                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 8.4.0 (11 Oct 2023)

Daniel Stenberg (11 Oct 2023)

- RELEASE-NOTES: synced

- THANKS: add contributors from 8.4.0

Jay Satiro (11 Oct 2023)

- socks: return error if hostname too long for remote resolve

  Prior to this change the state machine attempted to change the remote
  resolve to a local resolve if the hostname was longer than 255
  characters. Unfortunately that did not work as intended and caused a
  security issue.

  Bug: https://curl.se/docs/CVE-2023-38545.html

Stefan Eissing (10 Oct 2023)

- CI: remove slowed-network tests

  - remove these tests as they are currently not reliable in our CI
    setups.

  curl handles the test cases, but CI sometimes fails on these due to
  additional conditions. Rather than mix them in, an additional CI job
  will be added in the future that is specific to them.

  Closes https://github.com/curl/curl/pull/12075

Jay Satiro (10 Oct 2023)

- libcurl-env-dbg.3: move debug variables from libcurl-env.3

  - Move documentation of libcurl environment variables used only in debug
    builds from libcurl-env into a separate document libcurl-env-dbg.

  - Document more debug environment variables.

  Previously undocumented or missing a description:

  CURL_ALTSVC_HTTP, CURL_DBG_SOCK_WBLOCK, CURL_DBG_SOCK_WPARTIAL,
  CURL_DBG_QUIC_WBLOCK, CURL_DEBUG, CURL_DEBUG_SIZE, CURL_GETHOSTNAME,
  CURL_HSTS_HTTP, CURL_FORCETIME, CURL_SMALLREQSEND, CURL_SMALLSENDS,
  CURL_TIME.

  Closes https://github.com/curl/curl/pull/11811

Dan Fandrich (9 Oct 2023)

- test670: increase the test timeout

  This should make it more immune to loaded servers.

  Ref: #11328

Stefan Eissing (9 Oct 2023)

- MQTT: improve receive of ACKs

  - add `mq->recvbuf` to provide buffering of incomplete
    ACK responses
  - continue ACK reading until sufficient bytes available
  - fixes test failures on low network receives

  Closes #12071

Viktor Szakats (9 Oct 2023)

- quic: fix BoringSSL build

  Add guard around `SSL_CTX_set_ciphersuites()` use.

  Bug: https://github.com/curl/curl/pull/12065#issuecomment-1752171885

  Follow-up to aa9a6a177017e4b74d33cdf85a3594900f4a7f81

  Co-authored-by: Jay Satiro
  Reviewed-by: Daniel Stenberg
  Closes #12067

Stefan Eissing (9 Oct 2023)

- test1540: improve reliability

  - print that bytes have been received on pausing, but not how many

  Closes #12069

- test2302: improve reliability

  - make result print collected write data, unless
    change in meta flags is detected
  - will show same result even when data arrives via
    several writecb invocations

  Closes #12068

Daniel Stenberg (9 Oct 2023)

- curl_easy_pause: set "in callback" true on exit if true

  Because it might have called another callback in the mean time that then
  set the bit FALSE on exit.

  Reported-by: Jay Satiro
  Fixes #12059
  Closes #12061

Viktor Szakats (8 Oct 2023)

- h3: add support for ngtcp2 with AWS-LC builds

  ```
  curl 8.4.0-DEV (x86_64-apple-darwin) libcurl/8.4.0-DEV (SecureTransport) AWS-
  LC/1.15.0 nghttp2/1.56.0 ngtcp2/0.19.1 nghttp3/0.15.0
  Release-Date: [unreleased]
  Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps
   mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
  Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile Multi
  SSL NTLM SSL threadsafe UnixSockets
  ```

  Also delete an obsolete GnuTLS TODO and update the header comment in
  `FindNGTCP2.cmake`.

  Reviewed-by: Daniel Stenberg
  Closes #12066

- build: do not publish `HAVE_BORINGSSL`, `HAVE_AWSLC` macros

  Syncing this up with CMake.

  Source code uses the built-in `OPENSSL_IS_AWSLC` and
  `OPENSSL_IS_BORINSSL` macros to detect BoringSSL and AWS-LC. No help is
  necessary from the build tools.

