Resolve conflicts

.github/workflows/checkdocs.yml

@@ -117,7 +117,7 @@ jobs:
         run: grep -v '^#' .github/scripts/spellcheck.words > wordlist.txt
 
       - name: 'check Spelling'
-        uses: rojopolis/spellcheck-github-actions@35a02bae020e6999c5c37fabaf447f2eb8822ca7 # v0
+        uses: rojopolis/spellcheck-github-actions@739a1e3ceb79a98a5d4a9bf76f351137f9d78892 # v0
         with:
           config_path: .github/scripts/spellcheck.yaml
 

.github/workflows/codeql.yml

@@ -52,10 +52,10 @@ jobs:
           persist-credentials: false
 
       - name: 'initialize'
-        uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
         with:
           languages: actions, python
           queries: security-extended
 
       - name: 'perform analysis'
-        uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3

.github/workflows/http3-linux.yml

@@ -193,7 +193,10 @@ jobs:
           sudo rm -f /var/lib/man-db/auto-update
           sudo apt-get -o Dpkg::Use-Pty=0 install \
             libtool autoconf automake pkgconf \
-            nettle-dev libp11-kit-dev libev-dev autopoint bison gperf gtk-doc-tools libtasn1-bin  # for gnutls
+            libbrotli-dev libzstd-dev zlib1g-dev \
+            libev-dev \
+            libc-ares-dev \
+            nettle-dev libp11-kit-dev autopoint bison gperf gtk-doc-tools libtasn1-bin  # for GnuTLS
           echo 'CC=gcc-12' >> "$GITHUB_ENV"
           echo 'CXX=g++-12' >> "$GITHUB_ENV"
 
@@ -256,6 +259,7 @@ jobs:
           cd ~
           git clone --quiet --depth=1 -b "${GNUTLS_VERSION}" https://github.com/gnutls/gnutls.git
           cd gnutls
+          # required: nettle-dev libp11-kit-dev libev-dev autopoint bison gperf gtk-doc-tools libtasn1-bin
           ./bootstrap
           ./configure --disable-dependency-tracking --prefix="$PWD"/build \
             LDFLAGS="-Wl,-rpath,$PWD/build/lib -L$PWD/build/lib" \
@@ -332,10 +336,13 @@ jobs:
           cd nghttp2
           git submodule update --init --depth=1
           autoreconf -fi
+          # required (for nghttpx application): libc-ares-dev libev-dev zlib1g-dev
+          # optional (for nghttpx application): libbrotli-dev
           ./configure --disable-dependency-tracking --prefix="$PWD"/build \
             PKG_CONFIG_PATH=/home/runner/quictls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig \
             LDFLAGS=-Wl,-rpath,/home/runner/quictls/build/lib \
-            --enable-http3
+            --with-libbrotlienc --with-libbrotlidec \
+            --enable-app --enable-http3
           make install
 
   linux:
@@ -476,6 +483,7 @@ jobs:
 
           - name: 'quiche'
             install_steps: skipall
+            PKG_CONFIG_PATH: /home/runner/nghttp2/build/lib/pkgconfig
             configure: >-
               LDFLAGS=-Wl,-rpath,/home/runner/quiche/target/release
               --with-openssl=/home/runner/quiche/quiche/deps/boringssl/src
@@ -484,7 +492,7 @@ jobs:
               --enable-unity
 
           - name: 'quiche'
-            PKG_CONFIG_PATH: /home/runner/quiche/target/release
+            PKG_CONFIG_PATH: /home/runner/nghttp2/build/lib/pkgconfig:/home/runner/quiche/target/release
             generate: >-
               -DOPENSSL_ROOT_DIR=/home/runner/quiche/quiche/deps/boringssl/src
               -DUSE_QUICHE=ON
@@ -495,15 +503,15 @@ jobs:
         env:
           INSTALL_PACKAGES: >-
             ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && 'stunnel4 ' || '' }}
-            ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && 'apache2 apache2-dev libnghttp2-dev vsftpd dante-server' || '' }}
+            ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && 'apache2 apache2-dev libnghttp2-dev vsftpd dante-server libev-dev' || '' }}
 
         run: |
           sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
           sudo apt-get -o Dpkg::Use-Pty=0 update
           sudo rm -f /var/lib/man-db/auto-update
           sudo apt-get -o Dpkg::Use-Pty=0 install \
             libtool autoconf automake pkgconf \
-            libpsl-dev libbrotli-dev libzstd-dev zlib1g-dev libidn2-0-dev libuv1-dev \
+            libpsl-dev libbrotli-dev libzstd-dev zlib1g-dev libidn2-0-dev libldap-dev libuv1-dev \
             ${INSTALL_PACKAGES} \
             ${MATRIX_INSTALL_PACKAGES}
           python3 -m venv ~/venv

