                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.36.0 (26 Mar 2014)

Daniel Stenberg (26 Mar 2014)
- RELEASE-NOTES: 7.36.0

- [Richard J. Moore brought this change]

  test1397: unit test for certificate name wildcard handling

- Curl_cert_hostcheck: strip trailing dots in host name and wildcard
  
  Reported-by: Richard Moore

- Curl_cert_hostcheck: reject IP address wildcard matches
  
  There are server certificates used with IP address in the CN field, but
  we MUST not allow wild cart certs for hostnames given as IP addresses
  only. Therefore we must make Curl_cert_hostcheck() fail such attempts.
  
  Bug: http://curl.haxx.se/docs/adv_20140326B.html
  Reported-by: Richard Moore

- [Steve Holme brought this change]

  url: Fixed connection re-use when using different log-in credentials
  
  In addition to FTP, other connection based protocols such as IMAP, POP3,
  SMTP, SCP, SFTP and LDAP require a new connection when different log-in
  credentials are specified. Fixed the detection logic to include these
  other protocols.
  
  Bug: http://curl.haxx.se/docs/adv_20140326A.html

- THANKS: 14 new friends from the 7.36.0 announcement

- RELEASE-NOTES: synced with 3ebfaf6a0399b6a

Steve Holme (23 Mar 2014)
- tool_operate: Fixed uninitialised variable under some error situations
  
  For example when a URL is not specified or the headers file fails to
  open.

- tool_parsecfg: Reworked error handling from commit fc59a9e1

- tool_getparam: Removed "dead assignment" code introduced in commit 1a9b58fc

Daniel Stenberg (22 Mar 2014)
- [Gisle Vanem brought this change]

  polarssl: avoid extra newlines in debug messages
  
  The debug messages printed inside PolarSSL always seems to end with a
  newline. So 'infof()' should not add one. Besides the trace 'line'
  should be 'const'.

- rtsp: parse "Session:" header properly
  
  The parser skipped the initial letter, which presumably often is
  whitespace but doesn't have to be.
  
  Reported-by: Mike Hasselberg
  Bug: http://curl.haxx.se/mail/lib-2014-03/0134.html

- runtests.pl: verify specified test cases
  
  To better allow arguments like "1 to 9999" without flooding the terminal
  with error messages, the given test cases range is now checked and only
  test numbers with existing files are actually run.

Dan Fandrich (19 Mar 2014)
- RELEASE-NOTES: fixed typo

Daniel Stenberg (19 Mar 2014)
- trynextip: don't store 'ai' on failed connects...
  
  It leads to the "next family" tries starting from the wrong point and thus
  fails!
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1337
  Reported-by: ricker

- RELEASE-NOTES: synced with 47f8e99e78c

- [Gaël PORTAY brought this change]

  polarssl: fix possible handshake timeout issue in multi.
  
  Because of the socket is unblocking, PolarSSL does need call to getsock to
  get the action to perform in multi environment.
  
  In some cases, it might happen we have not received yet all data to perform
  the handshake. ssh_handshake returns POLARSSL_ERR_NET_WANT_READ, the state
  is updated but because of the getsock has not the proper #define macro to,
  the library never prevents to select socket for input thus the socket will
  never be awaken when last data is available. Thus it leads to timeout.

- [Gaël PORTAY brought this change]

  polarssl: break compatibility with version older than 1.3.
  
  Remove all #ifdef/else/endif macros that ensure compatibility with polarssl
  version previous than 1.3.

- [Gaël PORTAY brought this change]

  polarssl: drop use of 1.2 compatibility header.
  
  API has changed since version 1.3. A compatibility header has been created
  to ensure forward compatibility for code using old API:
   * x509 certificate structure has been renamed to from x509_cert to
     x509_crt
   * new dedicated setter for RSA certificates ssl_set_own_cert_rsa,
     ssl_set_own_cert is for generic keys
   * ssl_default_ciphersuites has been replaced by function
     ssl_list_ciphersuites()
  
  This patch drops the use of the compatibly header.