  The one use of `HAVE_BORINGSSL` in the source turned out to be no longer
  necessary for warning-free BoringSSL + Schannel builds. Ref: #1610 #2634

  autotools detects this anyway for display purposes.
  CMake detects this to decide whether to use the BoringSSL-specific
  crypto lib with ngtcp2. It detects AWS-LC, but doesn't use the detection
  result just yet (planned in #12066).

  Ref: #11964

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro
  Closes #12065

Marc Hoersken (8 Oct 2023)

- CI: move distcheck job from Azure Pipelines to GitHub Actions

  This will allow for more trigger excludes within Azure Pipelines.

  Also fixes seemingly broken check with scripts/installcheck.sh.
  Ref: 190374c74ec4e5247d9066544c86e8d095e1d7b5

  Assisted-by: Philip Heiduck
  Closes #9532

Daniel Stenberg (8 Oct 2023)

- url: fall back to http/https proxy env-variable if ws/wss not set

  Reported-by: Craig Andrews
  Fixes #12031
  Closes #12058

Stefan Eissing (8 Oct 2023)

- cf-socket: simulate slow/blocked receives in debug

  add 2 env variables for non-UDP sockets:
  1. CURL_DBG_SOCK_RBLOCK: percentage of receive calls that randomly
     should return EAGAIN
  2. CURL_DBG_SOCK_RMAX: max amount of bytes read from socket

  Closes #12035

- http2: refused stream handling for retry

  - answer HTTP/2 streams refused via a GOAWAY from the server to
    respond with CURLE_RECV_ERROR in order to trigger a retry
    on another connection

  Reported-by: black-desk on github
  Ref #11859
  Closes #12054

Jay Satiro (8 Oct 2023)

- CURLOPT_DEBUGFUNCTION.3: warn about internal handles

  - Warn that the user's debug callback may be called with the handle
    parameter set to an internal handle.

  Without this warning the user may assume that the only handles their
  debug callback receives are the easy handles on which they set
  CURLOPT_DEBUGFUNCTION.

  This is a follow-up to f8cee8cc which changed DoH handles to inherit
  the debug callback function set in the user's easy handle. As a result
  those handles are now passed to the user's debug callback function.

  Closes https://github.com/curl/curl/pull/12034

- url: fix typo

Daniel Stenberg (8 Oct 2023)

- test458: verify --expand-output, expanding a file name accepting option

  Verifies the fix in #12055 (commit f2c8086ff15e6e995e1)

- tool_getparam: accept variable expansion on file names too

  Reported-by: PBudmark on github
  Fixes #12048
  Closes #12055

- RELEASE-NOTES: synced

- multi: do CURLM_CALL_MULTI_PERFORM at two more places

  ... when it does a state transition but there is no particular socket or
  timer activity. This was made apparent when commit b5bb84c removed a
  superfluous timer expiry.

  Reported-by: Dan Fandrich.
  Fixes #12033
  Closes #12056

Viktor Szakats (7 Oct 2023)

- GHA/linux: mbedtls 3.5.0 + minor dep bumps

  Closes #12057

Dan Fandrich (7 Oct 2023)

- CI: bump OpenLDAP package version on FreeBSD

  The old one is no longer available.

Marc Hoersken (7 Oct 2023)

- docs/libcurl/opts/Makefile.inc: add missing manpage files

  Detected with #9532

Dan Fandrich (7 Oct 2023)

- tests: fix a race condition in ftp server disconnect

  If a client disconnected and reconnected quickly, before the ftp server
  had a chance to respond, the protocol message/ack (ping/pong) sequence
  got out of sync, causing messages sent to the old client to be delivered
  to the new.  A disconnect must now be acknowledged and intermediate
  requests thrown out until it is, which ensures that such synchronization
  problems can't occur. This problem could affect ftp, pop3, imap and smtp
  tests.

  Fixes #12002
  Closes #12049

Viktor Szakats (7 Oct 2023)

- appveyor: bump mingw-w64 job to gcc 13 (was: 8)

  This sets gcc 6, 7, 9, 13 in our test mix (was: 6, 7, 8, 9).
  Adding a modern gcc version to the tests.

  (The gcc 8 job used to take around 50 minutes. The new image with gcc 13
  finished in 32, 35, 34 minutes in the 3 test runs so far.)

  It also adds a modern CMake version and OS env to our mingw-w64 builds.

