7.18.1

132 - Xponaut's CURLFORM_STREAM option to curl_formadd()
I'm officially pushing the two remaining issues to the next release instead,
2008-03-30 09:11:35 +00:00 · 2008-03-30 09:08:40 +00:00 · 2008-03-30 09:07:08 +00:00 · 2008-03-28 18:19:11 +00:00 · 2008-03-27 23:13:57 +00:00 · 2008-03-27 23:10:24 +00:00
136 changed files with 4834 additions and 6568 deletions
--- a/266
+++ b/266
@@ -6,6 +6,272 @@

                                  Changelog

+Version 7.18.1 (30 March 2008)
+
+Daniel Stenberg (28 Mar 2008)
+- Stephen Collyer pointed out that configure --with-libssh2 without a given
+  path didn't work properly.
+
+Daniel Stenberg (27 Mar 2008)
+- As found out and reported by Dan Petitt, libcurl didn't show progress/call
+  the progress callback for the first (potentially huge) piece of body data
+  sent together with the POST request headers in the initial send().
+
+Daniel Stenberg (25 Mar 2008)
+- Made setting the CURLOPT_SSL_CTX_FUNCTION option return a failure in case
+  libcurl wasn't built to use OpenSSL as that is a prerequisite for this
+  option to function!
+
+Daniel Stenberg (22 Mar 2008)
+- Fixed the problem with doing a zero byte SCP transfer, verified with test
+  case 617 (which was added by Daniel Fandrich 5 Mar 2008).
+
+Daniel Fandrich (20 Mar 2008)
+- Fixed a problem where curl-config --protocols could erroneously show LDAPS
+  support when curl didn't even have regular LDAP support.  It looks like
+  this could happen when the --enable-ldaps configure switch is given but
+  configure couldn't find the LDAP headers or libraries.
+
+Michal Marek (20 Mar 2008)
+- Added --with-ca-path=DIRECTORY configure option to use an openSSL CApath by
+  default instead of a ca bundle. The configure script will also look for a
+  ca path if no ca bundle is found and no option given.
+
+- Fixed detection of previously installed curl-ca-bundle.crt
+
+Daniel Fandrich (18 Mar 2008)
+- Added test 626 to reproduce an infinite loop when given an invalid
+  SFTP quote command reported by Vincent Le Normand, and fixed it.
+
+Michal Marek (18 Mar 2008)
+- Added curl_easy_getinfo typechecker.
+
+- Added macros for curl_share_setopt and curl_multi_setopt to check at least
+  the correct number of arguments.
+
+Daniel Fandrich (13 Mar 2008)
+- Added tests 622-625 to test SFTP/SCP uploads. Test 625 was an attempt to
+  reproduce the --ftp-create-dirs problem reported by Brian Ulm, but that
+  seems to need a call curl_easy_reset() which this test case doesn't do.
+
+Daniel Stenberg (13 Mar 2008)
+- Brian Ulm figured out that if you did an SFTP upload with
+  CURLOPT_FTP_CREATE_MISSING_DIRS to create a directory, and then re-used the
+  handle and uploaded another file to another directory that needed to be
+  created, the second upload would fail. Another case of a state variable that
+  wasn't properly reset between requests.
+
+- I rewrote the 100-continue code to use a single state variable instead of
+  the previous two ones. I think it made the logic somewhat clearer.
+
+Daniel Stenberg (11 Mar 2008)
+- Dmitry Popov filed bug report #1911069
+  (http://curl.haxx.se/bug/view.cgi?id=1911069) that identified a race
+  condition in the name resolver code when the DNS cache is shared between
+  multiple easy handles, each running in simultaneous threads that could cause
+  crashes.
+
+- Added a macro for curl_easy_setopt() that accepts three arguments and simply
+  does nothing with them, just to make sure libcurl users always use three
+  arguments to this function. Due to its use of ... for the third argument, it
+  is otherwise hard to detect abuse.
+
+Michal Marek (11 Mar 2008)
+- Added a type checking macro for curl_easy_setopt(), needs gcc-4.3 and only
+  works in C mode atm (http://curl.haxx.se/mail/lib-2008-02/0267.html ,
+  http://curl.haxx.se/mail/lib-2008-02/0292.html )
+
+Daniel Fandrich (10 Mar 2008)
+- Added tests 618-621 to test SFTP/SCP transfers of more than one file
+  (test 620 tests the just-fixed problem reported by Brian Ulm).
+
+Daniel Stenberg (9 Mar 2008)
+- Brian Ulm reported a crash when doing a second SFTP transfer on a re-used
+  easy handle if curl_easy_reset() was used between them. I fixed it and Brian
+  verified that it cured his problem.
+
+- Brian Ulm reported that if you first tried to download a non-existing SFTP
+  file and then fetched an existing one and re-used the handle, libcurl would
+  still report the second one as non-existing as well! I fixed it and Brian
+  verified that it cured his problem.
+
+Michal Marek (6 Mar 2008)
+- Fix the gssapi configure check to detect newer MIT Kerberos (patch by
+  Michael Calmer)
+
+Yang Tse (6 Mar 2008)
+- Fix regression on Curl_socket_ready() and Curl_poll() so that these will
+  again fail on select/poll errors different than EINTR.
+
+Daniel Fandrich (5 Mar 2008)
+- Fixed the test harness so it will write out zero-length data files.
+
+- Added tests 616 and 617 to see how SFTP and SCP cope with zero-length
+  files, as questioned by Mike Protts. SFTP does for me but SCP doesn't
+  so test 617 is disabled for now.
+
+Daniel S (4 Mar 2008)
+- Mike Protts brought a patch that makes resumed transfers work with SFTP.
+
+Daniel S (1 Mar 2008)
+- Anatoli Tubman found and fixed a crash with Negotiate authentication used on
+  a re-used connection where both requests used Negotiate.
+
+Guenter Knauf (26 Feb 2008)
+- Kaspar Brand provided a patch to support server name indication (RFC 4366).
+
+Daniel S (25 Feb 2008)
+- Kaspar Brand made GnuTLS-built libcurl properly acknowledge the option that
+  forces it to prefer SSLv3.
+
+Daniel S (23 Feb 2008)
+- Sam Listopad provided a patch in feature-request #1900014
+  http://curl.haxx.se/bug/feature.cgi?id=1900014 that makes libcurl (built to
+  use OpenSSL) support a full chain of certificates in a given PKCS12
+  certificate.
+
+Daniel S (22 Feb 2008)
+- Georg Lippitsch made the src/Makefile.vc6 makefile use the same memory model
+  options as the lib/Makefile.vc6 already did.
+
+Daniel S (21 Feb 2008)
+- Zmey Petroff found a crash when libcurl accessed a NULL pointer, which
+  happened if you set the connection cache size to 1 and for example failed to
+  login to an FTP site. Bug report #1896698
+  (http://curl.haxx.se/bug/view.cgi?id=1896698)
+
+Daniel S (20 Feb 2008)
+- Fixed test case 405 to not fail when libcurl is built with GnuTLS
+
+- Based on initial work done by Gautam Kachroo to address a bug, we now keep
+  better control at the exact state of the connection's SSL status so that we
+  know exactly when it has completed the SSL negotiation or not so that there
+  won't be accidental re-uses of connections that are wrongly believed to be
+  in SSL-completed-negotiate state.
+
+- We no longer support setting the CURLOPT_URL option from inside a callback
+  such as the CURLOPT_SSL_CTX_FUNCTION one treat that as if it was a Location:
+  following. The patch that introduced this feature was done for 7.11.0, but
+  this code and functionality has been broken since about 7.15.4 (March 2006)
+  with the introduction of non-blocking OpenSSL "connects".
+
+  It was a hack to begin with and since it doesn't work and hasn't worked
+  correctly for a long time and nobody has even noticed, I consider it a very
+  suitable subject for plain removal. And so it was done.
+
+Guenter Knauf (19 Feb 2008)
+- We do no longer support SSLv2 by default since it has known flaws.
+  Kaspar Brand provided a patch for all supported SSL toolkits.
+ 
+Daniel Fandrich (19 Feb 2008)
+- Added test309 to test HTTP redirect to HTTPS URL
+
+Daniel S (18 Feb 2008)
+- We're no longer providing a very old ca-bundle in the curl tarball. You can
+  get a fresh one downloaded and created with 'make ca-bundle' or you can get
+  one from here => http://curl.haxx.se/docs/caextract.html if you want a fresh
+  new one extracted from Mozilla's recent list of ca certs.
+
+  The configure option --with-ca-bundle now lets you specify what file to use
+  as default ca bundle for your build. If not specified, the configure script
+  will check a few known standard places for a global ca cert to use.
+
+Daniel S (17 Feb 2008)
+- Jerome Muffat-Meridol helped me fix Curl_done() to close the current
+  connection by force when it was called before the entire request is
+  completed, simply because we can't know if the connection really can be
+  re-used safely at that point.
+
+- Based on the same debugging logic, I've also made Curl_http_done() not
+  return CURLE_GOT_NOTHING if called "prematurely". This should have no real
+  effect to anything but the code makes more sense like this.
+  
+Daniel S (15 Feb 2008)
+- Made the gnutls code path not even try to get the server cert if no peer
+  verification is requested. Previously it would even return failure if gnutls
+  failed to get the server cert even though no verification was asked for.
+  Public server showing the problem: https://www.net222.caisse-epargne.fr
+
+- Fix my Curl_timeleft() leftover mistake in the gnutls code
+
+- Pooyan McSporran found and fixed a flaw where you first would do a normal
+  http request and then you'd reuse the handle and replace the Accept: header,
+  as then libcurl would send two Accept: headers!
+
+Daniel S (11 Feb 2008)
+- Yang Tse pointed out a few remaining quirks from my timeout refactoring from
+  Feb 7 that didn't abort properly on timeouts. These are actually old
+  problems but now they should be fixed.
+
+Yang Tse (10 Feb 2008)
+- Bug report #1888932 (http://curl.haxx.se/bug/view.cgi?id=1888932) points out
+  and provides test program that demonstrates that libcurl might not set error
+  description message for error CURLE_COULDNT_RESOLVE_HOST for Windows threaded
+  name resolver builds. Fixed now.
+
+Daniel Fandrich (8 Feb 2007)
+- Added key words to all SSL-using tests so they can be skipped if necessary.
+  Removed a few unnecessary requires SSL statements.
+
+Daniel S (8 Feb 2008)
+- Mike Hommey filed and fixed bug report #1889856
+  (http://curl.haxx.se/bug/view.cgi?id=1889856): When using the gnutls ssl
+  layer, cleaning-up and reinitializing curl ends up with https requests
+  failing with "ASN1 parser: Element was not found" errors. Obviously a
+  regression added in 7.16.3.
+
+Yang Tse (8 Feb 2008)
+- Improved test harness SCP/SFTP start up server verification, doing a real
+  connection to the sftp server, authenticating and running a simple sftp
+  pwd command using the test harness generated configuration and key files.
+
+Daniel S (8 Feb 2008)
+- G<>nter Knauf added lib/mk-ca-bundle.pl which gets the Firefox ca bundle and
+  creates a suitable ca-bundle.crt file in PEM format for use with curl. The
+  recommended way to run it is to use 'make ca-bundle' in the build tree root.
+
+Daniel Fandrich (7 Feb 2007)
+- Added tests 1022 and 1023 to validate output of curl-config --version and
+  --vernum
+
+Daniel S (7 Feb 2008)
+- Refactored a lot of timeout code into a few functions in an attempt to make
+  them all use the same (hopefully correct) logic to make it less error-prone
+  and easier to introduce library-wide where it should be used.
+
+Yang Tse (6 Feb 2008)
+- Fix an issue in strdup replacement function when dealing with absolutely
+  huge strings. Only systems without a standard strdup would be affected.
+
+Daniel S (3 Feb 2008)
+- Dmitry Kurochkin cleaned up the pipelining code and removed the need for and
+  use of the "is_in_pipeline" struct field.
+
+- I wrote up and added the threaded-ssl.c example source code that shows how
+  to do multi-threaded downloads of HTTPS files with a libcurl that is built
+  with OpenSSL. It uses pthreads for the threading.
+
+Daniel S (31 Jan 2008)
+- Niklas Angebrand made the cookie support in libcurl properly deal with the
+  "HttpOnly" feature introduced by Microsoft and apparently also supported by
+  Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
+  is now supported when received from servers in HTTP headers, when written to
+  cookie jars and when read from existing cookie jars.
+
+  I modified test case 31 and 46 to also do some basic HttpOnly testing.
+
+- Dmitry Kurochkin moved several struct fields from the connectdata struct to
+  the SingleRequest one to make pipelining better. It is a bit tricky to keep
+  them in the right place, to keep things related to the actual request or to
+  the actual connection in the right place.
+
+Daniel S (29 Jan 2008)
+- Dmitry Kurochkin fixed Curl_done() for pipelining, as it could previously
+  crash!
+
+- Michal Marek fixed minor mistake in test case 553 that prevented it from
+  working on other IP-addresses or port numbers.
+
 Version 7.18.0 (28 January 2008)

 Daniel S (27 Jan 2008)
--- a/9
+++ b/9
@@ -12,8 +12,8 @@ inner sanctum.

 Compile and build instructions follow below.

-  CHANGES.0     contains ancient changes.
-  CHANGES.$year contains changes for the particular year.
+  CHANGES.0     contains ancient changes
+  CHANGES       contains the most recent changes

  Makefile.dist is included as the root Makefile in distribution archives

@@ -49,9 +49,8 @@ installed:

   If you don't have nroff and perl and you for some reason don't want to
   install them, you can rename the source file src/hugehelp.c.cvs to
-   src/hugehelp.c and avoid having to generate this file. This will of course
-   give you an older version of the file that isn't up-to-date. That file was
-   checked in once and won't be updated very regularly.
+   src/hugehelp.c and avoid having to generate this file. This will give you
+   a stubbed version of the file that doesn't contain actual content.

 MAC OS X

--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -131,3 +131,7 @@ install-data-hook:
 uninstall-hook:
 	cd include && $(MAKE) uninstall
 	cd docs && $(MAKE) uninstall
+
+ca-bundle: lib/mk-ca-bundle.pl
+	@echo "generate a fresh ca-bundle.crt"
+	@perl $< -b -l -u lib/ca-bundle.crt
--- a/Makefile.dist
+++ b/Makefile.dist
@@ -257,6 +257,12 @@ linux: all
 linux-ssl: ssl

 vc8:
-	echo "generate VC8 makefiles"
-	sed -e "s#/GX /DWIN32 /YX#/EHsc /DWIN32#" -e "s#/GZ#/RTC1#" -e "s/wsock32.lib/wsock32.lib bufferoverflowu.lib/g" -e "s/VC6/VC8/g" lib/Makefile.vc6 > lib/Makefile.vc8
-	sed -e "s#/GX /DWIN32 /YX#/EHsc /DWIN32#" -e "s#/GZ#/RTC1#" -e "s/wsock32.lib/wsock32.lib bufferoverflowu.lib/g" -e "s/VC6/VC8/g" src/Makefile.vc6 > src/Makefile.vc8
+	@echo "generate VC8 makefiles"
+	@sed -e "s#/GX /DWIN32 /YX#/EHsc /DWIN32#" -e "s#/GZ#/RTC1#" -e "s/wsock32.lib/wsock32.lib bufferoverflowu.lib/g" -e "s/VC6/VC8/g" lib/Makefile.vc6 > lib/Makefile.vc8
+	@sed -e "s#/GX /DWIN32 /YX#/EHsc /DWIN32#" -e "s#/GZ#/RTC1#" -e "s/wsock32.lib/wsock32.lib bufferoverflowu.lib/g" -e "s/VC6/VC8/g" src/Makefile.vc6 > src/Makefile.vc8
+
+ca-bundle: lib/mk-ca-bundle.pl
+	@echo "generate a fresh ca-bundle.crt"
+	@perl $< -b -l -u lib/ca-bundle.crt
+
+
--- a/119
+++ b/119
@@ -1,68 +1,59 @@
-Curl and libcurl 7.18.0
+Curl and libcurl 7.18.1

- Public curl releases:         103
+ Public curl releases:         104
 Command line options:         126
 curl_easy_setopt() options:   150
 Public functions in libcurl:  56
- Public web site mirrors:      43
+ Public web site mirrors:      39
 Known libcurl bindings:       36
- Contributors:                 597
+ Contributors:                 621

 This release includes the following changes:
 
- o --data-urlencode
- o CURLOPT_PROXY_TRANSFER_MODE
- o --no-keepalive - now curl does connections with keep-alive enabled by
-   default
- o --socks4a added (proxy type CURLPROXY_SOCKS4A for libcurl)
- o --socks5-hostname added (CURLPROXY_SOCKS5_HOSTNAME for libcurl)
- o curl_easy_pause()
- o CURLOPT_SEEKFUNCTION and CURLOPT_SEEKDATA
- o --keepalive-time
- o curl --help output was re-ordered
+ o added support for HttpOnly cookies
+ o 'make ca-bundle' downloads and generates an updated ca bundle file
+ o we no longer distribute or install a ca cert bundle
+ o SSLv2 is now disabled by default for SSL operations
+ o the test509-style setting URL in callback is officially no longer supported
+ o support a full chain of certificates in a given PKCS12 certificate
+ o resumed transfers work with SFTP
+ o added type checking macros for curl_easy_setopt() and curl_easy_getinfo(),
+   watch out for new warnings in code using libcurl (needs gcc-4.3 and
+   currently only works in C mode)
+ o curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and
+   curl_multi_setopt() uses are now checked to use exactly three arguments
+ o --with-ca-path=DIR configure option allows to set an openSSL CApath instead
+   of a default ca bundle.

 This release includes the following bugfixes:

- o curl-config --features and --protocols show the correct output when built
-   with NSS, and also when SCP, SFTP and libz are not available
- o free problem in the curl tool for users with empty home dir
- o curl.h version 7.17.1 problem when building C++ apps with MSVC
- o SFTP and SCP use persistent connections
- o segfault on bad URL
- o variable wrapping when using absolutely huge send buffer sizes
- o variable wrapping when using debug callback and the HTTP request wasn't sent
-   in one go
- o SSL connections with NSS done with the multi-interface
- o setting a share no longer activates cookies
- o Negotiate now works on auth and proxy simultanouesly
- o support HTTP Digest nonces up to 1023 letters
- o resumed ftp upload no longer requires the read callback to return full
-   buffers
- o no longer default-appends ;type= on FTP URLs thru proxies
- o SSL session id caching
- o POST with callback over proxy requiring NTLM or Digest
- o Expect: 100-continue flaw on re-used connection with POSTs
- o build fix for MSVC 9.0 (VS2008)
- o Windows curl builds failed file truncation when retry downloading
- o SSL session ID cache memory leak
- o bad connection re-use check with environment variable-activated proxy use
- o --libcurl now generates a return statement as well
- o socklen_t is no longer used in the public includes
- o time zone offsets from -1400 to +1400 are now accepted by the date parser
- o allows more spaces in WWW/Proxy-Authenticate: headers
- o curl-config --libs skips /usr/lib64
- o range support for file:// transfers
- o libcurl hang with huge POST request and request-body read from callback
- o removed extra newlines from many error messages
 o improved pipelining
- o improved OOM handling for data url encoded HTTP POSTs when read from a file
- o test suite could pick wrong tool(s) if more than one existed in the PATH
- o curl_multi_fdset() failed to return socket while doing CONNECT over proxy
- o curl_multi_remove_handle() on a handle that is in used for a pipeline now
-   break that pipeline
- o CURLOPT_COOKIELIST memory leaks
- o progress meter/callback during http proxy CONNECT requests
- o auth for http proxy when the proxy closes connection after first response
+ o improved strdup replacement
+ o GnuTLS-built libcurl failed when doing global cleanup and reinit
+ o error message problem when unable to resolve a host on Windows
+ o Accept: header replacing
+ o not verifying server certs with GnuTLS still failed if gnutls had
+   problems with the cert
+ o when using the multi interface and a handle is removed while still having
+   a transfer going on, the connection is now closed by force
+ o bad re-use of SSL connections in non-complete state
+ o test case 405 failures with GnuTLS builds
+ o crash when connection cache size is 1 and Curl_do() failed
+ o GnuTLS-built libcurl can now be forced to prefer SSLv3
+ o crash when doing Negotiate again on a re-used connection
+ o select/poll regression
+ o better MIT kerberos configure check
+ o curl_easy_reset() + SFTP re-used connection download crash
+ o SFTP non-existing file + SFTP existing file error
+ o sharing DNS cache between easy handles running in multiple threads could
+   lead to crash
+ o SFTP upload with CURLOPT_FTP_CREATE_MISSING_DIRS on re-used connection
+ o SFTP infinite loop when given an invalid quote command
+ o curl-config erroneously reported LDAPS support with missing LDAP libraries
+ o SCP infinite loop when downloading a zero byte file
+ o setting the CURLOPT_SSL_CTX_FUNCTION with libcurl built without OpenSSL
+   now makes curl_easy_setopt() properly return failure
+ o configure --with-libssh2 (with no given path)

 This release includes the following known bugs:

@@ -70,25 +61,19 @@ This release includes the following known bugs:

 Other curl-related news:

- o TclCurl 7.17.1 => http://personal1.iddeo.es/andresgarci/tclcurl/english/
- o Ruby Curl::Multi 0.1 => http://curl-multi.rubyforge.org/ 
- o curl-java 0.2.1 => http://curl.haxx.se/libcurl/java/
+ o 

 New curl mirrors:

- o http://curl.gominet.net/ is new mirror in Vizcaya, Portugal
- o http://curl.very-clever.com/ is a new mirror in Nuremberg, Germany
+ o http://curl.cuendet.com/ is a new mirror in Atlanta, USA

 This release would not have looked like this without help, code, reports and
 advice from friends like these:

- Dan Fandrich, Gisle Vanem, Toby Peterson, Yang Tse, Daniel Black,
- Robin Johnson, Michal Marek, Ates Goral, Andres Garcia, Rob Crittenden,
- Emil Romanus, Alessandro Vesely, Ray Pekowski, Spacen Jasset, Andrew Moise,
- Gilles Blanc, David Wright, Vikram Saxena, Mateusz Loskot, Gary Maxwell,
- Dmitry Kurochkin, Mohun Biswas, Richard Atterer, Maxim Perenesenko,
- Daniel Egger, Jeff Johnson, Nikitinskit Dmitriy, Georg Lippitsch, Eric Landes,
- Joe Malicki, Nathan Coulter, Lau Hang Kin, Judson Bishop, Igor Franchuk,
- Kevin Reed
- 
+ Michal Marek, Dmitry Kurochkin, Niklas Angebrand, G<>nter Knauf, Yang Tse,
+ Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol,
+ Kaspar Brand, Gautam Kachroo, Zmey Petroff, Georg Lippitsch, Sam Listopad,
+ Anatoli Tubman, Mike Protts, Michael Calmer, Brian Ulm, Dmitry Popov,
+ Jes Badwal, Dan Petitt, Stephen Collyer
+
        Thanks! (and sorry if I forgot to mention someone)
--- a/17
+++ b/17
@@ -1,4 +1,17 @@
-To be addressed before 7.18.0 (planned release: January 2008)
+To be addressed before 7.18.2 (planned release: June 2008)
 =============================

-118 - 
+128 - Phil Blundell's ares and ipv6 fix (feedback lacking)
+
+129 - Pierre Reiss' libcurl + https + multi = lost information (awaiting
+     better example/clarification on how to figure out when the claimed
+     problem occurs)
+
+130 - Vincent Le Normand's SFTP patch for touch
+
+131 - Scott Barrett's Support for CURLOPT_NOBODY with SFTP
+
+132 - Xponaut's CURLFORM_STREAM option to curl_formadd()
+
+133 - 
+
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -2491,3 +2491,106 @@ AC_DEFUN([CURL_CHECK_NATIVE_WINDOWS], [
  esac
 ])

+
+dnl CURL_CHECK_CA_BUNDLE
+dnl -------------------------------------------------
+dnl Check if a default ca-bundle should be used
+dnl
+dnl regarding the paths this will scan:
+dnl /etc/ssl/certs/ca-certificates.crt Debian systems
+dnl /etc/pki/tls/certs/ca-bundle.crt Redhat and Mandriva
+dnl /usr/share/ssl/certs/ca-bundle.crt old(er) Redhat
+dnl /etc/ssl/certs/ (ca path) SUSE
+
+AC_DEFUN([CURL_CHECK_CA_BUNDLE], [
+
+  AC_MSG_CHECKING([default CA cert bundle/path])
+
+  AC_ARG_WITH(ca-bundle,
+AC_HELP_STRING([--with-ca-bundle=FILE], [File name to use as CA bundle])
+AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),
+  [
+    want_ca="$withval"
+    if test "x$want_ca" = "xyes"; then
+      AC_MSG_ERROR([--with-ca-bundle=FILE requires a path to the CA bundle])
+    fi
+  ],
+  [ want_ca="unset" ])
+  AC_ARG_WITH(ca-path,
+AC_HELP_STRING([--with-ca-path=DIRECTORY], [Directory to use as CA path])
+AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
+  [
+    want_capath="$withval"
+    if test "x$want_capath" = "xyes"; then
+      AC_MSG_ERROR([--with-ca-path=DIRECTORY requires a path to the CA path directory])
+    fi
+  ],
+  [ want_capath="unset"])
+
+  if test "x$want_ca" != "xno" -a "x$want_ca" != "xunset" -a \
+          "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
+    dnl both given
+    AC_MSG_ERROR([Can't specify both --with-ca-bundle and --with-ca-path.])
+  elif test "x$want_ca" != "xno" -a "x$want_ca" != "xunset"; then
+    dnl --with-ca-bundle given
+    ca="$want_ca"
+    capath="no"
+  elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
+    dnl --with-ca-path given
+    if test "x$OPENSSL_ENABLED" != "x1"; then
+      AC_MSG_ERROR([--with-ca-path only works with openSSL])
+    fi
+    capath="$want_capath"
+    ca="no"
+  else
+    dnl neither of --with-ca-* given
+    dnl first try autodetecting a CA bundle , then a CA path
+    dnl both autodetections can be skipped by --without-ca-*
+    ca="no"
+    capath="no"
+    if test "x$want_ca" = "xunset"; then
+      dnl the path we previously would have installed the curl ca bundle
+      dnl to, and thus we now check for an already existing cert in that place
+      dnl in case we find no other
+      if test "x$prefix" != xNONE; then
+        cac="${prefix}/share/curl/curl-ca-bundle.crt"
+      else
+        cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt"
+      fi
+
+      for a in /etc/ssl/certs/ca-certificates.crt \
+               /etc/pki/tls/certs/ca-bundle.crt \
+               /usr/share/ssl/certs/ca-bundle.crt \
+               "$cac"; do
+        if test -f "$a"; then
+          ca="$a"
+          break
+        fi
+      done
+    fi
+    if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \
+            "x$OPENSSL_ENABLED" = "x1"; then
+      for a in /etc/ssl/certs/; do
+        if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then
+          capath="$a"
+          break
+        fi
+      done
+    fi
+  fi
+        
+    
+
+  if test "x$ca" != "xno"; then
+    CURL_CA_BUNDLE='"'$ca'"'
+    AC_SUBST(CURL_CA_BUNDLE)
+    AC_MSG_RESULT([$ca])
+  elif test "x$capath" != "xno"; then
+    CURL_CA_PATH="\"$capath\""
+    AC_SUBST(CURL_CA_PATH)
+    AC_MSG_RESULT([$capath (capath)])
+  else
+    AC_MSG_RESULT([no])
+  fi
+])
+
--- a/ares/Makefile.am
+++ b/ares/Makefile.am
@@ -18,8 +18,9 @@ noinst_PROGRAMS =$(PROGS)

 # adig and ahost are just sample programs and thus not mentioned with the
 # regular sources and headers
-EXTRA_DIST = CHANGES README.cares Makefile.inc adig.c ahost.c $(man_MANS) \
- $(MSVCFILES) AUTHORS config-win32.h RELEASE-NOTES libcares.pc.in
+EXTRA_DIST = AUTHORS CHANGES README.cares Makefile.inc Makefile.dj \
+ Makefile.m32 Makefile.netware Makefile.vc6 adig.c ahost.c $(man_MANS) \
+ $(MSVCFILES) config-win32.h RELEASE-NOTES libcares.pc.in

 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcares.pc
--- a/ares/Makefile.netware
+++ b/ares/Makefile.netware
@@ -14,7 +14,7 @@ NDKBASE	= c:/novell
 endif

 ifndef INSTDIR
-INSTDIR	= ../curl-$(LIBCURL_VERSION_STR)-bin-nw
+INSTDIR	= ../ares-$(LIBCARES_VERSION_STR)-bin-nw
 endif