- polarssl: added missing end-of-comment from previous commit

- polarssl: now require 1.3.0+
  
  Also fixed a function name change in the version requirement bump

- [hasufell brought this change]

  polarssl: fix compilation
  
  Rename x509_cert to x509_crt and add "compat-1.2.h"
  include.
  This would still need some more thorough conversion
  in order to drop "compat-1.2.h" include.

Kamil Dudka (15 Mar 2014)
- nss: allow to enable/disable new AES GCM cipher-suites
  
  ... if built against a new enough version of NSS

- nss: allow to enable/disable new HMAC-SHA256 cipher-suites
  
  ... if built against a new enough version of NSS

- nss: do not enable AES cipher-suites by default
  
  ... but allow them to be enabled/disabled explicitly.  The default
  policy should be maintained at the NSS level.

Dan Fandrich (15 Mar 2014)
- tests: made the SASL modes separate keywords

- tests: added missing HTTP NTLM auth keywords
  
  Also, removed an unneeded strippart

- tests: disable valgrind on the remaining scp/sftp tests

- valgrind.supp: added another test 165 suppression
  
  This one seems to come and go as the optimizer decides how best
  to inline some functions.

- ssh: prevent a logic error that could result in an infinite loop

- docs: fixed a bunch of typos

- test640/1: add tests for --head with sftp and scp
  
  This option is currently rather useless with these protocols
  when no quote command is given, but it is valid.

- ssh: removed a redundant close state transition

- ssh: abort immediately on a header callback error

Daniel Stenberg (14 Mar 2014)
- chunked-encoding: provide a readable error string for chunked errors

- TODO: remove http2, we now have it

- [Tatsuhiro Tsujikawa brought this change]

  http2: free resources on disconnect
  
  ... and use Curl_safefree() instead of free()

- openssl: info massage with SSL version used
  
  Patch-by: byte_bucket

Steve Holme (9 Mar 2014)
- RELEASE-NOTES: Synced with 8ddda0e999

Daniel Stenberg (9 Mar 2014)
- README.http2: clarify the build prerequisites

- SSL-PROBLEMS: add "missing intermediate certificates" piece

- SSL-PROBLEMS: describes common curl+SSL problems

Nick Zitzmann (8 Mar 2014)
- docs: remove documentation on setting up krb4 support
  
  The information about building with Kerberos4 support was half a year out
  of date. We dropped support for that.

Daniel Stenberg (6 Mar 2014)
- ssh: fix compiler warning converting ssize_t to int

Dan Fandrich (6 Mar 2014)
- ssh: Fixed a style warning
  
  Also, combined a couple of #ifdef sections

- ssh: Pass errors from libssh2_sftp_read up the stack

Daniel Stenberg (6 Mar 2014)
- parse_remote_port: error out on illegal port numbers better

- remote_port: allow connect to port 0
  
  Port number zero is perfectly allowed to connect to. I moved to storing
  the remote port number in an int so that -1 means undefined and 0-65535
  can be used for legitimate port numbers.

- multi_runsingle: move timestamp into INIT
  
  Setting the TIMER_STARTSINGLE timestamp first in CONNECT has the
  drawback that for actions that go back to the CONNECT state, the time
  stamp is reset and for the multi_socket API there's no corresponding
  Curl_expire() then so the timeout logic gets wrong!
  
  Reported-by: Brad Spencer
  Bug: http://curl.haxx.se/mail/lib-2014-02/0036.html

- hostcheck: update comment after previous change

- hostcheck: Curl_cert_hostcheck is not used by NSS builds

- [Michael Osipov brought this change]

  configure: call it GSS-API
  
  ... since that’s how the RFC calls it.

- x509asn: moved out Curl_verifyhost from NSS builds
  
  ... as it isn't used then!

