Pending RELEASE-NOTES for the upcoming release

This is work in progress and will change before the release goes public on 2025-05-28.

Changes:

• mqtt: send ping at upkeep interval
• schannel: handle pkcs12 client certificates containing CA certificates
• TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
• vquic: ngtcp2 + openssl support
• wcurl: import v2025.04.20 script + docs
• websocket: add option to disable auto-pong reply

Bugfixes:

• _SEEALSO.md: remove spaces around command and man page section
• asny-thrdd: fix detach from running thread
• asnyc-thrdd: explain how this is okay with a comment
• asyn resolver code improvements
• async-threaded resolver: use ref counter
• async: DoH improvements
• autotools: detect `wolfSSL_set_quic_use_legacy_code` like cmake does
• autotools: install shell completion files on cross build
• aws-sigv4: allow a blank string
• build: check required rustls-ffi version
• build: enable gcc-12/13+, clang-10+ picky warnings
• build: enable gcc-15 picky warnings
• certs: drop unused `default_bits` from `.prm` files
• cf-https-connect: use the passed in dns struct pointer
• cf-socket: fix FTP accept connect
• cfilters: remove assert
• cmake/FindNGTCP2: simplify multi-pkg-config detection
• cmake: append picky warnings to `CMAKE_REQUIRED_FLAGS` as string
• cmake: avoid 'target is imported but not globally visible' when consuming libcurl with old cmake
• cmake: do not install `mk-ca-bundle` script and manpage
• cmake: enable `-Wall` for MSVC when `PICKY_COMPILER=ON`
• cmake: extend integration tests
• cmake: fix `fish` install directory detection via `pkg-config`
• cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
• cmake: fix option() and mark_as_advanced() mixed order
• cmake: fix shell completion install when just one flavor is enabled
• cmake: honor individual picky option overrides found in `CMAKE_C_FLAGS`
• cmake: install shell completions for cross-builds
• cmake: link `crypt32` for OpenSSL feature detection
• cmake: merge `CURL_WERROR` logic into `PickyWarnings.cmake`
• cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
• cmake: quotes, whitespace, use `VERSION_GREATER_EQUAL`
• cmake: revert `CURL_LTO` behavior for multi-config generators
• cmake: set `BUILDING_LIBCURL` directly for unit test targets
• cmake: stop deleting `-W<n>` from `CMAKE_C_FLAGS` (MSVC)
• cmake: tidy up and document feature detections in dependencies
• cmake: use `CMAKE_COMPILE_WARNING_AS_ERROR` if available
• cmake: use `INCLUDE_DIRECTORIES` prop to specify local header dirs
• cmake: use `LIB_NAME` in `curl-config.cmake.in`
• cmake: use absolute paths for completion targets
• cmake: use the `LINK_OPTIONS` property with CMake 3.13+
• configure: catch asking for double resolver without https-rr
• configure: fix --disable-rt
• configure: restore link checks
• conncache: make Curl_cpool_init return void
• connect: shutdown timer fix
• content_encoding: Transfer-Encoding parser improvements
• CONTRIBUTE: add project guidelines for AI use
• contrithanks.sh: drop set -e
• cpool/cshutdown: force close connections under pressure
• curl: fix memory leak when -h is used in config file
• curl_get_line: handle lines ending on the buffer boundary
• curl_krb5: only use functions if FTP is still enabled
• curl_multibyte: fixup low-level calls, include in unity builds
• curl_osslq: remove a leftover debug fprintf() call
• curl_version_info.md: clarify ssl_version for MultiSSL
• CURLMOPT_TIMERFUNCTION.md: correct the example
• CURLOPT_ERRORBUFFER.md: buffer is read only after curl takes ownership
• CURLOPT_XFERINFOFUNCTION.md: fix the callback return type in example
• curlx: move the docs to docs/internals/
• dist: drop duplicate entry from `CMAKE_DIST`
• docs/INSTALL.md: drop reference to removed configure option
• docs/libcurl: fix type and prototype problems in examples
• docs/libcurl: make examples build with picky compiler options
• docs/libcurl: mention sensitive data/headers
• docs: add missing return statement in examples
• docs: fix incorrect shell substitution in docker run example command
• docs: update distros links
• doh: httpsrr fix
• doh: make sure CURLOPT_PROTOCOLS is set a with a "long" arg
• doh: reduce the DNS request buffer size
• easy_reset: fix dohfor_mid member
• ECH: reference the OpenSSL ECH feature branch
• etag-save.md: mention how using both options is a good idea
• eventfd: fix feature guards
• ftp: fix bug in failed init
• generate.bat: exclude curlinfo.c from legacy VS projects
• genserv.pl: fail with a message if `openssl` is missing or failing
• headers: enforce a max number of response header to accept
• headers: set an error message on illegal response headers
• hostip: fix build without threaded-resolver and without DoH
• hostip: show the correct name on proxy resolve error
• http2: fix stream window size after unpausing
• HTTP3.md: fix incorrect variable placeholders
• http: fix a build error when all auths are disabled
• http: fix HTTP/2 handling of TE request header using "trailers"
• http: in alt-svc negotiation only allow supported HTTP versions
• http_aws_sigv4: add additional verbose log statements
• http_chunks: narrow variable scope for 'trlen'
• http_negotiate: fix non-SSL build with GSSAPI
• https-connect: fix httpsrr target check
• HTTPSRR.md: clarify somewhat
• if2ip: build the function also if FTP is present
• imap: remove redundant condition
• INSTALL-CMAKE.md: fix typo
