curl / Development / Pending Release Notes
Pending RELEASE-NOTES for the upcoming release
This is work in progress and will change before the release goes public on 2025-05-28.
Changes:
- mqtt: send ping at upkeep interval
- schannel: handle pkcs12 client certificates containing CA certificates
- TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
- vquic: ngtcp2 + openssl support
- wcurl: import v2025.04.20 script + docs
- websocket: add option to disable auto-pong reply
Bugfixes:
- asyn resolver code improvements
- async-threaded resolver: use ref counter
- async: DoH improvements
- autotools: detect `wolfSSL_set_quic_use_legacy_code` like cmake does
- autotools: install shell completion files on cross build
- aws-sigv4: allow a blank string
- build: check required rustls-ffi version
- build: enable gcc-12/13+, clang-10+ picky warnings
- build: enable gcc-15 picky warnings
- certs: drop unused `default_bits` from `.prm` files
- cf-https-connect: use the passed in dns struct pointer
- cf-socket: fix FTP accept connect
- cfilters: remove assert
- cmake/FindNGTCP2: simplify multi-pkg-config detection
- cmake: append picky warnings to `CMAKE_REQUIRED_FLAGS` as string
- cmake: avoid 'target is imported but not globally visible' when consuming libcurl with old cmake
- cmake: do not install `mk-ca-bundle` script and manpage
- cmake: enable `-Wall` for MSVC when `PICKY_COMPILER=ON`
- cmake: extend integration tests
- cmake: fix `fish` install directory detection via `pkg-config`
- cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
- cmake: fix option() and mark_as_advanced() mixed order
- cmake: fix shell completion install when just one flavor is enabled
- cmake: honor individual picky option overrides found in `CMAKE_C_FLAGS`
- cmake: install shell completions for cross-builds
- cmake: link `crypt32` for OpenSSL feature detection
- cmake: merge `CURL_WERROR` logic into `PickyWarnings.cmake`
- cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
- cmake: quotes, whitespace, use `VERSION_GREATER_EQUAL`
- cmake: revert `CURL_LTO` behavior for multi-config generators
- cmake: stop deleting `-W<n>` from `CMAKE_C_FLAGS` (MSVC)
- cmake: tidy up and document feature detections in dependencies
- cmake: use `CMAKE_COMPILE_WARNING_AS_ERROR` if available
- cmake: use `INCLUDE_DIRECTORIES` prop to specify local header dirs
- cmake: use `LIB_NAME` in `curl-config.cmake.in`
- cmake: use absolute paths for completion targets
- cmake: use the `LINK_OPTIONS` property with CMake 3.13+
- configure: catch asking for double resolver without https-rr
- configure: fix --disable-rt
- configure: restore link checks
- conncache: make Curl_cpool_init return void
- connect: shutdown timer fix
- content_encoding: Transfer-Encoding parser improvements
- contrithanks.sh: drop set -e
- cpool/cshutdown: force close connections under pressure
- curl_get_line: handle lines ending on the buffer boundary
- curl_krb5: only use functions if FTP is still enabled
- curl_multibyte: fixup low-level calls, include in unity builds
- curl_osslq: remove a leftover debug fprintf() call
- CURLOPT_ERRORBUFFER.md: buffer is read only after curl takes ownership
- CURLOPT_XFERINFOFUNCTION.md: fix the callback return type in example
- dist: drop duplicate entry from `CMAKE_DIST`
- docs/INSTALL.md: drop reference to removed configure option
- docs/libcurl: fix type and prototype problems in examples
- docs/libcurl: make examples build with picky compiler options
- docs: add missing return statement in examples
- docs: fix incorrect shell substitution in docker run example command
- doh: httpsrr fix
- doh: make sure CURLOPT_PROTOCOLS is set a with a "long" arg
- doh: reduce the DNS request buffer size
- easy_reset: fix dohfor_mid member
- etag-save.md: mention how using both options is a good idea
- eventfd: fix feature guards
- genserv.pl: fail with a message if `openssl` is missing or failing
- hostip: fix build without threaded-resolver and without DoH
- hostip: show the correct name on proxy resolve error
- http2: fix stream window size after unpausing
- HTTP3.md: fix incorrect variable placeholders
- http: fix a build error when all auths are disabled
- http: fix HTTP/2 handling of TE request header using "trailers"
- http: in alt-svc negotiation only allow supported HTTP versions
- http_aws_sigv4: add additional verbose log statements
- http_negotiate: fix non-SSL build with GSSAPI
- https-connect: fix httpsrr target check
- HTTPSRR.md: clarify somewhat
- if2ip: build the function also if FTP is present
- INSTALL-CMAKE.md: fix typo
- INSTALL.md: update the minimal libcurl size example
- KNOWN_BUGS: fix link in sivg4 issue 16.3
- lib/src/docs/test: improve curl_easy_setopt() calls