 # Edit the vars below to change NLM target settings.
@@ -63,14 +63,15 @@ else
 	CC = gcc
 endif
 # a native win32 awk can be downloaded from here:
-# http://www.gknw.net/development/prgtools/awk-20050424.zip
+# http://www.gknw.net/development/prgtools/awk-20070501.zip
 AWK	= awk
 YACC	= bison -y
 CP	= cp -afv
+MKDIR	= mkdir
 # RM	= rm -f
 # if you want to mark the target as MTSAFE you will need a tool for
 # generating the xdc data for the linker; here's a minimal tool:
-# http://www.gknw.com/development/prgtools/mkxdc.zip
+# http://www.gknw.net/development/prgtools/mkxdc.zip
 MPKXDC	= mkxdc

 # Global flags for all compilers
@@ -161,10 +162,6 @@ nlm: prebuild $(TARGETS)

 prebuild: $(OBJDIR) $(OBJDIR)/version.inc config.h arpa/nameser.h

-dist: all
-	-$(RM) $(OBJLIB) $(OBJDIR)/*.map $(OBJDIR)/*.ncv
-	-$(RM) $(OBJDIR)/*.def $(OBJDIR)/*.xdc $(OBJDIR)/version.inc
-
 install: $(INSTDIR) all
 	@$(CP) *.nlm $(INSTDIR)
 	@$(CP) ../CHANGES $(INSTDIR)
@@ -190,11 +187,8 @@ endif
 	@-$(RM) $@
 	@$(LD) $(LDFLAGS) $<

-$(INSTDIR):
-	@mkdir $(INSTDIR)
-
-$(OBJDIR):
-	@mkdir $(OBJDIR)
+$(OBJDIR) $(INSTDIR):
+	@$(MKDIR) $@

 $(OBJDIR)/%.o: %.c
 #	@echo Compiling $<
@@ -202,7 +196,7 @@ $(OBJDIR)/%.o: %.c

 $(OBJDIR)/version.inc: ares_version.h $(OBJDIR)
 	@echo Creating $@
-	@$(AWK) -f ../packages/NetWare/get_ver.awk $< > $@
+	@$(AWK) -f get_ver.awk $< > $@

 $(OBJDIR)/%.xdc: Makefile.netware
 	@echo Creating $@
@@ -269,8 +263,9 @@ ifdef IMPORTS
 	@echo $(DL)import $(IMPORTS)$(DL) >> $@
 endif
 ifeq ($(LD),nlmconv)
-	@echo $(DL)input $(OBJEXE)$(DL) >> $@
 	@echo $(DL)input $(PRELUDE)$(DL) >> $@
+	@echo $(DL)input $(OBJEXE)$(DL) >> $@
+	@echo $(DL)input $(@:.def=.o)$(DL) >> $@
 	@echo $(DL)output $(notdir $(@:.def=.nlm))$(DL) >> $@
 endif

--- a/ares/configure.ac
+++ b/ares/configure.ac
@@ -342,6 +342,9 @@ if test "x$RECENTAIX" = "xyes"; then
         dnl the optimizer assumes that pointers can only point to
         dnl an object of the same type.
         CFLAGS="$CFLAGS -qnoansialias"
+         dnl Force AIX xlc to stop after the compilation phase, and not
+         dnl generate object code, when the source compiles with errors.
+         CFLAGS="$CFLAGS -qhalt=e"
       )
 fi

--- a/ares/get_ver.awk
+++ b/ares/get_ver.awk
@@ -0,0 +1,36 @@
+# ***************************************************************************
+# *  Project: c-ares
+# *
+# * $Id$
+# ***************************************************************************
+# awk script which fetches c-ares version number and string from input
+# file and writes them to STDOUT. Here you can get an awk version for Win32:
+# http://www.gknw.net/development/prgtools/awk-20070501.zip
+#
+BEGIN {
+  if (match (ARGV[1], /ares_version.h/)) {
+    while ((getline < ARGV[1]) > 0) {
+      if (match ($0, /^#define ARES_COPYRIGHT "[^"]+"$/)) {
+        libcares_copyright_str = substr($0, 25, length($0)-25);
+      }
+      else if (match ($0, /^#define ARES_VERSION_STR "[^"]+"$/)) {
+        libcares_ver_str = substr($3, 2, length($3)-2);
+      }
+      else if (match ($0, /^#define ARES_VERSION_MAJOR [0-9]+$/)) {
+        libcares_ver_major = substr($3, 1, length($3));
+      }
+      else if (match ($0, /^#define ARES_VERSION_MINOR [0-9]+$/)) {
+        libcares_ver_minor = substr($3, 1, length($3));
+      }
+      else if (match ($0, /^#define ARES_VERSION_PATCH [0-9]+$/)) {
+        libcares_ver_patch = substr($3, 1, length($3));
+      }
+    }
+    libcares_ver = libcares_ver_major "," libcares_ver_minor "," libcares_ver_patch;
+    print "LIBCARES_VERSION = " libcares_ver "";
+    print "LIBCARES_VERSION_STR = " libcares_ver_str "";
+    print "LIBCARES_COPYRIGHT_STR = " libcares_copyright_str "";
+  }
+}
+
+
--- a/configure.ac
+++ b/configure.ac
@@ -625,6 +625,8 @@ if test x$CURL_DISABLE_LDAP != x1 ; then
      AC_MSG_WARN(["$LDAPLIBNAME" is not an LDAP library: LDAP disabled])
      AC_DEFINE(CURL_DISABLE_LDAP, 1, [to disable LDAP])
      AC_SUBST(CURL_DISABLE_LDAP, [1])])
+      AC_DEFINE(CURL_DISABLE_LDAPS, 1, [to disable LDAPS])
+      AC_SUBST(CURL_DISABLE_LDAPS, [1])
  else
    dnl Try to find the right ldap libraries for this system
    CURL_CHECK_LIBS_LDAP
@@ -633,6 +635,8 @@ if test x$CURL_DISABLE_LDAP != x1 ; then
        AC_MSG_WARN([Cannot find libraries for LDAP support: LDAP disabled])
        AC_DEFINE(CURL_DISABLE_LDAP, 1, [to disable LDAP])
        AC_SUBST(CURL_DISABLE_LDAP, [1])
+        AC_DEFINE(CURL_DISABLE_LDAPS, 1, [to disable LDAPS])
+        AC_SUBST(CURL_DISABLE_LDAPS, [1])
        ;;
    esac
  fi
@@ -648,6 +652,8 @@ if test x$CURL_DISABLE_LDAP != x1 ; then
        AC_MSG_WARN(["$LBERLIBNAME" is not an LBER library: LDAP disabled])
        AC_DEFINE(CURL_DISABLE_LDAP, 1, [to disable LDAP])
        AC_SUBST(CURL_DISABLE_LDAP, [1])])
+        AC_DEFINE(CURL_DISABLE_LDAPS, 1, [to disable LDAPS])
+        AC_SUBST(CURL_DISABLE_LDAPS, [1])
    fi
  fi
 fi
@@ -977,18 +983,18 @@ if test x"$want_gss" = xyes; then
      gnu_gss=yes
    ],
    [
-      dnl not found, check Heimdal
-      AC_CHECK_HEADER(gssapi.h,
+      dnl not found, check MIT
+      AC_CHECK_HEADER(gssapi/gssapi.h,
        [
          dnl found in the given dirs
-          AC_DEFINE(HAVE_GSSHEIMDAL, 1, [if you have the Heimdal gssapi libraries])
+          AC_DEFINE(HAVE_GSSMIT, 1, [if you have the MIT gssapi libraries])
        ],
        [
-          dnl not found, check in gssapi/ subdir
-          AC_CHECK_HEADER(gssapi/gssapi.h,
+          dnl not found, check for Heimdal
+          AC_CHECK_HEADER(gssapi.h,
            [
              dnl found
-              AC_DEFINE(HAVE_GSSMIT, 1, [if you have the MIT gssapi libraries])
+              AC_DEFINE(HAVE_GSSHEIMDAL, 1, [if you have the Heimdal gssapi libraries])
            ],
            [
              dnl no header found, disabling GSS
@@ -1010,18 +1016,23 @@ if test x"$want_gss" = xyes; then

  if test -n "$gnu_gss"; then
    curl_gss_msg="enabled (GNU GSS)"
-    LDFLAGS="$LDFLAGS $GSSAPI_LIB_DIR -lgss"
+    LDFLAGS="$LDFLAGS $GSSAPI_LIB_DIR"
+    LIBS="$LIBS -lgss"
  elif test -z "$GSSAPI_LIB_DIR"; then
     if test -f "$GSSAPI_ROOT/bin/krb5-config"; then
-        gss_ldflags=`$GSSAPI_ROOT/bin/krb5-config --libs gssapi`
-        LDFLAGS="$LDFLAGS $gss_ldflags"
+        dnl krb5-config doesn't have --libs-only-L or similar, put everything
+        dnl into LIBS
+        gss_libs=`$GSSAPI_ROOT/bin/krb5-config --libs gssapi`
+        LIBS="$LIBS $gss_libs"
     elif test "$GSSAPI_ROOT" != "yes"; then
-        LDFLAGS="$LDFLAGS -L$GSSAPI_ROOT/lib$libsuff -lgssapi"
+        LDFLAGS="$LDFLAGS -L$GSSAPI_ROOT/lib$libsuff"
+        LIBS="$LIBS -lgssapi"
     else
-        LDFLAGS="$LDFLAGS -lgssapi"
+        LIBS="$LIBS -lgssapi"
     fi
  else
-     LDFLAGS="$LDFLAGS $GSSAPI_LIB_DIR -lgssapi"
+     LDFLAGS="$LDFLAGS $GSSAPI_LIB_DIR"
+     LIBS="$LIBS -lgssapi"
  fi
 else
  CPPFLAGS="$save_CPPFLAGS"
@@ -1369,7 +1380,7 @@ if test X"$OPT_LIBSSH2" != Xno; then
  yes)
    dnl --with-libssh2 (without path) used
    PREFIX_LIBSSH2=/usr/local/lib
-    LIB_LIBSSH2="$PREFIX_LIBSSH2/lib$libsuff"
+    LIB_LIBSSH2="$PREFIX_LIBSSH2$libsuff"
    ;;
  off)
    dnl no --with-libssh2 option given, just check default places
@@ -1610,30 +1621,10 @@ dnl **********************************************************************
 dnl Check for the CA bundle
 dnl **********************************************************************

-if test X"$SSL_ENABLED" != "X"; then
-
-  AC_MSG_CHECKING([CA cert bundle install path])
-
-  AC_ARG_WITH(ca-bundle,
-AC_HELP_STRING([--with-ca-bundle=FILE], [File name to install the CA bundle as])
-AC_HELP_STRING([--without-ca-bundle], [Don't install the CA bundle]),
-    [ ca="$withval" ],
-    [
-      if test "x$prefix" != xNONE; then
-        ca="\${prefix}/share/curl/curl-ca-bundle.crt"
-      else
-        ca="$ac_default_prefix/share/curl/curl-ca-bundle.crt"
-      fi
-    ] )
-
-    if test "x$ca" != "xno"; then
-      CURL_CA_BUNDLE='"'$ca'"'
-      AC_SUBST(CURL_CA_BUNDLE)
-    fi
-    AC_MSG_RESULT([$ca])
-fi dnl only done if some kind of SSL was enabled
+CURL_CHECK_CA_BUNDLE

 AM_CONDITIONAL(CABUNDLE, test x$ca != xno)
+AM_CONDITIONAL(CAPATH, test x$capath != xno)

 dnl **********************************************************************
 dnl Check for the presence of IDN libraries and headers
@@ -1771,6 +1762,9 @@ if test "x$RECENTAIX" = "xyes"; then
         dnl the optimizer assumes that pointers can only point to
         dnl an object of the same type.
         CFLAGS="$CFLAGS -qnoansialias"
+         dnl Force AIX xlc to stop after the compilation phase, and not
+         dnl generate object code, when the source compiles with errors.
+         CFLAGS="$CFLAGS -qhalt=e"
       )


@@ -2002,6 +1996,7 @@ AC_CHECK_FUNCS( strtoll \
                strlcat \
                getpwuid \
                geteuid \
+                getppid \
                utime \
                sigsetjmp \
                basename \
@@ -2500,7 +2495,8 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
  Built-in manual: ${curl_manual_msg}
  Verbose errors:  ${curl_verbose_msg}
  SSPI support:    ${curl_sspi_msg}
-  ca cert path:    ${ca}
+  ca cert bundle:  ${ca}
+  ca cert path:    ${capath}
  LDAP support:    ${curl_ldap_msg}
  LDAPS support:   ${curl_ldaps_msg}
 ])
--- a/docs/FAQ
+++ b/docs/FAQ
@@ -1,4 +1,4 @@
-Updated: Dec 10, 2007 (http://curl.haxx.se/docs/faq.html)
+Updated: Feb 18, 2008 (http://curl.haxx.se/docs/faq.html)
                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
@@ -18,6 +18,7 @@ FAQ
  1.8 I have a problem who do I mail?
  1.9 Where do I buy commercial support for curl?
  1.10 How many are using curl?
+  1.11 Why don't you update ca-bundle.crt

 2. Install Related Problems
  2.1 configure doesn't find OpenSSL even when it is installed
@@ -296,7 +297,7 @@ FAQ
  as used by numerous applications that include libcurl binaries in their
  distribution packages (like Adobe Acrobat Reader and Google Earth).

-  More than 70 known named companies use curl in commercial environments and
+  More than 80 known named companies use curl in commercial environments and
  products. More than 100 known named open source projects depend on
  (lib)curl.

@@ -317,6 +318,29 @@ FAQ
  http://counter.li.org/estimates.php
  http://news.netcraft.com/archives/2005/03/14/fedora_makes_rapid_progress.html

+  1.11 Why don't you update ca-bundle.crt
+
+  The ca-bundle.crt file that used to be bundled with curl was very outdated
+  (it being last modified year 2000 should tell) and must be replaced with a
+  much more modern and up-to-date version by anyone who wants to verify peers
+  anyway. It is no longer provided, the last curl release that shipped it was
+  curl 7.18.0.
+
+  In the cURL project we've decided not to attempt to keep this file updated
+  (or even present anymore) since deciding what to add to a ca cert bundle is
+  an undertaking we've not been ready to accept, and the one we can get from
+  Mozilla is perfectly fine so there's no need to duplicate that work.
+
+  Today, with many services performed over HTTPS, every operating system
+  should come with a default ca cert bundle that can be deemed somewhat
+  trustworthy and that collection (if reasonably updated) should be deemed to
+  be a lot better than a private curl version.
+
+  If you want the most recent collection of ca certs that Mozilla Firefox
+  uses, we recommend that you extract the collection yourself from Mozilla
+  Firefox (by running 'make ca-bundle), or by using our online service setup
+  for this purpose: http://curl.haxx.se/docs/caextract.html
+

 2. Install Related Problems

--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@@ -8,13 +8,6 @@ may have been fixed since this was written!
  SSL-negoatiated:
  http://curl.haxx.se/mail/lib-2008-01/0277.html

-51.Kevin Reed's reported problem with a proxy when doing CONNECT and it
-  wants NTLM and close the connection to the initial CONNECT response:
-  http://curl.haxx.se/bug/view.cgi?id=1879375
-
-50. Curl_done() and pipelning aren't totally cool together:
-  http://curl.haxx.se/mail/lib-2008-01/0330.html
-
 49. If using --retry and the transfer timeouts (possibly due to using -m or
  -y/-Y) the next attempt doesn't resume the transfer properly from what was
  downloaded in the previous attempt but will truncate and restart at the
--- a/docs/SSLCERTS
+++ b/docs/SSLCERTS
@@ -1,21 +1,25 @@
                      Peer SSL Certificate Verification
                      =================================

-libcurl performs peer SSL certificate verification by default. This is done by
-installing a default CA cert bundle on 'make install' (or similar), that CA
-bundle package is used by default on operations against SSL servers.
+libcurl performs peer SSL certificate verification by default.  This is done
+by using CA cert bundle that the SSL library can use to make sure the peer's
+server certificate is valid.

 If you communicate with HTTPS or FTPS servers using certificates that are
 signed by CAs present in the bundle, you can be sure that the remote server
 really is the one it claims to be.

-If the remote server uses a self-signed certificate, if you don't install
-curl's CA cert bundle, if the server uses a certificate signed by a CA that
-isn't included in the bundle or if the remote host is an impostor
+Until 7.18.0, curl bundled a severely outdated ca bundle file that was
+installed by default. These days, the curl archives include no ca certs at
+all. You need to get them elsewhere. See below for example.
+
+If the remote server uses a self-signed certificate, if you don't install a CA
+cert bundle, if the server uses a certificate signed by a CA that isn't
+included in the bundle you use or if the remote host is an impostor
 impersonating your favorite site, and you want to transfer files from this
 server, do one of the following:

- 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with
+ 1. Tell libcurl to *not* verify the peer. With libcurl you disable this with
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);

    With the curl command line tool, you disable this with -k/--insecure.
@@ -27,10 +31,8 @@ server, do one of the following:
    With the curl command line tool: --cacert [file]

 3. Add the CA cert for your server to the existing default CA cert bundle.
-    The default path of the CA bundle installed with the curl package is:
-    /usr/local/share/curl/curl-ca-bundle.crt, which can be changed by running
-    configure with the --with-ca-bundle option pointing out the path of your
-    choice.
+    The default path of the CA bundle used can be changed by running configure
+    with the --with-ca-bundle option pointing out the path of your choice.

    To do this, you need to get the CA cert for your server in PEM format and
    then append that to your CA cert bundle.
@@ -48,8 +50,6 @@ server, do one of the following:
     o Append the 'outcert.pem' to the CA cert bundle or use it stand-alone
       as described below.

-     (Thanks to Frankie V for this description)
-
    If you use the 'openssl' tool, this is one way to get extract the CA cert
    for a particular server:

@@ -64,8 +64,6 @@ server, do one of the following:
       cert_bundle or use it stand-alone as described. Just remember that the
       security is no better than the way you obtained the certificate.

-     (Thanks to Doug Kaufman for this description)
-
 4. If you're using the curl command line tool, you can specify your own CA
    cert path by setting the environment variable CURL_CA_BUNDLE to the path
    of your choice.
@@ -80,8 +78,9 @@ server, do one of the following:
      5. all directories along %PATH%

 5. Get a better/different/newer CA cert bundle! One option is to extract the
-    one a recent Mozilla browser uses, by following the instruction found
-    here:
+    one a recent Mozilla browser uses by running 'make ca-bundle' in the curl
+    build tree root, or possibly download a version that was generated this
+    way for you:

        http://curl.haxx.se/docs/caextract.html

--- a/docs/THANKS
+++ b/docs/THANKS
@@ -12,6 +12,7 @@ Albert Chin-A-Young
 Albert Choy
 Ale Vesely
 Aleksandar Milivojevic
+Alessandro Vesely
 Alex Fishman
 Alex Neblett
 Alex Suykov
@@ -38,6 +39,7 @@ Andrew Biggs
 Andrew Bushnell
 Andrew Francis
 Andrew Fuller
+Andrew Moise
 Andrew Wansink
 Andr<EFBFBD>s Garc<72>a
 Andy Cedilnik
@@ -105,6 +107,7 @@ Dan Torop
 Dan Zitter
 Daniel Black
 Daniel Cater
+Daniel Egger
 Daniel Johnson
 Daniel Stenberg
 Daniel at touchtunes
@@ -130,6 +133,7 @@ David Phillips
 David Shaw
 David Tarendash
 David Thiel
+David Wright
 David Yan
 Detlef Schmier
 Diego Casorran
@@ -140,6 +144,7 @@ Dirk Eddelbuettel
 Dirk Manske
 Dmitriy Sergeyev
 Dmitry Bartsevich
+Dmitry Kurochkin
 Dmitry Rechkin
 Dolbneff A.V
 Domenico Andreoli
@@ -157,10 +162,12 @@ Dylan Salisbury
 Early Ehlinger
 Edin Kadribasic
 Ellis Pritchard
+Emil Romanus
 Emiliano Ida
 Enrico Scholz
 Enrik Berkhan
 Eric Cooper
+Eric Landes
 Eric Lavigne
 Eric Melville
 Eric Rautman
@@ -185,11 +192,13 @@ Frank Ticheler
 Fred New
 Fred Noz
 Frederic Lepied
+Gary Maxwell
 Gautam Mani
 Gavrie Philipson
 Gaz Iqbal
 Georg Horn
 Georg Huettenegger
+Georg Lippitsch
 Georg Wicherski
 Gerd v. Egidy
 Gerhard Herre
@@ -198,6 +207,7 @@ Giancarlo Formicuccia
 Giaslas Georgios
 Gilad
 Gilbert Ramirez Jr.
+Gilles Blanc
 Gisle Vanem
 Giuseppe Attardi
 Giuseppe D'Ambrosio
@@ -228,6 +238,7 @@ Ian Gulliver
 Ian Turner
 Ian Wilkes
 Ignacio Vazquez-Abrams
+Igor Franchuk
 Igor Polyakov
 Ilguiz Latypov
 Ilja van Sprundel
@@ -259,6 +270,7 @@ Jean-Claude Chauve
 Jean-Louis Lemaire
 Jean-Marc Ranger
 Jean-Philippe Barrette-LaPierre
+Jeff Johnson
 Jeff Lawson
 Jeff Phillips
 Jeff Pohlmeyer
@@ -268,6 +280,7 @@ Jesper Jensen
 Jesse Noller
 Jim Drash
 Joe Halpin
+Joe Malicki
 Joel Chen
 Jofell Gallardo
 Johan Anderson
@@ -289,6 +302,7 @@ Jose Kahan
 Josh Kapell
 Juan F. Codagnone
 Juan Ignacio Herv<72>s
+Judson Bishop
 Juergen Wilke
 Jukka Pihl
 Julian Noble
@@ -311,6 +325,7 @@ Ken Rastatter
 Kent Boortz
 Kevin Fisk
 Kevin Lussier
+Kevin Reed
 Kevin Roth
 Kim Rinnewitz
 Kimmo Kinnunen
@@ -329,6 +344,7 @@ Lars Gustafsson
 Lars J. Aas
 Lars Nilsson
 Lars Torben Wilson
+Lau Hang Kin
 Legoff Vincent
 Lehel Bernadt
 Len Krause
@@ -366,6 +382,7 @@ Martin Skinner
 Marty Kuhrt
 Maruko
 Massimiliano Ziccardi
+Mateusz Loskot
 Mathias Axelsson
 Mats Lidell
 Matt Kraai
@@ -375,6 +392,7 @@ Matthew Blain
 Matthew Clarke
 Maurice Barnum
 Max Katsev
+Maxim Perenesenko
 Mekonikum
 Mettgut Jamalla
 Michael Benedict
@@ -396,6 +414,7 @@ Mitz Wark
 Mohamed Lrhazi
 Mohun Biswas
 Moonesamy
+Nathan Coulter
 Nathan O'Sullivan
 Nathanael Nerode
 Naveen Noel
@@ -411,6 +430,7 @@ Nicolas Croiset
 Nicolas Fran<61>ois
 Niels van Tongeren
 Nikita Schmidt
+Nikitinskit Dmitriy
 Nir Soffer
 Nis Jorgensen
 Nodak Sodak
@@ -461,6 +481,7 @@ Ralph Mitchell
 Ramana Mokkapati
 Randy McMurchy
 Ravi Pratap
+Ray Pekowski
 Reinout van Schouwen
 Renaud Chaillat
 Renaud Duhaut
@@ -487,6 +508,7 @@ Robert Foreman
 Robert Iakobashvili
 Robert Olson
 Robert Weaver
+Robin Johnson
 Robin Kay
 Robson Braga Araujo
 Rodney Simmons
@@ -522,6 +544,7 @@ Simon Josefsson
 Simon Liu
 Song Ma
 Sonia Subramanian
+Spacen Jasset
 Spiridonoff A.V
 Stadler Stephan
 Stefan Esser
@@ -579,6 +602,7 @@ Ulf H
 Ulrich Zadow
 Venkat Akella
 Victor Snezhko
+Vikram Saxena
 Vilmos Nebehaj
 Vincent Bronner
 Vincent Penquerc'h
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -361,9 +361,10 @@ DER and ENG are recognized types.  If not specified, PEM is assumed.

 If this option is used several times, the last one will be used.
 .IP "--cacert <CA certificate>"
-(SSL) Tells curl to use the specified certificate file to verify the
-peer. The file may contain multiple CA certificates. The certificate(s) must
-be in PEM format.
+(SSL) Tells curl to use the specified certificate file to verify the peer. The
+file may contain multiple CA certificates. The certificate(s) must be in PEM
+format. Normally curl is built to use a default file for this, so this option
+is typically used to alter that default file.

 curl recognizes the environment variable named 'CURL_CA_BUNDLE' if that is
 set, and uses the given path as a path to a CA cert bundle. This option
@@ -408,9 +409,10 @@ has been provided, this data is sent off using the ACCT command. (Added in

 If this option is used twice, the second will override the previous use.
 .IP "--ftp-create-dirs"
-(FTP) When an FTP or SFTP URL/operation uses a path that doesn't currently exist on
-the server, the standard behavior of curl is to fail. Using this option, curl
-will instead attempt to create missing directories.
+(FTP/SFTP) When an FTP or SFTP URL/operation uses a path that doesn't
+currently exist on the server, the standard behavior of curl is to
+fail. Using this option, curl will instead attempt to create missing
+directories.

