNECT state.
  
  The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
  operation.
  
  Fixes #6744
  Closes #6745
  Reported-by: Andrei Bica
  Assisted-by: Jay Satiro

- configure: remove use of deprecated macros
  
  AC_HEADER_TIME, AC_HEADER_STDC and AC_TYPE_SIGNAL

- configure: make AC_TRY_* into AC_*_IFELSE
  
  ... as the former versions are deprecated.

- configure: s/AC_HELP_STRING/AS_HELP_STRING
  
  AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
  already since 2.59 so bump the minimum required version to that.
  
  Reported-by: Emil Engler
  Fixes #6647
  Closes #6748

- RELEASE-NOTES: synced

- travis: use ubuntu nghttp2 package instead of build our own
  
  Closes #6751

- travis: bump wolfssl to 4.7.0

- travis: only build wolfssl when needed
  
  Closes #6751

- [Jacob Hoffman-Andrews brought this change]

  rustls: allocate a buffer for TLS data.
  
  Previously, rustls was using an on-stack array for TLS data. However,
  crustls has an (unusual) requirement that buffers it deals with are
  initialized before writing to them. By using calloc, we can ensure the
  buffer is initialized once and then reuse it across calls.
  
  Closes #6742

- travis: add a rustls build
  
  ... that doesn't run any tests (yet)
  
  Closes #6750

- HTTP2: remove the outdated remark about multiplexing for the tool

- [Robert Ronto brought this change]

  http2: don't set KEEP_SEND when there's no more data to be sent
  
  this should fix an issue where curl sometimes doesn't send out a request
  with authorization info after a 401 is received over http2
  
  Closes #6747

Marc Hoersken (15 Mar 2021)
- config: fix building SMB with configure using Win32 Crypto
  
  Align conditions for NTLM features between CMake and configure
  builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
  just like curl_setup.h does internally to detect support of:
  
  - USE_NTLM: required for NTLM crypto authentication feature
  - USE_CURL_NTLM_CORE: required for SMB protocol
  
  Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
  in wincrypt.h which are not available in the Windows App environment.
  
  Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
  Fix condition of Schannel SSL backend in CMake build accordingly.
  
  Reviewed-by: Marcel Raad
  
  Closes #6277

- config: fix detection of restricted Windows App environment
  
  Move the detection of the restricted Windows App environment
  in curl_setup.h before the definition of USE_WIN32_CRYPTO
  via included config-win32.h in case no build system is used.
  
  Reviewed-by: Marcel Raad
  
  Part of #6277

Daniel Stenberg (15 Mar 2021)
- HISTORY: curl 7.7.2 was the first version used in Mac OS X 10.1

- gen.pl: quote "bare" minuses in the nroff curl.1
  
  Reported-by: Alejandro Colomar
  Fixes #6698
  Closes #6722

Daniel Gustafsson (14 Mar 2021)
- hsts: remove unused defines
  
  MAX_HSTS_SUBLEN and MAX_HSTS_SUBLENSTR were unused from the initial commit,
  and mostly likely leftovers from early development.  Remove as they're not
  used for anything.
  
  Closes #6741
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (12 Mar 2021)
- github: add torture-ftp for FTP-only torture testing
  
  and at 20% to try to keep the run-time reasonable
  
  Closes #6728

- travis: split "torture" into a separate "events" build as well
  
  Run torture without FTP and reducing coverage to 20%
  
  For some reason the torture tests now run a lot slower on travis and run
  into the 50 minute limit all the time.
  
  Closes #6728

- ftp: fix memory leak in ftp_done
  
  If after a transfer is complete Curl_GetFTPResponse() returns an error,
  curl would not free the ftp->pathalloc block.
  
  Found by torture-testing test 576
  
  Closes #6737

- [oxalica brought this change]

  http2: fail if connection terminated without END_STREAM
  
  Closes #6736

- RELEASE-NOTES: synced

- [Jacob Hoffman-Andrews brought this change]

  rustls: support CURLOPT_SSL_VERIFYPEER
  
  This requires the latest main branch of crustls, which provides
  rustls_client_config_builder_dangerous_set_certificate_verifier and
  rustls_client_config_builder_set_enable_sni.
  
  This refactors the session setup into its own function, and adds a new
  function cr_hostname_is_ip. Because crustls doesn't support verification
  of IP addresses, special handling is needed: We disable SNI and set a
  placeholder hostname (which never actually gets sent on the wire).
  
