Changes in 8.14.0 - May 28 2025

Changes:

• mqtt: send ping at upkeep interval
• schannel: handle pkcs12 client certificates containing CA certificates
• TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
• vquic: ngtcp2 + openssl support
• wcurl: import v2025.04.20 script + docs
• websocket: add option to disable auto-pong reply

Bugfixes:

• _SEEALSO.md: remove spaces around command and man page section
• asny-thrdd: fix detach from running thread
• asnyc-thrdd: explain how this is okay with a comment
• asyn resolver code improvements
• async-threaded resolver: use ref counter
• async: DoH improvements
• autotools: detect `wolfSSL_set_quic_use_legacy_code` like cmake does
• autotools: install shell completion files on cross build
• aws-sigv4: allow a blank string
• build: check required rustls-ffi version
• build: enable gcc-12/13+, clang-10+ picky warnings
• build: enable gcc-15 picky warnings
• certs: drop unused `default_bits` from `.prm` files
• cf-https-connect: use the passed in dns struct pointer
• cf-socket: fix FTP accept connect
• cfilters: remove assert
• cmake/FindNGTCP2: simplify multi-pkg-config detection
• cmake: append picky warnings to `CMAKE_REQUIRED_FLAGS` as string
• cmake: avoid 'target is imported but not globally visible' when consuming libcurl with old cmake
• cmake: do not install `mk-ca-bundle` script and manpage
• cmake: enable `-Wall` for MSVC when `PICKY_COMPILER=ON`
• cmake: extend integration tests
• cmake: fix `fish` install directory detection via `pkg-config`
• cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
• cmake: fix option() and mark_as_advanced() mixed order
• cmake: fix shell completion install when just one flavor is enabled
• cmake: honor individual picky option overrides found in `CMAKE_C_FLAGS`
• cmake: install shell completions for cross-builds
• cmake: link `crypt32` for OpenSSL feature detection
• cmake: merge `CURL_WERROR` logic into `PickyWarnings.cmake`
• cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
• cmake: quotes, whitespace, use `VERSION_GREATER_EQUAL`
• cmake: revert `CURL_LTO` behavior for multi-config generators
• cmake: set `BUILDING_LIBCURL` directly for unit test targets
• cmake: stop deleting `-W<n>` from `CMAKE_C_FLAGS` (MSVC)
• cmake: tidy up and document feature detections in dependencies
• cmake: use `CMAKE_COMPILE_WARNING_AS_ERROR` if available
• cmake: use `INCLUDE_DIRECTORIES` prop to specify local header dirs
• cmake: use `LIB_NAME` in `curl-config.cmake.in`
• cmake: use absolute paths for completion targets
• cmake: use the `LINK_OPTIONS` property with CMake 3.13+
• configure: catch asking for double resolver without https-rr
• configure: fix --disable-rt
• configure: restore link checks
• configure: suppress command not found for brew
• conncache: make Curl_cpool_init return void
• connect: shutdown timer fix
• content_encoding: Transfer-Encoding parser improvements
• CONTRIBUTE: add project guidelines for AI use
• contrithanks.sh: drop set -e
• cpool/cshutdown: force close connections under pressure
• curl: fix memory leak when -h is used in config file
• curl: only warn once for --manual in manual-disabled build
• curl_get_line: handle lines ending on the buffer boundary
• curl_krb5: only use functions if FTP is still enabled
• curl_multibyte: fixup low-level calls, include in unity builds
• curl_osslq: remove a leftover debug fprintf() call
• curl_version_info.md: clarify ssl_version for MultiSSL
• CURLMOPT_TIMERFUNCTION.md: correct the example
• CURLOPT_ERRORBUFFER.md: buffer is read only after curl takes ownership
• CURLOPT_FOLLOWLOCATION.md: switch to GET => no body
• CURLOPT_READFUNCTION.md: mention the seek callback
• CURLOPT_XFERINFOFUNCTION.md: fix the callback return type in example
• curlx: move the docs to docs/internals/
• DEPRECATE.md: drop support for VS2008
• DEPRECATE.md: drop Windows CE support
• dist: drop duplicate entry from `CMAKE_DIST`