 If this option is used twice, the second will again disable directory creation.
 .IP "--ftp-method [method]"
--- a/docs/examples/10-at-a-time.c
+++ b/docs/examples/10-at-a-time.c
@@ -77,7 +77,7 @@ static const char *urls[] = {
 #define MAX 10 /* number of simultaneous transfers */
 #define CNT sizeof(urls)/sizeof(char*) /* total number of transfers to do */

-static int cb(char *d, size_t n, size_t l, void *p)
+static size_t cb(char *d, size_t n, size_t l, void *p)
 {
  /* take care of the data here, ignored in this example */
  (void)d;
--- a/docs/examples/Makefile.am
+++ b/docs/examples/Makefile.am
@@ -4,7 +4,8 @@

 AUTOMAKE_OPTIONS = foreign nostdinc

-EXTRA_DIST = README Makefile.example makefile.dj $(COMPLICATED_EXAMPLES)
+EXTRA_DIST = README Makefile.example Makefile.inc Makefile.m32 \
+	makefile.dj $(COMPLICATED_EXAMPLES)

 INCLUDES = -I$(top_srcdir)/include

@@ -20,18 +21,7 @@ CPPFLAGS = -DCURL_NO_OLDIES $(STATICCPPFLAGS)
 # Dependencies
 LDADD = $(LIBDIR)/libcurl.la

-# These are all libcurl example programs to be test compiled
-noinst_PROGRAMS = 10-at-a-time anyauthput cookie_interface \
-  debug fileupload fopen ftpget ftpgetresp ftpupload \
-  getinfo getinmemory http-post httpput \
-  https multi-app multi-debugcallback multi-double \
-  multi-post multi-single persistant post-callback \
-  postit2 sepheaders simple simplepost simplessl
+# Makefile.inc provides the noinst_PROGRAMS and COMPLICATED_EXAMPLES defines
+include Makefile.inc

-# These examples require external dependencies that may not be commonly
-# available on POSIX systems, so don't bother attempting to compile them here.
-COMPLICATED_EXAMPLES = \
- curlgtk.c curlx.c htmltitle.cc cacertinmem.c ftpuploadresume.c \
- ghiper.c hiperfifo.c htmltidy.c multithread.c \
- opensslthreadlock.c sampleconv.c synctime.c

--- a/docs/examples/Makefile.inc
+++ b/docs/examples/Makefile.inc
@@ -0,0 +1,16 @@
+# These are all libcurl example programs to be test compiled
+noinst_PROGRAMS = 10-at-a-time anyauthput cookie_interface \
+  debug fileupload fopen ftpget ftpgetresp ftpupload \
+  getinfo getinmemory http-post httpput \
+  https multi-app multi-debugcallback multi-double \
+  multi-post multi-single persistant post-callback \
+  postit2 sepheaders simple simplepost simplessl
+
+# These examples require external dependencies that may not be commonly
+# available on POSIX systems, so don't bother attempting to compile them here.
+COMPLICATED_EXAMPLES = \
+ curlgtk.c curlx.c htmltitle.cc cacertinmem.c ftpuploadresume.c \
+ ghiper.c hiperfifo.c htmltidy.c multithread.c \
+ opensslthreadlock.c sampleconv.c synctime.c threaded-ssl.c
+
+
--- a/docs/examples/Makefile.m32
+++ b/docs/examples/Makefile.m32
@@ -0,0 +1,135 @@
+#########################################################################
+# $Id$
+#
+## Makefile for building curl examples with MingW32
+## and optionally OpenSSL (0.9.8), libssh2 (0.18), zlib (1.2.3)
+##
+## Usage:
+## mingw32-make -f Makefile.m32 [SSL=1] [SSH2=1] [ZLIB=1] [SSPI=1] [IPV6=1] [DYN=1]
+##
+## Hint: you can also set environment vars to control the build, f.e.:
+## set ZLIB_PATH=c:/zlib-1.2.3
+## set ZLIB=1
+##
+#########################################################################
+
+# Edit the path below to point to the base of your Zlib sources.
+ifndef ZLIB_PATH
+ZLIB_PATH = ../../zlib-1.2.3
+endif
+# Edit the path below to point to the base of your OpenSSL package.
+ifndef OPENSSL_PATH
+OPENSSL_PATH = ../../openssl-0.9.8g
+endif
+# Edit the path below to point to the base of your LibSSH2 package.
+ifndef LIBSSH2_PATH
+LIBSSH2_PATH = ../../libssh2-0.18
+endif
+# Edit the path below to point to the base of your Novell LDAP NDK.
+ifndef LDAP_SDK
+LDAP_SDK = c:/novell/ndk/cldapsdk/win32
+endif
+
+PROOT = ../..
+ARES_LIB = $(PROOT)/ares
+
+SSL = 1
+ZLIB = 1
+
+CC = gcc
+CFLAGS = -g -O2 -Wall
+# comment LDFLAGS below to keep debug info
+LDFLAGS = -s
+RC = windres
+RCFLAGS = --include-dir=$(PROOT)/include -O COFF -i
+RM = del /q /f > NUL 2>&1
+CP = copy
+
+########################################################
+## Nothing more to do below this line!
+
+INCLUDES = -I. -I$(PROOT) -I$(PROOT)/include -I$(PROOT)/lib
+LINK = $(CC) $(LDFLAGS) -o $@
+
+curl_PROGRAMS = curl.exe
+ifdef DYN
+  curl_DEPENDENCIES = $(PROOT)/lib/libcurldll.a $(PROOT)/lib/libcurl.dll
+  curl_LDADD = -L$(PROOT)/lib -lcurldll
+else
+  curl_DEPENDENCIES = $(PROOT)/lib/libcurl.a
+  curl_LDADD = -L$(PROOT)/lib -lcurl
+  CFLAGS += -DCURL_STATICLIB
+endif
+ifdef ARES
+  ifndef DYN
+    curl_DEPENDENCIES += $(ARES_LIB)/libcares.a
+  endif
+  CFLAGS += -DUSE_ARES
+  curl_LDADD += -L$(ARES_LIB) -lcares
+endif
+ifdef SSH2
+  CFLAGS += -DUSE_LIBSSH2 -DHAVE_LIBSSH2_H
+  curl_LDADD += -L$(LIBSSH2_PATH)/win32 -lssh2
+endif
+ifdef SSL
+  INCLUDES += -I"$(OPENSSL_PATH)/outinc"
+  CFLAGS += -DUSE_SSLEAY -DHAVE_OPENSSL_ENGINE_H
+  ifdef DYN
+    curl_LDADD += -L$(OPENSSL_PATH)/out -leay32 -lssl32
+  else
+    curl_LDADD += -L$(OPENSSL_PATH)/out -lssl -lcrypto -lgdi32
+  endif
+endif
+ifdef ZLIB
+  INCLUDES += -I"$(ZLIB_PATH)"
+  CFLAGS += -DHAVE_LIBZ -DHAVE_ZLIB_H
+  curl_LDADD += -L$(ZLIB_PATH) -lz
+endif
+ifdef SSPI
+  CFLAGS += -DUSE_WINDOWS_SSPI
+endif
+ifdef IPV6
+  CFLAGS += -DENABLE_IPV6
+endif
+ifdef LDAPS
+  CFLAGS += -DHAVE_LDAP_SSL
+endif
+ifdef USE_LDAP_NOVELL
+  CFLAGS += -DCURL_HAS_NOVELL_LDAPSDK
+  curl_LDADD += -L"$(LDAP_SDK)/lib/mscvc" -lldapsdk -lldapssl -lldapx
+endif
+ifdef USE_LDAP_OPENLDAP
+  CFLAGS += -DCURL_HAS_OPENLDAP_LDAPSDK
+  curl_LDADD += -L"$(LDAP_SDK)/lib" -lldap -llber
+endif
+ifndef USE_LDAP_NOVELL
+ifndef USE_LDAP_OPENLDAP
+curl_LDADD += -lwldap32
+endif
+endif
+curl_LDADD += -lws2_32 -lwinmm
+COMPILE = $(CC) $(INCLUDES) $(CFLAGS)
+
+# Makefile.inc provides the noinst_PROGRAMS and COMPLICATED_EXAMPLES defines
+include Makefile.inc
+
+example_PROGRAMS := $(patsubst %,%.exe,$(strip $(noinst_PROGRAMS)))
+
+.SUFFIXES: .rc .res .o .exe
+
+
+all: $(example_PROGRAMS)
+
+.o.exe: $(curl_DEPENDENCIES)
+	$(LINK) $< $(curl_LDADD)
+
+.c.o:
+	$(COMPILE) -c $<
+
+.rc.res:
+	$(RC) $(RCFLAGS) $< -o $@
+
+clean:
+	$(RM) $(example_PROGRAMS)
+
+
--- a/docs/examples/anyauthput.c
+++ b/docs/examples/anyauthput.c
@@ -37,7 +37,7 @@
 /* ioctl callback function */
 static curlioerr my_ioctl(CURL *handle, curliocmd cmd, void *userp)
 {
-  int fd = (int)userp;
+  intptr_t fd = (intptr_t)userp;

  (void)handle; /* not used in here */

@@ -61,7 +61,7 @@ static size_t read_callback(void *ptr, size_t size, size_t nmemb, void *stream)
 {
  size_t retcode;

-  int fd = (int)stream;
+  intptr_t fd = (intptr_t)stream;

  retcode = read(fd, ptr, size * nmemb);

@@ -74,7 +74,7 @@ int main(int argc, char **argv)
 {
  CURL *curl;
  CURLcode res;
-  int hd ;
+  intptr_t hd ;
  struct stat file_info;

  char *file;
@@ -100,13 +100,13 @@ int main(int argc, char **argv)
    curl_easy_setopt(curl, CURLOPT_READFUNCTION, read_callback);

    /* which file to upload */
-    curl_easy_setopt(curl, CURLOPT_READDATA, hd);
+    curl_easy_setopt(curl, CURLOPT_READDATA, (void*)hd);

    /* set the ioctl function */
    curl_easy_setopt(curl, CURLOPT_IOCTLFUNCTION, my_ioctl);

    /* pass the file descriptor to the ioctl callback as well */
-    curl_easy_setopt(curl, CURLOPT_IOCTLDATA, hd);
+    curl_easy_setopt(curl, CURLOPT_IOCTLDATA, (void*)hd);

    /* enable "uploading" (which means PUT when doing HTTP) */
    curl_easy_setopt(curl, CURLOPT_UPLOAD, TRUE) ;
--- a/docs/examples/debug.c
+++ b/docs/examples/debug.c
@@ -65,7 +65,7 @@ void dump(const char *text,

 static
 int my_trace(CURL *handle, curl_infotype type,
-             unsigned char *data, size_t size,
+             char *data, size_t size,
             void *userp)
 {
  struct data *config = (struct data *)userp;
@@ -98,7 +98,7 @@ int my_trace(CURL *handle, curl_infotype type,
    break;
  }

-  dump(text, stderr, data, size, config->trace_ascii);
+  dump(text, stderr, (unsigned char *)data, size, config->trace_ascii);
  return 0;
 }

--- a/docs/examples/ftpget.c
+++ b/docs/examples/ftpget.c
@@ -26,7 +26,7 @@ struct FtpFile {
  FILE *stream;
 };

-static int my_fwrite(void *buffer, size_t size, size_t nmemb, void *stream)
+static size_t my_fwrite(void *buffer, size_t size, size_t nmemb, void *stream)
 {
  struct FtpFile *out=(struct FtpFile *)stream;
  if(out && !out->stream) {
--- a/docs/examples/ftpupload.c
+++ b/docs/examples/ftpupload.c
@@ -14,7 +14,12 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <errno.h>
+#ifdef WIN32
+#include <io.h>
+#else
 #include <unistd.h>
+#endif

 /*
 * This example shows an FTP upload, with a rename of the file just after
@@ -28,12 +33,26 @@
 #define REMOTE_URL      "ftp://localhost/"  UPLOAD_FILE_AS
 #define RENAME_FILE_TO  "renamed-and-fine.txt"

+/* NOTE: if you want this example to work on Windows with libcurl as a
+   DLL, you MUST also provide a read callback with CURLOPT_READFUNCTION.
+   Failing to do so will give you a crash since a DLL may not use the
+   variable's memory when passed in to it from an app like this. */
+static size_t read_callback(void *ptr, size_t size, size_t nmemb, void *stream)
+{
+  /* in real-world cases, this would probably get this data differently
+     as this fread() stuff is exactly what the library already would do
+     by default internally */
+  size_t retcode = fread(ptr, size, nmemb, stream);
+
+  fprintf(stderr, "*** We read %d bytes from file\n", retcode);
+  return retcode;
+}
+
 int main(int argc, char **argv)
 {
  CURL *curl;
  CURLcode res;
-  FILE * hd_src ;
-  int hd ;
+  FILE *hd_src;
  struct stat file_info;

  struct curl_slist *headerlist=NULL;
@@ -41,13 +60,13 @@ int main(int argc, char **argv)
  static const char buf_2 [] = "RNTO " RENAME_FILE_TO;

  /* get the file size of the local file */
-  hd = open(LOCAL_FILE, O_RDONLY) ;
-  fstat(hd, &file_info);
-  close(hd) ;
+  if(stat(LOCAL_FILE, &file_info)) {
+    printf("Couldnt open '%s': %s\n", LOCAL_FILE, strerror(errno));
+    return 1;
+  }
+  printf("Local file size: %ld bytes.\n", file_info.st_size);

-  /* get a FILE * of the same file, could also be made with
-     fdopen() from the previous descriptor, but hey this is just
-     an example! */
+  /* get a FILE * of the same file */
  hd_src = fopen(LOCAL_FILE, "rb");

  /* In windows, this will init the winsock stuff */
@@ -60,6 +79,9 @@ int main(int argc, char **argv)
    headerlist = curl_slist_append(headerlist, buf_1);
    headerlist = curl_slist_append(headerlist, buf_2);

+    /* we want to use our own read function */
+    curl_easy_setopt(curl, CURLOPT_READFUNCTION, read_callback);
+
    /* enable uploading */
    curl_easy_setopt(curl, CURLOPT_UPLOAD, 1) ;

@@ -72,12 +94,6 @@ int main(int argc, char **argv)
    /* now specify which file to upload */
    curl_easy_setopt(curl, CURLOPT_READDATA, hd_src);

-    /* NOTE: if you want this example to work on Windows with libcurl as a
-       DLL, you MUST also provide a read callback with
-       CURLOPT_READFUNCTION. Failing to do so will give you a crash since a
-       DLL may not use the variable's memory when passed in to it from an app
-       like this. */
-
    /* Set the size of the file to upload (optional).  If you give a *_LARGE
       option you MUST make sure that the type of the passed-in argument is a
       curl_off_t. If you use CURLOPT_INFILESIZE (without _LARGE) you must
--- a/docs/examples/multi-debugcallback.c
+++ b/docs/examples/multi-debugcallback.c
@@ -74,7 +74,7 @@ void dump(const char *text,

 static
 int my_trace(CURL *handle, curl_infotype type,
-             unsigned char *data, size_t size,
+             char *data, size_t size,
             void *userp)
 {
  const char *text;
--- a/docs/examples/post-callback.c
+++ b/docs/examples/post-callback.c
@@ -75,7 +75,7 @@ int main(void)
    */
 #ifdef USE_CHUNKED
    {
-      curl_slist *chunk = NULL;
+      struct curl_slist *chunk = NULL;

      chunk = curl_slist_append(chunk, "Transfer-Encoding: chunked");
      res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk);
@@ -98,7 +98,7 @@ int main(void)
    /* A less good option would be to enforce HTTP 1.0, but that might also
       have other implications. */
    {
-      curl_slist *chunk = NULL;
+      struct curl_slist *chunk = NULL;

      chunk = curl_slist_append(chunk, "Expect:");
      res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk);
--- a/docs/examples/threaded-ssl.c
+++ b/docs/examples/threaded-ssl.c
@@ -0,0 +1,145 @@
+/*****************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * $Id$
+ *
+ * A multi-threaded example that uses pthreads and fetches 4 remote files at
+ * once over HTTPS. The lock callbacks and stuff assume OpenSSL or GnuTLS
+ * (libgcrypt) so far.
+ *
+ * OpenSSL docs for this:
+ *   http://www.openssl.org/docs/crypto/threads.html
+ * gcrypt docs for this:
+ *   http://gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html
+ */
+
+#define USE_OPENSSL /* or USE_GNUTLS accordingly */
+
+#include <stdio.h>
+#include <pthread.h>
+#include <curl/curl.h>
+
+/* we have this global to let the callback get easy access to it */
+static pthread_mutex_t *lockarray;
+
+#ifdef USE_OPENSSL
+#include <openssl/crypto.h>
+static void lock_callback(int mode, int type, char *file, int line)
+{
+  (void)file;
+  (void)line;
+  if (mode & CRYPTO_LOCK) {
+    pthread_mutex_lock(&(lockarray[type]));
+  }
+  else {
+    pthread_mutex_unlock(&(lockarray[type]));
+  }
+}
+
+static unsigned long thread_id(void)
+{
+  unsigned long ret;
+
+  ret=(unsigned long)pthread_self();
+  return(ret);
+}
+
+static void init_locks(void)
+{
+  int i;
+
+  lockarray=(pthread_mutex_t *)OPENSSL_malloc(CRYPTO_num_locks() *
+                                            sizeof(pthread_mutex_t));
+  for (i=0; i<CRYPTO_num_locks(); i++) {
+    pthread_mutex_init(&(lockarray[i]),NULL);
+  }
+
+  CRYPTO_set_id_callback((unsigned long (*)())thread_id);
+  CRYPTO_set_locking_callback((void (*)())lock_callback);
+}
+
+static void kill_locks(void)
+{
+  int i;
+
+  CRYPTO_set_locking_callback(NULL);
+  for (i=0; i<CRYPTO_num_locks(); i++)
+    pthread_mutex_destroy(&(lockarray[i]));
+
+  OPENSSL_free(lockarray);
+}
+#endif
+
+#ifdef USE_GNUTLS
+#include <gcrypt.h>
+#include <errno.h>
+
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+
+void init_locks(void)
+{
+  gcry_control(GCRYCTL_SET_THREAD_CBS);
+}
+
+#define kill_locks()
+#endif
+
+/* List of URLs to fetch.*/
+const char *urls[]= {
+  "https://www.sf.net/",
+  "https://www.openssl.org/",
+  "https://www.sf.net/",
+  "https://www.openssl.org/",
+};
+
+static void *pull_one_url(void *url)
+{
+  CURL *curl;
+
+  curl = curl_easy_init();
+  curl_easy_setopt(curl, CURLOPT_URL, url);
+  /* this example doesn't verify the server's certificate, which means we
+     might be downloading stuff from an impostor */
+  curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+  curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+  curl_easy_perform(curl); /* ignores error */
+  curl_easy_cleanup(curl);
+
+  return NULL;
+}
+
+int main(int argc, char **argv)
+{
+  pthread_t tid[4];
+  int i;
+  int error;
+  (void)argc; /* we don't use any arguments in this example */
+  (void)argv;
+
+  init_locks();
+
+  for(i=0; i< 4; i++) {
+    error = pthread_create(&tid[i],
+                           NULL, /* default attributes please */
+                           pull_one_url,
+                           (void *)urls[i]);
+    if(0 != error)
+      fprintf(stderr, "Couldn't run thread number %d, errno %d\n", i, error);
+    else
+      fprintf(stderr, "Thread %d, gets %s\n", i, urls[i]);
+  }
+
+  /* now wait for all threads to terminate */
+  for(i=0; i< 4; i++) {
+    error = pthread_join(tid[i], NULL);
+    fprintf(stderr, "Thread %d terminated\n", i);
+  }
+
+  kill_locks();
+
+  return 0;
+}
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -310,6 +310,9 @@ Pass a pointer to whatever you want passed in to your
 \fICURLOPT_DEBUGFUNCTION\fP in the last void * argument. This pointer is not
 used by libcurl, it is only passed to the callback.
 .IP CURLOPT_SSL_CTX_FUNCTION
+This option does only function for libcurl powered by OpenSSL. If libcurl was
+built against another SSL library, this functionality is absent.
+
 Function pointer that should match the following prototype: \fBCURLcode
 sslctxfun(CURL *curl, void *sslctx, void *parm);\fP This function gets called
 by libcurl just before the initialization of an SSL connection after having
@@ -1374,15 +1377,19 @@ operations.

 If the crypto device cannot be set, \fICURLE_SSL_ENGINE_SETFAILED\fP is
 returned.
+
+Note that even though this option doesn't need any parameter, in some
+configurations \fIcurl_easy_setopt\fP might be defined as a macro taking
+exactly three arguments. Therefore, it's recommended to pass 1 as parameter to
+this option.
 .IP CURLOPT_SSLVERSION
 Pass a long as parameter to control what version of SSL/TLS to attempt to use.
 The available options are:
 .RS
 .IP CURL_SSLVERSION_DEFAULT
-The default action. When libcurl built with OpenSSL or NSS, this will attempt
-to figure out the remote SSL protocol version. Unfortunately there are a lot of
-ancient and broken servers in use which cannot handle this technique and will
-fail to connect. When libcurl is built with GnuTLS, this will mean SSLv3.
+The default action. This will attempt to figure out the remote SSL protocol
+version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
+by default with 7.18.1).
 .IP CURL_SSLVERSION_TLSv1
 Force TLSv1
 .IP CURL_SSLVERSION_SSLv2
--- a/docs/libcurl/curl_multi_socket.3
+++ b/docs/libcurl/curl_multi_socket.3
@@ -27,7 +27,7 @@ application has detected action on a socket handled by libcurl, it should call
 socket with the action. When the events on a socket are known, they can be
 passed as an events bitmask \fBev_bitmask\fP by first setting \fBev_bitmask\fP
 to 0, and then adding using bitwise OR (|) any combination of events to be
-choosen from CURL_CSELECT_IN, CURL_CSELECT_OUT or CURL_CSELECT_ERR. When the
+chosen from CURL_CSELECT_IN, CURL_CSELECT_OUT or CURL_CSELECT_ERR. When the
 events on a socket are unknown, pass 0 instead, and libcurl will test the
 descriptor internally.

@@ -45,17 +45,20 @@ socket callback function set with the CURLMOPT_SOCKETFUNCTION option to
 \fIcurl_multi_setopt(3)\fP. They update the status with changes since the
 previous time this function was called.

-To force libcurl to (re-)check all its internal sockets and transfers instead
-of just a single one, you call \fBcurl_multi_socket_all(3)\fP. This is
-typically done as the first function call before the application has any
-knowledge about what sockets libcurl uses.
+Force libcurl to (re-)check all its internal sockets and transfers instead of
+just a single one by calling \fBcurl_multi_socket_all(3)\fP. This is typically
+done as the first function call before the application has any knowledge about
+what sockets libcurl uses.

-Applications should call \fBcurl_multi_timeout(3)\fP to figure out how long to
-wait for socket actions \- at most \- before doing the timeout action: call
-the \fBcurl_multi_socket(3)\fP function with the \fBsockfd\fP argument set to
-CURL_SOCKET_TIMEOUT.
+Get the timeout time - how long to wait for socket actions at most before
+doing the timeout action: call the \fBcurl_multi_socket(3)\fP function with
+the \fBsockfd\fP argument set to CURL_SOCKET_TIMEOUT, by setting the
+\fICURLMOPT_TIMERFUNCTION\fP option with \fIcurl_multi_setopt(3)\fP. You can
+also use the \fIcurl_multi_timeout(3)\fP function to poll the value at any
+given time, but for an event-based system using the callback is far better
+than relying on polling the timeout value.

-Usage of \fIcurl_multi_socket(3)\fP is depricated, whereas the function is
+Usage of \fIcurl_multi_socket(3)\fP is deprecated, whereas the function is
 equivalent to \fIcurl_multi_socket_action(3)\fP, when \fBev_bitmask\fP is set 
 to 0.

@@ -91,7 +94,7 @@ register, interested in write readiness
 .IP "CURL_POLL_INOUT (3)"
 register, interested in both read and write readiness
 .IP "CURL_POLL_REMOVE (4)"
-deregister
+unregister
 .RE

 The \fIsocketp\fP argument is a private pointer you have previously set with
@@ -131,7 +134,7 @@ them for activity. This can be done through your application code, or by way
 of an external library such as libevent or glib.

 7. Wait for activity on any of libcurl's sockets, use the timeout value your
-calback has been told
+callback has been told

 8, When activity is detected, call curl_multi_socket_action() for the
 socket(s) that got action. If no activity is detected and the timeout expires,
--- a/docs/libcurl/curl_multi_timeout.3
+++ b/docs/libcurl/curl_multi_timeout.3
@@ -34,7 +34,7 @@ Call \fBcurl_multi_timeout(3)\fP, then wait for action on the sockets. You
 figure out which sockets to wait for by calling \fBcurl_multi_fdset(3)\fP or
 by a previous call to \fBcurl_multi_socket(3)\fP.
 .SH AVAILABILITY
-This function was added in libcurl 7.15.4, although not deemed stable yet.
+This function was added in libcurl 7.15.4.
 .SH "SEE ALSO"
 .BR curl_multi_cleanup "(3), " curl_multi_init "(3), "
 .BR curl_multi_fdset "(3), " curl_multi_info_read "(3), "
--- a/include/curl/Makefile.am
+++ b/include/curl/Makefile.am
@@ -1,5 +1,6 @@
 pkginclude_HEADERS = \
-	curl.h curlver.h easy.h mprintf.h stdcheaders.h types.h multi.h
+	curl.h curlver.h easy.h mprintf.h stdcheaders.h types.h multi.h \
+	typecheck-gcc.h
 pkgincludedir= $(includedir)/curl

 CLEANFILES = *dist
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1791,4 +1791,20 @@ CURL_EXTERN CURLcode curl_easy_pause(CURL *handle, int bitmask);
 #include "easy.h" /* nothing in curl is fun without the easy stuff */
 #include "multi.h"

+/* the typechecker doesn't work in C++ (yet) */
+#if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3)) && \
+    !defined(__cplusplus)
+#include "typecheck-gcc.h"
+#else
+#if defined(__STDC__) && (__STDC__ >= 1) 
+/* This preprocessor magic that replaces a call with the exact same call is
+   only done to make sure application authors pass exactly three arguments
+   to these functions. */
+#define curl_easy_setopt(handle,opt,param) curl_easy_setopt(handle,opt,param)
+#define curl_easy_getinfo(handle,info,arg) curl_easy_getinfo(handle,info,arg)
+#define curl_share_setopt(share,opt,param) curl_share_setopt(share,opt,param)
+#define curl_multi_setopt(handle,opt,param) curl_multi_setopt(handle,opt,param)
+#endif /* __STDC__ >= 1 */
+#endif /* gcc >= 4.3 && !__cplusplus */
+
 #endif /* __CURL_CURL_H */
--- a/include/curl/curlver.h
+++ b/include/curl/curlver.h
@@ -31,13 +31,13 @@

 /* This is the version number of the libcurl package from which this header
   file origins: */
-#define LIBCURL_VERSION "7.18.0-CVS"
+#define LIBCURL_VERSION "7.18.1-CVS"

 /* The numeric version number is also available "in parts" by using these
   defines: */
 #define LIBCURL_VERSION_MAJOR 7
 #define LIBCURL_VERSION_MINOR 18
-#define LIBCURL_VERSION_PATCH 0
+#define LIBCURL_VERSION_PATCH 1

 /* This is the numeric version of the libcurl version number, meant for easier
   parsing and comparions by programs. The LIBCURL_VERSION_NUM define will
@@ -54,7 +54,7 @@
   and it is always a greater number in a more recent release. It makes
   comparisons with greater than and less than work.
 */
-#define LIBCURL_VERSION_NUM 0x071200
+#define LIBCURL_VERSION_NUM 0x071201