- NSS: avoid compiler warnings when built without http2 support

- [Jiri Malak brought this change]

  Rework Open Watcom make files to use standard Wmake features
  
  Remove slash/backslash problem, now only slashes are used,
  Wmake automaticaly translate slash/backslash to proper version or tools are not sensitive for it.
  Enable spaces in path.
  Use internal rm command for all host platforms
  Add error message if old Open Watcom version is used. Some old versions exhibit build problems for Curl latest version. Now only versions 1.8, 1.9 and 2.O beta are supported

- [Jiri Malak brought this change]

  parsedate: Fixed compilation warning
  
  Remove compilation message for platforms where size of long type
  is equal size of int type.

Steve Holme (2 Mar 2014)
- RELEASE-NOTES: Synced with 7fef4016de

- tool: Do not output libcurl source for the information only parameters
  
  Ensure a source file isn't generated for the following informational
  command line parameters when --libcurl is specified:
  
  --help, --manual, --version and --engine list
  
  As the output would only include a fairly empty looking main() function
  and a call to curl_easy_init() and curl_easy_cleanup() when performed
  with --engine list.

- tool: Fixed libcurl source output for multiple operations
  
  Correctly output libcurl source code that includes multiply operations
  as specified by --next. Note that each operation evaluates to a single
  curl_easy_perform() in source code form.
  
  Also note that the output could be optimised a little so global config
  options are only output once rather than per operation as is presently
  the case.

- tool_metalink.h: Fixed compilation warning
  
  warning: declaration of 'struct GlobalConfig' will not be visible
  outside of this function

- tool: Moved internal variable isatty to the global config

- tool_operate.c: Fixed compilation error
  
  incompatible types - from 'OperationConfig *' to 'GlobalConfig *'

- tool: Moved --libcurl to the global config

- tool: Moved --progress-bar to the global config

- tool: Moved --stderr to the global config

- transfer.c: Fixed non-HTTP2 builds from commit cde0cf7c5e

Daniel Stenberg (28 Feb 2014)
- [Tatsuhiro Tsujikawa brought this change]

  Fix bug that HTTP/2 hangs if whole response body is read with headers
  
  For HTTP/2, we may read up everything including responde body with
  header fields in Curl_http_readwrite_headers. If no content-length is
  provided, curl waits for the connection close, which we emulate it
  using conn->proto.httpc.closed = TRUE. The thing is if we read
  everything, then http2_recv won't be called and we cannot signal the
  HTTP/2 stream has closed. As a workaround, we return nonzero from
  data_pending to call http2_recv.

- http2: build with current nghttp2 version
  
  nghttp2 has yet again extended its callback struct and this is an
  attempt to make curl compile with nghttp2 from current git

Dan Fandrich (28 Feb 2014)
- tool_main: Fixed a memory leak on main_init error

Steve Holme (28 Feb 2014)
- test96: Updated accordly for recent changes

- tool_cfgable: Code policing of structure pointers

- tool: Moved --trace and --verbose to the global config

- tool_main: Forgot to initialise the first operation's global pointer

- tool: Moved --silient to the global config
  
  Other global options such as --libcurl, --trace and --verbose to
  follow.

- tool_cfgable: Added GlobalConfig pointer to OperationConfig
  
  In order to ease the moving of global options such as the error stream,
  updated the OperationConfig structure to point to the GlobalConfig.

- tool: Added support to .curlrc for URL specific options
  
  In addition to adding support for URL specific options via the command
  line with --next it is now possible to specify "next" in .curlrc.

- tool: Reworked argument parsing to use --next/-:
  
  Follow up to commit 1a9b58fcb2 to replace the : command line option
  with --next and -:.

- tool_getparam: Added initial support for --next/-:
  
  Added initial support for --next/-: which will be used to replace the
  rather confusing : command line operation what was used for the URL
  specific options prototype.

Dan Fandrich (26 Feb 2014)
- valgrind.supp: tweaked a test 165 suppression
  
  A recent change seems to have slightly changed the call stack
  produced by the gcc optimizer.

nickzman (25 Feb 2014)
- Merge pull request #93 from d235j/darwinssl_ip_address_fix
  
  darwinssl: don't omit CN verification when an IP address is used

Daniel Stenberg (25 Feb 2014)
- parse_args: fix a too long source code line

- [naota brought this change]

  configure: Tiny fix to honor POSIX
  
  Change "==" to "=" to honor POSIX test construction.