.github/workflows/windows.yml

@@ -721,11 +721,9 @@ jobs:
           - { build: 'cmake'    , compiler: 'clang-tidy' }
     steps:
       - name: 'install packages'
-        env:
-          INSTALL_PACKAGES: ${{ matrix.compiler == 'clang-tidy' && 'clang' || '' }}
         run: |
           sudo rm -f /var/lib/man-db/auto-update
-          sudo apt-get -o Dpkg::Use-Pty=0 install gcc-mingw-w64-x86-64-win32 ${INSTALL_PACKAGES}
+          sudo apt-get -o Dpkg::Use-Pty=0 install gcc-mingw-w64-x86-64-win32
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
@@ -952,9 +950,8 @@ jobs:
               # Use Ninja when running tests to avoid MSBuild heuristics picking
               # up "error messages" in the test log output and making the job fail.
               # Officially this requires the vcvarsall.bat MS-DOS batch file (as of
-              # VS2022). Since it integrates badly with CI steps and shell scripts
-              # scripts, reproduce the necessary build configuration manually, and
-              # without envs.
+              # VS2022). Since it integrates badly with CI steps and shell scripts,
+              # reproduce the necessary build configuration manually, without envs.
               [[ "$(uname -s)" = *'ARM64'* ]] && MSVC_HOST='arm64' || MSVC_HOST='x64'  # x86
               MSVC_ROOTD="$(cygpath --mixed --short-name "$PROGRAMFILES/Microsoft Visual Studio")"  # to avoid spaces in directory names
               MSVC_ROOTU="$(/usr/bin/find "$(cygpath --unix "$MSVC_ROOTD/2022/Enterprise/vc/tools/msvc")" -mindepth 1 -maxdepth 1 -type d -name '*.*' | sort | tail -n 1)"

docs/cmdline-opts/ssl-sessions.md

@@ -8,6 +8,7 @@ Help: Load/save SSL session tickets from/to this file
 Added: 8.12.0
 Category: tls
 Multi: single
+Experimental: yes
 See-also:
   - tls-earlydata
 Example:

docs/libcurl/opts/CURLOPT_MAXLIFETIME_CONN.md

@@ -35,16 +35,18 @@ connection to have to be considered for reuse for this request.
 
 libcurl features a connection cache that holds previously used connections.
 When a new request is to be done, libcurl considers any connection that
-matches for reuse. The CURLOPT_MAXLIFETIME_CONN(3) limit prevents
-libcurl from trying too old connections for reuse. This can be used for
-client-side load balancing. If a connection is found in the cache that is
-older than this set *maxlifetime*, it is instead marked for closure.
+matches for reuse. The CURLOPT_MAXLIFETIME_CONN(3) limit prevents libcurl from
+trying too old connections for reuse. This can be used for client-side load
+balancing. If a connection is found in the cache that is older than this set
+*maxlifetime*, it is instead marked for closure.
 
-If set to 0, this behavior is disabled: all connections are eligible for reuse.
+If set to 0, this behavior is disabled: all connections are eligible for
+reuse.
 
 # DEFAULT
 
-0 seconds (i.e., disabled)
+24 hours (since 8.17.0). Before that, the default was 0 seconds (i.e.,
+disabled)
 
 # %PROTOCOLS%
 

lib/url.c

@@ -488,7 +488,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
   set->upkeep_interval_ms = CURL_UPKEEP_INTERVAL_DEFAULT;
   set->maxconnects = DEFAULT_CONNCACHE_SIZE; /* for easy handles */
   set->conn_max_idle_ms = 118 * 1000;
-  set->conn_max_age_ms = 0;
+  set->conn_max_age_ms = 24 * 3600 * 1000;
   set->http09_allowed = FALSE;
   set->httpwant = CURL_HTTP_VERSION_NONE
     ;

lib/urldata.h

@@ -116,7 +116,7 @@ typedef unsigned int curl_prot_t;
 #define PROTO_FAMILY_SSH  (CURLPROTO_SCP|CURLPROTO_SFTP)
 
 #if !defined(CURL_DISABLE_FTP) || defined(USE_SSH) ||   \
-  !defined(CURL_DISABLE_POP3) || !defined(CURL_DISABLE_FILE)
+  !defined(CURL_DISABLE_POP3)
 /* these protocols support CURLOPT_DIRLISTONLY */
 #define CURL_LIST_ONLY_PROTOCOL 1
 #endif
@@ -1390,9 +1390,9 @@ struct UserDefined {
   void *progress_client; /* pointer to pass to the progress callback */
   void *ioctl_client;   /* pointer to pass to the ioctl callback */
   timediff_t conn_max_idle_ms; /* max idle time to allow a connection that
-                           is to be reused */
+                                  is to be reused */
   timediff_t conn_max_age_ms; /* max time since creation to allow a
-                            connection that is to be reused */
+                                 connection that is to be reused */
   curl_off_t filesize;  /* size of file to upload, -1 means unknown */
   long low_speed_limit; /* bytes/second */
   long low_speed_time;  /* number of seconds */