 /*
 * This is the date and time when the full source package was created. The
--- a/include/curl/typecheck-gcc.h
+++ b/include/curl/typecheck-gcc.h
@@ -0,0 +1,539 @@
+#ifndef __CURL_TYPECHECK_GCC_H
+#define __CURL_TYPECHECK_GCC_H
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * $Id$
+ ***************************************************************************/
+
+/* wraps curl_easy_setopt() with typechecking */
+
+/* To add a new kind of warning, add an
+ *   if(_curl_is_sometype_option(_curl_opt) && ! _curl_is_sometype(value))
+ *     _curl_easy_setopt_err_sometype();
+ * block and define _curl_is_sometype_option, _curl_is_sometype and
+ * _curl_easy_setopt_err_sometype below
+ *
+ * To add an option that uses the same type as an existing option, you'll just
+ * need to extend the appropriate _curl_*_option macro
+ */
+#define curl_easy_setopt(handle, option, value)                               \
+__extension__ ({                                                              \
+  __typeof__ (option) _curl_opt = option;                                     \
+  if (__builtin_constant_p(_curl_opt)) {                                      \
+    if (_curl_is_long_option(_curl_opt) && !_curl_is_long(value))             \
+      _curl_easy_setopt_err_long();                                           \
+    if (_curl_is_off_t_option(_curl_opt) && !_curl_is_off_t(value))           \
+      _curl_easy_setopt_err_curl_off_t();                                     \
+    if (_curl_is_string_option(_curl_opt) && !_curl_is_string(value))         \
+      _curl_easy_setopt_err_string();                                         \
+    if (_curl_is_write_cb_option(_curl_opt) && !_curl_is_write_cb(value))     \
+      _curl_easy_setopt_err_write_callback();                                 \
+    if ((_curl_opt) == CURLOPT_READFUNCTION && !_curl_is_read_cb(value))      \
+      _curl_easy_setopt_err_read_cb();                                        \
+    if ((_curl_opt) == CURLOPT_IOCTLFUNCTION && !_curl_is_ioctl_cb(value))    \
+      _curl_easy_setopt_err_ioctl_cb();                                       \
+    if ((_curl_opt) == CURLOPT_SOCKOPTFUNCTION && !_curl_is_sockopt_cb(value))\
+      _curl_easy_setopt_err_sockopt_cb();                                     \
+    if ((_curl_opt) == CURLOPT_OPENSOCKETFUNCTION &&                          \
+            !_curl_is_opensocket_cb(value))                                   \
+      _curl_easy_setopt_err_opensocket_cb();                                  \
+    if ((_curl_opt) == CURLOPT_PROGRESSFUNCTION &&                            \
+            !_curl_is_progress_cb(value))                                     \
+      _curl_easy_setopt_err_progress_cb();                                    \
+    if ((_curl_opt) == CURLOPT_DEBUGFUNCTION && !_curl_is_debug_cb(value))    \
+      _curl_easy_setopt_err_debug_cb();                                       \
+    if ((_curl_opt) == CURLOPT_SSL_CTX_FUNCTION &&                            \
+            !_curl_is_ssl_ctx_cb(value))                                      \
+      _curl_easy_setopt_err_ssl_ctx_cb();                                     \
+    if (_curl_is_conv_cb_option(_curl_opt) && !_curl_is_conv_cb(value))       \
+      _curl_easy_setopt_err_conv_cb();                                        \
+    if ((_curl_opt) == CURLOPT_SEEKFUNCTION && !_curl_is_seek_cb(value))      \
+      _curl_easy_setopt_err_seek_cb();                                        \
+    if (_curl_is_cb_data_option(_curl_opt) && !_curl_is_cb_data(value))       \
+      _curl_easy_setopt_err_cb_data();                                        \
+    if ((_curl_opt) == CURLOPT_ERRORBUFFER && !_curl_is_error_buffer(value))  \
+      _curl_easy_setopt_err_error_buffer();                                   \
+    if ((_curl_opt) == CURLOPT_STDERR && !_curl_is_FILE(value))               \
+      _curl_easy_setopt_err_FILE();                                           \
+    if (_curl_is_postfields_option(_curl_opt) && !_curl_is_postfields(value)) \
+      _curl_easy_setopt_err_postfields();                                     \
+    if ((_curl_opt) == CURLOPT_HTTPPOST &&                                    \
+            !_curl_is_arr((value), struct curl_httppost))                     \
+      _curl_easy_setopt_err_curl_httpost();                                   \
+    if (_curl_is_slist_option(_curl_opt) &&                                   \
+            !_curl_is_arr((value), struct curl_slist))                        \
+      _curl_easy_setopt_err_curl_slist();                                     \
+    if ((_curl_opt) == CURLOPT_SHARE && !_curl_is_ptr((value), CURLSH))       \
+      _curl_easy_setopt_err_CURLSH();                                         \
+  }                                                                           \
+  curl_easy_setopt(handle, _curl_opt, value);                                 \
+})
+
+/* wraps curl_easy_getinfo() with typechecking */
+/* FIXME: don't allow const pointers */
+#define curl_easy_getinfo(handle, info, arg)                                  \
+__extension__ ({                                                              \
+  __typeof__ (info) _curl_info = info;                                        \
+  if (__builtin_constant_p(_curl_info)) {                                     \
+    if (_curl_is_string_info(_curl_info) && !_curl_is_arr((arg), char *))     \
+      _curl_easy_getinfo_err_string();                                        \
+    if (_curl_is_long_info(_curl_info) && !_curl_is_arr((arg), long))         \
+      _curl_easy_getinfo_err_long();                                          \
+    if (_curl_is_double_info(_curl_info) && !_curl_is_arr((arg), double))     \
+      _curl_easy_getinfo_err_double();                                        \
+    if (_curl_is_slist_info(_curl_info) &&                                    \
+           !_curl_is_arr((arg), struct curl_slist *))                         \
+      _curl_easy_getinfo_err_curl_slist();                                    \
+  }                                                                           \
+  curl_easy_getinfo(handle, _curl_info, arg);                                 \
+})
+
+/* TODO: typechecking for curl_share_setopt() and curl_multi_setopt(),
+ * for now just make sure that the functions are called with three
+ * arguments
+ */
+#define curl_share_setopt(share,opt,param) curl_share_setopt(share,opt,param)
+#define curl_multi_setopt(handle,opt,param) curl_multi_setopt(handle,opt,param)
+
+
+/* the actual warnings, triggered by calling the _curl_easy_setopt_err*
+ * functions */
+
+/* To define a new warning, use _CURL_WARNING(identifier, "message") */
+#define _CURL_WARNING(id, message)                                            \
+  static void __attribute__((warning(message))) __attribute__((unused))       \
+  __attribute__((noinline)) id(void) { __asm__(""); }
+
+_CURL_WARNING(_curl_easy_setopt_err_long,
+  "curl_easy_setopt expects a long argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_curl_off_t,
+  "curl_easy_setopt expects a curl_off_t argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_string,
+  "curl_easy_setopt expects a string (char* or char[]) argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_write_callback,
+  "curl_easy_setopt expects a curl_write_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_read_cb,
+  "curl_easy_setopt expects a curl_read_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_ioctl_cb,
+  "curl_easy_setopt expects a curl_ioctl_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_sockopt_cb,
+  "curl_easy_setopt expects a curl_sockopt_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_opensocket_cb,
+  "curl_easy_setopt expects a curl_opensocket_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_progress_cb,
+  "curl_easy_setopt expects a curl_progress_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_debug_cb,
+  "curl_easy_setopt expects a curl_debug_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_ssl_ctx_cb,
+  "curl_easy_setopt expects a curl_ssl_ctx_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_conv_cb,
+  "curl_easy_setopt expects a curl_conv_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_seek_cb,
+  "curl_easy_setopt expects a curl_seek_callback argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_cb_data,
+  "curl_easy_setopt expects a private data pointer as argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_error_buffer,
+  "curl_easy_setopt expects a char buffer of CURL_ERROR_SIZE as argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_FILE,
+  "curl_easy_setopt expects a FILE* argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_postfields,
+  "curl_easy_setopt expects a void* or char* argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_curl_httpost,
+  "curl_easy_setopt expects a struct curl_httppost* argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_curl_slist,
+  "curl_easy_setopt expects a struct curl_slist* argument for this option")
+_CURL_WARNING(_curl_easy_setopt_err_CURLSH,
+  "curl_easy_setopt expects a CURLSH* argument for this option")
+
+_CURL_WARNING(_curl_easy_getinfo_err_string,
+  "curl_easy_getinfo expects a pointer to char * for this info")
+_CURL_WARNING(_curl_easy_getinfo_err_long,
+  "curl_easy_getinfo expects a pointer to long for this info")
+_CURL_WARNING(_curl_easy_getinfo_err_double,
+  "curl_easy_getinfo expects a pointer to double for this info")
+_CURL_WARNING(_curl_easy_getinfo_err_curl_slist,
+  "curl_easy_getinfo expects a pointer to struct curl_slist * for this info")
+
+/* groups of curl_easy_setops options that take the same type of argument */
+
+/* To add a new option to one of the groups, just add
+ *   (option) == CURLOPT_SOMETHING
+ * to the or-expression. If the option takes a long or curl_off_t, you don't
+ * have to do anything
+ */
+
+/* evaluates to true if option takes a long argument */
+#define _curl_is_long_option(option)                                          \
+  (0 < (option) && (option) < CURLOPTTYPE_OBJECTPOINT)
+
+#define _curl_is_off_t_option(option)                                         \
+  ((option) > CURLOPTTYPE_OFF_T)
+
+/* evaluates to true if option takes a char* argument */
+#define _curl_is_string_option(option)                                        \
+  ((option) == CURLOPT_URL ||                                                 \
+   (option) == CURLOPT_PROXY ||                                               \
+   (option) == CURLOPT_INTERFACE ||                                           \
+   (option) == CURLOPT_NETRC_FILE ||                                          \
+   (option) == CURLOPT_USERPWD ||                                             \
+   (option) == CURLOPT_PROXYUSERPWD ||                                        \
+   (option) == CURLOPT_ENCODING ||                                            \
+   (option) == CURLOPT_REFERER ||                                             \
+   (option) == CURLOPT_USERAGENT ||                                           \
+   (option) == CURLOPT_COOKIE ||                                              \
+   (option) == CURLOPT_COOKIEFILE ||                                          \
+   (option) == CURLOPT_COOKIEJAR ||                                           \
+   (option) == CURLOPT_COOKIELIST ||                                          \
+   (option) == CURLOPT_FTPPORT ||                                             \
+   (option) == CURLOPT_FTP_ALTERNATIVE_TO_USER ||                             \
+   (option) == CURLOPT_FTP_ACCOUNT ||                                         \
+   (option) == CURLOPT_RANGE ||                                               \
+   (option) == CURLOPT_CUSTOMREQUEST ||                                       \
+   (option) == CURLOPT_SSLCERT ||                                             \
+   (option) == CURLOPT_SSLCERTTYPE ||                                         \
+   (option) == CURLOPT_SSLKEY ||                                              \
+   (option) == CURLOPT_SSLKEYTYPE ||                                          \
+   (option) == CURLOPT_KEYPASSWD ||                                           \
+   (option) == CURLOPT_SSLENGINE ||                                           \
+   (option) == CURLOPT_CAINFO ||                                              \
+   (option) == CURLOPT_CAPATH ||                                              \
+   (option) == CURLOPT_RANDOM_FILE ||                                         \
+   (option) == CURLOPT_EGDSOCKET ||                                           \
+   (option) == CURLOPT_SSL_CIPHER_LIST ||                                     \
+   (option) == CURLOPT_KRBLEVEL ||                                            \
+   (option) == CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 ||                             \
+   (option) == CURLOPT_SSH_PUBLIC_KEYFILE ||                                  \
+   (option) == CURLOPT_SSH_PRIVATE_KEYFILE ||                                 \
+   0)
+
+/* evaluates to true if option takes a curl_write_callback argument */
+#define _curl_is_write_cb_option(option)                                      \
+  ((option) == CURLOPT_HEADERFUNCTION ||                                      \
+   (option) == CURLOPT_WRITEFUNCTION)
+
+/* evaluates to true if option takes a curl_conv_callback argument */
+#define _curl_is_conv_cb_option(option)                                       \
+  ((option) == CURLOPT_CONV_TO_NETWORK_FUNCTION ||                            \
+   (option) == CURLOPT_CONV_FROM_NETWORK_FUNCTION ||                          \
+   (option) == CURLOPT_CONV_FROM_UTF8_FUNCTION)
+
+/* evaluates to true if option takes a data argument to pass to a callback */
+#define _curl_is_cb_data_option(option)                                       \
+  ((option) == CURLOPT_WRITEDATA ||                                           \
+   (option) == CURLOPT_READDATA ||                                            \
+   (option) == CURLOPT_IOCTLDATA ||                                           \
+   (option) == CURLOPT_SOCKOPTDATA ||                                         \
+   (option) == CURLOPT_OPENSOCKETDATA ||                                      \
+   (option) == CURLOPT_PROGRESSDATA ||                                        \
+   (option) == CURLOPT_WRITEHEADER ||                                         \
+   (option) == CURLOPT_DEBUGDATA ||                                           \
+   (option) == CURLOPT_SSL_CTX_DATA ||                                        \
+   (option) == CURLOPT_SEEKDATA ||                                            \
+   (option) == CURLOPT_PRIVATE ||                                             \
+   0)
+
+/* evaluates to true if option takes a POST data argument (void* or char*) */
+#define _curl_is_postfields_option(option)                                    \
+  ((option) == CURLOPT_POSTFIELDS ||                                          \
+   (option) == CURLOPT_COPYPOSTFIELDS ||                                      \
+   0)
+
+/* evaluates to true if option takes a struct curl_slist * argument */
+#define _curl_is_slist_option(option)                                         \
+  ((option) == CURLOPT_HTTPHEADER ||                                          \
+   (option) == CURLOPT_HTTP200ALIASES ||                                      \
+   (option) == CURLOPT_QUOTE ||                                               \
+   (option) == CURLOPT_POSTQUOTE ||                                           \
+   (option) == CURLOPT_PREQUOTE ||                                            \
+   (option) == CURLOPT_TELNETOPTIONS ||                                       \
+   0)
+
+/* groups of curl_easy_getinfo infos that take the same type of argument */
+
+/* evaluates to true if info expects a pointer to char * argument */
+#define _curl_is_string_info(info)                                            \
+  (CURLINFO_STRING < (info) && (info) < CURLINFO_LONG)
+
+/* evaluates to true if info expects a pointer to long argument */
+#define _curl_is_long_info(info)                                              \
+  (CURLINFO_LONG < (info) && (info) < CURLINFO_DOUBLE)
+
+/* evaluates to true if info expects a pointer to double argument */
+#define _curl_is_double_info(info)                                            \
+  (CURLINFO_DOUBLE < (info) && (info) < CURLINFO_SLIST)
+
+/* evaluates to true if info expects a pointer to struct curl_slist * argument */
+#define _curl_is_slist_info(info)                                             \
+  (CURLINFO_SLIST < (info))
+
+
+/* typecheck helpers -- check whether given expression has requested type*/
+
+/* For pointers, you can use the _curl_is_ptr/_curl_is_arr macros,
+ * otherwise define a new macro. Search for __builtin_types_compatible_p
+ * in the GCC manual.
+ * NOTE: these macros MUST NOT EVALUATE their arguments! The argument is
+ * the actual expression passed to the curl_easy_setopt macro. This
+ * means that you can only apply the sizeof and __typeof__ operators, no
+ * == or whatsoever.
+ */
+
+/* XXX: should evaluate to true iff expr is a pointer */
+#define _curl_is_any_ptr(expr)                                                \
+  (sizeof(expr) == sizeof(void*))
+
+/* evaluates to true if expr is NULL */
+/* XXX: must not evaluate expr, so this check is not accurate */
+#define _curl_is_NULL(expr)                                                   \
+  (__builtin_types_compatible_p(__typeof__(expr), __typeof__(NULL)))
+
+/* evaluates to true if expr is type*, const type* or NULL */
+#define _curl_is_ptr(expr, type)                                              \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), type *) ||                  \
+   __builtin_types_compatible_p(__typeof__(expr), const type *))
+
+/* evaluates to true if expr is one of type[], type*, NULL or const type* */
+#define _curl_is_arr(expr, type)                                              \
+  (_curl_is_ptr((expr), type) ||                                              \
+   __builtin_types_compatible_p(__typeof__(expr), type []))
+
+/* evaluates to true if expr is a string */
+#define _curl_is_string(expr)                                                 \
+  (_curl_is_arr((expr), char) ||                                              \
+   _curl_is_arr((expr), signed char) ||                                       \
+   _curl_is_arr((expr), unsigned char))
+
+/* evaluates to true if expr is a long (no matter the signedness)
+ * XXX: for now, int is also accepted (and therefore short and char, which
+ * are promoted to int when passed to a variadic function) */
+#define _curl_is_long(expr)                                                   \
+  (__builtin_types_compatible_p(__typeof__(expr), long) ||                    \
+   __builtin_types_compatible_p(__typeof__(expr), signed long) ||             \
+   __builtin_types_compatible_p(__typeof__(expr), unsigned long) ||           \
+   __builtin_types_compatible_p(__typeof__(expr), int) ||                     \
+   __builtin_types_compatible_p(__typeof__(expr), signed int) ||              \
+   __builtin_types_compatible_p(__typeof__(expr), unsigned int) ||            \
+   __builtin_types_compatible_p(__typeof__(expr), short) ||                   \
+   __builtin_types_compatible_p(__typeof__(expr), signed short) ||            \
+   __builtin_types_compatible_p(__typeof__(expr), unsigned short) ||          \
+   __builtin_types_compatible_p(__typeof__(expr), char) ||                    \
+   __builtin_types_compatible_p(__typeof__(expr), signed char) ||             \
+   __builtin_types_compatible_p(__typeof__(expr), unsigned char))
+
+/* evaluates to true if expr is of type curl_off_t */
+#define _curl_is_off_t(expr)                                                  \
+  (__builtin_types_compatible_p(__typeof__(expr), curl_off_t))
+
+/* evaluates to true if expr is abuffer suitable for CURLOPT_ERRORBUFFER */
+/* XXX: also check size of an char[] array? */
+#define _curl_is_error_buffer(expr)                                           \
+  (__builtin_types_compatible_p(__typeof__(expr), char *) ||                  \
+   __builtin_types_compatible_p(__typeof__(expr), char[]))
+
+/* evaluates to true if expr is of type (const) void* or (const) FILE* */
+#if 0
+#define _curl_is_cb_data(expr)                                                \
+  (_curl_is_ptr((expr), void) ||                                              \
+   _curl_is_ptr((expr), FILE))
+#else /* be less strict */
+#define _curl_is_cb_data(expr)                                                \
+  _curl_is_any_ptr(expr)
+#endif
+
+/* evaluates to true if expr is of type FILE* */
+#define _curl_is_FILE(expr)                                                   \
+  (__builtin_types_compatible_p(__typeof__(expr), FILE *))
+
+/* evaluates to true if expr can be passed as POST data (void* or char*) */
+#define _curl_is_postfields(expr)                                             \
+  (_curl_is_ptr((expr), void) ||                                              \
+   _curl_is_arr((expr), char))
+
+/* FIXME: the whole callback checking is messy...
+ * The idea is to tolerate char vs. void and const vs. not const
+ * pointers in arguments at least
+ */
+/* helper: __builtin_types_compatible_p distinguishes between functions and
+ * function pointers, hide it */
+#define _curl_callback_compatible(func, type)                                 \
+  (__builtin_types_compatible_p(__typeof__(func), type) ||                    \
+   __builtin_types_compatible_p(__typeof__(func), type*))
+
+/* evaluates to true if expr is of type curl_read_callback or "similar" */
+#define _curl_is_read_cb(expr)                                          \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), __typeof__(fread)) ||       \
+   __builtin_types_compatible_p(__typeof__(expr), curl_read_callback) ||      \
+   _curl_callback_compatible((expr), _curl_read_callback1) ||                 \
+   _curl_callback_compatible((expr), _curl_read_callback2) ||                 \
+   _curl_callback_compatible((expr), _curl_read_callback3) ||                 \
+   _curl_callback_compatible((expr), _curl_read_callback4) ||                 \
+   _curl_callback_compatible((expr), _curl_read_callback5) ||                 \
+   _curl_callback_compatible((expr), _curl_read_callback6))
+typedef size_t (_curl_read_callback1)(char *, size_t, size_t, void*);
+typedef size_t (_curl_read_callback2)(char *, size_t, size_t, const void*);
+typedef size_t (_curl_read_callback3)(char *, size_t, size_t, FILE*);
+typedef size_t (_curl_read_callback4)(void *, size_t, size_t, void*);
+typedef size_t (_curl_read_callback5)(void *, size_t, size_t, const void*);
+typedef size_t (_curl_read_callback6)(void *, size_t, size_t, FILE*);
+
+/* evaluates to true if expr is of type curl_write_callback or "similar" */
+#define _curl_is_write_cb(expr)                                               \
+  (_curl_is_read_cb(expr) ||                                            \
+   __builtin_types_compatible_p(__typeof__(expr), __typeof__(fwrite)) ||      \
+   __builtin_types_compatible_p(__typeof__(expr), curl_write_callback) ||     \
+   _curl_callback_compatible((expr), _curl_write_callback1) ||                \
+   _curl_callback_compatible((expr), _curl_write_callback2) ||                \
+   _curl_callback_compatible((expr), _curl_write_callback3) ||                \
+   _curl_callback_compatible((expr), _curl_write_callback4) ||                \
+   _curl_callback_compatible((expr), _curl_write_callback5) ||                \
+   _curl_callback_compatible((expr), _curl_write_callback6))
+typedef size_t (_curl_write_callback1)(const char *, size_t, size_t, void*);
+typedef size_t (_curl_write_callback2)(const char *, size_t, size_t, const void*);
+typedef size_t (_curl_write_callback3)(const char *, size_t, size_t, FILE*);
+typedef size_t (_curl_write_callback4)(const void *, size_t, size_t, void*);
+typedef size_t (_curl_write_callback5)(const void *, size_t, size_t, const void*);
+typedef size_t (_curl_write_callback6)(const void *, size_t, size_t, FILE*);
+
+/* evaluates to true if expr is of type curl_ioctl_callback or "similar" */
+#define _curl_is_ioctl_cb(expr)                                         \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_ioctl_callback) ||     \
+   _curl_callback_compatible((expr), _curl_ioctl_callback1) ||                \
+   _curl_callback_compatible((expr), _curl_ioctl_callback2) ||                \
+   _curl_callback_compatible((expr), _curl_ioctl_callback3) ||                \
+   _curl_callback_compatible((expr), _curl_ioctl_callback4))
+typedef curlioerr (_curl_ioctl_callback1)(CURL *, int, void*);
+typedef curlioerr (_curl_ioctl_callback2)(CURL *, int, const void*);
+typedef curlioerr (_curl_ioctl_callback3)(CURL *, curliocmd, void*);
+typedef curlioerr (_curl_ioctl_callback4)(CURL *, curliocmd, const void*);
+
+/* evaluates to true if expr is of type curl_sockopt_callback or "similar" */
+#define _curl_is_sockopt_cb(expr)                                       \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_sockopt_callback) ||   \
+   _curl_callback_compatible((expr), _curl_sockopt_callback1) ||              \
+   _curl_callback_compatible((expr), _curl_sockopt_callback2))
+typedef int (_curl_sockopt_callback1)(void *, curl_socket_t, curlsocktype);
+typedef int (_curl_sockopt_callback2)(const void *, curl_socket_t, curlsocktype);
+
+/* evaluates to true if expr is of type curl_opensocket_callback or "similar" */
+#define _curl_is_opensocket_cb(expr)                                    \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_opensocket_callback) ||\
+   _curl_callback_compatible((expr), _curl_opensocket_callback1) ||           \
+   _curl_callback_compatible((expr), _curl_opensocket_callback2) ||           \
+   _curl_callback_compatible((expr), _curl_opensocket_callback3) ||           \
+   _curl_callback_compatible((expr), _curl_opensocket_callback4))
+typedef curl_socket_t (_curl_opensocket_callback1)
+  (void *, curlsocktype, struct curl_sockaddr *);
+typedef curl_socket_t (_curl_opensocket_callback2)
+  (void *, curlsocktype, const struct curl_sockaddr *);
+typedef curl_socket_t (_curl_opensocket_callback3)
+  (const void *, curlsocktype, struct curl_sockaddr *);
+typedef curl_socket_t (_curl_opensocket_callback4)
+  (const void *, curlsocktype, const struct curl_sockaddr *);
+
+/* evaluates to true if expr is of type curl_progress_callback or "similar" */
+#define _curl_is_progress_cb(expr)                                      \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_progress_callback) ||  \
+   _curl_callback_compatible((expr), _curl_progress_callback1) ||             \
+   _curl_callback_compatible((expr), _curl_progress_callback2))
+typedef int (_curl_progress_callback1)(void *,
+    double, double, double, double);
+typedef int (_curl_progress_callback2)(const void *,
+    double, double, double, double);
+
+/* evaluates to true if expr is of type curl_debug_callback or "similar" */
+#define _curl_is_debug_cb(expr)                                         \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_debug_callback) ||     \
+   _curl_callback_compatible((expr), _curl_debug_callback1) ||                \
+   _curl_callback_compatible((expr), _curl_debug_callback2) ||                \
+   _curl_callback_compatible((expr), _curl_debug_callback3) ||                \
+   _curl_callback_compatible((expr), _curl_debug_callback4))
+typedef int (_curl_debug_callback1) (CURL *,
+    curl_infotype, char *, size_t, void *);
+typedef int (_curl_debug_callback2) (CURL *,
+    curl_infotype, char *, size_t, const void *);
+typedef int (_curl_debug_callback3) (CURL *,
+    curl_infotype, const char *, size_t, void *);
+typedef int (_curl_debug_callback4) (CURL *,
+    curl_infotype, const char *, size_t, const void *);
+
+/* evaluates to true if expr is of type curl_ssl_ctx_callback or "similar" */
+/* this is getting even messier... */
+#define _curl_is_ssl_ctx_cb(expr)                                       \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_ssl_ctx_callback) ||   \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback1) ||              \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback2) ||              \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback3) ||              \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback4) ||              \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback5) ||              \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback6) ||              \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback7) ||              \
+   _curl_callback_compatible((expr), _curl_ssl_ctx_callback8))
+typedef CURLcode (_curl_ssl_ctx_callback1)(CURL *, void *, void *);
+typedef CURLcode (_curl_ssl_ctx_callback2)(CURL *, void *, const void *);
+typedef CURLcode (_curl_ssl_ctx_callback3)(CURL *, const void *, void *);
+typedef CURLcode (_curl_ssl_ctx_callback4)(CURL *, const void *, const void *);
+#ifdef HEADER_SSL_H
+/* hack: if we included OpenSSL's ssl.h, we know about SSL_CTX
+ * this will of course break if we're included before OpenSSL headers...
+ */
+typedef CURLcode (_curl_ssl_ctx_callback5)(CURL *, SSL_CTX, void *);
+typedef CURLcode (_curl_ssl_ctx_callback6)(CURL *, SSL_CTX, const void *);
+typedef CURLcode (_curl_ssl_ctx_callback7)(CURL *, const SSL_CTX, void *);
+typedef CURLcode (_curl_ssl_ctx_callback8)(CURL *, const SSL_CTX, const void *);
+#else
+typedef _curl_ssl_ctx_callback1 _curl_ssl_ctx_callback5;
+typedef _curl_ssl_ctx_callback1 _curl_ssl_ctx_callback6;
+typedef _curl_ssl_ctx_callback1 _curl_ssl_ctx_callback7;
+typedef _curl_ssl_ctx_callback1 _curl_ssl_ctx_callback8;
+#endif
+
+/* evaluates to true if expr is of type curl_conv_callback or "similar" */
+#define _curl_is_conv_cb(expr)                                          \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_conv_callback) ||      \
+   _curl_callback_compatible((expr), _curl_conv_callback1) ||                 \
+   _curl_callback_compatible((expr), _curl_conv_callback2) ||                 \
+   _curl_callback_compatible((expr), _curl_conv_callback3) ||                 \
+   _curl_callback_compatible((expr), _curl_conv_callback4))
+typedef CURLcode (*_curl_conv_callback1)(char *, size_t length);
+typedef CURLcode (*_curl_conv_callback2)(const char *, size_t length);
+typedef CURLcode (*_curl_conv_callback3)(void *, size_t length);
+typedef CURLcode (*_curl_conv_callback4)(const void *, size_t length);
+
+/* evaluates to true if expr is of type curl_seek_callback or "similar" */
+#define _curl_is_seek_cb(expr)                                          \
+  (_curl_is_NULL(expr) ||                                                     \
+   __builtin_types_compatible_p(__typeof__(expr), curl_seek_callback) ||      \
+   _curl_callback_compatible((expr), _curl_seek_callback1) ||                 \
+   _curl_callback_compatible((expr), _curl_seek_callback2))
+typedef CURLcode (*_curl_seek_callback1)(void *, curl_off_t, int);
+typedef CURLcode (*_curl_seek_callback2)(const void *, curl_off_t, int);
+
+
+#endif /* __CURL_TYPECHECK_GCC_H */
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -30,12 +30,12 @@ DOCS = README.encoding README.memoryleak README.ares README.curlx	\

 EXTRA_DIST = Makefile.b32 Makefile.m32 Makefile.vc6 Makefile.riscos	\
 $(DSP) curllib.dsw config-win32.h config-win32ce.h config-riscos.h	\
- config-mac.h config.h.in ca-bundle.crt makefile.dj config.dos		\
+ config-mac.h config.h.in makefile.dj config.dos		\
 libcurl.framework.make libcurl.plist libcurl.rc config-amigaos.h	\
 amigaos.c amigaos.h makefile.amiga Makefile.netware nwlib.c nwos.c	\
 libcurl.imp msvcproj.head msvcproj.foot config-win32ce.h		\
 config-os400.h setup-os400.h \
- Makefile.Watcom config-tpf.h $(DOCS) $(VCPROJ)
+ Makefile.Watcom config-tpf.h $(DOCS) $(VCPROJ) mk-ca-bundle.pl

 CLEANFILES = $(DSP) $(VCPROJ)

@@ -111,14 +111,13 @@ $(top_builddir)/lib/ca-bundle.h: Makefile.in Makefile
 if CABUNDLE
 	echo '#define CURL_CA_BUNDLE @CURL_CA_BUNDLE@' >> $@
 else
-	echo '#undef CURL_CA_BUNDLE /* unknown */' >> $@
+	echo '#undef CURL_CA_BUNDLE /* unknown default path */' >> $@
+endif
+if CAPATH
+	echo '#define CURL_CA_PATH @CURL_CA_PATH@' >> $@
+else
+	echo '#undef CURL_CA_PATH /* unknown default path */' >>$@
 endif
-
-install-data-hook:
-	@if test -n "@CURL_CA_BUNDLE@"; then \
-	  $(mkinstalldirs) `dirname $(DESTDIR)@CURL_CA_BUNDLE@`; \
-	  @INSTALL_DATA@ $(srcdir)/ca-bundle.crt $(DESTDIR)@CURL_CA_BUNDLE@; \
-        fi

 # this hook is mainly for non-unix systems to build even if configure
 # isn't run
--- a/lib/Makefile.m32
+++ b/lib/Makefile.m32
@@ -1,8 +1,8 @@
 #########################################################################
 # $Id$
 #
-## Makefile for building libcurl.a with MingW32 (GCC-3.2) and
-## optionally OpenSSL (0.9.8), libssh2 (0.17), zlib (1.2.3)
+## Makefile for building libcurl.a with MingW32 (GCC-3.2)
+## and optionally OpenSSL (0.9.8), libssh2 (0.18), zlib (1.2.3)
 ##
 ## Usage:
 ## mingw32-make -f Makefile.m32 [SSL=1] [SSH2=1] [ZLIB=1] [SSPI=1] [IPV6=1] [DYN=1]
@@ -41,7 +41,7 @@ LDFLAGS = -s
 RANLIB = ranlib
 RC = windres
 RCFLAGS = --include-dir=../include -DCURLDEBUG=0 -O COFF -i
-RM = del /q /f
+RM = del /q /f > NUL 2>&1
 STRIP = strip -g

 ########################################################
--- a/lib/Makefile.netware
+++ b/lib/Makefile.netware
@@ -42,6 +42,9 @@ STACK	= 64000
 SCREEN	= none
 EXPORTS	= @libcurl.imp