  Closes #12051

David Benjamin (6 Oct 2023)

- openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR

  While the struct is still public in OpenSSL, there is a (somewhat
  inconvenient) accessor. Use it to remain compatible if it becomes opaque
  in the future.

  Closes #12038

Daniel Stenberg (6 Oct 2023)

- curl_easy_pause.3: mention it works within callbacks

  Reported-by: Maxim Dzhura
  Bug: https://curl.se/mail/lib-2023-10/0010.html
  Closes #12046

- curl_easy_pause.3: mention h2/h3 buffering

  Asked-by: Maxim Dzhura
  Ref: https://curl.se/mail/lib-2023-10/0011.html

  Closes #12045

Viktor Szakats (6 Oct 2023)

- cmake: re-add missed C89 headers for specific detections

  We removed C89 `setjmp.h` and `signal.h` detections and excluded them
  from the global header list we use when detecting functions [1]. Then
  missed to re-add these headers to the specific functions which need
  them to be detected [2]. Fix this omission in this patch.

  [1] Follow-up to 3795fcde995d96db641ddbcc8a04f9f0f03bef9f #11951
  [2] Follow-up to 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940

  Closes #12043

Daniel Stenberg (6 Oct 2023)

- multi: set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE

  Since there is nothing to wait for there. Avoids the test 1233 hang
  reported in #12033.

  Reported-by: Dan Fandrich
  Closes #12042

Dan Fandrich (5 Oct 2023)

- test1903: actually verify the cookies after the test

  The test otherwise could do just about anything (except leak memory in
  debug mode) and its bad behaviour wouldn't be detected. Now, check the
  resulting cookie file to ensure the cookies are still there.

  Closes #12041

- test: add missing <feature>s

  The tests will otherwise fail if curl has them disabled.

- test1906: set a lower timeout since it's hit on Windows

  msys2 builds actually hit the connect timeout in normal operation, so
  lower the timeout from 5 minutes to 5 seconds to reduce test time.

  Ref: #11328
  Closes #12036

Daniel Stenberg (5 Oct 2023)

- RELEASE-NOTES: synced

Jay Satiro (5 Oct 2023)

- idn: fix WinIDN null ptr deref on bad host

  - Return CURLE_URL_MALFORMAT if IDN hostname cannot be converted from
    UTF-8 to UTF-16.

  Prior to this change a failed conversion erroneously returned CURLE_OK
  which meant 'decoded' pointer (what would normally point to the
  punycode) would not be written to, remain NULL and be dereferenced
  causing an access violation.

  Closes https://github.com/curl/curl/pull/11983

Dan Fandrich (4 Oct 2023)

- tests: close the shell used to start sshd

  This shell isn't needed once sshd starts, so use "exec" so it doesn't
  stick around.

  Closes #12032

Daniel Stenberg (4 Oct 2023)

- base64: also build for curl

  Since the tool itself now uses the base64 code using the curlx way, it
  needs to build also when the tool needs it. Starting now, the tool build
  defines BULDING_CURL to allow lib-side code to use it.

  Follow-up to 2e160c9c6525

  Closes #12010

Eduard Strehlau (4 Oct 2023)

- tests: Fix zombie processes left behind by FTP tests.

  ftpserver.pl correctly cleans up spawned server processes,
  but forgets to wait for the shell used to spawn them.
  This is barely noticeable during a normal testrun,
  but causes process exhaustion and test failure
  during a complete torture run of the FTP tests.

  Fixes #12018
  Closes #12020

Dan Fandrich (4 Oct 2023)

- github/labeler: improve labeler matches

- test574: add a timeout to the test

  This one hangs occasionally, so this will speed up a test run and allow
  logs to be seen when it does.

  Closes #12025

- tests: propagate errors in libtests

  Use the test macros to automatically propagate some errors, and check
  and log others while running the tests. This can help in debugging
  exactly why a test has failed.

- tests: set --expect100-timeout to improve test reliability

  On an overloaded server, the default 1 second timeout can go by without
  the test server having a chance to respond with the expected headers,
  causing tests to fail. Increase the 1 second timeout to 99 seconds so
  this failure mode is no longer a problem on test 1129. Some other tests
  already set a high value, but make them consistently 99 seconds so if
  something goes wrong the test is stalled for less time.

