... noticed with mbedTLS.

closes #496

Use libpsl to check the domain value of Set-Cookie headers (and cookie
jar entries) for not being a Publix Suffix.

The configure script checks for "libpsl" by default. Disable the check
with --without-libpsl.

Ref: https://publicsuffix.org/
Ref: https://github.com/publicsuffix/list
Ref: https://github.com/rockdaboot/libpsl

bug introduced by 18691642.

Closes #493

introduced in c6aedf68. It needs to be CURLM_STATE_LAST big since it
must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST
is 19 right now.

Reported-by: Dan Fandrich
Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html

... and assign it from the set.fread_func_set pointer in the
Curl_init_CONNECT function. This A) avoids that we have code that
assigns fields in the 'set' struct (which we always knew was bad) and
more importantly B) it makes it impossibly to accidentally leave the
wrong value for when the handle is re-used etc.

Introducing a state-init functionality in multi.c, so that we can set a
specific function to get called when we enter a state. The
Curl_init_CONNECT is thus called when switching to the CONNECT state.

Bug: https://github.com/bagder/curl/issues/346

Closes #346

sk_X509_pop will decrease the size of the stack which means that the loop would
end after having added only half of the certificates.

Also make sure that the X509 certificate is freed in case
SSL_CTX_add_extra_chain_cert fails.

It makes it a clearer message for developers reaching that point without
the necessary support.

Thanks-by: Jay Satiro

Closes #78

follow-up from 6f8ecea0

... as in the polarssl TLS backend for example it uses memory functions.

If the underlying recv called by http2_recv returns -1 then that is the
value http2_recv returns to the caller.

... since some compilers don't have it and instead use other types, such
as __int64.

Reported by: gkinseyhpw
Closes #478

Follow up to 613e5022.

- If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION.

Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on
unknown. That return value is contradicted by the CURLINFO option
documentation which specifies a return of CURLE_UNKNOWN_OPTION on
unknown.

Closes #466

- Change algorithm init to happen after OpenSSL config load.

Additional algorithms may be available due to the user's config so we
initialize the algorithms after the user's config is loaded.

Bug: https://github.com/bagder/curl/issues/447
Reported-by: Denis Feklushkin

For a single-stream download from localhost, we managed to increase
transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of
this single fix.

... only call it when there is data arriving for another handle than the
one that is currently driving it.

Improves single-stream download performance quite a lot.

Thanks-to: Tatsuhiro Tsujikawa
Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html

... as otherwise a really fast pipe can "lock" one transfer for some
protocols, like with HTTP/2.

... don't try to increase the supposed file size on newlines if we don't
know what file size it is!

Patch-by: lzsiga

Closes #457

If GnuTLS fails to read the certificate then include whatever reason it
provides in the failure message reported to the client.

Signed-off-by: Mike Crowe <mac@mcrowe.com>

The gnutls vtls back-end was previously ignoring any password set via
CURLOPT_KEYPASSWD. Presumably this was because
gnutls_certificate_set_x509_key_file did not support encrypted keys.

gnutls now has a gnutls_certificate_set_x509_key_file2 function that
does support encrypted keys. Let's determine at compile time whether the
available gnutls supports this new function. If it does then use it to
pass the password. If it does not then emit a helpful diagnostic if a
password is set. This is preferable to the previous behaviour of just
failing to read the certificate without giving a reason in that case.

Signed-off-by: Mike Crowe <mac@mcrowe.com>

... even for those that don't support providing anything in the
'internals' struct member since it offers a convenient way for
applications to figure this out.

- Change the designator name we use to show the base64 encoded sha256
hash of the server's public key from 'pinnedpubkey' to
'public key hash'.

Though the server's public key hash is only shown when comparing pinned
public key hashes, the server's hash may not match one of the pinned.

With NTLM a new connection will always require authentication.
Fixes #435

Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: https://github.com/bagder/curl/issues/410
Reported-by: W. Mark Kubacki

Closes #430
Closes #410

Introduced with commit 65d141e6

Closes #440

Fixes #427

Without this workaround, NSS re-uses a session cache entry despite the
server name does not match.  This causes SNI host name to differ from
the actual host name.  Consequently, certain servers (e.g. github.com)
respond by 400 to such requests.

Bug: https://bugzilla.mozilla.org/1202264

... without sha256 support and no define saying so.

Reported-by: Rajkumar Mandal

Bug: https://github.com/bagder/curl/pull/411
Reported-by: Viktor Szakats

If the port number in the proxy string ended weirdly or the number is
too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
numerical address is used without enclosing brackets.

Also mention the bracket requirement for IPv6 numerical addresses to the
man page for CURLOPT_PROXY.

Closes #415

Reported-by: Marcel Raad

In some timing-dependnt cases when a 4xx response immediately followed
after a 150 when a STOR was issued, this function would wrongly return
'complete == true' while 'wait_data_conn' was still set.

Closes #405

Reported-by: Patricia Muscalu

It causes dynamic linking issues at run-time after an update of NSS.

Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html