• INSTALL.md: update the minimal libcurl size example
• KNOWN_BUGS: fix link in sivg4 issue 16.3
• lib/src/docs/test: improve curl_easy_setopt() calls
• lib1560: use hex notation, drop non-ASCII exception
• lib: add const to clientwriter tables
• lib: drop curlx_getpid, use fake pid in SMB
• lib: include files using known path
• lib: make Curl_easyopts const
• lib: unify conversions to/from hex
• libcurl-tutorial.md: fix read callback explanation
• libssh: add NULL check for Curl_meta_get()
• libssh: fix memory leak
• libssh: remove a condition that always equals false
• libtest/first: stop defining MEMDEBUG_NODEFINES
• libtests: define CURL_DISABLE_DEPRECATION first
• make: clean tests better
• mbedtls: TLS 1.3 is max when mbedtls has 1.3 support
• metahash: add asserts to help analyzers
• mk-ca-bundle.pl: follow redirects
• mk-ca-bundle: switch URLs to GitHub versions
• mkhelp: fix to not generate a line-ending space in some cases
• mqtt: use conn/easy meta hash
• multi: do transfer book keeping using mid
• multi: init_do(): check result
• netrc: avoid NULL deref on weird input
• netrc: avoid strdup NULL
• netrc: deal with null token better
• ngtcp2: clarify ignoring of result
• openssl-quic: avoid potential `-Wnull-dereference`, add assert
• openssl-quic: fix printf mask
• openssl-quic: fix shutdown when stream not open
• openssl: enable builds for *both* engines and providers
• openssl: set the cipher string before doing private cert
• parsedate: provide Curl_wkday also for GnuTLS builds
• processhelp.pm: always call `taskkill` with `-f` (force)
• processhelp.pm: avoid potential endless loop, log more (Windows)
• progress: avoid integer overflow when gathering total transfer size
• pytest-xdist: pytest in parallel
• pytest: give parameterised tests better ids for read- and parsability
• pytest: make test_07_22 more lenient to exit codes
• quic: no local idle connection timeout, ngtcp2 keep-alive
• rand: update comment on Curl_rand_bytes weak random
• RELEASE-PROCEDURE.md: release candidate git tagging explained
• rtsp: remove redundant condition
• runtests: add retry option to reduce flakiness
• runtests: fix indentation
• runtests: recognize lowercase `windows` in `curl -V`
• runtests: remove server verification after start
• runtests: split `SSH_PWD` into `SCP_PWD` and `SFTP_PWD`, and more
• rustls: make max size of cert and key reasonable
• scripts: completion.pl: sort the completion file for all shells
• scripts: drop unused import, formatting
• scripts: fix --opts-dir help in completion.pl
• scripts: fix perl indentation, whitespace, semicolons
• sectransp: fix building for macOS Sierra and older
• setopt: provide info for CURLE_BAD_FUNCTION_ARGUMENT
• smb: avoid integer overflow on weird input date
• socket: use accept4 when available
• socketpair: support pipe2 where available
• spacecheck.pl: check for non-ASCII chars, fix fallouts
• spacecheck.pl: verify `tests/data/test*` for non-ASCII chars
• src: drop strcase.[ch] from tool builds
• src: include memdebug.h consistently with angle brackets <>
• src: rename curlx_safefree to tool_safefree
• test1173.pl: whitelist some option-looking names that aren't options
• test1658: add unit test for the HTTPS RR decoder
• test: make unittest 1308 into a libtest
• tests/ech_tests.sh: sync shebang with rest of bash scripts
• tests/FILEFORMAT.md: clarify %hex[] formatting
• tests/FILEFORMAT.md: document the aws feature
• tests/README.md: document --test-duphandle
• tests/README.md: list the openssl tool among the prerequisites
• tests/server/dnsd: basic DNS server for test suite
• tests/server: check for `stream != NULL` in mqttd
• tests/server: fix typo in comment
• tests/server: stop using libcurl string comparisons
• tests/server: stop using libcurl's printf functions
• tests/serverhelp: remove last remnants of http-pipe server
• tests/tunit: make a separate directory for tool-based unit tests
• tests: add aws feature to the related tests
• tests: Add https-mtls server to force client auth
• tests: fix some test tag mismatches
• tests: mark ipfs tests to require ipfs
• tests: move a boolean variable out of the path section
• tests: prefer `--insecure` over `-k`
• tests: provide all non-ascii data hex encoded
• tests: remove some unused test case sections
• tests: require IPv6 for 1265, 1324, 2086
• tests: separate tunit tests from unit tests more
• tests: stop using libcurl's strdup
• tests: unify test case keywords
• tests: use a more portable null device path
• TODO: remove "nicer lacking perl message"
• tool_cb_write.c: handle EINTR on flush
• tool_getparam: clear argument only when needed
• tool_operate: when retrying, only truncate regular files
• tool_paramhlp: avoid integer overflow in secs2ms()
• tool_parsecfg: make get_line handle lines ending on the buffer boundary
• typecheck-gcc.h: fix the typechecks
• urlapi: redirecting to "" is considered fine
• urlapi: remove unneeded guards around PUNY2IDN
• VERSIONS: list all past releases
• vquic: consistent name for the stream struct across backends
• vquic: init for every call to recvmsg
• vtls: avoid NULL deref on bad PEM input
• vtls: fix build with ssl but without http
• VULN-DISCLOSURE-POLICY: use of weak algos
• winbuild: add the deprecation warning to the README
• winbuild: curl_get_line is not used for tool builds
• wolfssl: fix to enable ALPN when available
• ws: fix the header replace check
• ws: store protocol context as connection meta data