  Ref: #11328

- CI: ignore the "flaky" and "timing-dependent" test results in CMake

  This was already done for automake builds but CMake builds were missed.
  Test 1086 actually causes the test harness to crash with:

  Warning: unable to close filehandle DWRITE properly: Broken pipe at C:/projec
  ts/curl/tests/ftpserver.pl line 527

  Rather than fix it now, this change leaves test 1086 entirely skipped on
  those builds that show this problem.

  Follow-up to 589dca761

  Ref: #11865

Viktor Szakats (4 Oct 2023)

- cmake: improve OpenLDAP builds

  - cmake: detect OpenLDAP based on function `ldap_init_fd`.
    autotools does this. autotools also publishes this detection result
    in `HAVE_LDAP_INIT_FD`. We don't mimic that with CMake as the source
    doesn't use this value. (it might need to be remove-listed in
    `scripts/cmp-config.pl` for future OpenLDAP test builds.)
    This also deletes existing self-declaration method via the
    CMake-specific `CURL_USE_OPENLDAP` configuration.

  - cmake: define `LDAP_DEPRECATED=1` for OpenLDAP.
    Like autotools does. This fixes a long list of these warnings:
    ```
    /usr/local/opt/openldap/include/ldap.h:1049:5: warning: 'LDAP_DEPRECATED' i
  s not defined, evaluates to 0 [-Wundef]
    ```

  - cmake: delete LDAP TODO comment no longer relevant.

  Also:

  - autotools: replace domain name `dummy` with `0.0.0.0` in LDAP feature
    detection functions.

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #12024

- cmake: fix unity builds for more build combinations

  By using unique static function/variable names in source files
  implementing these interfaces.

  - OpenLDAP combined with any SSH backend.

  - MultiSSL with mbedTLS, OpenSSL, wolfSSL, SecureTransport.

  Closes #12027

Daniel Stenberg (4 Oct 2023)

- tests: remove leading spaces from some tags

  The threee tags `<name>`, `</name>` and `<command>` were frequently used
  with a leading space that this removes. The reason this habbit is so
  widespread in testcases is probably that they have been copy and pasted.

  Hence, fixing them all now might curb this practice from now on.

  Closes #12028

Viktor Szakats (4 Oct 2023)

- GHA: bump actions/checkout

  Follow-up to 2e0fa50fc16b9339f51e0a7bfff0352829323acb #11964
  Follow-up to c39585d9b7ef3cbfc1380812dec60e7b275b6af3 #12000

  Closes #12023

- spelling: fix codespell 2.2.6 typos

  Closes #12019

Daniel Stenberg (3 Oct 2023)

- GHA: add workflow to compare configure vs cmake outputs

  Uses scripts/cmp-config.pl two compare two curl_config.h files,
  presumbly generated with configure and cmake. It displays the
  differences and filters out a lot of known lines we ignore.

  The script also shows the matches that were *not* used. Possibly
  subjects for removal.

  Closes #11964

- appveyor: enable test 571

  Follow-up from 8a940fd55c175f7 / #12013

  Closes #12017

Viktor Szakats (3 Oct 2023)

- build: alpha-sort source files for lib and src

  Closes #12014

- cmake: delete old `HAVE_LDAP_URL_PARSE` logic

  Left there by accident after adding proper detection for this.

  Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #12015

Stefan Eissing (3 Oct 2023)

- tests: increase lib571 timeout from 3s to 30s

  - 3s is too short for our CI, making this test fail occasionally
  - test usually experiences no delay run locally, so 30s wont hurt

  Closes #12013

Viktor Szakats (3 Oct 2023)

- cmake: fix unity with Windows Unicode + TrackMemory

  Found the root cause of the startup crash in unity builds with Unicode
  and TrackMemory enabled at the same time.

  We must make sure that the `memdebug.h` header doesn't apply to
  `lib/curl_multibyte.c` (as even noted in a comment there.) In unity
  builds all headers apply to all sources, including `curl_multibyte.c`.
  This probably resulted in an infinite loop on startup.

  Exclude this source from unity compilation with TrackMemory enabled,
  in both libcurl and curl tool. Enable unity mode for a debug Unicode
  CI job to keep it tested. Also delete the earlier workaround that
  fully disabled unity for affected builds.