+# Uncomment the next line to enable linking with POSIX semantics.
+# POSIXFL = 1
+
 # Edit the var below to point to your lib architecture.
 ifndef LIBARCH
 LIBARCH = LIBC
@@ -71,11 +74,13 @@ ifdef METROWERKS
 else
 	CC = gcc
 endif
+PERL	= perl
 # a native win32 awk can be downloaded from here:
 # http://www.gknw.net/development/prgtools/awk-20070501.zip
 AWK	= awk
 YACC	= bison -y
 CP	= cp -afv
+MKDIR	= mkdir
 # RM	= rm -f
 # if you want to mark the target as MTSAFE you will need a tool for
 # generating the xdc data for the linker; here's a minimal tool:
@@ -102,7 +107,11 @@ CFLAGS	+= -msgstyle gcc -gccinc -inline off -opt nointrinsics -proc 586
 CFLAGS	+= -relax_pointers
 #CFLAGS	+= -w on
 ifeq ($(LIBARCH),LIBC)
+ifeq ($(POSIXFL),1)
+	PRELUDE = $(SDK_LIBC)/imports/posixpre.o
+else
 	PRELUDE = $(SDK_LIBC)/imports/libcpre.o
+endif
 	CFLAGS += -align 4
 else
 	# PRELUDE = $(SDK_CLIB)/imports/clibpre.o
@@ -121,7 +130,11 @@ RANLIB	= ranlib
 CFLAGS	+= -fno-builtin -fpcc-struct-return -fno-strict-aliasing
 CFLAGS	+= -Wall # -pedantic
 ifeq ($(LIBARCH),LIBC)
+ifeq ($(POSIXFL),1)
+	PRELUDE = $(SDK_LIBC)/imports/posixpre.gcc.o
+else
 	PRELUDE = $(SDK_LIBC)/imports/libcpre.gcc.o
+endif
 else
 	PRELUDE = $(SDK_CLIB)/imports/clibpre.gcc.o
 	# to avoid the __init_* / __deinit_* whoes dont use prelude from NDK
@@ -159,6 +172,7 @@ ifdef WITH_SSL
 	LDLIBS += $(OPENSSL_PATH)/out_nw_$(LIBARCH_L)/ssl.$(LIBEXT)
 	LDLIBS += $(OPENSSL_PATH)/out_nw_$(LIBARCH_L)/crypto.$(LIBEXT)
 	IMPORTS += GetProcessSwitchCount RunningProcess
+	INSTDEP += ca-bundle.crt
 endif
 ifdef WITH_ZLIB
 	INCLUDES += -I$(ZLIB_PATH)
@@ -226,11 +240,7 @@ $(OBJDIR)/version.inc: ../include/curl/curlver.h $(OBJDIR)
 	@echo Creating $@
 	@$(AWK) -f ../packages/NetWare/get_ver.awk $< > $@

-dist: all
-	-$(RM) $(OBJDIR)/*.o $(OBJDIR)/$(TARGET).map $(OBJDIR)/$(TARGET).ncv
-	-$(RM) $(OBJDIR)/$(TARGET).def $(OBJDIR)/version.inc $(XDCDATA)
-
-install: $(INSTDIR) all
+install: $(INSTDIR) all $(INSTDEP)
 	@$(CP) $(TARGET).nlm $(INSTDIR)
 	@$(CP) $(TARGET).$(LIBEXT) $(INSTDIR)
 	@$(CP) ../CHANGES $(INSTDIR)
@@ -238,7 +248,7 @@ install: $(INSTDIR) all
 	@$(CP) ../README $(INSTDIR)
 	@$(CP) ../RELEASE-NOTES $(INSTDIR)
 ifdef WITH_SSL
-	@$(CP) ca-bundle.crt $(INSTDIR)
+	@-$(CP) ca-bundle.crt $(INSTDIR)/ca-bundle.crt
 endif

 clean:
@@ -246,13 +256,11 @@ clean:
 	-$(RM) -r $(OBJDIR)

 distclean: clean
-	-$(RM) -r $(TARGET).$(LIBEXT) $(TARGET).nlm
+	-$(RM) $(TARGET).$(LIBEXT) $(TARGET).nlm
+	-$(RM) certdata.txt ca-bundle.crt

-$(INSTDIR):
-	@mkdir $(INSTDIR)
-
-$(OBJDIR):
-	@mkdir $(OBJDIR)
+$(OBJDIR) $(INSTDIR):
+	@$(MKDIR) $@

 $(TARGET).$(LIBEXT): $(OBJS)
 	@echo Creating $@
@@ -305,27 +313,36 @@ ifeq ($(LIBARCH),CLIB)
 	@echo $(DL)import @$(SDK_CLIB)/imports/threads.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_CLIB)/imports/nlmlib.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_CLIB)/imports/socklib.imp$(DL) >> $@
+	@echo $(DL)module clib$(DL) >> $@
 ifndef DISABLE_LDAP
 	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapsdk.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapssl.imp$(DL) >> $@
-	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapx.imp$(DL) >> $@
-	@echo $(DL)module ldapsdk ldapssl ldapx$(DL) >> $@
+#	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapx.imp$(DL) >> $@
+	@echo $(DL)module ldapsdk ldapssl$(DL) >> $@
 endif
-	@echo $(DL)module clib$(DL) >> $@
 else
+ifeq ($(POSIXFL),1)
+	@echo $(DL)flag_on 4194304$(DL) >> $@
+endif
 	@echo $(DL)pseudopreemption$(DL) >> $@
+ifeq ($(findstring posixpre,$(PRELUDE)),posixpre)
+	@echo $(DL)start POSIX_Start$(DL) >> $@
+	@echo $(DL)exit POSIX_Stop$(DL) >> $@
+	@echo $(DL)check POSIX_CheckUnload$(DL) >> $@
+else
 	@echo $(DL)start _LibCPrelude$(DL) >> $@
 	@echo $(DL)exit _LibCPostlude$(DL) >> $@
 	@echo $(DL)check _LibCCheckUnload$(DL) >> $@
+endif
 	@echo $(DL)import @$(SDK_LIBC)/imports/libc.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_LIBC)/imports/netware.imp$(DL) >> $@
+	@echo $(DL)module libc$(DL) >> $@
 ifndef DISABLE_LDAP
 	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapsdk.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapssl.imp$(DL) >> $@
-	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapx.imp$(DL) >> $@
-	@echo $(DL)module lldapsdk lldapssl lldapx$(DL) >> $@
+#	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapx.imp$(DL) >> $@
+	@echo $(DL)module lldapsdk lldapssl$(DL) >> $@
 endif
-	@echo $(DL)module libc$(DL) >> $@
 endif
 ifdef MODULES
 	@echo $(DL)module $(MODULES)$(DL) >> $@
@@ -554,4 +571,8 @@ endif
 $(ARES_LIB)/libcares.$(LIBEXT):
 	$(MAKE) -C $(ARES_LIB) -f Makefile.netware lib

+ca-bundle.crt: mk-ca-bundle.pl
+	@echo Creating $@
+	@-$(PERL) $< -b -n $@
+

--- a/lib/Makefile.vc6
+++ b/lib/Makefile.vc6
@@ -58,7 +58,7 @@ MACHINE  = X86
 # It can be downloaded from:
 # http://www.microsoft.com/msdownload/platformsdk/sdkupdate/

-# USE_WINDOWS_SSPI = 1
+# WINDOWS_SSPI = 1

 !IFDEF WINDOWS_SSPI
 !IFNDEF WINDOWS_SDK_PATH
--- a/lib/ca-bundle.crt
+++ b/lib/ca-bundle.crt
--- a/lib/config-win32.h
+++ b/lib/config-win32.h
@@ -353,6 +353,16 @@
 #define _CRT_NONSTDC_NO_DEPRECATE 1
 #endif

+/* VS2005 and later dafault size for time_t is 64-bit, unless */
+/* _USE_32BIT_TIME_T has been defined to get a 32-bit time_t. */
+#if defined(_MSC_VER) && (_MSC_VER >= 1400)
+#  ifndef _USE_32BIT_TIME_T
+#    define SIZEOF_TIME_T 8
+#  else
+#    define SIZEOF_TIME_T 4
+#  endif
+#endif
+
 /* VS2008 does not support Windows build targets prior to WinXP, */
 /* so, if no build target has been defined we will target WinXP. */
 #if defined(_MSC_VER) && (_MSC_VER >= 1500)
--- a/lib/config-win32ce.h
+++ b/lib/config-win32ce.h
@@ -314,6 +314,16 @@
 #define _CRT_NONSTDC_NO_DEPRECATE 1
 #endif

+/* VS2005 and later dafault size for time_t is 64-bit, unless */
+/* _USE_32BIT_TIME_T has been defined to get a 32-bit time_t. */
+#if defined(_MSC_VER) && (_MSC_VER >= 1400)
+#  ifndef _USE_32BIT_TIME_T
+#    define SIZEOF_TIME_T 8
+#  else
+#    define SIZEOF_TIME_T 4
+#  endif
+#endif
+
 /* ---------------------------------------------------------------- */
 /*                           LDAP SUPPORT                           */
 /* ---------------------------------------------------------------- */
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -101,6 +101,66 @@ singleipconnect(struct connectdata *conn,
                long timeout_ms,
                bool *connected);

+/*
+ * Curl_timeleft() returns the amount of milliseconds left allowed for the
+ * transfer/connection. If the value is negative, the timeout time has already
+ * elapsed.
+ *
+ * If 'nowp' is non-NULL, it points to the current time.
+ * 'duringconnect' is FALSE if not during a connect, as then of course the
+ * connect timeout is not taken into account!
+ */
+long Curl_timeleft(struct connectdata *conn,
+                   struct timeval *nowp,
+                   bool duringconnect)
+{
+  struct SessionHandle *data = conn->data;
+  int timeout_set = 0;
+  long timeout_ms = duringconnect?DEFAULT_CONNECT_TIMEOUT:0;
+  struct timeval now;
+
+  /* if a timeout is set, use the most restrictive one */
+
+  if(data->set.timeout > 0)
+    timeout_set |= 1;
+  if(duringconnect && (data->set.connecttimeout > 0))
+    timeout_set |= 2;
+
+  switch (timeout_set) {
+  case 1:
+    timeout_ms = data->set.timeout;
+    break;
+  case 2:
+    timeout_ms = data->set.connecttimeout;
+    break;
+  case 3:
+    if(data->set.timeout < data->set.connecttimeout)
+      timeout_ms = data->set.timeout;
+    else
+      timeout_ms = data->set.connecttimeout;
+    break;
+  default:
+    /* use the default */
+    if(!duringconnect)
+      /* if we're not during connect, there's no default timeout so if we're
+         at zero we better just return zero and not make it a negative number
+         by the math below */
+      return 0;
+    break;
+  }
+
+  if(!nowp) {
+    now = Curl_tvnow();
+    nowp = &now;
+  }
+
+  /* substract elapsed time */
+  timeout_ms -= Curl_tvdiff(*nowp, data->progress.t_startsingle);
+
+  return timeout_ms;
+}
+
+
 /*
 * Curl_nonblock() set the given socket to either blocking or non-blocking
 * mode based on the 'nonblock' boolean argument. This function is highly
@@ -533,42 +593,33 @@ CURLcode Curl_is_connected(struct connectdata *conn,
  CURLcode code = CURLE_OK;
  curl_socket_t sockfd = conn->sock[sockindex];
  long allow = DEFAULT_CONNECT_TIMEOUT;
-  long allow_total = 0;
-  long has_passed;

  DEBUGASSERT(sockindex >= FIRSTSOCKET && sockindex <= SECONDARYSOCKET);

  *connected = FALSE; /* a very negative world view is best */

-  /* Evaluate in milliseconds how much time that has passed */
-  has_passed = Curl_tvdiff(Curl_tvnow(), data->progress.t_startsingle);
-
-  /* subtract the most strict timeout of the ones */
-  if(data->set.timeout && data->set.connecttimeout) {
-    if(data->set.timeout < data->set.connecttimeout)
-      allow_total = allow = data->set.timeout;
-    else
-      allow = data->set.connecttimeout;
-  }
-  else if(data->set.timeout) {
-    allow_total = allow = data->set.timeout;
-  }
-  else if(data->set.connecttimeout) {
-    allow = data->set.connecttimeout;
-  }
-
-  if(has_passed > allow ) {
-    /* time-out, bail out, go home */
-    failf(data, "Connection time-out after %ld ms", has_passed);
-    return CURLE_OPERATION_TIMEDOUT;
-  }
  if(conn->bits.tcpconnect) {
    /* we are connected already! */
+    long allow_total = 0;
+
+    /* subtract the most strict timeout of the ones */
+    if(data->set.timeout)
+      allow_total = data->set.timeout;
+
    Curl_expire(data, allow_total);
    *connected = TRUE;
    return CURLE_OK;
  }

+  /* figure out how long time we have left to connect */
+  allow = Curl_timeleft(conn, NULL, TRUE);
+
+  if(allow < 0) {
+    /* time-out, bail out, go home */
+    failf(data, "Connection time-out");
+    return CURLE_OPERATION_TIMEDOUT;
+  }
+
  Curl_expire(data, allow);

  /* check for connect without timeout as we want to return immediately */
@@ -821,7 +872,6 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
  int num_addr;
  Curl_addrinfo *ai;
  Curl_addrinfo *curr_addr;
-  int timeout_set = 0;

  struct timeval after;
  struct timeval before = Curl_tvnow();
@@ -834,39 +884,13 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */

  *connected = FALSE; /* default to not connected */

-  /* if a timeout is set, use the most restrictive one */
+  /* get the timeout left */
+  timeout_ms = Curl_timeleft(conn, &before, TRUE);

-  if(data->set.timeout > 0)
-    timeout_set += 1;
-  if(data->set.connecttimeout > 0)
-    timeout_set += 2;
-
-  switch (timeout_set) {
-  case 1:
-    timeout_ms = data->set.timeout;
-    break;
-  case 2:
-    timeout_ms = data->set.connecttimeout;
-    break;
-  case 3:
-    if(data->set.timeout < data->set.connecttimeout)
-      timeout_ms = data->set.timeout;
-    else
-      timeout_ms = data->set.connecttimeout;
-    break;
-  default:
-    timeout_ms = DEFAULT_CONNECT_TIMEOUT;
-    break;
-  }
-
-  if(timeout_set > 0) {
-    /* if a timeout was already set, substract elapsed time */
-    timeout_ms -= Curl_tvdiff(before, data->progress.t_startsingle);
-    if(timeout_ms < 0) {
-      /* a precaution, no need to continue if time already is up */
-      failf(data, "Connection time-out");
-      return CURLE_OPERATION_TIMEDOUT;
-    }
+  if(timeout_ms < 0) {
+    /* a precaution, no need to continue if time already is up */
+    failf(data, "Connection time-out");
+    return CURLE_OPERATION_TIMEDOUT;
  }
  Curl_expire(data, timeout_ms);

--- a/lib/connect.h
+++ b/lib/connect.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -31,14 +31,20 @@ CURLcode Curl_is_connected(struct connectdata *conn,
                           bool *connected);

 CURLcode Curl_connecthost(struct connectdata *conn,
-                          const struct Curl_dns_entry *host, /* connect to this */
+                          const struct Curl_dns_entry *host, /* connect to
+                                                                this */
                          curl_socket_t *sockconn, /* not set if error */
                          Curl_addrinfo **addr, /* the one we used */
-                          bool *connected /* truly connected? */
-                          );
+                          bool *connected); /* truly connected? */

 CURLcode Curl_store_ip_addr(struct connectdata *conn);

+/* generic function that returns how much time there's left to run, according
+   to the timeouts set */
+long Curl_timeleft(struct connectdata *conn,
+                   struct timeval *nowp,
+                   bool duringconnect);
+
 #define DEFAULT_CONNECT_TIMEOUT 300000 /* milliseconds == five minutes */

 #endif
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -367,8 +367,12 @@ Curl_cookie_add(struct SessionHandle *data,
      else {
        if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]",
                  what)) {
-          if(strequal("secure", what))
+          if(strequal("secure", what)) {
            co->secure = TRUE;
+          }
+          else if (strequal("httponly", what)) {
+            co->httponly = TRUE;
+          }
          /* else,
             unsupported keyword without assign! */

@@ -433,6 +437,19 @@ Curl_cookie_add(struct SessionHandle *data,
    char *tok_buf;
    int fields;

+    /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies 
+       marked with httpOnly after the domain name are not accessible  
+       from javascripts, but since curl does not operate at javascript  
+       level, we include them anyway. In Firefox's cookie files, these 
+       lines are preceeded with #HttpOnly_ and then everything is
+       as usual, so we skip 10 characters of the line..
+    */
+    if (strncmp(lineptr, "#HttpOnly_", 10) == 0) {
+      lineptr += 10;
+      co->httponly = TRUE;
+    }
+
+
    if(lineptr[0]=='#') {
      /* don't even try the comments */
      free(co);
@@ -918,6 +935,7 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
 static char *get_netscape_format(const struct Cookie *co)
 {
  return aprintf(
+    "%s"     /* httponly preamble */
    "%s%s\t" /* domain */
    "%s\t"   /* tailmatch */
    "%s\t"   /* path */
@@ -925,6 +943,7 @@ static char *get_netscape_format(const struct Cookie *co)
    "%" FORMAT_OFF_T "\t"   /* expires */
    "%s\t"   /* name */
    "%s",    /* value */
+    co->httponly?"#HttpOnly_":"",
    /* Make sure all domains are prefixed with a dot if they allow
       tailmatching. This is Mozilla-style. */
    (co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",
--- a/lib/cookie.h
+++ b/lib/cookie.h
@@ -50,6 +50,7 @@ struct Cookie {

  bool secure;       /* whether the 'secure' keyword was used */
  bool livecookie;   /* updated from a server, not a stored file */
+  bool httponly;     /* true if the httponly directive is present */
 };

 struct CookieInfo {
--- a/lib/easy.c
+++ b/lib/easy.c
@@ -348,6 +348,7 @@ CURL *curl_easy_init(void)
 * easy handle.
 */

+#undef curl_easy_setopt
 CURLcode curl_easy_setopt(CURL *curl, CURLoption tag, ...)
 {
  va_list arg;
@@ -547,6 +548,7 @@ void Curl_easy_initHandleData(struct SessionHandle *data)
 * curl_easy_getinfo() is an external interface that allows an app to retrieve
 * information from a performed transfer and similar.
 */
+#undef curl_easy_getinfo
 CURLcode curl_easy_getinfo(CURL *curl, CURLINFO info, ...)
 {
  va_list arg;
@@ -743,9 +745,11 @@ void curl_easy_reset(CURL *curl)
   */
  data->set.ssl.verifypeer = TRUE;
  data->set.ssl.verifyhost = 2;
-#ifdef CURL_CA_BUNDLE
-  /* This is our prefered CA cert bundle since install time */
+  /* This is our prefered CA cert bundle/path since install time */
+#if defined(CURL_CA_BUNDLE)
  (void) curl_easy_setopt(curl, CURLOPT_CAINFO, (char *) CURL_CA_BUNDLE);
+#elif defined(CURL_CA_PATH)
+  (void) curl_easy_setopt(curl, CURLOPT_CAPATH, (char *) CURL_CA_PATH);
 #endif

  data->set.ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
--- a/lib/file.c
+++ b/lib/file.c
@@ -454,7 +454,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
  /* If we have selected NOBODY and HEADER, it means that we only want file
     information. Which for FILE can't be much more than the file size and
     date. */
-  if(conn->bits.no_body && data->set.include_header && fstated) {
+  if(data->set.opt_no_body && data->set.include_header && fstated) {
    CURLcode result;
    snprintf(buf, sizeof(data->state.buffer),
             "Content-Length: %" FORMAT_OFF_T "\r\n", expected_size);
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -300,43 +300,14 @@ static bool isBadFtpString(const char *string)
 */
 static CURLcode AllowServerConnect(struct connectdata *conn)
 {
-  long timeout_ms;
  struct SessionHandle *data = conn->data;
  curl_socket_t sock = conn->sock[SECONDARYSOCKET];
-  int timeout_set = 0;
+  long timeout_ms = Curl_timeleft(conn, NULL, TRUE);

-  /* if a timeout is set, use the most restrictive one */
-
-  if(data->set.timeout > 0)
-    timeout_set += 1;
-  if(data->set.connecttimeout > 0)
-    timeout_set += 2;
-
-  switch (timeout_set) {
-  case 1:
-    timeout_ms = data->set.timeout;
-    break;
-  case 2:
-    timeout_ms = data->set.connecttimeout;
-    break;
-  case 3:
-    if(data->set.timeout < data->set.connecttimeout)
-      timeout_ms = data->set.timeout;
-    else
-      timeout_ms = data->set.connecttimeout;
-    break;
-  default:
-    timeout_ms = 60000; /* 60 seconds default timeout */
-    break;
-  }
-
-  if(timeout_set > 0) {
-    /* if a timeout was already set, substract elapsed time */
-    timeout_ms -= Curl_tvdiff(Curl_tvnow(), conn->now);
-    if(timeout_ms < 0) {
-      failf(data, "Timed out before server could connect to us");
-      return CURLE_OPERATION_TIMEDOUT;
-    }
+  if(timeout_ms < 0) {
+    /* if a timeout was already reached, bail out */
+    failf(data, "Timed out before server could connect to us");
+    return CURLE_OPERATION_TIMEDOUT;
  }

  switch (Curl_socket_ready(sock, CURL_SOCKET_BAD, (int)timeout_ms)) {
@@ -1473,7 +1444,7 @@ static CURLcode ftp_state_post_mdtm(struct connectdata *conn)
  /* If we have selected NOBODY and HEADER, it means that we only want file
     information. Which in FTP can't be much more than the file size and
     date. */
-  if(conn->bits.no_body && ftpc->file &&
+  if(data->set.opt_no_body && ftpc->file &&
     ftp_need_type(conn, data->set.prefer_ascii)) {
    /* The SIZE command is _not_ RFC 959 specified, and therefor many servers
       may not support it! It is however the only way we have to get a file's
@@ -2007,7 +1978,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn,
      /* If we asked for a time of the file and we actually got one as well,
         we "emulate" a HTTP-style header in our output. */

-      if(conn->bits.no_body &&
+      if(data->set.opt_no_body &&
         ftpc->file &&
         data->set.get_filetime &&
         (data->info.filetime>=0) ) {
@@ -3575,7 +3546,7 @@ CURLcode ftp_perform(struct connectdata *conn,

  DEBUGF(infof(conn->data, "DO phase starts\n"));

-  if(conn->bits.no_body) {
+  if(conn->data->set.opt_no_body) {
    /* requested no body means no transfer... */
    struct FTP *ftp = conn->data->state.proto.ftp;
    ftp->transfer = FTPTRANSFER_INFO;
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -43,6 +43,7 @@

 #include "urldata.h"
 #include "sendf.h"
+#include "inet_pton.h"
 #include "gtls.h"
 #include "sslgen.h"
 #include "parsedate.h"
@@ -110,8 +111,10 @@ static int _Curl_gtls_init(void)

 int Curl_gtls_cleanup(void)
 {
-  if(gtls_inited)
+  if(gtls_inited) {
    gnutls_global_deinit();
+    gtls_inited = FALSE;
+  }
  return 1;
 }

@@ -154,23 +157,7 @@ static CURLcode handshake(struct connectdata *conn,
    rc = gnutls_handshake(session);

    if((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)) {
-      long timeout_ms = DEFAULT_CONNECT_TIMEOUT;
-      long has_passed;
-
-      if(duringconnect && data->set.connecttimeout)
-        timeout_ms = data->set.connecttimeout;
-
-      if(data->set.timeout) {
-        /* get the strictest timeout of the ones converted to milliseconds */
-        if(data->set.timeout < timeout_ms)
-          timeout_ms = data->set.timeout;
-      }
-
-      /* Evaluate in milliseconds how much time that has passed */
-      has_passed = Curl_tvdiff(Curl_tvnow(), data->progress.t_startsingle);
-
-      /* subtract the passed time */
-      timeout_ms -= has_passed;
+      long timeout_ms = Curl_timeleft(conn, NULL, duringconnect);

      if(timeout_ms < 0) {
        /* a precaution, no need to continue if time already is up */
@@ -239,13 +226,20 @@ Curl_gtls_connect(struct connectdata *conn,
  size_t size;
  unsigned int algo;
  unsigned int bits;
-  time_t clock;
+  time_t certclock;
  const char *ptr;
  void *ssl_sessionid;
  size_t ssl_idsize;
+#ifdef ENABLE_IPV6
+  struct in6_addr addr;
+#else
+  struct in_addr addr;
+#endif

-  if(!gtls_inited) _Curl_gtls_init();
-  /* GnuTLS only supports TLSv1 (and SSLv3?) */
+  if(!gtls_inited)
+    _Curl_gtls_init();
+
+  /* GnuTLS only supports SSLv3 and TLSv1 */
  if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
    failf(data, "GnuTLS does not support SSLv2");
    return CURLE_SSL_CONNECT_ERROR;
@@ -287,11 +281,27 @@ Curl_gtls_connect(struct connectdata *conn,
  /* convenient assign */
  session = conn->ssl[sockindex].session;

+  if ((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
+#ifdef ENABLE_IPV6
+      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
+#endif
+      (gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
+                              strlen(conn->host.name)) < 0))
+    infof(data, "WARNING: failed to configure server name indication (SNI) "
+          "TLS extension\n");
+
  /* Use default priorities */
  rc = gnutls_set_default_priority(session);
  if(rc < 0)
    return CURLE_SSL_CONNECT_ERROR;

+  if(data->set.ssl.version == CURL_SSLVERSION_SSLv3) {
+    int protocol_priority[] = { GNUTLS_SSL3, 0 };
+    gnutls_protocol_set_priority(session, protocol_priority);
+    if(rc < 0)
+      return CURLE_SSL_CONNECT_ERROR;
+  }
+
  /* Sets the priority on the certificate types supported by gnutls. Priority
     is higher for types specified before others. After specifying the types
     you want, you must append a 0. */
@@ -350,38 +360,42 @@ Curl_gtls_connect(struct connectdata *conn,

  chainp = gnutls_certificate_get_peers(session, &cert_list_size);
  if(!chainp) {
-    if(data->set.ssl.verifyhost) {
+    if(data->set.ssl.verifypeer) {
      failf(data, "failed to get server cert");
      return CURLE_PEER_FAILED_VERIFICATION;
    }
    infof(data, "\t common name: WARNING couldn't obtain\n");
  }

-  /* This function will try to verify the peer's certificate and return its
-     status (trusted, invalid etc.). The value of status should be one or more
-     of the gnutls_certificate_status_t enumerated elements bitwise or'd. To
-     avoid denial of service attacks some default upper limits regarding the
-     certificate key size and chain size are set. To override them use
-     gnutls_certificate_set_verify_limits(). */
+  if(data->set.ssl.verifypeer) {
+    /* This function will try to verify the peer's certificate and return its
+       status (trusted, invalid etc.). The value of status should be one or
+       more of the gnutls_certificate_status_t enumerated elements bitwise
+       or'd. To avoid denial of service attacks some default upper limits
+       regarding the certificate key size and chain size are set. To override
+       them use gnutls_certificate_set_verify_limits(). */

-  rc = gnutls_certificate_verify_peers2(session, &verify_status);
-  if(rc < 0) {
-    failf(data, "server cert verify failed: %d", rc);
-    return CURLE_SSL_CONNECT_ERROR;
-  }
+    rc = gnutls_certificate_verify_peers2(session, &verify_status);
+    if(rc < 0) {
+      failf(data, "server cert verify failed: %d", rc);
+      return CURLE_SSL_CONNECT_ERROR;
+    }

-  /* verify_status is a bitmask of gnutls_certificate_status bits */
-  if(verify_status & GNUTLS_CERT_INVALID) {
-    if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate verification failed. CAfile: %s",
-            data->set.ssl.CAfile?data->set.ssl.CAfile:"none");
-      return CURLE_SSL_CACERT;
+    /* verify_status is a bitmask of gnutls_certificate_status bits */
+    if(verify_status & GNUTLS_CERT_INVALID) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate verification failed. CAfile: %s",
+              data->set.ssl.CAfile?data->set.ssl.CAfile:"none");
+        return CURLE_SSL_CACERT;
+      }
+      else
+        infof(data, "\t server certificate verification FAILED\n");
    }
    else
-      infof(data, "\t server certificate verification FAILED\n");
+      infof(data, "\t server certificate verification OK\n");
  }
  else
-      infof(data, "\t server certificate verification OK\n");
+    infof(data, "\t server certificate verification SKIPPED\n");

  /* initialize an X.509 certificate structure. */
  gnutls_x509_crt_init(&x509_cert);
@@ -423,14 +437,14 @@ Curl_gtls_connect(struct connectdata *conn,
    infof(data, "\t common name: %s (matched)\n", certbuf);

  /* Check for time-based validity */
-  clock = gnutls_x509_crt_get_expiration_time(x509_cert);
+  certclock = gnutls_x509_crt_get_expiration_time(x509_cert);