Contributors:

Abhinav Singhal, Andreas Westin, Andrei Florea, Andrew Kirillov, Andy Pan, antypanty on hackerone, Arian van Putten, bo0tzz on github, Bo Anderson, Brendan Dolan-Gavitt, Brian Chrzanowski, bruce.yoon, bsr13 on hackerone, calvin2021y on github, Calvin Ruocco, Carlos Henrique Lima Melara, Christian Schmitz, Christoph Jabs, Cole Helbling, Corinna Brandt, Dagobert Michelsen, Dan Fandrich, Daniel Engberg, Daniel Fosco, Daniel McCarney, Daniel Stenberg, Demi Marie Obenour, dependabot[bot], Dirk Feytons, epicmkirzinger on github, Eric Knibbe, Fujii Hironori, gkarracer on github, Gordon Parke, Graham Christensen, Harry Sintonen, Helmut Grohne, Hiroki Kurosawa, Int64x86 on github, Jacob Mealey, Jake Yuesong Li, James Fuller, Jean-Christophe Amiel, Jimmy Sjölund, Jixinqi, Jochen Sprickerhof, Joe Cise, Joel Depooter, Johan Eliasson, John Bampton, John Haugabook, Jonathan Rosa, Kai Pastor, kkalganov on github, Maksim Ściepanienka, Manuel Strehl, Marius Kleidl, Mathieu Garaud, Max Eliaser, mschroeder-fzj on github, NeimadTL, Niall O'Reilly, Nigel Brittain, Nils Goroll, Pavel Kropachev, PleaseJustDont, Rasmus Melchior Jacobsen, Ray Satiro, renovate[bot], Samuel Henrique, Sarah Gooding, sbernatsky on github, Sergey, Sören Tempel, Stefan Eissing, Stephen Farrell, Tal Regev, Thomas Klausner, Tomas Volf, Travis Lane, Viktor Szakats, wolfsage on hackerone, x1sc0 on github, xiadnoring on github, Yedaya Katsman, zopsicle on github