  Follow-up to d82b080f6374433ce7c98241329189ad2d3976f8 #12005
  Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095

  Closes #11928

- cmake: disable unity mode with Windows Unicode + TrackMemory

  "TrackMemory" is `ENABLE_DEBUG=ON` (aka `ENABLE_CURLDEBUG=ON`,
  aka `-DCURLDEBUG`).

  There is an issue with memory tracking and Unicode when built in "unity"
  mode, which results in the curl tool crashing right on startup, even
  without any command-line option. Interestingly this doesn't happen under
  WINE (at least on the system I tested this on), but consistenly happens
  on real Windows machines. Crash is 0xC0000374 heap corruption. Both
  shared and static curl executables are affected.

  This limitation probably won't hit too many people, but it remains
  a TODO to find and fix the root cause and drop this workaround.

  Example builds and runs:
  https://ci.appveyor.com/project/curlorg/curl/builds/48169111/job/17cptxhtpubd
  7iwj#L313 (static)
  https://ci.appveyor.com/project/curlorg/curl/builds/48169111/job/76e1ge758tby
  qu9c#L317 (shared)

  Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095

  Ref: #11928
  Closes #12005

- cmake: tidy-up `NOT_NEED_LBER_H` detection

  Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006

- appveyor: rewrite batch in PowerShell + CI improvements

  1. Rewrite in PowerShell:

  - rewrite MS-DOS batch build script in PowerShell.
  - move some bash operations into native PowerShell.
  - fixups for PowerShell insisting on failure when a command outputs
    something to stderr.
  - fix to actually run `curl -V` after every build.
    (and exclude ARM64 builds.)
  - also say why we skipped `curl -V` if we had to skip.
  - fix CMake warnings about unused configuration variables, by adapting
    these dynamically for build cases.
  - dedupe OpenSSL path into a variable.
  - disable `test1451` failing with a warning anyway due to missing python
    impacket. (after trying and failing to install impacket)
    PowerShell promotes these warnings to errors by PowerShell. We can also
    suppress they wholesale if they start causing issues in the future,
    like we already to with `autoreconf` and `./configure`.

  PowerShell is better than MS-DOS batches, so the hope is this makes it
  easier to extend and maintain the AppVeyor build logic. POSIX/bash isn't
  supported inline by AppVeyor on Windows build machines, but we are okay
  to keep it in an external script, so it's also an option.

  2. CI improvements:

  - enable tests for a "unity" build job.
  - speed-up CI initialization by using shallow clones of the curl repo.
  - speed-up CMake MSVC jobs with `TrackFileAccess=false`.
  - enable parallelism in `VisualStudioSolution` builds.
  - display CMake version before builds.
  - always show the CPU in job names.
  - tell which jobs are build-only in job names.
  - move `TESTING:` value next to `DISABLED_TESTS:` in two jobs.
  - add `config.log` (autotools) to dumped logs (need to enable manually).

  3. Style:

  - use single-quotes in YAML like we do in other CI YAML files.
    It also allows to drop quoting characters and lighter to write/read.
    (keep double quotes for PowerShell strings needing expansion.)

  Closes #11999

- cmake: fix `HAVE_LDAP_SSL`, `HAVE_LDAP_URL_PARSE` on non-Windows

  - set `HAVE_LDAP_URL_PARSE` if `ldap_url_parse` function exists.
    Before this patch we set it based it on the presence of `stricmp`,
    which correctly enabled it on e.g. Windows, but was inaccurate for
    other platforms.

  - always set `HAVE_LDAP_SSL` if an LDAP backend is detected and
    LDAPS is not explicitly disabled. This mimics autotools behaviour.
    Previously we set it only for Windows LDAP. After this fix, LDAPS is
    correctly enabled in default macOS builds.

  - enable LDAP[S] for a CMake macOS CI job. Target OS X 10.9 (Mavericks)
    to avoid deprecation warnings for LDAP API.

  - always detect `HAVE_LDAP_SSL_H`, even with LDAPS explicitly disabled.
    This doesn't make much sense, but let's do it to sync behaviour with
    autotools.

  - fix benign typo in variable name.