-  if(clock == (time_t)-1) {
+  if(certclock == (time_t)-1) {
    failf(data, "server cert expiration date verify failed");
    return CURLE_SSL_CONNECT_ERROR;
  }

-  if(clock < time(NULL)) {
+  if(certclock < time(NULL)) {
    if(data->set.ssl.verifypeer) {
      failf(data, "server certificate expiration date has passed.");
      return CURLE_PEER_FAILED_VERIFICATION;
@@ -441,14 +455,14 @@ Curl_gtls_connect(struct connectdata *conn,
  else
    infof(data, "\t server certificate expiration date OK\n");

-  clock = gnutls_x509_crt_get_activation_time(x509_cert);
+  certclock = gnutls_x509_crt_get_activation_time(x509_cert);

-  if(clock == (time_t)-1) {
+  if(certclock == (time_t)-1) {
    failf(data, "server cert activation date verify failed");
    return CURLE_SSL_CONNECT_ERROR;
  }

-  if(clock > time(NULL)) {
+  if(certclock > time(NULL)) {
    if(data->set.ssl.verifypeer) {
      failf(data, "server certificate not activated yet.");
      return CURLE_PEER_FAILED_VERIFICATION;
@@ -484,11 +498,11 @@ Curl_gtls_connect(struct connectdata *conn,
  gnutls_x509_crt_get_dn(x509_cert, certbuf, &size);
  infof(data, "\t subject: %s\n", certbuf);

-  clock = gnutls_x509_crt_get_activation_time(x509_cert);
-  showtime(data, "start date", clock);
+  certclock = gnutls_x509_crt_get_activation_time(x509_cert);
+  showtime(data, "start date", certclock);

-  clock = gnutls_x509_crt_get_expiration_time(x509_cert);
-  showtime(data, "expire date", clock);
+  certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
+  showtime(data, "expire date", certclock);

  size = sizeof(certbuf);
  gnutls_x509_crt_get_issuer_dn(x509_cert, certbuf, &size);
@@ -509,6 +523,8 @@ Curl_gtls_connect(struct connectdata *conn,
  ptr = gnutls_mac_get_name(gnutls_mac_get(session));
  infof(data, "\t MAC: %s\n", ptr);

+  conn->ssl[sockindex].state = ssl_connection_complete;
+
  if(!ssl_sessionid) {
    /* this session was not previously in the cache, add it now */

@@ -553,16 +569,16 @@ void Curl_gtls_close_all(struct SessionHandle *data)
 }

 static void close_one(struct connectdata *conn,
-                      int index)
+                      int idx)
 {
-  if(conn->ssl[index].session) {
-    gnutls_bye(conn->ssl[index].session, GNUTLS_SHUT_RDWR);
-    gnutls_deinit(conn->ssl[index].session);
-    conn->ssl[index].session = NULL;
+  if(conn->ssl[idx].session) {
+    gnutls_bye(conn->ssl[idx].session, GNUTLS_SHUT_RDWR);
+    gnutls_deinit(conn->ssl[idx].session);
+    conn->ssl[idx].session = NULL;
  }
-  if(conn->ssl[index].cred) {
-    gnutls_certificate_free_credentials(conn->ssl[index].cred);
-    conn->ssl[index].cred = NULL;
+  if(conn->ssl[idx].cred) {
+    gnutls_certificate_free_credentials(conn->ssl[idx].cred);
+    conn->ssl[idx].cred = NULL;
  }
 }

--- a/lib/hostip.c
+++ b/lib/hostip.c
@@ -268,6 +268,9 @@ void Curl_hostcache_prune(struct SessionHandle *data)
    Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
 }

+/*
+ * Check if the entry should be pruned. Assumes a locked cache.
+ */
 static int
 remove_entry_if_stale(struct SessionHandle *data, struct Curl_dns_entry *dns)
 {
@@ -284,19 +287,10 @@ remove_entry_if_stale(struct SessionHandle *data, struct Curl_dns_entry *dns)
  if( !hostcache_timestamp_remove(&user,dns) )
    return 0;

-  /* ok, we do need to clear the cache. although we need to remove just a
-     single entry we clean the entire hash, as no explicit delete function
-     is provided */
-  if(data->share)
-    Curl_share_lock(data, CURL_LOCK_DATA_DNS, CURL_LOCK_ACCESS_SINGLE);
-
  Curl_hash_clean_with_criterium(data->dns.hostcache,
                                 (void *) &user,
                                 hostcache_timestamp_remove);

-  if(data->share)
-    Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
-
  return 1;
 }

@@ -397,7 +391,7 @@ int Curl_resolv(struct connectdata *conn,
  size_t entry_len;
  struct SessionHandle *data = conn->data;
  CURLcode result;
-  int rc;
+  int rc = CURLRESOLV_ERROR; /* default to failure */
  *entry = NULL;

 #ifdef HAVE_SIGSETJMP
@@ -407,7 +401,7 @@ int Curl_resolv(struct connectdata *conn,
    if(sigsetjmp(curl_jmpenv, 1)) {
      /* this is coming from a siglongjmp() */
      failf(data, "name lookup timed out");
-      return CURLRESOLV_ERROR;
+      return rc;
    }
  }
 #endif
@@ -416,7 +410,7 @@ int Curl_resolv(struct connectdata *conn,
  entry_id = create_hostcache_id(hostname, port);
  /* If we can't create the entry id, fail */
  if(!entry_id)
-    return CURLRESOLV_ERROR;
+    return rc;

  entry_len = strlen(entry_id);

@@ -426,19 +420,21 @@ int Curl_resolv(struct connectdata *conn,
  /* See if its already in our dns cache */
  dns = Curl_hash_pick(data->dns.hostcache, entry_id, entry_len+1);

+  /* See whether the returned entry is stale. Done before we release lock */
+  if( remove_entry_if_stale(data, dns) )
+    dns = NULL; /* the memory deallocation is being handled by the hash */
+
+  if(dns) {
+    dns->inuse++; /* we use it! */
+    rc = CURLRESOLV_RESOLVED;
+  }
+
  if(data->share)
    Curl_share_unlock(data, CURL_LOCK_DATA_DNS);

  /* free the allocated entry_id again */
  free(entry_id);

-  /* See whether the returned entry is stale. Deliberately done after the
-     locked block */
-  if( remove_entry_if_stale(data,dns) )
-    dns = NULL; /* the memory deallocation is being handled by the hash */
-
-  rc = CURLRESOLV_ERROR; /* default to failure */
-
  if(!dns) {
    /* The entry was not in the cache. Resolve it to IP address */

@@ -486,14 +482,6 @@ int Curl_resolv(struct connectdata *conn,
        rc = CURLRESOLV_RESOLVED;
    }
  }
-  else {
-    if(data->share)
-      Curl_share_lock(data, CURL_LOCK_DATA_DNS, CURL_LOCK_ACCESS_SINGLE);
-    dns->inuse++; /* we use it! */
-    if(data->share)
-      Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
-    rc = CURLRESOLV_RESOLVED;
-  }

  *entry = dns;

--- a/lib/hostthre.c
+++ b/lib/hostthre.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -682,6 +682,8 @@ CURLcode Curl_wait_for_resolv(struct connectdata *conn,
 CURLcode Curl_is_resolved(struct connectdata *conn,
                          struct Curl_dns_entry **entry)
 {
+  struct SessionHandle *data = conn->data;
+
  *entry = NULL;

  if(conn->async.done) {
@@ -689,6 +691,8 @@ CURLcode Curl_is_resolved(struct connectdata *conn,
    Curl_destroy_thread_data(&conn->async);
    if(!conn->async.dns) {
      TRACE(("Curl_is_resolved(): CURLE_COULDNT_RESOLVE_HOST\n"));
+      failf(data, "Could not resolve host: %s; %s",
+            conn->host.name, Curl_strerror(conn, conn->async.status));
      return CURLE_COULDNT_RESOLVE_HOST;
    }
    *entry = conn->async.dns;
--- a/lib/http.c
+++ b/lib/http.c
--- a/lib/http_chunks.c
+++ b/lib/http_chunks.c
@@ -181,7 +181,7 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn,
      if(*datap == 0x0a) {
        /* we're now expecting data to come, unless size was zero! */
        if(0 == ch->datasize) {
-          if(conn->bits.trailerhdrpresent!=TRUE) {
+          if(k->trailerhdrpresent!=TRUE) {
            /* No Trailer: header found - revert to original Curl processing */
            ch->state = CHUNK_STOPCR;

--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -255,7 +255,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
 {
  struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
    &conn->data->state.negotiate;
-  OM_uint32 minor_status;
  char *encoded = NULL;
  int len;

@@ -309,7 +308,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
    aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
            neg_ctx->protocol, encoded);
  free(encoded);
-  gss_release_buffer(&minor_status, &neg_ctx->output_token);
+  Curl_cleanup_negotiate (conn->data);
  return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
 }

--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -0,0 +1,187 @@
+#!/usr/bin/perl -w
+# ***************************************************************************
+# *                                  _   _ ____  _
+# *  Project                     ___| | | |  _ \| |
+# *                             / __| | | | |_) | |
+# *                            | (__| |_| |  _ <| |___
+# *                             \___|\___/|_| \_\_____|
+# *
+# * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+# *
+# * This software is licensed as described in the file COPYING, which
+# * you should have received as part of this distribution. The terms
+# * are also available at http://curl.haxx.se/docs/copyright.html.
+# *
+# * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# * copies of the Software, and permit persons to whom the Software is
+# * furnished to do so, under the terms of the COPYING file.
+# *
+# * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# * KIND, either express or implied.
+# *
+# * $Id$
+# ***************************************************************************
+# This Perl script creates a fresh ca-bundle.crt file for use with libcurl. 
+# It downloads certdata.txt from Mozilla's source tree (see URL below),
+# then parses certdata.txt and extracts CA Root Certificates into PEM format.
+# These are then processed with the OpenSSL commandline tool to produce the
+# final ca-bundle.crt file.
+# The script is based on the parse-certs script written by Roland Krikava.
+# This Perl script works on almost any platform since its only external
+# dependency is the OpenSSL commandline tool for optional text listing.
+# Hacked by Guenter Knauf.
+#
+use Getopt::Std;
+use MIME::Base64;
+use LWP::UserAgent;
+use strict;
+use vars qw($opt_b $opt_h $opt_i $opt_l $opt_n $opt_q $opt_t $opt_u $opt_v);  
+
+my $url = 'http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';
+# If the OpenSSL commandline is not in search path you can configure it here!
+my $openssl = 'openssl';
+
+my $version = $1 if ('$Revision$' =~ /\s(\d+\.\d+)\s/);
+
+getopts('bhilnqtuv');
+
+if ($opt_i) {
+  print ("=" x 78 . "\n");
+  print "Script Version            : $version\n";
+  print "Perl Version              : $]\n";
+  print "Operating System Name     : $^O\n";
+  print "Getopt::Std.pm Version    : ${Getopt::Std::VERSION}\n";
+  print "MIME::Base64.pm Version   : ${MIME::Base64::VERSION}\n";
+  print "LWP::UserAgent.pm Version : ${LWP::UserAgent::VERSION}\n";
+  print "LWP.pm Version            : ${LWP::VERSION}\n";
+  print ("=" x 78 . "\n");
+}
+
+$0 =~ s/\\/\//g;
+$0 = substr($0, rindex($0, '/') + 1);
+if ($opt_h) {
+  printf("Usage:\t%s [-b] [-i] [-l] [-n] [-q] [-t] [-u] [-v] [<outputfile>]\n", $0);
+  print "\t-b\tbackup an existing version of ca-bundle.crt\n";
+  print "\t-i\tprint version info about used modules\n";
+  print "\t-l\tprint license info about certdata.txt\n";
+  print "\t-n\tno download of certdata.txt (to use existing)\n";
+  print "\t-q\tbe really quiet (no progress output at all)\n";
+  print "\t-t\tinclude plain text listing of certificates\n";
+  print "\t-u\tunlink (remove) certdata.txt after processing\n";
+  print "\t-v\tbe verbose and print out processed CAs\n";
+  exit;
+}
+
+my $crt = $ARGV[0] || 'ca-bundle.crt';
+my $txt = substr($url, rindex($url, '/') + 1);
+$txt =~ s/\?.*//;
+
+if (!$opt_n || !-e $txt) {
+  print "Downloading '$txt' ...\n" if (!$opt_q);
+  my $ua  = new LWP::UserAgent(agent => "$0/$version");
+  my $req = new HTTP::Request('GET', $url);
+  my $res = $ua->request($req);
+  if ($res->is_success) {
+    open(TXT,">$txt") or die "Couldn't open $txt: $!";
+    print TXT $res->content . "\n";
+    close(TXT) or die "Couldn't close $txt: $!";
+  } else {
+    die $res->status_line;
+  }
+}
+
+if ($opt_b && -e $crt) {
+  my $bk = 1;
+  while (-e "$crt.~${bk}~") {
+    $bk++;
+  }
+  rename $crt, "$crt.~${bk}~";
+}
+
+my $format = $opt_t ? "plain text and " : "";
+my $currentdate = scalar gmtime() . " UTC";
+open(CRT,">$crt") or die "Couldn't open $crt: $!";
+print CRT <<EOT;
+##
+## $crt -- Bundle of CA Root Certificates
+##
+## Converted at: ${currentdate}
+##
+## This is a bundle of X.509 certificates of public Certificate Authorities
+## (CA). These were automatically extracted from Mozilla's root certificates
+## file (certdata.txt).  This file can be found in the mozilla source tree:
+## '/mozilla/security/nss/lib/ckfw/builtins/certdata.txt'
+##
+## It contains the certificates in ${format}PEM format and therefore
+## can be directly used with curl / libcurl / php_curl, or with
+## an Apache+mod_ssl webserver for SSL client authentication.
+## Just configure this file as the SSLCACertificateFile.
+##
+
+EOT
+
+close(CRT) or die "Couldn't close $crt: $!";
+
+print "Processing  '$txt' ...\n" if (!$opt_q);
+my $caname;
+my $certnum = 0;
+open(TXT,"$txt") or die "Couldn't open $txt: $!";
+while (<TXT>) {
+  if (/\*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*/) {
+    open(CRT, ">>$crt") or die "Couldn't open $crt: $!";
+    print CRT;
+    print if ($opt_l);
+    while (<TXT>) {
+      print CRT;
+      print if ($opt_l);
+      last if (/\*\*\*\*\* END LICENSE BLOCK \*\*\*\*\*/);
+    }
+    close(CRT) or die "Couldn't close $crt: $!";
+  }
+  next if /^#|^\s*$/;
+  chomp;
+  if (/^CVS_ID\s+\"(.*)\"/) {
+    open(CRT, ">>$crt") or die "Couldn't open $crt: $!";
+    print CRT "# $1\n";
+    close(CRT) or die "Couldn't close $crt: $!";
+  }
+  if (/^CKA_LABEL\s+[A-Z0-9]+\s+\"(.*)\"/) {
+    $caname = $1;
+  }
+  if (/^CKA_VALUE MULTILINE_OCTAL/) {
+    my $data;
+    while (<TXT>) {
+      last if (/^END/);
+      chomp;
+      my @octets = split(/\\/);
+      shift @octets;
+      for (@octets) {
+        $data .= chr(oct);
+      }
+    }
+    my $pem = "-----BEGIN CERTIFICATE-----\n"
+            . MIME::Base64::encode($data)
+            . "-----END CERTIFICATE-----\n";
+    open(CRT, ">>$crt") or die "Couldn't open $crt: $!";
+    print CRT "\n$caname\n";
+    print CRT ("=" x length($caname) . "\n");
+    if (!$opt_t) {
+      print CRT $pem;
+    }
+    close(CRT) or die "Couldn't close $crt: $!";
+    if ($opt_t) {
+      open(TMP, "|$openssl x509 -md5 -fingerprint -text -inform PEM >> $crt") or die "Couldn't open openssl pipe: $!";
+      print TMP $pem;
+      close(TMP) or die "Couldn't close openssl pipe: $!";
+    }
+    print "Parsing: $caname\n" if ($opt_v);
+    $certnum ++;
+  }
+}
+close(TXT) or die "Couldn't close $txt: $!";
+unlink $txt if ($opt_u);
+print "Done ($certnum CA certs processed).\n" if (!$opt_q);
+
+exit;
+
+
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -585,7 +585,8 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle,
      multi->num_alive--;

    if(easy->easy_conn &&
-        easy->easy_handle->state.is_in_pipeline &&
+        (easy->easy_conn->send_pipe->size +
+         easy->easy_conn->recv_pipe->size > 1) &&
        easy->state > CURLM_STATE_WAITDO &&
        easy->state < CURLM_STATE_COMPLETED) {
      /* If the handle is in a pipeline and has started sending off its
@@ -614,8 +615,11 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle,
       (easy->easy_conn->data == easy->easy_handle)) {

      /* Curl_done() clears the conn->data field to lose the association
-         between the easy handle and the connection */
-      Curl_done(&easy->easy_conn, easy->result, premature);
+         between the easy handle and the connection
+
+         Note that this ignores the return code simply because there's nothing
+         really useful to do with it anyway! */
+      (void)Curl_done(&easy->easy_conn, easy->result, premature);

      if(easy->easy_conn)
        /* the connection is still alive, set back the association to enable
@@ -856,11 +860,13 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
  CURLMcode result = CURLM_OK;
  struct SingleRequest *k;

-  do {
-    bool disconnect_conn = FALSE;
+  if(!GOOD_EASY_HANDLE(easy->easy_handle))
+    return CURLM_BAD_EASY_HANDLE;

-    if(!GOOD_EASY_HANDLE(easy->easy_handle))
-      return CURLM_BAD_EASY_HANDLE;
+  do {
+    /* this is a do-while loop just to allow a break to skip to the end
+       of it */
+    bool disconnect_conn = FALSE;

    /* Handle the case when the pipe breaks, i.e., the connection
       we're using gets cleaned up and we're left with nothing. */
@@ -868,17 +874,12 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
      infof(easy->easy_handle, "Pipe broke: handle 0x%x, url = %s\n",
            easy, easy->easy_handle->state.path);

-      if(easy->easy_handle->state.is_in_pipeline) {
+      if(easy->state != CURLM_STATE_COMPLETED) {
        /* Head back to the CONNECT state */
        multistate(easy, CURLM_STATE_CONNECT);
-        easy->easy_handle->state.is_in_pipeline = FALSE;
        result = CURLM_CALL_MULTI_PERFORM;
        easy->result = CURLE_OK;
      }
-      else {
-        easy->result = CURLE_COULDNT_CONNECT;
-        multistate(easy, CURLM_STATE_COMPLETED);
-      }

      easy->easy_handle->state.pipe_broke = FALSE;
      easy->easy_conn = NULL;
@@ -886,40 +887,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
    }

    if(easy->state > CURLM_STATE_CONNECT &&
-        easy->state < CURLM_STATE_COMPLETED) {
+       easy->state < CURLM_STATE_COMPLETED)
      /* Make sure we set the connection's current owner */
      easy->easy_conn->data = easy->easy_handle;
-    }
-
-    if(CURLM_STATE_WAITCONNECT <= easy->state &&
-        easy->state <= CURLM_STATE_DO &&
-        easy->easy_handle->change.url_changed) {
-      char *gotourl;
-      Curl_posttransfer(easy->easy_handle);
-
-      easy->result = Curl_done(&easy->easy_conn, CURLE_OK, FALSE);
-      /* We make sure that the pipe broken flag is reset
-         because in this case, it isn't an actual break */
-      easy->easy_handle->state.pipe_broke = FALSE;
-      if(CURLE_OK == easy->result) {
-        gotourl = strdup(easy->easy_handle->change.url);
-        if(gotourl) {
-          easy->easy_handle->change.url_changed = FALSE;
-          easy->result = Curl_follow(easy->easy_handle, gotourl, FALSE);
-          if(CURLE_OK == easy->result)
-            multistate(easy, CURLM_STATE_CONNECT);
-          else
-            free(gotourl);
-        }
-        else {
-          easy->result = CURLE_OUT_OF_MEMORY;
-          multistate(easy, CURLM_STATE_COMPLETED);
-          break;
-        }
-      }
-    }
-
-    easy->easy_handle->change.url_changed = FALSE;

    switch(easy->state) {
    case CURLM_STATE_INIT:
@@ -946,32 +916,24 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
        easy->result = addHandleToSendOrPendPipeline(easy->easy_handle,
                                                     easy->easy_conn);
        if(CURLE_OK == easy->result) {
-          if (easy->easy_handle->state.is_in_pipeline) {
-            multistate(easy, CURLM_STATE_WAITDO);
-            if(isHandleAtHead(easy->easy_handle,
-                              easy->easy_conn->send_pipe))
-              result = CURLM_CALL_MULTI_PERFORM;
-          }
+          if(async)
+            /* We're now waiting for an asynchronous name lookup */
+            multistate(easy, CURLM_STATE_WAITRESOLVE);
          else {
-            if(async)
-              /* We're now waiting for an asynchronous name lookup */
-              multistate(easy, CURLM_STATE_WAITRESOLVE);
-            else {
-              /* after the connect has been sent off, go WAITCONNECT unless the
-                 protocol connect is already done and we can go directly to
-                 WAITDO! */
-              result = CURLM_CALL_MULTI_PERFORM;
+            /* after the connect has been sent off, go WAITCONNECT unless the
+               protocol connect is already done and we can go directly to
+               WAITDO! */
+            result = CURLM_CALL_MULTI_PERFORM;

-              if(protocol_connect)
-                multistate(easy, CURLM_STATE_WAITDO);
-              else {
+            if(protocol_connect)
+              multistate(easy, CURLM_STATE_WAITDO);
+            else {
 #ifndef CURL_DISABLE_HTTP
-                if(easy->easy_conn->bits.tunnel_connecting)
-                  multistate(easy, CURLM_STATE_WAITPROXYCONNECT);
-                else
+              if(easy->easy_conn->bits.tunnel_connecting)
+                multistate(easy, CURLM_STATE_WAITPROXYCONNECT);
+              else
 #endif
-                  multistate(easy, CURLM_STATE_WAITCONNECT);
-              }
+                multistate(easy, CURLM_STATE_WAITCONNECT);
            }
          }
        }
@@ -1287,7 +1249,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
        easy->easy_conn->bits.close = TRUE;
        Curl_removeHandleFromPipeline(easy->easy_handle,
                                      easy->easy_conn->recv_pipe);
-        easy->easy_handle->state.is_in_pipeline = FALSE;

        if(CURL_SOCKET_BAD != easy->easy_conn->sock[SECONDARYSOCKET]) {
          /* if we failed anywhere, we must clean up the secondary socket if
@@ -1311,7 +1272,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
                                        easy->easy_conn->recv_pipe);
          /* Check if we can move pending requests to send pipe */
          checkPendPipeline(easy->easy_conn);
-          easy->easy_handle->state.is_in_pipeline = FALSE;
+
          if(!retry) {
            /* if the URL is a follow-location and not just a retried request
               then figure out the URL here */
@@ -1345,7 +1306,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
                                    easy->easy_conn->recv_pipe);
      /* Check if we can move pending requests to send pipe */
      checkPendPipeline(easy->easy_conn);
-      easy->easy_handle->state.is_in_pipeline = FALSE;

      if(easy->easy_conn->bits.stream_was_rewound) {
          /* This request read past its response boundary so we quickly
@@ -1388,7 +1348,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
        /* NOTE: no attempt to disconnect connections must be made
           in the case blocks above - cleanup happens only here */

-        easy->easy_handle->state.is_in_pipeline = FALSE;
        easy->easy_handle->state.pipe_broke = FALSE;

        if(easy->easy_conn) {
@@ -1415,9 +1374,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
        multistate(easy, CURLM_STATE_COMPLETED);
      }
    }
-
-  } while(easy->easy_handle->change.url_changed);
-
+  } while(0);
  if((CURLM_STATE_COMPLETED == easy->state) && !easy->msg) {
    if(easy->easy_handle->dns.hostcachetype == HCACHE_MULTI) {
      /* clear out the usage of the shared DNS cache */
@@ -1821,6 +1778,7 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
  return result;
 }

+#undef curl_multi_setopt
 CURLMcode curl_multi_setopt(CURLM *multi_handle,
                            CURLMoption option, ...)
 {
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -873,7 +873,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
  switch (data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
-    ssl2 = ssl3 = tlsv1 = PR_TRUE;
+    ssl3 = tlsv1 = PR_TRUE;
    break;
  case CURL_SSLVERSION_TLSv1:
    tlsv1 = PR_TRUE;
@@ -893,6 +893,9 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
  if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
    goto error;

+  if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+    goto error;
+
  if(data->set.ssl.cipher_list) {
    if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
      curlerr = CURLE_SSL_CIPHER;
@@ -1019,6 +1022,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
    goto error;
  }

+  connssl->state = ssl_connection_complete;
+
  display_conn_info(conn, connssl->handle);

  return CURLE_OK;
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -90,7 +90,7 @@ static CURLcode Curl_qsossl_init_session(struct SessionHandle * data)
  memset((char *) &initappstr, 0, sizeof initappstr);
  initappstr.applicationID = certname;
  initappstr.applicationIDLen = strlen(certname);
-  initappstr.protocol = SSL_VERSION_CURRENT;
+  initappstr.protocol = TLSV1_SSLV3;
  initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
  rc = SSL_Init_Application(&initappstr);

@@ -172,20 +172,16 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
  if(!data->set.ssl.verifyhost)
    h->exitPgm = Curl_qsossl_trap_cert;

-  if(data->set.connecttimeout) {
-    timeout_ms = data->set.connecttimeout;
+  /* figure out how long time we should wait at maximum */
+  timeout_ms = Curl_timeleft(conn, NULL, TRUE);

-    if(data->set.timeout)
-      if(timeout_ms > data->set.timeout)
-        timeout_ms = data->set.timeout;
-    }
-  else if(data->set.timeout)
-    timeout_ms = data->set.timeout;
-  else
-    timeout_ms = DEFAULT_CONNECT_TIMEOUT;
+  if(timeout_ms < 0) {
+    /* time-out, bail out, go home */
+    failf(data, "Connection time-out");
+    return CURLE_OPERATION_TIMEDOUT;
+  }

  /* SSL_Handshake() timeout resolution is second, so round up. */
-
  h->timeout = (timeout_ms + 1000 - 1) / 1000;

  /* Set-up protocol. */
@@ -194,7 +190,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)

  default:
  case CURL_SSLVERSION_DEFAULT:
-    h->protocol = SSL_VERSION_CURRENT;
+    h->protocol = TLSV1_SSLV3;
    break;

  case CURL_SSLVERSION_TLSv1:
@@ -262,8 +258,11 @@ CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex)
      SSL_Destroy(connssl->handle);
      connssl->handle = NULL;
      connssl->use = FALSE;
+      connssl->state = ssl_connection_none;
    }
  }
+  if (rc == CURLE_OK)
+    connssl->state = ssl_connection_complete;

  return rc;
 }
@@ -438,7 +437,7 @@ ssize_t Curl_qsossl_recv(struct connectdata * conn, int num, char * buf,
    case SSL_ERROR_IO:
      switch (errno) {
      case EWOULDBLOCK:
-	*wouldblock = TRUE;
+        *wouldblock = TRUE;
        return -1;
        }

--- a/lib/select.c
+++ b/lib/select.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -68,9 +68,9 @@
 #define elapsed_ms  (int)curlx_tvdiff(curlx_tvnow(), initial_tv)

 #ifdef CURL_ACKNOWLEDGE_EINTR
-#define error_is_EINTR  (error == EINTR)
+#define error_not_EINTR (1)
 #else
-#define error_is_EINTR  (0)
+#define error_not_EINTR (error != EINTR)
 #endif