- lib: add const to clientwriter tables
- lib: include files using known path
- lib: make Curl_easyopts const
- lib: unify conversions to/from hex
- libcurl-tutorial.md: fix read callback explanation
- libtest/first: stop defining MEMDEBUG_NODEFINES
- make: clean tests better
- mbedtls: TLS 1.3 is max when mbedtls has 1.3 support
- mk-ca-bundle.pl: follow redirects
- mkhelp: fix to not generate a line-ending space in some cases
- mqtt: use conn/easy meta hash
- multi: do transfer book keeping using mid
- multi: init_do(): check result
- openssl-quic: avoid potential `-Wnull-dereference`, add assert
- openssl-quic: fix printf mask
- openssl-quic: fix shutdown when stream not open
- openssl: enable builds for *both* engines and providers
- openssl: set the cipher string before doing private cert
- parsedate: provide Curl_wkday also for GnuTLS builds
- processhelp.pm: always call `taskkill` with `-f` (force)
- processhelp.pm: avoid potential endless loop, log more (Windows)
- progress: avoid integer overflow when gathering total transfer size
- pytest: make test_07_22 more lenient to exit codes
- quic: no local idle connection timeout, ngtcp2 keep-alive
- rand: update comment on Curl_rand_bytes weak random
- RELEASE-PROCEDURE.md: release candidate git tagging explained
- runtests: add retry option to reduce flakiness
- runtests: fix indentation
- runtests: recognize lowercase `windows` in `curl -V`
- runtests: remove server verification after start
- runtests: split `SSH_PWD` into `SCP_PWD` and `SFTP_PWD`, and more
- rustls: make max size of cert and key reasonable
- scripts: completion.pl: sort the completion file for all shells
- scripts: drop unused import, formatting
- scripts: fix --opts-dir help in completion.pl
- scripts: fix perl indentation, whitespace, semicolons
- sectransp: fix building for macOS Sierra and older
- smb: avoid integer overflow on weird input date
- socket: use accept4 when available
- socketpair: support pipe2 where available
- test1658: add unit test for the HTTPS RR decoder
- test: make unittest 1308 into a libtest
- tests/ech_tests.sh: sync shebang with rest of bash scripts
- tests/README.md: document --test-duphandle
- tests/README.md: list the openssl tool among the prerequisites
- tests/server/dnsd: basic DNS server for test suite
- tests/server: fix typo in comment
- tests/serverhelp: remove last remnants of http-pipe server
- tests/tunit: make a separate directory for tool-based unit tests
- tests: Add https-mtls server to force client auth
- tests: fix some test tag mismatches
- tests: mark ipfs tests to require ipfs
- tests: move a boolean variable out of the path section
- tests: prefer `--insecure` over `-k`
- tests: remove some unused test case sections
- tests: require IPv6 for 1265, 1324, 2086
- tests: unify test case keywords
- tests: use a more portable null device path
- TODO: remove "nicer lacking perl message"
- tool_cb_write.c: handle EINTR on flush
- tool_getparam: clear argument only when needed
- tool_paramhlp: avoid integer overflow in secs2ms()
- tool_parsecfg: make get_line handle lines ending on the buffer boundary
- typecheck-gcc.h: fix the typechecks
- urlapi: redirecting to "" is considered fine
- VERSIONS: list all past releases
- vquic: consistent name for the stream struct across backends
- vquic: init for every call to recvmsg
- vtls: fix build with ssl but without http
- VULN-DISCLOSURE-POLICY: use of weak algos
- winbuild: add the deprecation warning to the README
- wolfssl: fix to enable ALPN when available
- ws: fix the header replace check
- ws: store protocol context as connection meta data
Contributors:
Abhinav Singhal, Andreas Westin, Andrei Florea, Andrew Kirillov, Andy Pan, Arian van Putten, bo0tzz on github, Bo Anderson, Brian Chrzanowski, bruce.yoon, bsr13 on hackerone, calvin2021y on github, Calvin Ruocco, Carlos Henrique Lima Melara, Christian Schmitz, Cole Helbling, Corinna Brandt, Dagobert Michelsen, Dan Fandrich, Daniel Engberg, Daniel McCarney, Daniel Stenberg, Demi Marie Obenour, dependabot[bot], epicmkirzinger on github, Eric Knibbe, Fujii Hironori, gkarracer on github, Graham Christensen, Harry Sintonen, Helmut Grohne, Jake Yuesong Li, Jean-Christophe Amiel, Jixinqi, Jochen Sprickerhof, Joel Depooter, Johan Eliasson, Jonathan Rosa, Kai Pastor, kkalganov on github, Marius Kleidl, Max Eliaser, mschroeder-fzj on github, NeimadTL, Niall O'Reilly, Nigel Brittain, Nils Goroll, Pavel Kropachev, PleaseJustDont, Rasmus Melchior Jacobsen, Ray Satiro, renovate[bot], Samuel Henrique, sbernatsky on github, Sergey, Sören Tempel, Stefan Eissing, Stephen Farrell, Tal Regev, Thomas Klausner, Tomas Volf, Travis Lane, Viktor Szakats, x1sc0 on github, xiadnoring on github, Yedaya Katsman, zopsicle on github