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #12006

- autotools: restore `HAVE_IOCTL_*` detections

  This restores `CURL_CHECK_FUNC_IOCTL` detection. I deleted it in
  4d73854462f30948acab12984b611e9e33ee41e6 and
  c3456652a0c72d1845d08df9769667db7e159949 (2022-08), because the
  `HAVE_IOCTL` result it generated was unused in the source. But,
  I did miss the fact that this had two dependent checks:
  `CURL_CHECK_FUNC_IOCTL_FIONBIO`,
  `CURL_CHECK_FUNC_IOCTL_SIOCGIFADDR` that we do actually need:
  `HAVE_IOCTL_FIONBIO`, `HAVE_IOCTL_SIOCGIFADDR`.

  Regression from 4d73854462f30948acab12984b611e9e33ee41e6

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #12008

Daniel Stenberg (2 Oct 2023)

- RELEASE-PROCEDURE.md: updated coming release dates

- RELEASE-NOTES: synced

Viktor Szakats (1 Oct 2023)

- cmake: pre-cache `HAVE_POLL_FINE` on Windows

  Windows doesn't support `poll()`, so we can safely skip checking for
  fine poll.

  Closes #12003

- gha: bump actions to latest versions

  - actions@checkout@v4 (from v3 and v2)

  - fsfe/reuse-action@v2 (from v1)

  Closes #12000

Stefan Eissing (30 Sep 2023)

- h2: testcase and fix for pausing h2 streams

  - refs #11982 where it was noted that paused transfers may
    close successfully without delivering the complete data
  - made sample poc into tests/http/client/h2-pausing.c and
    added test_02_27 to reproduce

  Closes #11989
  Fixes #11982
  Reported-by: Harry Sintonen

Viktor Szakats (30 Sep 2023)

- cmake: validate `CURL_DEFAULT_SSL_BACKEND` config value

  Before this patch CMake builds accepted any value and it was used at
  runtime as-is. This patch make sure that the selected default backend
  is also enabled in the build. It also enforces a full lowercase value.

  This improves reproducibility and brings CMake in sync with autotools
  which already worked like described above.

  Follow-up to 26c7feb8b9d51a57fab3325571b4bbfa03b11af0 #11774

  Closes #11998

- autotools: adjust `CURL_CA_PATH` value to CMake

  autotools was using the same value as CMake, but with an ending
  slash. Delete the ending slash to match configurations.

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #11997

- cmake: detect `sys/wait.h` and `netinet/udp.h`

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #11996

Daniel Stenberg (30 Sep 2023)

- lib: provide and use Curl_hexencode

  Generates a lower case ASCII hex output from a binary input.

  Closes #11990

- configure: check for the capath by default

  ... if the chosen TLS backend supports it: OpenSSL, GnuTLS, mbedTLS or wolfSS
  L

  cmake: synced

  Assisted-by: Viktor Szakats
  Closes #11987

- wolfssl: ignore errors in CA path

  The default wolfSSL_CTX_load_verify_locations() function is quite picky
  with the certificates it loads and will for example return error if just
  one of the certs has expired.

  With the *_ex() function and its WOLFSSL_LOAD_FLAG_IGNORE_ERR flag, it
  behaves more similar to what OpenSSL does by default.

  Even the set of default certs on my Debian unstable has several expired
  ones.

  Assisted-by: Juliusz Sosinowicz
  Assisted-by: Michael Osipov

  Closes #11987

- create-dirs.d: clarify it also uses --output-dirs

  Reported-by: Robert Simpson
  Fixes #11991
  Closes #11995

Viktor Szakats (30 Sep 2023)

- appveyor: fix yamlint issues, indent

  Also:
  - use double quotes in all batch if statements.

  Closes #11994

- cmake: detect `HAVE_CLOCK_GETTIME_MONOTONIC_RAW`

  Based on existing autotools logic.

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #11981

- cmake: detect `HAVE_GETADDRINFO_THREADSAFE`

  Based on existing autotools logic.

  autotools checks for old versions of the allowlisted target OSes and
  disables this feature when seeing them. In CMake we assume we're running
  on newer systems and enable regardless of OS version.

  autotools always runs all 3 probes for non-fast-tracked systems and
  enables this feature if any one of them was successful. To save
  configuration time,  CMake stops at the first successful check.

  OpenBSD is not fast-tracked and then gets blocklisted as a generic BSD
  system. I haven't double-checked if this is correct, but looks odd.