Steve Holme (25 Feb 2014)
- tool_help: Moved --no-alpn and --no-npn to be listed alphabetically
  
  ...and added the HTTP suffix as these options are only used for HTTP2
  based connections.

- tool: Moved --showerror to the global config
  
  Other global options such as --libcurl, --trace and --verbose to
  follow.

- tool_getparam: Added global config to getparameter()
  
  In preparation for parsing global options added the GlobalConfig
  structure to the getparameter() function.

- tool_getparam.h: Fixed compilation warning
  
  warning: declaration of 'struct GlobalConfig' will not be visible
  outside of this function

Marc Hoersken (24 Feb 2014)
- RELEASE-NOTES: Updated for 63fc8ee7

Steve Holme (24 Feb 2014)
- tool_cfgable: Added support for knowing the current operation

Marc Hoersken (24 Feb 2014)
- curl_schannel.c: Updated copyright years

- [David Ryskalczyk brought this change]

  winssl: Enable hostname verification of IP address using SAN or CN
  
  Original commit message was:
   Don't omit CN verification in SChannel when an IP address is used.
  
  Side-effect of this change:
   SChannel and CryptoAPI do not support the iPAddress subjectAltName
   according to RFC 2818. If present, SChannel will first compare the
   IP address to the dNSName subjectAltNames and then fallback to the
   most specific Common Name in the Subject field of the certificate.
  
   This means that after this change curl will not connect to SSL/TLS
   hosts as long as the IP address is not specified in the SAN or CN
   of the server certificate or the verifyhost option is disabled.

Steve Holme (24 Feb 2014)
- tool_operate: Moved easy handle cleanup into tool_main

Marc Hoersken (24 Feb 2014)
- tool_hugehelp: partially reverted 24e22e10
  
  Compilation was not possible if manuel is disabled due this error:
   error: macro "hugehelp" passed 1 arguments, but takes just 0
    void hugehelp(void) {}

Steve Holme (24 Feb 2014)
- tool_main: Moved easy handle into global config structure

David Ryskalczyk (23 Feb 2014)
- Don't omit CN verification in DarwinSSL when an IP address is used.

Steve Holme (23 Feb 2014)
- tool: Fixed line longer than 79 characters from commit 705a4cb549

- tool_main: Corrected typo from commit d6b9f054e9 in Symbian code

- tool_main: Moved OperateConfig cleanup into main_free()

- tool_main: Moved initial OperateConfig creation into main_init()

- tool_cfgable: Added global config structure

- tool_cfgable: Renamed Configurable structure to OperationConfig
  
  To allow for the addition of a global config structure and prevent
  confusion between the two.

- tool: Fixed incorrect return code with --version from commit c10bf9bb36

- RELEASE-NOTES: Synced with 8c80840d01

- tool_getparam: Moved tool_help() call into operate()

- tool_getparam: Moved hugehelp() call into operate()

- tool_getparam: Moved tool_version_info() call into operate()

- tool_cfgable: Removed list_engine flag from config structure
  
  In preparation for separating the global config options from the per
  operation config options, reworked the list engines code to not use a
  member variable in the Configurable structure.

- tool_operate: Start to use CURLcode rather than int for return codes
  
  To help assist with the detection of incorrect return codes, as per
  commits ee23d13a79, 33b8960dc8 and aba98991a5, updated the operate
  based functions to return CURLcode error codes.

- tool: Fixed incorrect return code when setting HTTP request fails
  
  During initialisation SetHTTPrequest() may fail and cURL would return
  PARAM_BAD_USE, which is equivalent to CURLE_NOT_BUILT_IN in cURL error
  terms.
  
  Instead, return CURLE_FAILED_INIT as we do for other functions that may
  fail during initialisation.