• dns_entry: move from conn to data->state
• Dockerfile: update debian:bookworm-slim Docker digest to 90522ee
• docs/INSTALL.md: drop reference to removed configure option
• docs/libcurl: fix type and prototype problems in examples
• docs/libcurl: make examples build with picky compiler options
• docs/libcurl: mention sensitive data/headers
• docs: add missing return statement in examples
• docs: fix incorrect shell substitution in docker run example command
• docs: fix typo in retry.md
• docs: update distros links
• doh: httpsrr fix
• doh: make sure CURLOPT_PROTOCOLS is set a with a "long" arg
• doh: reduce the DNS request buffer size
• easy_reset: fix dohfor_mid member
• ECH: reference the OpenSSL ECH feature branch
• etag-save.md: mention how using both options is a good idea
• eventfd: fix feature guards
• formdata: cleanups
• ftp: fix bug in failed init
• ftp: fix race in upload handling
• ftplistparser: add two overflow preventions
• ftplistparser: split up into more functions
• generate.bat: exclude curlinfo.c from legacy VS projects
• genserv.pl: fail with a message if `openssl` is missing or failing
• headers: enforce a max number of response header to accept
• headers: set an error message on illegal response headers
• hostip: fix build without threaded-resolver and without DoH
• hostip: show the correct name on proxy resolve error
• http2: fix stream window size after unpausing
• HTTP3.md: fix incorrect variable placeholders
• http: fix a build error when all auths are disabled
• http: fix HTTP/2 handling of TE request header using "trailers"
• http: in alt-svc negotiation only allow supported HTTP versions
• http_aws_sigv4: add additional verbose log statements
• http_aws_sigv4: improve sigv4 url encoding and canonicalization
• http_chunks: narrow variable scope for 'trlen'
• http_negotiate: fix non-SSL build with GSSAPI
• https-connect: fix httpsrr target check
• HTTPSRR.md: clarify somewhat
• if2ip: build the function also if FTP is present
• imap: remove redundant condition
• INSTALL-CMAKE.md: fix typo
• INSTALL.md: update the minimal libcurl size example
• KNOWN_BUGS: fix link in sivg4 issue 16.3
• lib/src/docs/test: improve curl_easy_setopt() calls
• lib1560: use hex notation, drop non-ASCII exception
• lib3026: drop DLL pre-load perf mitigation for old mingw
• lib: add const to clientwriter tables
• lib: drop curlx_getpid, use fake pid in SMB
• lib: include files using known path
• lib: make Curl_easyopts const
• lib: unify conversions to/from hex
• libcurl-tutorial.md: fix read callback explanation
• libssh: add NULL check for Curl_meta_get()
• libssh: fix memory leak
• libssh: remove a condition that always equals false
• libtest/first: stop defining MEMDEBUG_NODEFINES
• libtests: define CURL_DISABLE_DEPRECATION first
• make: clean tests better
• mbedtls: TLS 1.3 is max when mbedtls has 1.3 support
• metahash: add asserts to help analyzers
• mk-ca-bundle.pl: follow redirects
• mk-ca-bundle: switch URLs to GitHub versions
• mkhelp: fix to not generate a line-ending space in some cases
• mqtt: use conn/easy meta hash
• multi: do transfer book keeping using mid
• multi: init_do(): check result
• netrc: avoid NULL deref on weird input
• netrc: avoid strdup NULL
• netrc: deal with null token better
• ngtcp2: clarify ignoring of result
• openssl-quic: avoid potential `-Wnull-dereference`, add assert
• openssl-quic: fix printf mask
• openssl-quic: fix shutdown when stream not open
• openssl: enable builds for *both* engines and providers
• openssl: set the cipher string before doing private cert
• parsedate: provide Curl_wkday also for GnuTLS builds
• processhelp.pm: always call `taskkill` with `-f` (force)
• processhelp.pm: avoid potential endless loop, log more (Windows)
• progress: avoid integer overflow when gathering total transfer size
• pytest tls: extend coverage
• pytest-xdist: pytest in parallel
• pytest: add pinnedpubkey test cases