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #11979

- cmake: fix `HAVE_WRITABLE_ARGV` detection

  Move detection before the creation of detection results in
  `curl_config.h`.

  Ref: #11964 (effort to sync cmake detections with autotools)

  Closes #11978

- appveyor: minor improvements

  - run `curl -V` after builds to see if they run and with what features.
    Except for one job where a CRT DLL is missing. And ARM64 which should
    fail, but is silently not launched instead.

  - copy libcurl DLL next to curl tool and tests binaries in shared mode.
    This makes it possible to run the tests. (We don't run tests after
    these builds yet.)

  - list the DLLs and EXEs present after the builds.

  - add `DEBUG` variable for CMake builds to allow disabling it, for
    testing non-debug builds. (currently enabled for all)

  - add commented lines that dump CMake configuration logs for debugging
    build/auto-detection issues.

  - add gcc version to jobs where missing.

  - switch a job to the native MSYS2 mingw-w64 toolchain. This adds gcc 9
    to the build mix.

  - make `SHARED=OFF` and `OPENSSL=OFF` defaults global.

  - delete a duplicate backslash.

  Closes #11976

- configure: replace adhoc domain with `localhost` in tests

  Reviewed-by: Daniel Stenberg
  Closes #11988

- tidy-up: use more example domains

  Also make use of the example TLD:
  https://en.wikipedia.org/wiki/.example

  Reviewed-by: Daniel Stenberg
  Closes #11992

Dan Fandrich (29 Sep 2023)

- runtests: display the test status if tests appear hung

  It sometimes happens that a test hangs during a test run and never
  returns. The test harness will wait indefinitely for the results and on
  CI servers the CI job will eventually be killed after an hour or two.
  At the end of a test run, if results haven't come in within a couple of
  minutes, display the status of all test runners and what tests they're
  running to help in debugging the problem.

  This feature is really only kick in with parallel testing enabled, which
  is fine because without parallel testing it's usually easy to tell what
  test has hung.

  Closes #11980

- github/labeler: remove workaround for labeler

  This was added due to what seemed to be a bug regarding the sync-labels:
  config option, but it looks like it wasn't necessary.

  Follow-up to b2b0534e7

Viktor Szakats (29 Sep 2023)

- docs: upgrade an URL to HTTPS in `BINDINGS.md` [ci skip]

Daniel Stenberg (29 Sep 2023)

- docs: replace made up domains with example.com

  in FAQ and MANUAL.md

  - example.com was made for this purpose.

  - reduces the risk that one of those domains suddenly start hosting
    something nasty and we provide links to them

  Closes #11986

Michael Osipov (29 Sep 2023)

- acinclude.m4: Document proper system truststore on FreeBSD

  The default system truststore on FreeBSD has been /etc/ssl/certs for many
  years now. It is managed canonically through certctl(8) and contains hashed
  symlinks for OpenSSL and other TLS providers.
  The previous ones require security/ca_root_nss which might not be installed o
  r
  will not contain any custom CA certificates.

  Closes #11985

Daniel Stenberg (29 Sep 2023)

- FAQ: How do I upgrade curl.exe in Windows?

  This is a growing question, better answer it here to get somewhere to
  point users to.

  Closes #11984

Viktor Szakats (28 Sep 2023)

- cmake: pre-cache `HAVE_BASENAME` for mingw-w64 and MSVC

  `basename` is present in mingw-w64, missing from MSVC. Pre-cache
  accordingly to make configure faster.

  Notice that `basename` has a bug so we later disable it even with
  mingw-w64:
  https://github.com/curl/curl/blob/781242ffa44a9f9b95b6da5ac5a1bf6372ec6257/li
  b/curl_setup.h#L820-L825

  Closes #11974

Daniel Stenberg (28 Sep 2023)

- cmake: add missing checks

  - check for arc4random. To make rand.c use it accordingly.
  - check for fcntl
  - fix fseek detection
  - add SIZEOF_CURL_SOCKET_T
  - fix USE_UNIX_SOCKETS
  - define HAVE_SNPRINTF to 1
  - check for fnmatch
  - check for sched_yield
  - remove HAVE_GETPPID duplicate from curl_config.h
  - add HAVE_SENDMSG

  Ref: #11964

  Co-authored-by: Viktor Szakats
  Closes #11973

- configure: remove unused checks