- tool_getparam: Moved version information into separate function in tool_help

- tool_operhlp.h: Fixed compilation warning
  
  warning: 'struct Configurable' declared inside parameter list

- tool_operhlp: Consolidated engine output code into tool_help

- tool_operate: Moved list engines into separate function in tool_help

Marc Hoersken (22 Feb 2014)
- RELEASE-NOTES: added note about impact of changes to WinSSL defaults

- stunnel: regenerated self-signed test certificate with SHA1 hash
  
  The previous test certificate contained a MD5 hash which is not
  supported using TLSv1.2 with Schannel on Windows 7 or newer.
  
  See the update to this blog post on IEInternals / MSDN:
  http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/
  misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx
  
  "Update: If the server negotiates a TLS1.2 connection with a
  Windows 7 or 8 schannel.dll-using client application, and it
  provides a certificate chain which uses the (weak) MD5 hash
  algorithm, the client will abort the connection (TCP/IP FIN)
  upon receipt of the certificate."

Dan Fandrich (22 Feb 2014)
- easy: Fixed a memory leak on OOM condition

Steve Holme (20 Feb 2014)
- tool_paramhlp: Fixed compilation warnings
  
  declaration of 'index' shadows a global declaration

- lib1515.c: Fixed #include path in commit 647f83e809

Daniel Stenberg (19 Feb 2014)
- [Maks Naumov brought this change]

  test1515: fix compilation with msvc
  
  ... or any other systems lacking a native snprintf

- SFTP: skip reading the dir when NOBODY=1
  
  When asking for an SFTP directory with NOBODY set, no directory contents
  should be retrieved.
  
  Bug: http://curl.haxx.se/mail/lib-2014-02/0155.html

Dan Fandrich (18 Feb 2014)
- axtls: comment the call ssl_read repeatedly loop

Kamil Dudka (18 Feb 2014)
- curl.1: update the description of --tlsv1
  
  ... and mention the --tlsv1.[0-2] options in the --tslv1 entry
  
  Reported-by: Hubert Kario

Daniel Stenberg (18 Feb 2014)
- curl_version.3: recommend using curl_version_info() instead

- curl_version_info.3: added *HTTP2
  
  ... and edited language slightly

- curl_multi_assign.3: updated language

- libcurl.3: edited slightly to improve readability

- curl_easy_perform.3: extended and clarified

- curl_multi_add_handle.3: clarify multi vs easy use
  
  it is only WHILE added to a multi handle that it can't be used with the
  easy interface

- [Tatsuhiro Tsujikawa brought this change]

  http2: Support HTTP POST/PUT
  
  This patch enables HTTP POST/PUT in HTTP2.
  We disabled Expect header field and  chunked transfer encoding
  since HTTP2 forbids them.
  In HTTP1, Curl sends small upload data with request headers, but
  HTTP2 requires upload data must be in DATA frame separately.
  So we added some conditionals to achieve this.

- RELEASE-NOTES: synced with 854aca5420f

- multi: ignore sigpipe internally
  
  When the multi API is used we must also ignore SIGPIPE signals when
  caused by things we do, like they can easily be generated by OpenSSL.

Dan Fandrich (17 Feb 2014)
- tests: Made the crypto test feature usable
  
  This feature specifies the availability of cryptographic
  authentication, which can be disabled at compile-time

- configure: Fix the --disable-crypto-auth option
  
  It now disables NTLM and GSS authentication methods, and produces
  compilable code when SSL is enabled.

Daniel Stenberg (17 Feb 2014)
- curl_multi_setopt.3: clarify CURLMOPT_MAXCONNECTS

- [Shao Shuchao brought this change]

  ConnectionDone: default maxconnects to 4 x number of easy handles
  
  ... as documented!

- examples: remove all use of CURLM_CALL_MULTI_PERFORM
  
  ... since it is never returned since a long while back.

- [Colin Hogben brought this change]

  curl_easy_setopt.3: Add another non-matching hostname
  
  For the avoidance of doubt, show a domain which contains the no-proxy
  pattern but not at the top level.