 /*
@@ -129,7 +129,7 @@ static int wait_ms(int timeout_ms)
    if(r != -1)
      break;
    error = SOCKERRNO;
-    if((error == EINVAL) || error_is_EINTR)
+    if(error && error_not_EINTR)
      break;
    pending_ms = timeout_ms - elapsed_ms;
    if(pending_ms <= 0)
@@ -219,7 +219,7 @@ int Curl_socket_ready(curl_socket_t readfd, curl_socket_t writefd,
    if(r != -1)
      break;
    error = SOCKERRNO;
-    if((error == EINVAL) || error_is_EINTR)
+    if(error && error_not_EINTR)
      break;
    if(timeout_ms > 0) {
      pending_ms = timeout_ms - elapsed_ms;
@@ -288,7 +288,7 @@ int Curl_socket_ready(curl_socket_t readfd, curl_socket_t writefd,
    if(r != -1)
      break;
    error = SOCKERRNO;
-    if((error == EINVAL) || (error == EBADF) || error_is_EINTR)
+    if(error && error_not_EINTR)
      break;
    if(timeout_ms > 0) {
      pending_ms = timeout_ms - elapsed_ms;
@@ -389,7 +389,7 @@ int Curl_poll(struct pollfd ufds[], unsigned int nfds, int timeout_ms)
    if(r != -1)
      break;
    error = SOCKERRNO;
-    if((error == EINVAL) || error_is_EINTR)
+    if(error && error_not_EINTR)
      break;
    if(timeout_ms > 0) {
      pending_ms = timeout_ms - elapsed_ms;
@@ -438,7 +438,7 @@ int Curl_poll(struct pollfd ufds[], unsigned int nfds, int timeout_ms)
    if(r != -1)
      break;
    error = SOCKERRNO;
-    if((error == EINVAL) || (error == EBADF) || error_is_EINTR)
+    if(error && error_not_EINTR)
      break;
    if(timeout_ms > 0) {
      pending_ms = timeout_ms - elapsed_ms;
--- a/lib/sendf.c
+++ b/lib/sendf.c
@@ -355,7 +355,7 @@ CURLcode Curl_write(struct connectdata *conn,
  CURLcode retcode;
  int num = (sockfd == conn->sock[SECONDARYSOCKET]);

-  if(conn->ssl[num].use)
+  if(conn->ssl[num].state == ssl_connection_complete)
    /* only TRUE if SSL enabled */
    bytes_written = Curl_ssl_send(conn, num, mem, len);
 #ifdef USE_LIBSSH2
@@ -567,7 +567,7 @@ int Curl_read(struct connectdata *conn, /* connection data */
    buffertofill = buf;
  }

-  if(conn->ssl[num].use) {
+  if(conn->ssl[num].state == ssl_connection_complete) {
    nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket);

    if(nread == -1) {
--- a/lib/share.c
+++ b/lib/share.c
@@ -46,6 +46,7 @@ curl_share_init(void)
  return share;
 }

+#undef curl_share_setopt
 CURLSHcode
 curl_share_setopt(CURLSH *sh, CURLSHoption option, ...)
 {
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -138,18 +138,13 @@ CURLcode Curl_SOCKS4(const char *proxy_name,
  struct SessionHandle *data = conn->data;

  /* get timeout */
-  if(data->set.timeout && data->set.connecttimeout) {
-    if(data->set.timeout < data->set.connecttimeout)
-      timeout = data->set.timeout;
-    else
-      timeout = data->set.connecttimeout;
+  timeout = Curl_timeleft(conn, NULL, TRUE);
+
+  if(timeout < 0) {
+    /* time-out, bail out, go home */
+    failf(data, "Connection time-out");
+    return CURLE_OPERATION_TIMEDOUT;
  }
-  else if(data->set.timeout)
-    timeout = data->set.timeout;
-  else if(data->set.connecttimeout)
-    timeout = data->set.connecttimeout;
-  else
-    timeout = DEFAULT_CONNECT_TIMEOUT;

  Curl_nonblock(sock, FALSE);

@@ -403,18 +398,13 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
  }

  /* get timeout */
-  if(data->set.timeout && data->set.connecttimeout) {
-    if(data->set.timeout < data->set.connecttimeout)
-      timeout = data->set.timeout;
-    else
-      timeout = data->set.connecttimeout;
+  timeout = Curl_timeleft(conn, NULL, TRUE);
+
+  if(timeout < 0) {
+    /* time-out, bail out, go home */
+    failf(data, "Connection time-out");
+    return CURLE_OPERATION_TIMEDOUT;
  }
-  else if(data->set.timeout)
-    timeout = data->set.timeout;
-  else if(data->set.connecttimeout)
-    timeout = data->set.connecttimeout;
-  else
-    timeout = DEFAULT_CONNECT_TIMEOUT;

  Curl_nonblock(sock, TRUE);

--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -132,7 +132,7 @@ static LIBSSH2_ALLOC_FUNC(libssh2_malloc);
 static LIBSSH2_REALLOC_FUNC(libssh2_realloc);
 static LIBSSH2_FREE_FUNC(libssh2_free);

-static int get_pathname(const char **cpp, char **path);
+static CURLcode get_pathname(const char **cpp, char **path);

 static CURLcode ssh_connect(struct connectdata *conn, bool *done);
 static CURLcode ssh_multi_statemach(struct connectdata *conn, bool *done);
@@ -234,6 +234,9 @@ static CURLcode sftp_libssh2_error_to_CURLE(unsigned long err)
    case LIBSSH2_FX_OK:
      return CURLE_OK;

+    case LIBSSH2_ERROR_ALLOC:
+      return CURLE_OUT_OF_MEMORY;
+
    case LIBSSH2_FX_NO_SUCH_FILE:
    case LIBSSH2_FX_NO_SUCH_PATH:
      return CURLE_REMOTE_FILE_NOT_FOUND;
@@ -274,20 +277,20 @@ static CURLcode libssh2_session_error_to_CURLE(int err)

 static LIBSSH2_ALLOC_FUNC(libssh2_malloc)
 {
+  (void)abstract; /* arg not used */
  return malloc(count);
-  (void)abstract;
 }

 static LIBSSH2_REALLOC_FUNC(libssh2_realloc)
 {
+  (void)abstract; /* arg not used */
  return realloc(ptr, count);
-  (void)abstract;
 }

 static LIBSSH2_FREE_FUNC(libssh2_free)
 {
+  (void)abstract; /* arg not used */
  free(ptr);
-  (void)abstract;
 }

 /*
@@ -628,6 +631,10 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
      state(conn, SSH_AUTH_DONE);
    }
    else {
+      char *err_msg;
+      (void)libssh2_session_last_error(sshc->ssh_session,
+                                       &err_msg, NULL, 0);
+      infof(data, "SSH public key authentication failed: %s\n", err_msg);
      state(conn, SSH_AUTH_PASS_INIT);
    }
    break;
@@ -837,7 +844,6 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
      break;
    }
    else if(sshc->quote_item->data) {
-      fprintf(stderr, "data: %s\n", sshc->quote_item->data);
      /*
       * the arguments following the command must be separated from the
       * command with a space so we can check for it unconditionally
@@ -854,14 +860,14 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
       * also, every command takes at least one argument so we get that
       * first argument right now
       */
-      err = get_pathname(&cp, &sshc->quote_path1);
-      if(err) {
-        if(err == CURLE_OUT_OF_MEMORY)
+      result = get_pathname(&cp, &sshc->quote_path1);
+      if(result) {
+        if(result == CURLE_OUT_OF_MEMORY)
          failf(data, "Out of memory");
        else
          failf(data, "Syntax error: Bad first parameter");
        state(conn, SSH_SFTP_CLOSE);
-        sshc->actualcode = err;
+        sshc->actualcode = result;
        break;
      }

@@ -878,9 +884,9 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)

        /* sshc->quote_path1 contains the mode to set */
        /* get the destination */
-        err = get_pathname(&cp, &sshc->quote_path2);
-        if(err) {
-          if(err == CURLE_OUT_OF_MEMORY)
+        result = get_pathname(&cp, &sshc->quote_path2);
+        if(result) {
+          if(result == CURLE_OUT_OF_MEMORY)
            failf(data, "Out of memory");
          else
            failf(data, "Syntax error in chgrp/chmod/chown: "
@@ -888,7 +894,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
          Curl_safefree(sshc->quote_path1);
          sshc->quote_path1 = NULL;
          state(conn, SSH_SFTP_CLOSE);
-          sshc->actualcode = err;
+          sshc->actualcode = result;
          break;
        }
        memset(&sshc->quote_attrs, 0, sizeof(LIBSSH2_SFTP_ATTRIBUTES));
@@ -900,9 +906,9 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
        /* symbolic linking */
        /* sshc->quote_path1 is the source */
        /* get the destination */
-        err = get_pathname(&cp, &sshc->quote_path2);
-        if(err) {
-          if(err == CURLE_OUT_OF_MEMORY)
+        result = get_pathname(&cp, &sshc->quote_path2);
+        if(result) {
+          if(result == CURLE_OUT_OF_MEMORY)
            failf(data, "Out of memory");
          else
            failf(data,
@@ -910,7 +916,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
          Curl_safefree(sshc->quote_path1);
          sshc->quote_path1 = NULL;
          state(conn, SSH_SFTP_CLOSE);
-          sshc->actualcode = err;
+          sshc->actualcode = result;
          break;
        }
        state(conn, SSH_SFTP_QUOTE_SYMLINK);
@@ -925,16 +931,16 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
        /* rename file */
        /* first param is the source path */
        /* second param is the dest. path */
-        err = get_pathname(&cp, &sshc->quote_path2);
-        if(err) {
-          if(err == CURLE_OUT_OF_MEMORY)
+        result = get_pathname(&cp, &sshc->quote_path2);
+        if(result) {
+          if(result == CURLE_OUT_OF_MEMORY)
            failf(data, "Out of memory");
          else
            failf(data, "Syntax error in rename: Bad second parameter");
          Curl_safefree(sshc->quote_path1);
          sshc->quote_path1 = NULL;
          state(conn, SSH_SFTP_CLOSE);
-          sshc->actualcode = err;
+          sshc->actualcode = result;
          break;
        }
        state(conn, SSH_SFTP_QUOTE_RENAME);
@@ -950,14 +956,14 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
        break;
      }

-      if(sshc->quote_path1) {
-        Curl_safefree(sshc->quote_path1);
-        sshc->quote_path1 = NULL;
-      }
-      if(sshc->quote_path2) {
-        Curl_safefree(sshc->quote_path2);
-        sshc->quote_path2 = NULL;
-      }
+      failf(data, "Unknown SFTP command");
+      Curl_safefree(sshc->quote_path1);
+      sshc->quote_path1 = NULL;
+      Curl_safefree(sshc->quote_path2);
+      sshc->quote_path2 = NULL;
+      state(conn, SSH_SFTP_CLOSE);
+      sshc->actualcode = CURLE_QUOTE_ERROR;
+      break;
    }
  }
  if(!sshc->quote_item) {
@@ -1188,10 +1194,31 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
     *          If this is not done the destination file will be named the
     *          same name as the last directory in the path.
     */
+
+    if(data->state.resume_from != 0) {
+      LIBSSH2_SFTP_ATTRIBUTES attrs;
+      if(data->state.resume_from< 0) {
+        rc = libssh2_sftp_stat(sshc->sftp_session, sftp_scp->path, &attrs);
+        if(rc == LIBSSH2_ERROR_EAGAIN) {
+          break;
+        }
+        else if(rc) {
+          data->state.resume_from = 0;
+        }
+        else {
+          data->state.resume_from = attrs.filesize;
+        }
+      }
+    }
+
    sshc->sftp_handle =
      libssh2_sftp_open(sshc->sftp_session, sftp_scp->path,
+                        /* If we have restart position then open for append */
+                        (data->state.resume_from > 0)?
+                        LIBSSH2_FXF_WRITE|LIBSSH2_FXF_APPEND:
                        LIBSSH2_FXF_WRITE|LIBSSH2_FXF_CREAT|LIBSSH2_FXF_TRUNC,
                        data->set.new_file_perms);
+
    if(!sshc->sftp_handle) {
      if(libssh2_session_last_errno(sshc->ssh_session) ==
         LIBSSH2_ERROR_EAGAIN) {
@@ -1199,10 +1226,11 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
      }
      else {
        err = libssh2_sftp_last_error(sshc->sftp_session);
-        failf(data, "Upload failed: %s", sftp_libssh2_strerror(err));
        if(sshc->secondCreateDirs) {
          state(conn, SSH_SFTP_CLOSE);
-          sshc->actualcode = err;
+          sshc->actualcode = sftp_libssh2_error_to_CURLE(err);
+          failf(data, "Creating the dir/file failed: %s",
+                sftp_libssh2_strerror(err));
          break;
        }
        else if(((err == LIBSSH2_FX_NO_SUCH_FILE) ||
@@ -1217,10 +1245,61 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
        }
        state(conn, SSH_SFTP_CLOSE);
        sshc->actualcode = sftp_libssh2_error_to_CURLE(err);
+        failf(data, "Upload failed: %s", sftp_libssh2_strerror(err));
        break;
      }
    }

+    /* If we have restart point then we need to seek to the correct position. */
+    if(data->state.resume_from > 0) {
+      /* Let's read off the proper amount of bytes from the input. */
+      if(conn->seek_func) {
+        curl_off_t readthisamountnow = data->state.resume_from;
+
+        if(conn->seek_func(conn->seek_client,
+                           readthisamountnow, SEEK_SET) != 0) {
+          failf(data, "Could not seek stream");
+          return CURLE_FTP_COULDNT_USE_REST;
+        }
+      }
+      else {
+        curl_off_t passed=0;
+        curl_off_t readthisamountnow;
+        curl_off_t actuallyread;
+        do {
+          readthisamountnow = (data->state.resume_from - passed);
+
+          if(readthisamountnow > BUFSIZE)
+            readthisamountnow = BUFSIZE;
+
+          actuallyread =
+            (curl_off_t) conn->fread_func(data->state.buffer, 1,
+                                          (size_t)readthisamountnow,
+                                          conn->fread_in);
+
+          passed += actuallyread;
+          if((actuallyread <= 0) || (actuallyread > readthisamountnow)) {
+            /* this checks for greater-than only to make sure that the
+               CURL_READFUNC_ABORT return code still aborts */
+             failf(data, "Failed to read data");
+            return CURLE_FTP_COULDNT_USE_REST;
+          }
+        } while(passed < data->state.resume_from);
+      }
+
+      /* now, decrease the size of the read */
+      if(data->set.infilesize>0) {
+        data->set.infilesize -= data->state.resume_from;
+        data->req.size = data->set.infilesize;
+        Curl_pgrsSetUploadSize(data, data->set.infilesize);
+      }
+
+      libssh2_sftp_seek(sshc->sftp_handle, data->state.resume_from);
+    }
+    if(data->set.infilesize>0) {
+      data->req.size = data->set.infilesize;
+      Curl_pgrsSetUploadSize(data, data->set.infilesize);
+    }
    /* upload data */
    result = Curl_setup_transfer(conn, -1, -1, FALSE, NULL,
                                 FIRSTSOCKET, NULL);
@@ -1411,7 +1490,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
    }
    else if(sshc->readdir_len <= 0) {
      err = libssh2_sftp_last_error(sshc->sftp_session);
-      sshc->actualcode = err;
+      sshc->actualcode = sftp_libssh2_error_to_CURLE(err);
      failf(data, "Could not open remote file for reading: %s :: %d",
            sftp_libssh2_strerror(err),
            libssh2_session_last_errno(sshc->ssh_session));
@@ -1545,11 +1624,49 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
      data->req.maxdownload = attrs.filesize;
      Curl_pgrsSetDownloadSize(data, attrs.filesize);
    }
-  }

+    /* We can resume if we can seek to the resume position */
+    if(data->state.resume_from) {
+      if(data->state.resume_from< 0) {
+        /* We're supposed to download the last abs(from) bytes */
+        if((curl_off_t)attrs.filesize < -data->state.resume_from) {
+          failf(data, "Offset (%"
+                FORMAT_OFF_T ") was beyond file size (%" FORMAT_OFF_T ")",
+                data->state.resume_from, attrs.filesize);
+          return CURLE_BAD_DOWNLOAD_RESUME;
+        }
+        /* download from where? */
+        data->state.resume_from = attrs.filesize - data->state.resume_from;
+      }
+      else {
+        if((curl_off_t)attrs.filesize < data->state.resume_from) {
+          failf(data, "Offset (%" FORMAT_OFF_T
+                ") was beyond file size (%" FORMAT_OFF_T ")",
+                data->state.resume_from, attrs.filesize);
+          return CURLE_BAD_DOWNLOAD_RESUME;
+        }
+      }
+      /* Does a completed file need to be seeked and started or closed ? */
+      /* Now store the number of bytes we are expected to download */
+      data->req.size = attrs.filesize - data->state.resume_from;
+      data->req.maxdownload = attrs.filesize - data->state.resume_from;
+      Curl_pgrsSetDownloadSize(data,
+                               attrs.filesize - data->state.resume_from);
+      libssh2_sftp_seek(sshc->sftp_handle, data->state.resume_from);
+    }
+  }
  /* Setup the actual download */
-  result = Curl_setup_transfer(conn, FIRSTSOCKET, data->req.size,
-                               FALSE, NULL, -1, NULL);
+  if(data->req.size == 0) {
+    /* no data to transfer */
+    result = Curl_setup_transfer(conn, -1, -1, FALSE, NULL, -1, NULL);
+    infof(data, "File already completely downloaded\n");
+    state(conn, SSH_STOP);
+    break;
+  }
+  else {
+    result = Curl_setup_transfer(conn, FIRSTSOCKET, data->req.size,
+                                 FALSE, NULL, -1, NULL);
+  }
  if(result) {
    state(conn, SSH_SFTP_CLOSE);
    sshc->actualcode = result;
@@ -1643,10 +1760,9 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)

        ssh_err = libssh2_session_last_error(sshc->ssh_session,
                                             &err_msg, NULL, 0);
-        err = libssh2_session_error_to_CURLE(ssh_err);
        failf(conn->data, "%s", err_msg);
        state(conn, SSH_SCP_CHANNEL_FREE);
-        sshc->actualcode = err;
+        sshc->actualcode = libssh2_session_error_to_CURLE(ssh_err);
        break;
      }
    }
@@ -1690,10 +1806,9 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)

        ssh_err = libssh2_session_last_error(sshc->ssh_session,
                                             &err_msg, NULL, 0);
-        err = libssh2_session_error_to_CURLE(ssh_err);
        failf(conn->data, "%s", err_msg);
        state(conn, SSH_SCP_CHANNEL_FREE);
-        sshc->actualcode = err;
+        sshc->actualcode = libssh2_session_error_to_CURLE(ssh_err);
        break;
      }
    }
@@ -1853,6 +1968,11 @@ static CURLcode ssh_init(struct connectdata *conn)
 {
  struct SessionHandle *data = conn->data;
  struct SSHPROTO *ssh;
+  struct ssh_conn *sshc = &conn->proto.sshc;
+
+  sshc->actualcode = CURLE_OK; /* reset error code */
+  sshc->secondCreateDirs =0;   /* reset the create dir attempt state variable */
+
  if(data->state.proto.ssh)
    return CURLE_OK;

@@ -1871,8 +1991,10 @@ static CURLcode ssh_init(struct connectdata *conn)
 */
 static CURLcode ssh_connect(struct connectdata *conn, bool *done)
 {
-  struct ssh_conn *ssh;
+#ifdef CURL_LIBSSH2_DEBUG
  curl_socket_t sock;
+#endif
+  struct ssh_conn *ssh;
  CURLcode result;
  struct SessionHandle *data = conn->data;

@@ -1897,8 +2019,9 @@ static CURLcode ssh_connect(struct connectdata *conn, bool *done)
  if(conn->passwd) {
    infof(data, "Password: %s\n", conn->passwd);
  }
-#endif /* CURL_LIBSSH2_DEBUG */
  sock = conn->sock[FIRSTSOCKET];
+#endif /* CURL_LIBSSH2_DEBUG */
+
  ssh->ssh_session = libssh2_session_init_ex(libssh2_malloc, libssh2_free,
                                             libssh2_realloc, conn);
  if(ssh->ssh_session == NULL) {
@@ -1993,6 +2116,18 @@ static CURLcode ssh_do(struct connectdata *conn, bool *done)

  *done = FALSE; /* default to false */

+  /*
+    Since connections can be re-used between SessionHandles, this might be a
+    connection already existing but on a fresh SessionHandle struct so we must
+    make sure we have a good 'struct SSHPROTO' to play with. For new
+    connections, the struct SSHPROTO is allocated and setup in the
+    ssh_connect() function.
+  */
+  Curl_reset_reqproto(conn);
+  res = ssh_init(conn);
+  if(res)
+    return res;
+
  data->req.size = -1; /* make sure this is unknown at this point */

  Curl_pgrsSetUploadCounter(data, 0);
@@ -2255,7 +2390,7 @@ ssize_t Curl_sftp_recv(struct connectdata *conn, int sockindex,
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-static int
+static CURLcode
 get_pathname(const char **cpp, char **path)
 {
  const char *cp = *cpp, *end;
@@ -2317,7 +2452,7 @@ get_pathname(const char **cpp, char **path)
    memcpy(*path, cp, end - cp);
    (*path)[end - cp] = '\0';
  }
-  return (0);
+  return CURLE_OK;

  fail:
    Curl_safefree(*path);
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -207,6 +207,7 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex)
 #ifdef USE_SSL
  /* mark this is being ssl enabled from here on. */
  conn->ssl[sockindex].use = TRUE;
+  conn->ssl[sockindex].state = ssl_connection_negotiating;

 #ifdef USE_SSLEAY
  return Curl_ossl_connect(conn, sockindex);
@@ -473,6 +474,7 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
 #endif /* USE_SSLEAY */

  conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
+  conn->ssl[sockindex].state = ssl_connection_none;

  return CURLE_OK;
 }
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -364,6 +364,8 @@ int cert_stuff(struct connectdata *conn,
      FILE *f;
      PKCS12 *p12;
      EVP_PKEY *pri;
+      STACK_OF(X509) *ca = NULL;
+      int i;

      f = fopen(cert_file,"rb");
      if(!f) {
@@ -373,10 +375,15 @@ int cert_stuff(struct connectdata *conn,
      p12 = d2i_PKCS12_fp(f, NULL);
      fclose(f);

+      if(!p12) {
+        failf(data, "error reading PKCS12 file '%s'", cert_file );
+        return 0;
+      }
+
      PKCS12_PBE_add();

      if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
-                        NULL)) {
+                        &ca)) {
        failf(data,
              "could not parse PKCS12 file, check password, OpenSSL error %s",
              ERR_error_string(ERR_get_error(), NULL) );
@@ -401,6 +408,32 @@ int cert_stuff(struct connectdata *conn,
        return 0;
      }

+      if (!SSL_CTX_check_private_key (ctx)) {
+        failf(data, "private key from PKCS12 file '%s' "
+              "does not match certificate in same file", cert_file);
+        EVP_PKEY_free(pri);
+        X509_free(x509);
+        return 0;
+      }
+      /* Set Certificate Verification chain */
+      if (ca && sk_num(ca)) {
+        for (i = 0; i < sk_X509_num(ca); i++) {
+          if (!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) {
+            failf(data, "cannot add certificate to certificate chain");
+            EVP_PKEY_free(pri);
+            X509_free(x509);
+            return 0;
+          }
+          if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) {
+            failf(data, "cannot add certificate to client CA list",
+                  cert_file);
+            EVP_PKEY_free(pri);
+            X509_free(x509);
+            return 0;
+          }
+        }
+      }
+
      EVP_PKEY_free(pri);
      X509_free(x509);
      cert_done = 1;
@@ -1266,6 +1299,13 @@ ossl_connect_step1(struct connectdata *conn,
  void *ssl_sessionid=NULL;
  curl_socket_t sockfd = conn->sock[sockindex];
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#ifdef ENABLE_IPV6
+  struct in6_addr addr;
+#else
+  struct in_addr addr;
+#endif
+#endif

  DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);

@@ -1324,6 +1364,10 @@ ossl_connect_step1(struct connectdata *conn,
  */
  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);

+  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+  if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
+
 #if 0
  /*
   * Not sure it's needed to tell SSL_connect() that socket is
@@ -1419,6 +1463,16 @@ ossl_connect_step1(struct connectdata *conn,

  connssl->server_cert = 0x0;

+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+  if ((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
+#ifdef ENABLE_IPV6
+      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
+#endif
+      !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
+    infof(data, "WARNING: failed to configure server name indication (SNI) "
+          "TLS extension\n");
+#endif
+
  /* Check if there's a cached ID we can/should use here! */
  if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
    /* we got a session id, use it! */
@@ -1448,40 +1502,17 @@ ossl_connect_step2(struct connectdata *conn,
 {
  struct SessionHandle *data = conn->data;
  int err;
-  long has_passed;
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
             || ssl_connect_2_reading == connssl->connecting_state
             || ssl_connect_2_writing == connssl->connecting_state);

-  /* Find out if any timeout is set. If not, use 300 seconds.
-     Otherwise, figure out the most strict timeout of the two possible one
-     and then how much time that has elapsed to know how much time we
-     allow for the connect call */
-  if(data->set.timeout && data->set.connecttimeout) {
-    /* get the most strict timeout of the ones converted to milliseconds */
-    if(data->set.timeout<data->set.connecttimeout)
-      *timeout_ms = data->set.timeout;
-    else
-      *timeout_ms = data->set.connecttimeout;
-  }
-  else if(data->set.timeout)
-    *timeout_ms = data->set.timeout;
-  else if(data->set.connecttimeout)
-    *timeout_ms = data->set.connecttimeout;
-  else
-    /* no particular time-out has been set */
-    *timeout_ms = DEFAULT_CONNECT_TIMEOUT;
-
-  /* Evaluate in milliseconds how much time that has passed */
-  has_passed = Curl_tvdiff(Curl_tvnow(), data->progress.t_startsingle);
-
-  /* subtract the passed time */
-  *timeout_ms -= has_passed;
+  /* Find out how much more time we're allowed */
+  *timeout_ms = Curl_timeleft(conn, NULL, TRUE);

  if(*timeout_ms < 0) {
-    /* a precaution, no need to continue if time already is up */
+    /* no need to continue if time already is up */
    failf(data, "SSL connection timeout");
    return CURLE_OPERATION_TIMEDOUT;
  }
@@ -1756,7 +1787,8 @@ ossl_connect_common(struct connectdata *conn,
        connssl->connecting_state?sockfd:CURL_SOCKET_BAD;

      while(1) {
-        int what = Curl_socket_ready(readfd, writefd, nonblocking?0:(int)timeout_ms);
+        int what = Curl_socket_ready(readfd, writefd,
+                                     nonblocking?0:(int)timeout_ms);
        if(what > 0)
          /* readable or writable, go loop in the outer loop */
          break;
@@ -1794,11 +1826,11 @@ ossl_connect_common(struct connectdata *conn,
  }

  if(ssl_connect_done==connssl->connecting_state) {
+    connssl->state = ssl_connection_complete;
    *done = TRUE;
  }
-  else {
+  else
    *done = FALSE;
-  }

  /* Reset our connect state machine */
  connssl->connecting_state = ssl_connect_1;
--- a/lib/strdup.c
+++ b/lib/strdup.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -27,13 +27,17 @@
 #ifndef HAVE_STRDUP
 char *curlx_strdup(const char *str)
 {
-  int len;
+  size_t len;
  char *newstr;

  if(!str)
    return (char *)NULL;

  len = strlen(str);
+
+  if(len >= ((size_t)-1) / sizeof(char))
+    return (char *)NULL;
+
  newstr = (char *) malloc((len+1)*sizeof(char));
  if(!newstr)
    return (char *)NULL;
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -114,7 +114,7 @@ typedef enum {
  TFTP_ERR_ILLEGAL,
  TFTP_ERR_UNKNOWNID,
  TFTP_ERR_EXISTS,
-  TFTP_ERR_NOSUCHUSER,	/* This will never be triggered by this code */
+  TFTP_ERR_NOSUCHUSER,  /* This will never be triggered by this code */

  /* The remaining error codes are internal to curl */
  TFTP_ERR_NONE = -100,
@@ -189,17 +189,25 @@ const struct Curl_handler Curl_handler_tftp = {
 *
 *
 **********************************************************/
-static void tftp_set_timeouts(tftp_state_data_t *state)
+static CURLcode tftp_set_timeouts(tftp_state_data_t *state)
 {
-
-  struct SessionHandle *data = state->conn->data;
  time_t maxtime, timeout;
+  long timeout_ms;

  time(&state->start_time);
+
+  /* Compute drop-dead time */
+  timeout_ms = Curl_timeleft(state->conn, NULL, TRUE);
+
+  if(timeout_ms < 0) {
+    /* time-out, bail out, go home */
+    failf(state->conn->data, "Connection time-out");
+    return CURLE_OPERATION_TIMEDOUT;
+  }
+
  if(state->state == TFTP_STATE_START) {
-    /* Compute drop-dead time */
-    maxtime = (time_t)(data->set.connecttimeout/1000L?
-                       data->set.connecttimeout/1000L:30);
+
+    maxtime = (time_t)(timeout_ms + 500) / 1000;
    state->max_time = state->start_time+maxtime;

    /* Set per-block timeout to total */
@@ -219,10 +227,11 @@ static void tftp_set_timeouts(tftp_state_data_t *state)

  }
  else {
+    if(timeout_ms > 0)
+      maxtime = (time_t)(timeout_ms + 500) / 1000;
+    else
+      maxtime = 3600;

