Closes #1283
Fixes #1277

synced with df665f4df0f7a352

Reported-by:  <shachaf@users.noreply.github.com>

Fixes #1281

curl.1 is generated by the cmdline-opts script since 4c49b835.

f77dabef broke builds in Windows using Windows SSPI but not Windows SSL.

Bug: https://github.com/curl/curl/issues/1276


Reported-by:  <jveazey@users.noreply.github.com>

- Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
  is not supported, which is the same as what we already do for
  CURLOPT_CAPATH.

- Change the curl tool to handle CURLOPT_PROXY_CAPATH error
  CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
  same as what we already do for CURLOPT_CAPATH.

- Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
  respective CAPATH option is not supported by the SSL library.

Ref: https://github.com/curl/curl/pull/1257

The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.

Regression since cb4e2be7

CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html

Reported-by: Marcus Hoffmann

- If the server has provided another challenge use it as the replacement
  input token if stale=TRUE. Otherwise previous credentials have failed
  so return CURLE_LOGIN_DENIED.

Prior to this change the stale directive was ignored and if another
challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.

Ref: https://tools.ietf.org/html/rfc2617#page-10

Bug: https://github.com/curl/curl/issues/928


Reported-by:  <tarek112@users.noreply.github.com>

Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch

Closes #1264

Since negative values are errors and not only -1. This makes SFTP upload
with --create-dirs work (again).

Closes #1269

- on the first invocation: keep security context returned by
  InitializeSecurityContext()

- on subsequent invocations: use MakeSignature() instead of
  InitializeSecurityContext() to generate HTTP digest response

Bug: https://github.com/curl/curl/issues/870
Reported-by: Andreas Roth

Closes https://github.com/curl/curl/pull/1251

Follow-up to 4b86113f

Fixes https://github.com/curl/curl/issues/793
Fixes https://github.com/curl/curl/issues/942

Properly resolve, convert and log the proxy host names.
Support the "--connect-to" feature for SOCKS proxies and for passive FTP
data transfers.

Follow-up to cb4e2be7

Reported-by: Jay Satiro
Fixes https://github.com/curl/curl/issues/1248

- While negotiating auth during PUT/POST if a user-specified
  Content-Length header is set send 'Content-Length: 0'.

This is what we do already in HTTPREQ_POST_FORM and what we did in the
HTTPREQ_POST case (regression since afd288b2).

Prior to this change no Content-Length header would be sent in such a
case.

Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
Reported-by: Dominik Hölzl

Closes https://github.com/curl/curl/pull/1242

Closes #1265

It isn't easily solved, but with some thinking someone could probably
come up with a working approach?

Closes #1241

For example allow ranges like [1-1] and [a-a] etc.

Regression since 5ca96cb8.

Bug: https://github.com/curl/curl/issues/1238
Reported-by: R. Dennis Steed

Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
< 2.1.0 (the older API)

... and fix the session_id mixup brought in 04b4ee54

Fixes #1220

The warning message had a typo. The argument long form is --time-cond
not --timecond

Closes #1263

When the threaded resolver option is specified for configure the default
thread library is pthreads. This change makes it possible to
--disable-pthreads and then configure can fall back on Win32 threads for
native Windows builds.

Closes https://github.com/curl/curl/pull/1260

Reported-by:  <zelinchen@users.noreply.github.com>
Fixes #1229

When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
the user explaining possible solutions such as --cacert and --insecure.

This change appends to that message similar options --proxy-cacert and
--proxy-insecure when there's a specified HTTPS proxy.

Closes https://github.com/curl/curl/issues/1258

Fixes #1252

- Document in --socks* opts they're still mutually exclusive of --proxy.

Partial revert of 423a93ce; I had misinterpreted the SOCKS proxy +
HTTP/HTTPS proxy combination.

- Document in --socks* opts that --preproxy can be used to specify a
  SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.