- axtls: bump copyright year

- [Fabian Frank brought this change]

  axtls: call ssl_read repeatedly
  
  Perform more work in between sleeps. This is work around the
  fact that axtls does not expose any knowledge about when work needs
  to be performed. Depending on connection and how often perform is
  being called this can save ~25% of time on SSL handshakes (measured
  on 20ms latency connection calling perform roughly every 10ms).

- [Yehezkel Horowitz brought this change]

  url_easy_setopt.3: Add undocumented values of curl_infotype
  
  ... for debug function

- ConnectionExists: re-use connections better
  
  When allowing NTLM, the re-use connection logic was too focused on
  finding an existing NTLM connection to use and didn't properly allow
  re-use of other ones. This made the logic not re-use perfectly re-usable
  connections.
  
  Added test case 1418 and 1419 to verify.
  
  Regression brought in 8ae35102c (curl 7.35.0)
  
  Reported-by: Jeff King
  Bug: http://thread.gmane.org/gmane.comp.version-control.git/242213

Steve Holme (16 Feb 2014)
- tool_paramhlp: Added URL index to password prompt for multiple operations

Marc Hoersken (16 Feb 2014)
- sockfilt.c: add undefs which are required after 6239146e

Steve Holme (16 Feb 2014)
- warnless: Updated copyright year for recent changes

Marc Hoersken (16 Feb 2014)
- warnless: add wrapper function for read and write on Windows

Steve Holme (16 Feb 2014)
- examples: Added IMAP LSUB example

- tool_operate: Changed the required argument check/get to be upfront
  
  Rather than check for required arguments, and prompt for any host and
  proxy passwords, as each operation is performed, changed the code so
  all configurations are checked before any operations are performed.
  
  This allows the user to input all the required passwords, for example,
  upfront rather than wait for each operation.

- tool_operate: Moved required argument getting into separate function

Dan Fandrich (15 Feb 2014)
- valgrind: added another test 165 suppression
  
  This one is needed with the gcc options -fstack-protector-all -O2
  That brings the number of suppressions for test 165 to four, and I
  suspect I could find another two missing without trying very hard. I'm
  beginning to think suppressions isn't the best way to handle these
  kinds of cases.

Marc Hoersken (15 Feb 2014)
- testsuite: more Windows line-endings fixes

- test1114: fix line-endings checks on Windows after 75f00de

- test1113: fix line-endings checks on Windows after 75f00de5

- lib1515.c: Added support for Windows using the Sleep function

- HTTP tests: use CRLF as header seperator according to RFC 2616
  
  Updates the test suite to handle binary-mode header output.

- curl: output protocol headers using binary mode
  
  Since protocol headers contain explicit line-endings there should
  be no automatic conversion to ASCII text or CRLF line-endings.
  
  This might break third party tools that already depend on this
  behaviour. We might need to introduce an option to make this optional.

- HTTP tests: use CRLF as header seperator according to RFC 2616
  
  Changes LF to CRLF and disables automatic output conversion.

- testsuite: use binary output mode for custom curl test tools
  
  Do not try to convert line-endings to CRLF on Windows by setting stdout
  to binary mode, just like the curl tool does if --ascii is not specified.
  
  This should prevent corrupted stdout line-ending output like CRCRLF.
  
  In order to make the previously naive text-aware tests work with
  binary mode on Windows, text-mode is disabled for them if it is not
  actually part of the test case and line-endings are corrected.

- testsuite: changed HTTP and RTSP header line-endings to CRLF
  
  According to RFC 2616 and RFC 2326 individual protocol elements, like
  headers and except the actual content, are terminated by using CRLF.
  
  Therefore the test data files for these protocols need to contain
  mixed line-endings if the actual protocol elements use CRLF while
  the file uses LF.

Daniel Stenberg (14 Feb 2014)
- [Colin Hogben brought this change]

  curl_easy_setopt.3: Fix word order of CURLOPT_PROXY section
  
  The word CURLOPT_PROXYPORT became detached from its sentence when the
  note about the default was added.

Patrick Monnerat (14 Feb 2014)
- OS400: Add new options to RPG binding.

