                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 8.6.0 (31 Jan 2024)

Daniel Stenberg (31 Jan 2024)

- RELEASE-NOTES: synced

  curl 8.6.0

- THANKS: new contributors from 8.5.0

Jay Satiro (31 Jan 2024)

- cd2nroff: use perl 'strict' and 'warnings'

  - Use strict and warnings pragmas.

  - If open() fails then show the reason.

  - Set STDIN io layer :crlf so that input is properly read on Windows.

  - When STDIN is used as input, the filename $f is now set to "STDIN".

  Various error messages in single() use $f for the filename and this way
  it is not undefined when STDIN.

  Closes https://github.com/curl/curl/pull/12819

Daniel Stenberg (30 Jan 2024)

- cd2nroff: fix duplicate output issue

  Assisted-by: Jay Satiro
  Fixes https://github.com/curl/curl-www/issues/321
  Closes #12818

- lib: error out on multissl + http3

  Since the QUIC/h3 code has no knowledge or handling of multissl it might
  bring unintended consequences if we allow it.

  configure, cmake and curl_setup.h all now reject this combination.

  Assisted-by: Viktor Szakats
  Assisted-by: Gisle Vanem
  Ref: #12806
  Closes #12807

Patrick Monnerat (29 Jan 2024)

- OS400: sync ILE/RPG binding

  Also do not force git CRLF line endings on *.cmd files for OS400.

  Closes #12815

Viktor Szakats (28 Jan 2024)

- build: delete/replace 3 more clang warning pragmas

  - tool_msgs: delete redundant `-Wformat-nonliteral` suppression pragma.

  - whitespace formatting in `mprintf.h`, lib518, lib537.

  - lib518: fix wrong variable in `sizeof()`.

  - lib518: bump variables to `rlim_t`.
    Follow-up to e2b394106d543c4615a60795b7fdce04bd4e5090 #1469

  - lib518: sync error message with lib537
    Follow-up to 365322b8bcf9efb6a361473d227b70f2032212ce

  - lib518, lib537: replace `-Wformat-nonliteral` suppression pragmas
    by reworking test code.

  Follow-up to 5b286c250829e06a135a6ba998e80beb7f43a734 #12812
  Follow-up to aee4ebe59161d0a5281743f96e7738ad97fe1cd4 #12803
  Follow-up to 09230127589eccc7e01c1a7217787ef8e64f3328 #12540
  Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489

  Reviewed-by: Daniel Stenberg
  Closes #12814

Richard Levitte (27 Jan 2024)

- cmake: freshen up docs/INSTALL.cmake

  - Turn docs/INSTALL.cmake into a proper markdown file,
    docs/INSTALL-CMAKE.md
  - Move things around to divide the description into configuration,
    building and installing sections
  - Mention the more modern cmake options to configure, build and install,
    but also retain the older variants as fallbacks

  Closes #12772

Viktor Szakats (27 Jan 2024)

- build: delete/replace clang warning pragmas

  - delete redundant warning suppressions for `-Wformat-nonliteral`.
    This now relies on `CURL_PRINTF()` and it's theoretically possible
    that this macro isn't active but the warning is. We're ignoring this
    as a corner-case here.

  - replace two pragmas with code changes to avoid the warnings.

  Follow-up to aee4ebe59161d0a5281743f96e7738ad97fe1cd4 #12803
  Follow-up to 09230127589eccc7e01c1a7217787ef8e64f3328 #12540
  Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489

  Reviewed-by: Daniel Stenberg
  Closes #12812

Daniel Stenberg (27 Jan 2024)

- RELEASE-NOTES: synced

- http: only act on 101 responses when they are HTTP/1.1

  For 101 responses claiming to be any other protocol, bail out. This
  would previously trigger an assert.

  Add test 1704 to verify.

  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66184
  Closes #12811

Scarlett McAllister (27 Jan 2024)

- _VARIABLES.md: add missing 'be' into the sentence

  Closes #12809

Stefan Eissing (27 Jan 2024)

- mqtt, remove remaining use of data->state.buffer

  Closes #12799

Daniel Stenberg (27 Jan 2024)

- x509asn1: switch from malloc to dynbuf

  Closes #12808

- x509asn1: make utf8asn1str() use dynbuf instead of malloc + memcpy

  Closes #12808

- x509asn1: reduce malloc in Curl_extract_certinfo

  Using dynbuf

  Closes #12808

Jay Satiro (27 Jan 2024)

- THANKS: add Alexander Bartel and Brennan Kinney

  They reported and investigated #10259 which was fixed by 7b2d98df.

  Ref: https://github.com/curl/curl/issues/10259

Daniel Stenberg (26 Jan 2024)

- krb5: add prototype to silence clang warnings on mvsnprintf()

  "error: format string is not a string literal"

  Follow-up to 09230127589eccc7 which made the warning appear

  Assisted-by: Viktor Szakats
  Closes #12803

- x509asn1: remove code for WANT_VERIFYHOST

  No code ever sets this anymore since we dropped gskit

  Follow-up to 78d6232f1f326b9ab4d

  Closes #12804

- socks: reduce the buffer size to 600 (from 8K)

  This is malloc'ed memory and it does not need more. Test 742 helps us verify
  this.

  Closes #12789

Stefan Eissing (26 Jan 2024)

- file+ftp: use stack buffers instead of data->state.buffer

  Closes #12789

- vtls: receive max buffer

  - do not only receive one TLS record, but try to fill
    the passed buffer
  - consider <4K remaining space as "filled".

  Closes #12801

Daniel Stenberg (26 Jan 2024)

- docs: do not start lines/sentences with So, But nor And

  Closes #12802

- docs: remove spurious ampersands from markdown

  They were leftovers from the nroff conversion.

  Follow-up to eefcc1bda4bccd800f5a5

  Closes #12800

Patrick Monnerat (26 Jan 2024)

- sasl: make login option string override http auth

  - Use http authentication mechanisms as a default, not a preset.

  Consider http authentication options which are mapped to SASL options as
  a default (overriding the hardcoded default mask for the protocol) that
  is ignored if a login option string is given.

  Prior to this change, if some HTTP auth options were given, sasl mapped
  http authentication options to sasl ones but merged them with the login
  options.

  That caused problems with the cli tool that sets the http login option
  CURLAUTH_BEARER as a side-effect of --oauth2-bearer, because this flag
  maps to more than one sasl mechanism and the latter cannot be cleared
  individually by the login options string.

  New test 992 checks this.

  Fixes https://github.com/curl/curl/issues/10259
  Closes https://github.com/curl/curl/pull/12790

Stefan Eissing (26 Jan 2024)

- socks: use own buffer instead of data->state.buffer

  Closes #12788

Daniel Stenberg (26 Jan 2024)

- socks: fix generic output string to say SOCKS instead of SOCKS4

  ... since it was also logged for SOCKS5.

  Closes #12797

- test742: test SOCKS5 with max length user, password and hostname

  Adjusted the socksd server accordingly to allow for configuring that
  long user name and password.

  Closes #12797

Stefan Eissing (25 Jan 2024)

- ssh: use stack scratch buffer for seeks

  - instead of data->state.buffer

  Closes #12794

Daniel Stenberg (25 Jan 2024)

- krb5: access the response buffer correctly

  As the pingpong code no longer uses the download buffer.

  Follow-up to c2d973627bab12ab
  Pointed-out-by: Stefan Eissing
  Closes #12796

Stefan Eissing (25 Jan 2024)

- mqtt: use stack scratch buffer for recv+publish

  - instead of data->state.buffer

  Closes #12792

- telnet, use stack scratch buffer for do

  - instead of data->state.buffer

  Closes #12793

- http, use stack scratch buffer

  - instead of data->state.buffer

  Closes #12791

- ntlm_wb: do not use data->state.buf any longer

  Closes #12787

- gitignore: the generated `libcurl-symbols.md`

  Closes #12795

Daniel Stenberg (25 Jan 2024)

- tool: fix the listhelp generation command

  The previous command line to generate the tool_listhelp.c source file
  broke with 2494b8dd5175cee7.

  Make 'make listhelp' invoked in src/ generate it. Also update the
  comment in the file to mention the right procedure.

  Closes #12786

- http: check for "Host:" case insensitively

  When checking if the user wants to replace the header, the check should
  be case insensitive.

  Adding test 461 to verify

  Found-by: Dan Fandrich
  Ref: #12782
  Closes #12784

Tatsuhiro Tsujikawa (25 Jan 2024)

- configure: add libngtcp2_crypto_boringssl detection

  If OpenSSL is found to be BoringSSL or AWS-LC, and ngtcp2 is requested,
  try to detect libngtcp2_crypto_boringssl.

  Reported-by: ウさん
  Fixes #12724
  Closes #12769

Daniel Stenberg (25 Jan 2024)

- http: remove comment reference to a removed solution

  Follow-up to 58974d25d

  Closes #12785

Stefan Eissing (25 Jan 2024)

- pytest: Scorecard tracking CPU and RSS

  Closes #12765

Graham Campbell (25 Jan 2024)

- GHA: bump ngtcp2, gnutls, mod_h2, quiche

  - ngtcp2 to v1.2.0
  - gnutls to 3.8.3
  - mod_h2 to 2.0.26
  - quiche to 0.20.0

  Closes #12778
  Closes #12779
  Closes #12780
  Closes #12781

Daniel Stenberg (25 Jan 2024)

- ftpserver.pl: send 213 SIZE response without spurious newline

- pingpong: stop using the download buffer

  The pingpong logic now uses its own dynbuf for receiving command
  response data.

  When the "final" response header for a command has been received, that
  final line is left first in the recvbuf for the protocols to parse at
  will. If there is additional data behind the final response line, the
  'overflow' counter indicates how many bytes.

  Closes #12757

- gen.pl: remove bold from .IP used for ##

  Reported-by: Viktor Szakats
  Fixes #12776
  Closes #12777

Viktor Szakats (24 Jan 2024)

- cmake: rework options to enable curl and libcurl docs

  Rework CMake options for building/using curl tool and libcurl manuals.

  - rename `ENABLE_MANUAL` to `ENABLE_CURL_MANUAL`, meaning:
    to build man page and built-in manual for curl tool.

  - rename `BUILD_DOCS` to `BUILD_LIBCURL_DOCS`, meaning:
    to build man pages for libcurl.

  - `BUILD_LIBCURL_DOCS` now works without having to enable
    `ENABLE_CURL_MANUAL` too.

  - drop support for existing CMake-level `USE_MANUAL` option to avoid
    confusion. (It used to work with the effect of current
    `ENABLE_CURL_MANUAL`, but only by accident.)

  Assisted-by: Richard Levitte
  Ref: #12771
  Closes #12773

Daniel Stenberg (24 Jan 2024)

- urlapi: remove assert

  This assert triggers wrongly when CURLU_GUESS_SCHEME and
  CURLU_NO_AUTHORITY are both set and the URL is a single path.

  I think this assert has played out its role. It was introduced in a
  rather big refactor.

  Follow-up to 4cfa5bcc9a

  Reported-by: promptfuzz_ on hackerone
  Closes #12775

Patrick Monnerat (24 Jan 2024)

- tests: avoid int/size_t conversion size/sign warnings

  Closes #12768

Daniel Stenberg (24 Jan 2024)

- GHA: add a job scanning for "bad words" in markdown

  This means words, phrases or things we have decided not to use - words that
  are spelled right according to the dictionary but we want to avoid. In the
  name of consistency and better documentation.

  Closes #12764

Viktor Szakats (23 Jan 2024)

- cmake: speed up curldown processing, enable by default

  - cmake: enable `BUILD_DOCS` by default (this controls converting and
    installing `.3` files from `.md` sources)

  - cmake: speed up generating `.3` files by using a single command per
    directory, instead of a single command per file. This reduces external
    commands by about a thousand. (There remains some CMake logic kicking
    in resulting in 500 -one per file- external `-E touch_nocreate` calls.)

  - cd2nroff: add ability to process multiple input files.

  - cd2nroff: add `-k` option to use the source filename to form the
    output filename. (instead of the default in-file `Title:` line.)

  Follow-up to 3f08d80b2244524646ce86915c585509ac54fb4c
  Follow-up to ea0b575dab86a3c44dd1d547dc500276266aa382 #12753
  Follow-up to eefcc1bda4bccd800f5a56a0fe17a2f44a96e88b #12730

  Closes #12762

Richard Levitte (23 Jan 2024)

- docs: install curl.1 with cmake as well

  Closes #12759

Daniel Stenberg (23 Jan 2024)

- osslq: remove the TLS library from the version output

  Since we only support using a single TLS library at any one time, we
  know that the TLS library for QUIC is the same that is also shown for
  regular TLS.

  Fixes #12763
  Reported-by: Viktor Szakats
  Closes #12767

Stefan Eissing (23 Jan 2024)

- CI: remove unnecessary OpenSSL 3 option `enable-tls1_3`

  .. and switch OpenSSL 3 libdir from lib64 to lib for consistency.

  Closes https://github.com/curl/curl/pull/12758

- GHA: bump nghttp2 version to v1.59.0

  - Switch to v1.59.0 for GHA CI jobs that use a specific nghttp2-version.

  Closes https://github.com/curl/curl/pull/12766

Daniel Stenberg (23 Jan 2024)

- RELEASE-NOTES: synced

- docs/cmdline: change to .md for cmdline docs

   - switch all individual files documenting command line options into .md,
     as the documentation is now markdown-looking.

   - made the parser treat 4-space indents as quotes

   - switch to building the curl.1 manpage using the "mainpage.idx" file,
     which lists the files to include to generate it, instead of using the
     previous page-footer/headers. Also, those files are now also .md
     ones, using the same format. I gave them underscore prefixes to make
     them sort separately:
     _NAME.md, _SYNOPSIS.md, _DESCRIPTION.md, _URL.md, _GLOBBING.md,
     _VARIABLES.md, _OUTPUT.md, _PROTOCOLS.md, _PROGRESS.md, _VERSION.md,
     _OPTIONS.md, _FILES.md, _ENVIRONMENT.md, _PROXYPREFIX.md,
     _EXITCODES.md, _BUGS.md, _AUTHORS.md, _WWW.md, _SEEALSO.md

   - updated test cases accordingly

  Closes #12751

dependabot[bot] (23 Jan 2024)

- CI: bump actions/cache from 3 to 4

  Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4.
  - [Release notes](https://github.com/actions/cache/releases)
  - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
  - [Commits](https://github.com/actions/cache/compare/v3...v4)

  ---
  updated-dependencies:
  - dependency-name: actions/cache
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Closes #12756

Daniel Stenberg (23 Jan 2024)

- openssl: when verifystatus fails, remove session id from cache

  To prevent that it gets used in a subsequent transfer that skips the
  verifystatus check since that check can't be done when the session id is
  reused.

  Reported-by: Hiroki Kurosawa
  Closes #12760

Viktor Szakats (23 Jan 2024)

- cmake: add option to disable building docs

Richard Levitte (23 Jan 2024)

- cmake: use curldown to build man pages

  This throws away the previous HTML and PDF producers, to mimic what
  Makefile.am does as faithfully as possible.

  Closes #12753

Daniel Stenberg (23 Jan 2024)

- mksymbolsmanpage.pl: provide references to where the symbol is used

- docs: introduce "curldown" for libcurl man page format

  curldown is this new file format for libcurl man pages. It is markdown
  inspired with differences:

  - Each file has a set of leading headers with meta-data
  - Supports a small subset of markdown
  - Uses .md file extensions for editors/IDE/GitHub to treat them nicely
  - Generates man pages very similar to the previous ones
  - Generates man pages that still convert nicely to HTML on the website
  - Detects and highlights mentions of curl symbols automatically (when
    their man page section is specified)

  tools:

  - cd2nroff: converts from curldown to nroff man page
  - nroff2cd: convert an (old) nroff man page to curldown
  - cdall: convert many nroff pages to curldown versions
  - cd2cd: verifies and updates a curldown to latest curldown

  This setup generates .3 versions of all the curldown versions at build time.

  CI:

  Since the documentation is now technically markdown in the eyes of many
  things, the CI runs many more tests and checks on this documentation,
  including proselint, link checkers and tests that make sure we capitalize the
  first letter after a period...

  Closes #12730

Viktor Szakats (22 Jan 2024)

- libssh2: use `libssh2_session_callback_set2()` with v1.11.1

  To avoid a local hack to pass function pointers and to avoid
  deprecation warnings when building with libssh2 v1.11.1 or newer:
  ```
  lib/vssh/libssh2.c:3324:5: warning: 'libssh2_session_callback_set' is deprecated: since libssh2 1.11.1. Use libssh2_session_callback_set2() [-Wdeprecated-declarations]
  lib/vssh/libssh2.c:3326:5: warning: 'libssh2_session_callback_set' is deprecated: since libssh2 1.11.1. Use libssh2_session_callback_set2() [-Wdeprecated-declarations]
  ```
  Ref: https://github.com/curl/curl-for-win/actions/runs/7609484879/job/20720821100#step:3:4982

  Ref: https://github.com/libssh2/libssh2/pull/1285
  Ref: https://github.com/libssh2/libssh2/commit/c0f69548be902147ce014ffa40b8db3cf1d4b0b4
  Reviewed-by: Daniel Stenberg
  Closes #12754

Daniel Stenberg (22 Jan 2024)

- transfer: make the select_bits_paused condition check both directions

  If there is activity in a direction that is not paused, return false.

  Reported-by: Sergey Bronnikov
  Bug: https://curl.se/mail/lib-2024-01/0049.html
  Closes #12740

Stefan Eissing (22 Jan 2024)

- http3: initial support for OpenSSL 3.2 QUIC stack

  - HTTP/3 for curl using OpenSSL's own QUIC stack together
    with nghttp3
  - configure with `--with-openssl-quic` to enable curl to
    build this. This requires the nghttp3 library
  - implementation with the following restrictions:
    * macOS has to use an unconnected UDP socket due to an
      issue in OpenSSL's datagram implementation
      See https://github.com/openssl/openssl/issues/23251
      This makes connections to non-responsive servers hang.
    * GET requests will send the indicator that they have
      no body in a separate QUIC packet. This may result
      in processing delays or Transfer-Encodings on proxied
      requests
    * uploads that encounter blocks will use 100% cpu as
      detection of these flow control issues is not working
      (we have not figured out how to pry that from OpenSSL).

  Closes #12734

Viktor Szakats (22 Jan 2024)

- cmake: fix `ENABLE_MANUAL` option

  Fix the `ENABLE_MANUAL` option. Set it to default to `OFF`.

  Before this patch `ENABLE_MANUAL=ON` was a no-op, even though it was the
  option designed to enable building and using the built-in curl manual.
  (`USE_MANUAL=ON` option worked for this instead, by accident).

  Ref: https://github.com/curl/curl/pull/12730#issuecomment-1902572409
  Closes #12749

Mohammadreza Hendiani (19 Jan 2024)

- TODO: update broken link to ratelimit-headers draft

  Closes #12741

Daniel Stenberg (19 Jan 2024)

- cmake: when USE_MANUAL=YES, build the curl.1 man page

  Fixes KNOWN_BUG 15.4

  Closes #12742

- cmdline-opts/write-out.d: remove spurious double quotes

Stefan Eissing (19 Jan 2024)

- rtsp: Convert assertion into debug log

  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65934

  - write excess bytes to the client where the standard excess bytes
    checks will report any wrongness and fail the transfer

  Fixes #12738
  Closes #12739

Daniel Stenberg (19 Jan 2024)

- headers: remove assert from Curl_headers_push

  The fuzzer managed to reach the function without a terminating CR or LF
  so let's handle it normally. While there, remove the goto.

  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65839

  Closes #12721

- curl_easy_getinfo.3: remove the wrong time value count

  It said "six" time values but they are eight by now. Remove the mention
  of the amount.

  Closes #12727

Viktor Szakats (18 Jan 2024)

- mbedtls: fix `-Wnull-dereference` and `-Wredundant-decls`

  - Silence warning in mbedTLS v3.5.1 public headers:
    ```
    ./mbedtls/_x64-linux-musl/usr/include/psa/crypto_extra.h:489:14: warning: redundant redeclaration of 'psa_set_key_domain_parameters' [-Wredundant-decls]
    ./mbedtls/_x64-linux-musl/usr/include/psa/crypto_struct.h:354:14: note: previous declaration of 'psa_set_key_domain_parameters' was here
    ```
    Ref: https://github.com/libssh2/libssh2/commit/ecec68a2c13a9c63fe8c2dc457ae785a513e157c
    Ref: https://github.com/libssh2/libssh2/pull/1226

  - Fix compiler warnings seen with gcc 9.2.0 + cmake unity:
    ```
    ./curl/lib/vtls/mbedtls.c: In function 'mbedtls_bio_cf_read':
    ./curl/lib/vtls/mbedtls.c:189:11: warning: null pointer dereference [-Wnull-dereference]
      189 |   nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &result);
          |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ./curl/lib/vtls/mbedtls.c: In function 'mbedtls_bio_cf_write':
    ./curl/lib/vtls/mbedtls.c:168:14: warning: null pointer dereference [-Wnull-dereference]
      168 |   nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &result);
          |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ```

  - delete stray `#else`.

  Closes #12720

Daniel Stenberg (17 Jan 2024)

- docs: cleanup nroff format use

  - remove use of .BI for code snippet
  - stop using .br, just do a blank line
  - remove use of .PP
  - remove use for .sp
  - remove backslash in .IP
  - use .IP instead of .TP

  Closes #12731

Stefan Eissing (17 Jan 2024)

- test2307: fix expected failure code after ws refactoring

  Fixes #12722
  Closes #12728

Jay Satiro (17 Jan 2024)

- cf-socket: show errno in tcpkeepalive error messages

  - If the socket keepalive options (TCP_KEEPIDLE, etc) cannot be set
    then show the errno in the verbose error messages.

  Ref: https://github.com/curl/curl/discussions/12715#discussioncomment-8151652

  Closes https://github.com/curl/curl/pull/12726

- tool_getparam: stop supporting `@filename` style for --cookie

  The `@filename` style was never documented for --cookie <data|filename>
  but prior to this change curl would accept it anyway and always treat a
  @ prefixed string as a filename.

  That's a problem if the string also contains a = sign because then it is
  documented to be interpreted as a cookie string and not a filename.

  Example:

  `--cookie @foo=bar`

  Before: Interpreted as load cookies from filename foo=bar.

  After: Interpreted as cookie `@foo=bar` (name `@foo` and value `bar`).

  Other curl options with a data/filename option-value use the `@filename`
  to distinguish filenames which is probably how this happened. The
  --cookie option has never been documented that way.

  Ref: https://curl.se/docs/manpage.html#-b

  Closes https://github.com/curl/curl/pull/12645

Stefan Eissing (16 Jan 2024)

- websockets: refactor decode chain

  - use client writer stack for decoding frames
  - move websocket protocol handler to ws.c

  Closes #12713

- websockets: check for negative payload lengths

  - in en- and decoding, check the websocket frame payload lengths for
    negative values (from curl_off_t) and error the operation in that case
  - add test 2307 to verify

  Closes #12707
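
The length check this entry describes, as an added example that is not curl's code: a stand-alone RFC 6455 frame header decoder and encoder that refuse payload lengths which would be negative in a signed 64-bit type. `off64`, the `ws_*` names, the result codes and the sample frames are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t off64; /* assumed stand-in for curl_off_t (signed 64-bit) */
enum { WS_BAD_LEN = -1, WS_AGAIN = -2 }; /* hypothetical result codes */

struct ws_head {
  unsigned opcode;
  off64 payload_len; /* never negative after a successful decode */
  size_t head_len;   /* header bytes, including any masking key */
};

/* Decode an RFC 6455 frame header: 0 on success, WS_AGAIN when more bytes
   are needed, WS_BAD_LEN when the length does not fit a signed 64-bit. */
static int ws_decode_head(const unsigned char *buf, size_t blen,
                          struct ws_head *h)
{
  size_t nlen, need, i;
  uint64_t len;
  if(blen < 2)
    return WS_AGAIN;
  len = buf[1] & 0x7f;
  nlen = (len == 126) ? 2 : ((len == 127) ? 8 : 0);
  need = 2 + nlen + ((buf[1] & 0x80) ? 4 : 0);
  if(blen < need)
    return WS_AGAIN;
  if(nlen)
    len = 0;
  for(i = 0; i < nlen; i++)
    len = (len << 8) | buf[2 + i];
  /* The 8-byte form can carry the top bit. Cast to a signed type it would
     turn negative, so reject it while the value is still unsigned. */
  if(len > (uint64_t)INT64_MAX)
    return WS_BAD_LEN;
  h->opcode = buf[0] & 0x0f;
  h->payload_len = (off64)len;
  h->head_len = need;
  return 0;
}

/* Encode an unmasked, final-frame header. Returns the bytes written, or
   WS_BAD_LEN for a negative length or a too small output buffer. */
static int ws_encode_head(unsigned opcode, off64 payload_len,
                          unsigned char *out, size_t outlen)
{
  size_t i, nlen = (payload_len > 0xffff) ? 8 : ((payload_len > 125) ? 2 : 0);
  if(payload_len < 0 || outlen < 2 + nlen)
    return WS_BAD_LEN;
  out[0] = (unsigned char)(0x80 | (opcode & 0x0f));
  out[1] = (unsigned char)(nlen == 8 ? 127 : (nlen == 2 ? 126 : payload_len));
  for(i = 0; i < nlen; i++)
    out[2 + i] = (unsigned char)((uint64_t)payload_len >> (8 * (nlen - 1 - i)));
  return (int)(2 + nlen);
}

/* Constructed sample frames (not captured traffic). */
static const unsigned char FRAME_TEXT[] = { 0x81, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char FRAME_MSB[] = { 0x82, 0x7f, 0x80, 0, 0, 0, 0, 0, 0, 0 };
static const unsigned char FRAME_SHORT[] = { 0x82, 0x7f, 0x00 };

/* Payload length on success, otherwise the negative result code. */
static off64 ws_payload_len(const unsigned char *buf, size_t blen)
{
  struct ws_head h;
  int rc = ws_decode_head(buf, blen, &h);
  return rc ? (off64)rc : h.payload_len;
}

/* Encode a length, decode it again: the length back, or a result code. */
static off64 ws_roundtrip(off64 payload_len)
{
  unsigned char out[10];
  int n = ws_encode_head(0x2, payload_len, out, sizeof(out));
  return (n < 0) ? (off64)n : ws_payload_len(out, (size_t)n);
}

int main(void)
{
  printf("msb=%lld roundtrip(-1)=%lld\n",
         (long long)ws_payload_len(FRAME_MSB, sizeof(FRAME_MSB)),
         (long long)ws_roundtrip(-1));
  return 0;
}
```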

Daniel Stenberg (16 Jan 2024)

- docs: mention env vars not used by schannel

  Ref: #12704

  Co-authored-by: Jay Satiro <raysatiro@yahoo.com>

  Closes #12711

- tool_operate: make --remove-on-error only remove "real" files

  Reported-by: Harry Sintonen
  Assisted-by: Dan Fandrich

  Closes #12710

Jay Wu (16 Jan 2024)

- url: don't set default CA paths for Secure Transport backend

  As the default for this backend is the native CA store.

  Closes #12704

Lin Sun (16 Jan 2024)

- asyn-ares: with modern c-ares, use its default timeout

  Closes #12703

Daniel Stenberg (15 Jan 2024)

- tool_operate: stop setting the file comment on Amiga

  - the URL is capped at 80 cols, which ruins it if longer
  - it does not strip off URL credentials
  - it is done unconditionally, not on --xattr
  - we don't have Amiga in the CI which makes fixing it blindly fragile

  Someone who builds and tests on Amiga can add it back correctly in a
  future if there is a desire.

  Reported-by: Harry Sintonen
  Closes #12709

Stefan Eissing (15 Jan 2024)

- rtsp: deal with borked server responses

  - enforce a response body length of 0, if the
    response has no Content-length. This is according
    to the RTSP spec.
  - excess bytes in a response body are forwarded to
    the client writers which will report and fail the
    transfer

  Follow-up to d7b6ce6
  Fixes #12701
  Closes #12706

Daniel Stenberg (14 Jan 2024)

- version: show only the libpsl version, not its dependencies

  The libpsl version output otherwise also includes version number for its
  dependencies, like IDN lib, but since libcurl does not use libpsl's IDN
  functionality those components are not important.

  Ref: https://github.com/curl/curl-for-win/issues/63
  Closes #12700

Brad Harder (14 Jan 2024)

- curl.h: CURLOPT_DNS_SERVERS is only available with c-ares

  Closes #12695

Daniel Stenberg (14 Jan 2024)

- cmdline-opts/gen.pl: error on initial blank line

  After the "---" separator, there should be no blank line and this script
  now errors out if one is detected.

  Ref: #12696
  Closes #12698

- cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper

  Follow-up to 693cd1679361828a which was incomplete

  Ref #12680
  Closes #12697

- curl_multi_fdset.3: remove mention of null pointer support

  ... since this function has not supported null pointer fd_set arguments since
  at least 2006. (That's when I stopped my git blame journey)

  Fixes #12691
  Reported-by: sfan5 on github
  Closes #12692

Mark Huang (14 Jan 2024)

- docs/cmdline: remove unnecessary line breaks

  Closes #12696

Daniel Stenberg (14 Jan 2024)

- transfer: remove warning: Value stored to 'blen' is never read

  Detected by scan-build

  Follow-up from 1cd2f0072f

  Closes #12693

Stefan Eissing (13 Jan 2024)

- lib: replace readwrite with write_resp

  This clarifies the handling of server responses by folding the code for
  the complicated protocols into their protocol handlers. This concerns
  mainly HTTP and its bastard sibling RTSP.

  The terms "read" and "write" are often used without clear context if
  they refer to the connect or the client/application side of a
  transfer. This PR uses "read/write" for operations on the client side
  and "send/receive" for the connection, e.g. server side. If this is
  considered useful, we can revisit renaming of further methods in another
  PR.

  Curl's protocol handler `readwrite()` method has been changed:

  ```diff
  -  CURLcode (*readwrite)(struct Curl_easy *data, struct connectdata *conn,
  -                        const char *buf, size_t blen,
  -                        size_t *pconsumed, bool *readmore);
  +  CURLcode (*write_resp)(struct Curl_easy *data, const char *buf, size_t ble
  n,
  +                         bool is_eos, bool *done);
  ```
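Review bot: the new `write_resp` declaration carries no comment stating its contract, and with `pconsumed` and `readmore` gone the signature alone no longer says how much of `buf` a handler must process. Suggest a short comment above the function pointer saying that a successful return means all `blen` bytes were handled, when `is_eos` is set and what `*done` reports on return; it would also help to state whether a call with `blen` of 0 and `is_eos` set is valid.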

  The name was changed to clarify that this writes response data to the
  client side. The parameter changes are:

  * `conn` removed as it always operates on `data->conn`
  * `pconsumed` removed as the method needs to handle all data on success
  * `readmore` removed as no longer necessary
  * `is_eos` as indicator that this is the last call for the transfer
    response (end-of-stream).
  * `done` TRUE on return iff the transfer response is to be treated as
    finished

  This change affects many files only because of updated comments in
  handlers that provide no implementation. The real change is that the
  HTTP protocol handlers now provide an implementation.

  The HTTP protocol handlers `write_resp()` implementation will get passed
  **all** raw data of a server response for the transfer. The HTTP/1.x
