Changes in 7.77.0 - May 26 2021

Changes:

• configure: make the TLS library choice(s) explicit
• curl: ignore options asking for SSLv2 or SSLv3
• hsts: enable by default
• SSL: support in-memory CA certs for some backends
• vtls: refuse setting any SSL version

Bugfixes:

• CVE-2021-22897: schannel cipher selection surprise
• CVE-2021-22898: TELNET stack contents disclosure
• CVE-2021-22901: TLS session caching disaster
• AmigaOS: add functions definitions for SHA256
• build: fix compilation for Windows UWP platform
• c-hyper: don't write to set.writeheader if null
• c-hyper: fix handling of zero-byte chunk from hyper
• c-hyper: handle body on HYPER_TASK_EMPTY
• checksrc: complain on == NULL or != 0 checks in conditions
• CI/cirrus: add shared and static Windows release builds
• cmake: add CURL_ENABLE_EXPORT_TARGET option
• cmake: check for getppid and utimes
• cmake: detect CURL_SA_FAMILY_T
• cmake: fix two invokes result in different curl_config.h
• cmake: make libcurl output filename configurable
• cmake: Use multithreaded compilation on VS 2008+
• config: remove now-unused macros
• configure: if asked for, fail if ldap is not found
• configure: provide --with-openssl, deprecate --with-ssl
• conn: add 'attach' to protocol handler, make libssh2 use it
• connect: use CURL_SA_FAMILY_T for portability
• ConnectionExists: respect requests for h1 connections better
• cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
• curl-wolfssl.m4: without custom include path, assume /usr/include
• curl: include libmetalink version in --version output
• Curl_http_header: check for colon when matching Persistent-Auth
• Curl_http_input_auth: require valid separator after negotiation type
• Curl_input_digest: require space after Digest
• curl_mprintf.3: add description
• curl_setup: provide the shutdown flags wider
• curl_url_set.3: add memory management information
• CURLcode: add CURLE_SSL_CLIENTCERT
• CURLOPT_CAPATH.3: defaults to a path, not NULL
• CURLOPT_IPRESOLVE: preventing wrong IP version from being used
• CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
• data_pending: check only SECONDARY socket for FTP(S) transfers
• docs/TheArtOfHttpScripting: fix markdown links
• docs: camelcase it like GitHub everywhere
• docs: cookies from HTTP headers need domain set
• docs: fix typo in fail-with-body doc
• docs: improve INTERNALS.md regarding getsock cb
• docs: replace dots with dashes in markdown enums
• easy: ignore sigpipe in curl_easy_send
• FILEFORMAT: mention sectransp as a feature
• GIT-INFO: suggest using autoreconf instead of buildconf
• github: add a workflow with libssh2 on macOS using cmake
• github: inhibit deprecated declarations for clang on macOS
• GnuTLS: don't allow TLS 1.3 for versions that don't support it
• gnutls: make setting only the MAX TLS allowed version work
• gskit: fix CURL_DISABLE_PROXY build
• gskit: fix undefined reference to 'conn'
• hostip.h: remove declaration of unimplemented function
• hostip: remove the debug code for LocalHost
• http2: call the handle-closed function correctly on closed stream
• http2: fix a resource leak in push_promise()
• http2: fix resource leaks in set_transfer_url()
• http2: make sure pause is done on HTTP
• http2: move the stream error field to the per-transfer storage
• http2: skip immediate parsing of payload following protocol switch
• http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
• HTTP3.md: fix nghttp2's HTTP/3 server port
• HTTP3.md: make the ngtcp2 build use the quictls fork
• http: deal with partial CONNECT sends
• http: fix the check for 'Authorization' with Bearer
• http: limit the initial send amount to used upload buffer size
• http: reset the header buffer when sending the request
• http: use offsets inst of integer literals for header parsing
• INSTALL: add IBM i specific quirks
• krb5/name_to_level: replace checkprefix with curl_strequal
• krb5: don't use 'static' to store PBSZ size response
• krb5: remove the unused 'overhead' function
• lib/hostip6.c: make NAT64 address synthesis on macOS work
• lib1564.c: enable last wakeup test part on Windows
• lib: fix 0-length Curl_client_write calls
• lib: fix some misuse of curlx_convert_UTF8_to_tchar
• libcurl-security.3: be careful of setuid
• libcurl-security.3: don't try to filter IPv4 hosts based on the URL
• libcurl.3: mention the URL API
• libssh2: fix Value stored to 'sshp' is never read
• libssh2: ignore timeout during disconnect
• libssh: fix "empty expression statement has no effect" warnings
• libtest: remove lib530.c
• m4: add security frameworks on Mac when compiling rustls
• multi: don't close connection HTTP_1_1_REQUIRED
• multi: fix slow write/upload performance on Windows
• multi: reduce Win32 API calls to improve performance
• ngtcp2: fix the cb_acked_stream_data_offset proto
• NSS: add ciphers to map
• NSS: make colons, commas and spaces valid separators in cipher list
• nss_set_blocking: avoid static for sock_opt
• ntlm: precaution against super huge type2 offsets
• openldap: protect SSL-specific code with proper #ifdef
• openldap: replace ldap_ prefix on private functions
• openssl: fix build error with OpenSSL < 1.0.2
• openssl: remove unneeded cast for CertOpenSystemStore()
• os400: additional support for options metadata
• progress: fix scan-build-11 warnings
• progress: reset limit_size variables at transfer start
• progress: when possible, calculate transfer speeds with microseconds
• README.md: delete Codacy UTM parameters
• Revert "Revert 'multi: implement wait using winsock events'"
• rustls: only return CURLE_AGAIN when TLS session is fully drained
• rustls: use ALPN
• sasl: use 'unsigned short' to store mechanism
• schannel: Disable auto credentials; add an option to enable it
• schannel: Support strong crypto option
• sectransp: allow cipher name to be specified
• sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
• sigpipe: ignore SIGPIPE when using wolfSSL as well
• sockfilt: avoid getting stuck waiting for writable socket
• sockfilt: fix invalid increment of handles index variable nfd
• sws: #ifdef S_IFSOCK use
• sws: allow HTTP requests up to 2MB in size
• test server: take care of siginterrupt() deprecation
• test2100: make it run with and require IPv6
• tests/disable-scan.pl: also scan all m4 files
• tests/getpart: generate output URL encoded for better diffs
• tests: ignore case of chunked hex numbers in tests
• tls: add USE_HTTP2 define
• tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
• tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
• tool_operate: don't discard failed parallel transfer result
• tool_writeout: fix the HTTP_CODE json output
• travis: disable the failing libssh build
• URL-SYNTAX: update IDNA section for WHATWG spec changes
• urlapi: "normalize" numerical IPv4 hostnames
• vauth: factor base64 conversions out of authentication procedures
• version: add gsasl_version to curl_version_info_data
• version: add OpenLDAP version in the output
• vtls: deduplicate some DISABLE_PROXY ifdefs
• vtls: reset ssl use flag upon negotiation failure
• wolfssl: handle SSL_write() returns 0 for error
• wolfssl: remove SSLv3 support leftovers

Further