Dan Fandrich (14 Feb 2014)
- valgrind: added suppression on optimized code
  
  gcc 4.7.2 with -O2 will optimize Curl_connect by inlining some
  functions two levels deep, which makes the valgrind suppression
  fail to match. The underlying reason for these idna suppressions is
  a gcc strlen optimization when compiling libidn; compiling it with
  -fno-builtin-strlen makes this suppression unnecessary.

Daniel Stenberg (14 Feb 2014)
- [Arvid Norberg brought this change]

  dict: fix memory leak in OOM exit path
  
  Bug: https://github.com/bagder/curl/pull/90

- Curl_urldecode: don't allow NULL as receiver
  
  For a function that returns a decoded version of a string, it seems
  really strange to allow a NULL pointer to get passed in which then
  prevents the decoded data from being returned!
  
  This functionality was not documented anywhere either.
  
  If anyone would use it that way, that memory would've been leaked.
  
  Bug: https://github.com/bagder/curl/pull/90
  Reported-by: Arvid Norberg

- RELEASE-NOTES: synced with 378af08c992

- ConnectionExists: reusing possible HTTP+NTLM connections better
  
  Make sure that the special NTLM magic we do is for HTTP+NTLM only since
  that's where the authenticated connection is a weird non-standard
  paradigm.
  
  Regression brought in 8ae35102c (curl 7.35.0)
  
  Bug: http://curl.haxx.se/mail/lib-2014-02/0100.html
  Reported-by: Dan Fandrich

- [Tiit Pikma brought this change]

  transfer: make Expect: 100-continue timeout configurable.
  
  Replaced the #define CURL_TIMEOUT_EXPECT_100 in transfer.c with the
  CURLOPT_EXPECT_100_TIMEOUT_MS option to make the timeout configurable.

- [Thomas Braun brought this change]

  Fix compilation with make mingw32
  
  The source files from lib/vtls where generated in lib instead of lib/vtls.
  
  Verified-by: Thomas Braun <thomas.braun@virtuell-zuhause.de>

- chunked decoder: track overflows correctly
  
  The code didn't properly check the return codes to detect overflows so
  it could trigger incorrectly. Like on mingw32.
  
  Regression introduced in 345891edba (curl 7.35.0)
  
  Bug: http://curl.haxx.se/mail/lib-2014-02/0097.html
  Reported-by: LM

- [Fabian Frank brought this change]

  curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0

- [Fabian Frank brought this change]

  openssl: honor --[no-]alpn|npn command line switch
  
  Disable ALPN or NPN if requested by the user.

- [Fabian Frank brought this change]

  gtls: honor --[no-]alpn command line switch
  
  Disable ALPN if requested by the user.

Dan Fandrich (11 Feb 2014)
- tests: Disabled broken test 1316
  
  See http://curl.haxx.se/mail/lib-2014-02/0004.html for a
  discussion on the problem.

Daniel Stenberg (11 Feb 2014)
- version: next release will become 7.36.0

- curl_easy_setopt.3: add CURLOPT_SSL_ENABLE_ALPN/NPN

Steve Holme (10 Feb 2014)
- tool_cfgable: Moved easy handle cleanup to fix pingpong logout issues
  
  Commmit c5f8e2f5f4 removed the easy handle clean-up from tool_operate,
  letting the code that was already present in free_config_fields()
  perform the task. Unfortunately, this wasn't the correct place to do
  this as it broke protocols, that would perform a logout, as the main
  clean-up in tool_main had already been called.

Dan Fandrich (10 Feb 2014)
- secureserver: Only set stunnel FIPS option when available
  
  It seems the fips config option causes an error if FIPS mode was
  not enabled at stunnel compile-time.  FIPS support was disabled
  by default in stunnel 5.00, so this is probably really only needed
  on versions between 4.32 and 5.00.

Daniel Stenberg (10 Feb 2014)
- [Fabian Frank brought this change]

  NPN/ALPN: allow disabling via command line
  
  when using --http2 one can now selectively disable NPN or ALPN with
  --no-alpn and --no-npn. for now honored with NSS only.
  