lib/vquic/curl_ngtcp2.c

@@ -2578,11 +2578,31 @@ static CURLcode cf_ngtcp2_connect(struct Curl_cfilter *cf,
 out:
   if(result == CURLE_RECV_ERROR && ctx->qconn &&
      ngtcp2_conn_in_draining_period(ctx->qconn)) {
-    /* When a QUIC server instance is shutting down, it may send us a
-     * CONNECTION_CLOSE right away. Our connection then enters the DRAINING
-     * state. The CONNECT may work in the near future again. Indicate
-     * that as a "weird" reply. */
-    result = CURLE_WEIRD_SERVER_REPLY;
+    const ngtcp2_ccerr *cerr = ngtcp2_conn_get_ccerr(ctx->qconn);
+
+    result = CURLE_COULDNT_CONNECT;
+    if(cerr) {
+      CURL_TRC_CF(data, cf, "connect error, type=%d, code=%"
+                  FMT_PRIu64,
+                  cerr->type, (curl_uint64_t)cerr->error_code);
+      switch(cerr->type) {
+      case NGTCP2_CCERR_TYPE_VERSION_NEGOTIATION:
+        CURL_TRC_CF(data, cf, "error in version negotiation");
+        break;
+      default:
+        if(cerr->error_code >= NGTCP2_CRYPTO_ERROR) {
+          CURL_TRC_CF(data, cf, "crypto error, tls alert=%u",
+                      (unsigned int)(cerr->error_code & 0xffu));
+        }
+        else if(cerr->error_code == NGTCP2_CONNECTION_REFUSED) {
+          CURL_TRC_CF(data, cf, "connection refused by server");
+          /* When a QUIC server instance is shutting down, it may send us a
+           * CONNECTION_CLOSE with this code right away. We want
+            * to keep on trying in this case. */
+          result = CURLE_WEIRD_SERVER_REPLY;
+        }
+      }
+    }
   }
 
 #ifndef CURL_DISABLE_VERBOSE_STRINGS

lib/vtls/openssl.c

@@ -2865,11 +2865,12 @@ static void ossl_trace(int direction, int ssl_ver, int content_type,
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
 static CURLcode
-ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
+ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx,
+                             unsigned int ssl_version_min)
 {
   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
   /* first, TLS min version... */
-  long curl_ssl_version_min = conn_config->version;
+  long curl_ssl_version_min = (long)ssl_version_min;
   long curl_ssl_version_max;
 
   /* convert curl min SSL version option to OpenSSL constant */
@@ -4110,7 +4111,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
     ctx_options |= SSL_OP_NO_SSLv3;
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
-    result = ossl_set_ssl_version_min_max(cf, octx->ssl_ctx);
+    result = ossl_set_ssl_version_min_max(cf, octx->ssl_ctx, ssl_version_min);
 #else
     result = ossl_set_ssl_version_min_max_legacy(&ctx_options, cf, data);
 #endif

scripts/managen

@@ -728,7 +728,8 @@ sub single {
     }
 
     if($experimental) {
-        push @leading, "**WARNING**: this option is experimental. Do not use in production.\n\n";
+        my $pref = $manpage ? "" : "[1]";
+        push @leading, "$pref**WARNING**: this option is experimental. Do not use in production.\n\n";
     }
 
     my $pre = $manpage ? "\n": "[1]";

tests/http/testenv/nghttpx.py

@@ -124,15 +124,16 @@ def reload(self, timeout: timedelta = timedelta(seconds=Env.SERVER_TIMEOUT)):
             running = self._process
             self._process = None
             os.kill(running.pid, signal.SIGQUIT)
-            end_wait = datetime.now() + timeout
+            end_wait = datetime.now() + timedelta(seconds=5)
             if not self.start(wait_live=False):
                 self._process = running
                 return False
             while datetime.now() < end_wait:
                 try:
                     log.debug(f'waiting for nghttpx({running.pid}) to exit.')
-                    running.wait(2)
+                    running.wait(1)
                     log.debug(f'nghttpx({running.pid}) terminated -> {running.returncode}')
+                    running = None
                     break
                 except subprocess.TimeoutExpired:
                     log.warning(f'nghttpx({running.pid}), not shut down yet.')
@@ -142,7 +143,7 @@ def reload(self, timeout: timedelta = timedelta(seconds=Env.SERVER_TIMEOUT)):
                 os.kill(running.pid, signal.SIGKILL)
                 running.terminate()
                 running.wait(1)
-            return self.wait_live(timeout=timedelta(seconds=Env.SERVER_TIMEOUT))
+            return self.wait_live(timeout=timeout)
         return False
 
     def wait_dead(self, timeout: timedelta):