• pytest: give parameterised tests better ids for read- and parsability
• pytest: make test_07_22 more lenient to exit codes
• quic: no local idle connection timeout, ngtcp2 keep-alive
• rand: update comment on Curl_rand_bytes weak random
• RELEASE-PROCEDURE.md: release candidate git tagging explained
• rtsp: remove redundant condition
• runtests: add retry option to reduce flakiness
• runtests: fix indentation
• runtests: recognize lowercase `windows` in `curl -V`
• runtests: remove server verification after start
• runtests: split `SSH_PWD` into `SCP_PWD` and `SFTP_PWD`, and more
• rustls: make max size of cert and key reasonable
• sasl: give help when unable to select AUTH
• scripts: completion.pl: sort the completion file for all shells
• scripts: drop unused import, formatting
• scripts: fix --opts-dir help in completion.pl
• scripts: fix perl indentation, whitespace, semicolons
• sectransp: fix building for macOS Sierra and older
• setopt: provide info for CURLE_BAD_FUNCTION_ARGUMENT
• smb: avoid integer overflow on weird input date
• socket: use accept4 when available
• socketpair: support pipe2 where available
• spacecheck.pl: check for non-ASCII chars, fix fallouts
• spacecheck.pl: verify `tests/data/test*` for non-ASCII chars
• src: drop strcase.[ch] from tool builds
• src: include memdebug.h consistently with angle brackets <>
• src: rename curlx_safefree to tool_safefree
• test1173.pl: whitelist some option-looking names that aren't options
• test1658: add unit test for the HTTPS RR decoder
• test: make unittest 1308 into a libtest
• tests/ech_tests.sh: sync shebang with rest of bash scripts
• tests/FILEFORMAT.md: clarify %hex[] formatting
• tests/FILEFORMAT.md: document the aws feature
• tests/README.md: document --test-duphandle
• tests/README.md: list the openssl tool among the prerequisites
• tests/server/dnsd: basic DNS server for test suite
• tests/server: check for `stream != NULL` in mqttd
• tests/server: fix typo in comment
• tests/server: stop using libcurl string comparisons
• tests/server: stop using libcurl's printf functions
• tests/serverhelp: remove last remnants of http-pipe server
• tests/tunit: make a separate directory for tool-based unit tests
• tests: add aws feature to the related tests
• tests: Add https-mtls server to force client auth
• tests: fix some test tag mismatches
• tests: mark ipfs tests to require ipfs
• tests: move a boolean variable out of the path section
• tests: prefer `--insecure` over `-k`
• tests: provide all non-ascii data hex encoded
• tests: remove some unused test case sections
• tests: require IPv6 for 1265, 1324, 2086
• tests: separate tunit tests from unit tests more
• tests: stop using libcurl's strdup
• tests: unify test case keywords
• tests: use a more portable null device path
• TODO: remove "nicer lacking perl message"
• tool_cb_write.c: handle EINTR on flush
• tool_getparam: clear argument only when needed
• tool_operate: make retrycheck() a separate function
• tool_operate: when retrying, only truncate regular files
• tool_paramhlp: avoid integer overflow in secs2ms()
• tool_parsecfg: make get_line handle lines ending on the buffer boundary
• typecheck-gcc.h: fix the typechecks
• urlapi: redirecting to "" is considered fine
• urlapi: remove unneeded guards around PUNY2IDN
• urldata: remove the unused struct field 'hide_progress'
• VERSIONS: list all past releases
• vquic: consistent name for the stream struct across backends
• vquic: init for every call to recvmsg
• vtls: avoid NULL deref on bad PEM input
• vtls: fix build with ssl but without http
• VULN-DISCLOSURE-POLICY: use of weak algos
• winbuild: add the deprecation warning to the README
• winbuild: curl_get_line is not used for tool builds
• windows: fix builds targeting WinXP, test it in CI
• wolfssl: fix to enable ALPN when available
• ws: fix the header replace check
• ws: store protocol context as connection meta data

Further