  TODO: honor this option with GnuTLS and OpenSSL

- [Fabian Frank brought this change]

  nss: use correct preprocessor macro
  
  SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection,
  but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a
  preprocessor macro.

Steve Holme (9 Feb 2014)
- tests: Added test for IMAP LSUB command

- tests: Removed test 807 as it has been superseded by tests 815 and 816

- tests: Updated the titles of tests 815 and 816

Daniel Stenberg (9 Feb 2014)
- tool_metalink: fix compiler warning when built without metalink

Steve Holme (9 Feb 2014)
- tool_operate: Move the trace and error file closure to tool_cfgable

- TODO: Removed url-specific options

- tests: Re-enabled IMAP tests that require URL specific option support

- RELEASE-NOTES: Synced with 8e62f7a6503a

Marc Hoersken (9 Feb 2014)
- secureserver: FIPS option is only supported since stunnel 5.00

Steve Holme (9 Feb 2014)
- tool_operate: Added support for performing URL specific operations

- tool_operate: Let curl handle cleanup take place in config_free()

Dan Fandrich (9 Feb 2014)
- formdata: Must use Curl_safefree instead of free

Daniel Stenberg (8 Feb 2014)
- test96: updated according to recent changes

- runtests: allow <strippart> to remove lines
  
  For verify file, if the strippart condition removes the line completely
  it is now removed from the array.

Steve Holme (8 Feb 2014)
- tool_getparam: Added support for parsing of specific URL options

Dan Fandrich (8 Feb 2014)
- secureserver: Disable FIPS mode for stunnel
  
  It's unnecessary for curl testing, and it can otherwise cause
  stunnel to fail to start if OpenSSL doesn't support FIPS mode.

- formdata: Fixed memory leak on OOM condition

- runtests: Disable valgrind when debugging
  
  This was already mostly being done, except that analysis after the
  test still assumed that the valgrind log files would be available. An
  alternative way to handle the valgrind + gdb combination could be to
  enable one of the valgrind debugger hooks.

Steve Holme (7 Feb 2014)
- tool_cfgable: For consistency renamed init_config() to config_init()

- tool_cfgable: Introduced config_free() function

Daniel Stenberg (7 Feb 2014)
- --help: add missing --tlsv1.x options

Steve Holme (7 Feb 2014)
- lib1515.c: Fixed various compilation warnings
  
  lib1515.c:38:26 warning: unused parameter 'curl'
  lib1515.c:38:81 warning: unused parameter 'ptr'
  lib1515.c:38:5 warning: no previous prototype for 'debug_callback'
  lib1515.c:46:5 warning: no previous prototype for 'do_one_request'
  lib1515.c:120:3  warning: ISO C90 forbids mixed declarations and code
  
  As well as some code policing such as white space and braces.

Daniel Stenberg (7 Feb 2014)
- http2: updated README after NSS addition
  
  Changed the support to a little matrix and added brief explanation of
  what ALPN and NPN are for.

- nss: support pre-ALPN versions

- [Fabian Frank brought this change]

  nss: ALPN and NPN support
  
  Add ALPN and NPN support for NSS. This allows cURL to negotiate
  HTTP/2.0 connections when built with NSS.

- formpost: use semicolon in multipart/mixed
  
  Not comma, which is an inconsistency and a mistake probably inherited
  from the examples section of RFC1867.
  
  This bug has been present since the day curl started to support
  multipart formposts, back in the 90s.
  
  Reported-by: Rob Davies
  Bug: http://curl.haxx.se/bug/view.cgi?id=1333

Dan Fandrich (6 Feb 2014)
- tests: Document use of the MEMDEBUG_LOG_SYNC macro

- ssh: Fixed a NULL pointer dereference on OOM condition

Steve Holme (6 Feb 2014)
- nss: Updated copyright year for recent edits

Daniel Stenberg (6 Feb 2014)
- [Remi Gacogne brought this change]

  100-continue: fix timeout condition
  
[--snip--]