  Closes #6719

Daniel Gustafsson (12 Mar 2021)
- cookies: Fix potential NULL pointer deref with PSL
  
  Curl_cookie_init can be called with data being NULL, and this can in turn
  be passed to Curl_cookie_add, meaning that both functions must be careful
  to only use data where it's checked for being a NULL pointer.  The libpsl
  support code does however dereference data without checking, so if we are
  indeed having an unset data pointer we cannot PSL check the cookiedomain.
  
  This is currently not a reachable dereference, as the only caller with a
  NULL data isn't passing a file to initialize cookies from, but since the
  API has this contract let's ensure we hold it.
  
  Closes #6731
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (12 Mar 2021)
- [Michael Hordijk brought this change]

  configure: only add OpenSSL paths if they are defined
  
  Add paths for OpenSSL compiling and linking only if they have been
  defined.  If they haven't been defined, we'll assume that the paths are
  already available to the toolchain.
  
  Closes #6730

Jay Satiro (12 Mar 2021)
- retry.d: Clarify transient 5xx HTTP response codes
  
  - Clarify the only 5xx response codes that are treated as transient are
    500, 502, 503 and 504.
  
  Prior to this change it said it treated all 5xx as transient, but the
  code says otherwise.
  
  Ref: https://github.com/curl/curl/blob/curl-7_75_0/src/tool_operate.c#L462-L495
  
  Closes https://github.com/curl/curl/pull/6724

- retry-all-errors.d: Explain curl errors versus HTTP response errors
  
  - Add a paragraph explaining that curl does not consider HTTP response
    errors as curl errors, and how that behavior can be modified by using
    --retry and --fail.
  
  The --retry-all-errors doc says "Retry on any error" which some users
  may find misleading without the added explanation.
  
  Ref: https://curl.se/docs/faq.html#Why_do_I_get_downloaded_data_eve
  Ref: https://curl.se/docs/faq.html#curl_doesn_t_return_error_for_HT
  
  Reported-by: Lawrence Gripper
  
  Fixes https://github.com/curl/curl/issues/6712
  Closes https://github.com/curl/curl/pull/6720

Daniel Stenberg (11 Mar 2021)
- travis: switch ngtcp2 build over to quictls
  
  The ngtcp2 project switched over to using the quictls OpenSSL fork
  instead of their own patched OpenSSL. We follow suit.
  
  Closes #6729

- test220/314: adjust to run with Hyper

- c-hyper: support automatic content-encoding
  
  Closes #6727

- http: remove superfluous NULL assign
  
  Closes #6727

- tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
  
  Closes #6727

- setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
  
  Not supported.
  
  Closes #6727

- test306: make it not run with Hyper
  
  ... as it tests HTTP/0.9 which Hyper doesn't support.

- test304: header CRLF cleanup to work with Hyper

- FTP: allow SIZE to fail when doing (resumed) upload
  
  Added test 362 to verify.
  
  Reported-by: Jordan Brown
  Regression since 7ea2e1d0c5a7f (7.73.0)
  Fixes #6715
  Closes #6725

- configure: provide Largefile feature for curl-config
  
  ... as cmake now does it correctly, and make test1014 check for it
  
  Closes #6702

- config: remove CURL_SIZEOF_CURL_OFF_T use only SIZEOF_CURL_OFF_T
  
  Make the code consistently use a single name for the size of the
  "curl_off_t" type.
  
  Closes #6702

Jay Satiro (10 Mar 2021)
- [Jun-ya Kato brought this change]

  ngtcp2: Fix build error due to change in ngtcp2_addr_init
  
  ngtcp2/ngtcp2@b8d90a9 changed the function prototype.
  
  Closes https://github.com/curl/curl/pull/6716

Daniel Stenberg (10 Mar 2021)
- [ejanchivdorj brought this change]

  multi: update pending list when removing handle
  
  when removing a handle, most of the lists are updated but pending list
  is not updated. Updating now.
  
  Closes #6713

- [kokke brought this change]

  lib1536: check ptr against NULL before dereferencing it
  
  Closes #6710

- [kokke brought this change]

  lib1537: check ptr against NULL before dereferencing it
  
  Fixes #6707
  Closes #6708

- travis: make torture tests skip TLS-SRP tests
  
  ... as it seems to often hang.
  
  Also: skip the "normal" tests as they're already run by many other
  builds.
  
  Closes #6705

- openssl: adapt to v3's new const for a few API calls
  
  Closes #6703

- quiche: fix crash when failing to connect
  
  Reported-by: ウさん
  Fixes #6664
  Closes #6701

- RELEASE-NOTES: synced
  