-    /* Compute drop-dead time */
-    maxtime = (time_t)(data->set.timeout/1000L?
-                       data->set.timeout/1000L:3600);
    state->max_time = state->start_time+maxtime;

    /* Set per-block timeout to 10% of total */
@@ -243,9 +252,12 @@ static void tftp_set_timeouts(tftp_state_data_t *state)
  if(state->retry_time<1)
    state->retry_time=1;

-  infof(data, "set timeouts for state %d; Total %d, retry %d maxtry %d\n",
+  infof(state->conn->data,
+  	"set timeouts for state %d; Total %d, retry %d maxtry %d\n",
        state->state, (state->max_time-state->start_time),
        state->retry_time, state->retry_max);
+
+  return CURLE_OK;
 }

 /**********************************************************
@@ -339,13 +351,17 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
  case TFTP_EVENT_ACK: /* Connected for transmit */
    infof(data, "%s\n", "Connected for transmit");
    state->state = TFTP_STATE_TX;
-    tftp_set_timeouts(state);
+    res = tftp_set_timeouts(state);
+    if(res)
+      break;
    return tftp_tx(state, event);

  case TFTP_EVENT_DATA: /* connected for receive */
    infof(data, "%s\n", "Connected for receive");
    state->state = TFTP_STATE_RX;
-    tftp_set_timeouts(state);
+    res = tftp_set_timeouts(state);
+    if(res)
+      break;
    return tftp_rx(state, event);

  case TFTP_EVENT_ERROR:
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -119,7 +119,7 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, int bytes, int *nreadp)
  size_t buffersize = (size_t)bytes;
  int nread;

-  if(conn->bits.upload_chunky) {
+  if(data->req.upload_chunky) {
    /* if chunked Transfer-Encoding */
    buffersize -= (8 + 2 + 2);   /* 32bit hex + CRLF + CRLF */
    data->req.upload_fromhere += 10; /* 32bit hex + CRLF */
@@ -143,7 +143,7 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, int bytes, int *nreadp)
    /* the read function returned a too large value */
    return CURLE_READ_ERROR;

-  if(!conn->bits.forbidchunk && conn->bits.upload_chunky) {
+  if(!data->req.forbidchunk && data->req.upload_chunky) {
    /* if chunked Transfer-Encoding */
    char hexbuffer[11];
    int hexlen = snprintf(hexbuffer, sizeof(hexbuffer),
@@ -397,22 +397,30 @@ CURLcode Curl_readwrite(struct connectdata *conn,
            bytestoread = (size_t)totalleft;
        }

-        /* receive data from the network! */
-        readrc = Curl_read(conn, conn->sockfd, k->buf, bytestoread, &nread);
+        if(bytestoread) {
+          /* receive data from the network! */
+          readrc = Curl_read(conn, conn->sockfd, k->buf, bytestoread, &nread);

-        /* subzero, this would've blocked */
-        if(0 > readrc)
-          break; /* get out of loop */
+          /* subzero, this would've blocked */
+          if(0 > readrc)
+            break; /* get out of loop */

-        /* get the CURLcode from the int */
-        result = (CURLcode)readrc;
+          /* get the CURLcode from the int */
+          result = (CURLcode)readrc;

-        if(result>0)
-          return result;
+          if(result>0)
+            return result;
+        }
+        else {
+          /* read nothing but since we wanted nothing we consider this an OK
+             situation to proceed from */
+          nread = 0;
+          result = CURLE_OK;
+        }

        if((k->bytecount == 0) && (k->writebytecount == 0)) {
          Curl_pgrsTime(data, TIMER_STARTTRANSFER);
-          if(k->wait100_after_headers)
+          if(k->exp100 > EXP100_SEND_DATA)
            /* set time stamp to compare with when waiting for the 100 */
            k->start100 = Curl_tvnow();
        }
@@ -584,17 +592,17 @@ CURLcode Curl_readwrite(struct connectdata *conn,
                 */
                k->header = TRUE;
                k->headerline = 0; /* restart the header line counter */
-                /* if we did wait for this do enable write now! */
-                if(k->write_after_100_header) {

-                  k->write_after_100_header = FALSE;
+                /* if we did wait for this do enable write now! */
+                if(k->exp100) {
+                  k->exp100 = EXP100_SEND_DATA;
                  k->keepon |= KEEP_WRITE;
                }
              }
              else {
                k->header = FALSE; /* no more header to parse! */

-                if((k->size == -1) && !conn->bits.chunk && !conn->bits.close &&
+                if((k->size == -1) && !k->chunk && !conn->bits.close &&
                   (k->httpversion >= 11) ) {
                  /* On HTTP 1.1, when connection is not to get closed, but no
                     Content-Length nor Content-Encoding chunked have been
@@ -614,7 +622,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
                 * seems to cause a problem => abort the write operations
                 * (or prevent them from starting).
                 */
-                k->write_after_100_header = FALSE;
+                k->exp100 = EXP100_FAILED;
                k->keepon &= ~KEEP_WRITE;
              }

@@ -683,7 +691,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
                 * If we requested a "no body", this is a good time to get
                 * out and return home.
                 */
-                if(conn->bits.no_body)
+                if(data->set.opt_no_body)
                  stop_reading = TRUE;
                else {
                  /* If we know the expected size of this document, we set the
@@ -699,7 +707,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
                     Content-Length: headers if we are now receiving data
                     using chunked Transfer-Encoding.
                  */
-                  if(conn->bits.chunk)
+                  if(k->chunk)
                    k->size=-1;

                }
@@ -1002,7 +1010,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
               * with the previously mentioned size. There can be any amount
               * of chunks, and a chunk-data set to zero signals the
               * end-of-chunks. */
-              conn->bits.chunk = TRUE; /* chunks coming our way */
+              k->chunk = TRUE; /* chunks coming our way */

              /* init our chunky engine */
              Curl_httpchunk_init(conn);
@@ -1018,7 +1026,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
               *
               * It seems both Trailer: and Trailers: occur in the wild.
               */
-              conn->bits.trailerhdrpresent = TRUE;
+              k->trailerhdrpresent = TRUE;
            }

            else if(checkprefix("Content-Encoding:", k->p) &&
@@ -1258,7 +1266,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
          }

 #ifndef CURL_DISABLE_HTTP
-          if(conn->bits.chunk) {
+          if(k->chunk) {
            /*
             * Here comes a chunked transfer flying and we need to decode this
             * properly.  While the name says read, this function both reads
@@ -1326,7 +1334,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,

          Curl_pgrsSetDownloadCounter(data, k->bytecount);

-          if(!conn->bits.chunk && (nread || k->badheader || is_empty_data)) {
+          if(!k->chunk && (nread || k->badheader || is_empty_data)) {
            /* If this is chunky transfer, it was already written */

            if(k->badheader && !k->ignorebody) {
@@ -1429,13 +1437,12 @@ CURLcode Curl_readwrite(struct connectdata *conn,
               protocol agnostic. */
            int fillcount;

-            if(k->wait100_after_headers &&
+            if((k->exp100 == EXP100_SENDING_REQUEST) &&
               (data->state.proto.http->sending == HTTPSEND_BODY)) {
              /* If this call is to send body data, we must take some action:
                 We have sent off the full HTTP 1.1 request, and we shall now
                 go into the Expect: 100 state and await such a header */
-              k->wait100_after_headers = FALSE; /* headers sent */
-              k->write_after_100_header = TRUE; /* wait for the header */
+              k->exp100 = EXP100_AWAITING_CONTINUE; /* wait for the header */
              k->keepon &= ~KEEP_WRITE;         /* disable writing */
              k->start100 = Curl_tvnow();       /* timeout count starts now */
              didwhat &= ~KEEP_WRITE;  /* we didn't write anything actually */
@@ -1578,9 +1585,9 @@ CURLcode Curl_readwrite(struct connectdata *conn,
  }
  else {
    /* no read no write, this is a timeout? */
-    if(k->write_after_100_header) {
+    if(k->exp100 == EXP100_AWAITING_CONTINUE) {
      /* This should allow some time for the header to arrive, but only a
-         very short time as otherwise it'll be too much wasted times too
+         very short time as otherwise it'll be too much wasted time too
         often. */

      /* Quoting RFC2616, section "8.2.3 Use of the 100 (Continue) Status":
@@ -1595,7 +1602,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
      long ms = Curl_tvdiff(k->now, k->start100);
      if(ms > CURL_TIMEOUT_EXPECT_100) {
        /* we've waited long enough, continue anyway */
-        k->write_after_100_header = FALSE;
+        k->exp100 = EXP100_SEND_DATA;
        k->keepon |= KEEP_WRITE;
      }
    }
@@ -1628,7 +1635,7 @@ CURLcode Curl_readwrite(struct connectdata *conn,
     * returning.
     */

-    if(!(conn->bits.no_body) && (k->size != -1) &&
+    if(!(data->set.opt_no_body) && (k->size != -1) &&
       (k->bytecount != k->size) &&
 #ifdef CURL_DO_LINEEND_CONV
       /* Most FTP servers don't adjust their file SIZE response for CRLFs,
@@ -1643,8 +1650,8 @@ CURLcode Curl_readwrite(struct connectdata *conn,
            k->size - k->bytecount);
      return CURLE_PARTIAL_FILE;
    }
-    else if(!(conn->bits.no_body) &&
-            conn->bits.chunk &&
+    else if(!(data->set.opt_no_body) &&
+            k->chunk &&
            (conn->chunk.state != CHUNK_STOP)) {
      /*
       * In chunked mode, return an error if the connection is closed prior to
@@ -1747,7 +1754,7 @@ Transfer(struct connectdata *conn)
    return CURLE_OK;

  /* we want header and/or body, if neither then don't do this! */
-  if(!conn->bits.getheader && conn->bits.no_body)
+  if(!k->getheader && data->set.opt_no_body)
    return CURLE_OK;

  while(!done) {
@@ -2260,44 +2267,24 @@ connect_host(struct SessionHandle *data,
             struct connectdata **conn)
 {
  CURLcode res = CURLE_OK;
-  int urlchanged = FALSE;

-  do {
-    bool async;
-    bool protocol_done=TRUE; /* will be TRUE always since this is only used
+  bool async;
+  bool protocol_done=TRUE; /* will be TRUE always since this is only used
                                within the easy interface */
-    Curl_pgrsTime(data, TIMER_STARTSINGLE);
-    data->change.url_changed = FALSE;
-    res = Curl_connect(data, conn, &async, &protocol_done);
+  Curl_pgrsTime(data, TIMER_STARTSINGLE);
+  res = Curl_connect(data, conn, &async, &protocol_done);

-    if((CURLE_OK == res) && async) {
-      /* Now, if async is TRUE here, we need to wait for the name
-         to resolve */
-      res = Curl_wait_for_resolv(*conn, NULL);
-      if(CURLE_OK == res)
-        /* Resolved, continue with the connection */
-        res = Curl_async_resolved(*conn, &protocol_done);
-      else
-        /* if we can't resolve, we kill this "connection" now */
-        (void)Curl_disconnect(*conn);
-    }
-    if(res)
-      break;
-
-    /* If a callback (or something) has altered the URL we should use within
-       the Curl_connect(), we detect it here and act as if we are redirected
-       to the new URL */
-    urlchanged = data->change.url_changed;
-    if((CURLE_OK == res) && urlchanged) {
-      res = Curl_done(conn, res, FALSE);
-      if(CURLE_OK == res) {
-        char *gotourl = strdup(data->change.url);
-        res = Curl_follow(data, gotourl, FALSE);
-        if(res)
-          free(gotourl);
-      }
-    }
-  } while(urlchanged && res == CURLE_OK);
+  if((CURLE_OK == res) && async) {
+    /* Now, if async is TRUE here, we need to wait for the name
+       to resolve */
+    res = Curl_wait_for_resolv(*conn, NULL);
+    if(CURLE_OK == res)
+      /* Resolved, continue with the connection */
+      res = Curl_async_resolved(*conn, &protocol_done);
+    else
+      /* if we can't resolve, we kill this "connection" now */
+      (void)Curl_disconnect(*conn);
+  }

  return res;
 }
@@ -2317,7 +2304,7 @@ bool Curl_retry_request(struct connectdata *conn,
  if((data->req.bytecount +
      data->req.headerbytecount == 0) &&
     conn->bits.reuse &&
-     !conn->bits.no_body) {
+     !data->set.opt_no_body) {
    /* We got no data, we attempted to re-use a connection and yet we want a
       "body". This might happen if the connection was left alive when we were
       done using it before, but that was closed when we wanted to read from
@@ -2409,8 +2396,12 @@ CURLcode Curl_perform(struct SessionHandle *data)
        if(CURLE_OK == res)
          res = res2;
      }
-      else
-        /* Curl_do() failed, clean up left-overs in the done-call */
+      else if(conn)
+        /* Curl_do() failed, clean up left-overs in the done-call, but note
+           that at some cases the conn pointer is NULL when Curl_do() failed
+           and the connection cache is very small so only call Curl_done() if
+           conn is still "alive".
+        */
        res2 = Curl_done(&conn, res, FALSE);

      /*
@@ -2486,7 +2477,7 @@ Curl_setup_transfer(
      CURL_SOCKET_BAD : conn->sock[sockindex];
  conn->writesockfd = writesockindex == -1 ?
      CURL_SOCKET_BAD:conn->sock[writesockindex];
-  conn->bits.getheader = getheader;
+  k->getheader = getheader;

  k->size = size;
  k->bytecountp = bytecountp;
@@ -2496,13 +2487,13 @@ Curl_setup_transfer(
     necessary input is not always known in do_complete() as this function may
     be called after that */

-  if(!conn->bits.getheader) {
+  if(!k->getheader) {
    k->header = FALSE;
    if(size > 0)
      Curl_pgrsSetDownloadSize(data, size);
  }
  /* we want header and/or body, if neither then don't do this! */
-  if(conn->bits.getheader || !conn->bits.no_body) {
+  if(k->getheader || !data->set.opt_no_body) {

    if(conn->sockfd != CURL_SOCKET_BAD) {
      k->keepon |= KEEP_READ;
@@ -2518,21 +2509,23 @@ Curl_setup_transfer(
         Thus, we must check if the request has been sent before we set the
         state info where we wait for the 100-return code
      */
-      if(data->state.expect100header &&
-          (data->state.proto.http->sending == HTTPSEND_BODY)) {
+      if((data->state.expect100header) &&
+         (data->state.proto.http->sending == HTTPSEND_BODY)) {
        /* wait with write until we either got 100-continue or a timeout */
-        k->write_after_100_header = TRUE;
+        k->exp100 = EXP100_AWAITING_CONTINUE;
        k->start100 = k->start;
      }
      else {
        if(data->state.expect100header)
          /* when we've sent off the rest of the headers, we must await a
-             100-continue */
-          k->wait100_after_headers = TRUE;
+             100-continue but first finish sending the request */
+          k->exp100 = EXP100_SENDING_REQUEST;
+
+        /* enable the write bit when we're not waiting for continue */
        k->keepon |= KEEP_WRITE;
      }
-    }
-  }
+    } /* if(conn->writesockfd != CURL_SOCKET_BAD) */
+  } /* if(k->getheader || !data->set.opt_no_body) */

  return CURLE_OK;
 }
--- a/lib/url.c
+++ b/lib/url.c
@@ -387,9 +387,6 @@ CURLcode Curl_close(struct SessionHandle *data)
  /* only for debugging, scan through all connections and see if there's a
     pipe reference still identifying this handle */

-  if(data->state.is_in_pipeline)
-    fprintf(stderr, "CLOSED when in pipeline!\n");
-
  if(data->state.connc && data->state.connc->type == CONNCACHE_MULTI) {
    struct conncache *c = data->state.connc;
    long i;
@@ -749,10 +746,12 @@ CURLcode Curl_open(struct SessionHandle **curl)
    data->set.ssl.verifypeer = TRUE;
    data->set.ssl.verifyhost = 2;
    data->set.ssl.sessionid = TRUE; /* session ID caching enabled by default */
-#ifdef CURL_CA_BUNDLE
-    /* This is our preferred CA cert bundle since install time */
+    /* This is our preferred CA cert bundle/path since install time */
+#if defined(CURL_CA_BUNDLE)
    res = setstropt(&data->set.str[STRING_SSL_CAFILE],
                         (char *) CURL_CA_BUNDLE);
+#elif defined(CURL_CA_PATH)
+    res = setstropt(&data->set.str[STRING_SSL_CAPATH], (char *) CURL_CA_PATH);
 #endif
  }

@@ -1484,8 +1483,6 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
    result = setstropt(&data->set.str[STRING_SET_URL],
                            va_arg(param, char *));
    data->change.url = data->set.str[STRING_SET_URL];
-    if(data->change.url)
-      data->change.url_changed = TRUE;
    break;
  case CURLOPT_PORT:
    /*
@@ -1772,6 +1769,11 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
     */
    data->set.ssl.verifyhost = va_arg(param, long);
    break;
+#ifdef USE_SSLEAY
+    /* since these two options are only possible to use on an OpenSSL-
+       powered libcurl we #ifdef them on this condition so that libcurls
+       built against other SSL libs will return a proper error when trying
+       to set this option! */
  case CURLOPT_SSL_CTX_FUNCTION:
    /*
     * Set a SSL_CTX callback
@@ -1784,6 +1786,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
     */
    data->set.ssl.fsslctxp = va_arg(param, void *);
    break;
+#endif
  case CURLOPT_CAINFO:
    /*
     * Set CA info for SSL connection. Specify file name of the CA certificate
@@ -2444,10 +2447,17 @@ ConnectionExists(struct SessionHandle *data,
             ssl options as well */
          if(!Curl_ssl_config_matches(&needle->ssl_config,
                                      &check->ssl_config)) {
-            infof(data,
-                  "Connection #%ld has different SSL parameters, "
-                  "can't reuse\n",
-                  check->connectindex );
+            DEBUGF(infof(data,
+                         "Connection #%ld has different SSL parameters, "
+                         "can't reuse\n",
+                         check->connectindex));
+            continue;
+          }
+          else if(check->ssl[FIRSTSOCKET].state != ssl_connection_complete) {
+            DEBUGF(infof(data,
+                         "Connection #%ld has not started ssl connect, "
+                         "can't reuse\n",
+                         check->connectindex));
            continue;
          }
        }
@@ -2477,9 +2487,9 @@ ConnectionExists(struct SessionHandle *data,
    }

    if(match) {
-      if(!check->is_in_pipeline) {
-        /* The check for a dead socket makes sense only in the
-           non-pipelining case */
+      if(pipeLen == 0) {
+        /* The check for a dead socket makes sense only if there
+           are no handles in pipeline */
        bool dead = SocketIsDead(check->sock[FIRSTSOCKET]);
        if(dead) {
          check->data = data;
@@ -2494,10 +2504,6 @@ ConnectionExists(struct SessionHandle *data,

      check->inuse = TRUE; /* mark this as being in use so that no other
                              handle in a multi stack may nick it */
-      if(canPipeline) {
-        /* Mark the connection as being in a pipeline */
-        check->is_in_pipeline = TRUE;
-      }

      *usethis = check;
      return TRUE; /* yes, we found one to use! */
@@ -2560,8 +2566,6 @@ static void
 ConnectionDone(struct connectdata *conn)
 {
  conn->inuse = FALSE;
-  if(!conn->send_pipe && !conn->recv_pipe && !conn->pend_pipe)
-    conn->is_in_pipeline = FALSE;
 }

 /*
@@ -3538,7 +3542,6 @@ static CURLcode CreateConnection(struct SessionHandle *data,

  conn->bits.user_passwd = (bool)(NULL != data->set.str[STRING_USERPWD]);
  conn->bits.proxy_user_passwd = (bool)(NULL != data->set.str[STRING_PROXYUSERPWD]);
-  conn->bits.no_body = data->set.opt_no_body;
  conn->bits.tunnel_proxy = data->set.tunnel_thru_httpproxy;
  conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
  conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
@@ -3692,7 +3695,8 @@ static CURLcode CreateConnection(struct SessionHandle *data,
      result = setup_range(data);
      if(result) {
        DEBUGASSERT(conn->handler->done);
-        conn->handler->done(conn, result, FALSE);
+        /* we ignore the return code for the protocol-specific DONE */
+        (void)conn->handler->done(conn, result, FALSE);
        return result;
      }

@@ -4007,9 +4011,6 @@ static CURLcode CreateConnection(struct SessionHandle *data,
    else
      free(old_conn->host.rawalloc); /* free the newly allocated name buffer */

-    /* get the newly set value, not the old one */
-    conn->bits.no_body = old_conn->bits.no_body;
-
    /* re-use init */
    conn->bits.reuse = TRUE; /* yes, we're re-using here */

@@ -4053,18 +4054,6 @@ static CURLcode CreateConnection(struct SessionHandle *data,
  conn->seek_func = data->set.seek_func;
  conn->seek_client = data->set.seek_client;

-  if((conn->protocol&PROT_HTTP) &&
-      data->set.upload &&
-      (data->set.infilesize == -1) &&
-      (data->set.httpversion != CURL_HTTP_VERSION_1_0)) {
-    /* HTTP, upload, unknown file size and not HTTP 1.0 */
-    conn->bits.upload_chunky = TRUE;
-  }
-  else {
-    /* else, no chunky upload */
-    conn->bits.upload_chunky = FALSE;
-  }
-
 #ifndef USE_ARES
  /*************************************************************
   * Set timeout if that is being used, and we're not using an asynchronous
@@ -4354,8 +4343,10 @@ CURLcode Curl_connect(struct SessionHandle *data,

  if(CURLE_OK == code) {
    /* no error */
-    if((*in_connect)->is_in_pipeline)
-      data->state.is_in_pipeline = TRUE;
+    if((*in_connect)->send_pipe->size +
+       (*in_connect)->recv_pipe->size != 0)
+      /* pipelining */
+      *protocol_done = TRUE;
    else {
      if(dns || !*asyncp)
        /* If an address is available it means that we already have the name
@@ -4409,16 +4400,16 @@ CURLcode Curl_done(struct connectdata **connp,
                   bool premature)
 {
  CURLcode result;
-  struct connectdata *conn = *connp;
-  struct SessionHandle *data = conn->data;
+  struct connectdata *conn;
+  struct SessionHandle *data;
+
+  DEBUGASSERT(*connp);
+
+  conn = *connp;
+  data = conn->data;

  Curl_expire(data, 0); /* stop timer */

-  if(conn->bits.done)
-    return CURLE_OK; /* Curl_done() has already been called */
-
-  conn->bits.done = TRUE; /* called just now! */
-
  if(Curl_removeHandleFromPipeline(data, conn->recv_pipe) &&
     conn->readchannel_inuse)
    conn->readchannel_inuse = FALSE;
@@ -4427,6 +4418,16 @@ CURLcode Curl_done(struct connectdata **connp,
    conn->writechannel_inuse = FALSE;
  Curl_removeHandleFromPipeline(data, conn->pend_pipe);

+  if(conn->bits.done ||
+     (conn->send_pipe->size + conn->recv_pipe->size != 0 &&
+      !data->set.reuse_forbid &&
+      !conn->bits.close))
+    /* Stop if Curl_done() has already been called or pipeline
+       is not empty and we do not have to close connection. */
+    return CURLE_OK;
+
+  conn->bits.done = TRUE; /* called just now! */
+
  /* Cleanup possible redirect junk */
  if(data->req.newurl) {
    free(data->req.newurl);
@@ -4462,8 +4463,15 @@ CURLcode Curl_done(struct connectdata **connp,

     if conn->bits.close is TRUE, it means that the connection should be
     closed in spite of all our efforts to be nice, due to protocol
-     restrictions in our or the server's end */
-  if(data->set.reuse_forbid || conn->bits.close) {
+     restrictions in our or the server's end
+
+     if premature is TRUE, it means this connection was said to be DONE before
+     the entire request operation is complete and thus we can't know in what
+     state it is for re-using, so we're forced to close it. In a perfect world
+     we can add code that keep track of if we really must close it here or not,
+     but currently we have no such detail knowledge.
+  */
+  if(data->set.reuse_forbid || conn->bits.close || premature) {
    CURLcode res2 = Curl_disconnect(conn); /* close the connection */

    /* If we had an error already, make sure we return that one. But
@@ -4537,8 +4545,8 @@ static CURLcode do_init(struct connectdata *conn)
 */
 static void do_complete(struct connectdata *conn)
 {
-  conn->bits.chunk=FALSE;
-  conn->bits.trailerhdrpresent=FALSE;
+  conn->data->req.chunk=FALSE;
+  conn->data->req.trailerhdrpresent=FALSE;

  conn->data->req.maxfd = (conn->sockfd>conn->writesockfd?
                               conn->sockfd:conn->writesockfd)+1;
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -168,11 +168,19 @@ typedef enum {
  ssl_connect_done
 } ssl_connect_state;

+typedef enum {
+  ssl_connection_none,
+  ssl_connection_negotiating,
+  ssl_connection_complete
+} ssl_connection_state;
+
 /* struct for data related to each SSL connection */
 struct ssl_connect_data {
-  bool use;        /* use ssl encrypted communications TRUE/FALSE, not
-                      necessarily using it atm but at least asked to or
-                      meaning to use it */
+  /* Use ssl encrypted communications TRUE/FALSE, not necessarily using it atm
+     but at least asked to or meaning to use it. See 'state' for the exact
+     current state of the connection. */
+  bool use;
+  ssl_connection_state state;
 #ifdef USE_SSLEAY
  /* these ones requires specific SSL-types */
  SSL_CTX* ctx;
@@ -552,7 +560,6 @@ struct FILEPROTO {
 struct ConnectBits {
  bool close; /* if set, we close the connection after this request */
  bool reuse; /* if set, this is a re-used connection */
-  bool chunk; /* if set, this is a chunked transfer-encoding */
  bool proxy; /* if set, this transfer is done through a proxy - any type */
  bool httpproxy;    /* if set, this transfer is done through a http proxy */
  bool user_passwd;    /* do we use user+password for this connection? */
@@ -564,14 +571,6 @@ struct ConnectBits {
  bool do_more; /* this is set TRUE if the ->curl_do_more() function is
                   supposed to be called, after ->curl_do() */

-  bool upload_chunky; /* set TRUE if we are doing chunked transfer-encoding
-                         on upload */
-  bool getheader;     /* TRUE if header parsing is wanted */
-
-  bool forbidchunk;   /* used only to explicitly forbid chunk-upload for
-                         specific upload buffers. See readmoredata() in
-                         http.c for details. */
-
  bool tcpconnect;    /* the TCP layer (or simimlar) is connected, this is set
                         the first time on the first connect function call */
  bool protoconnstart;/* the protocol layer has STARTED its operation after
@@ -579,7 +578,6 @@ struct ConnectBits {

  bool retry;         /* this connection is about to get closed and then
                         re-attempted at another connection. */
-  bool no_body;       /* CURLOPT_NO_BODY (or similar) was set */
  bool tunnel_proxy;  /* if CONNECT is used to "tunnel" through the proxy.
                         This is implicit when SSL-protocols are used through
                         proxies, but can also be enabled explicitly by
@@ -603,9 +601,6 @@ struct ConnectBits {
                         requests */
  bool netrc;         /* name+password provided by netrc */

-  bool trailerhdrpresent; /* Set when Trailer: header found in HTTP response.
-                             Required to determine whether to look for trailers
-                             in case of Transfer-Encoding: chunking */
  bool done;          /* set to FALSE when Curl_do() is called and set to TRUE
                         when Curl_done() is called, to prevent Curl_done() to
                         get invoked twice when the multi interface is
@@ -677,6 +672,14 @@ typedef CURLcode (*Curl_do_more_func)(struct connectdata *);
 typedef CURLcode (*Curl_done_func)(struct connectdata *, CURLcode, bool);


+enum expect100 {
+  EXP100_SEND_DATA,           /* enough waiting, just send the body now */
+  EXP100_AWAITING_CONTINUE,   /* waiting for the 100 Continue header */
+  EXP100_SENDING_REQUEST,     /* still sending the request but will wait for
+                                 the 100 header once done with the request */
+  EXP100_FAILED               /* used on 417 Expectation Failed */
+};
+
 /*
 * Request specific data in the easy handle (SessionHandle).  Previously,
 * these members were on the connectdata struct but since a conn struct may
@@ -726,12 +729,8 @@ struct SingleRequest {
  int httpcode;                 /* error code from the 'HTTP/1.? XXX' line */
  int httpversion;              /* the HTTP version*10 */
  struct timeval start100;      /* time stamp to wait for the 100 code from */
-  bool write_after_100_header;  /* TRUE = we enable the write after we
-                                   received a 100-continue/timeout or
-                                   FALSE = directly */
-  bool wait100_after_headers;   /* TRUE = after the request-headers have been
-                                   sent off properly, we go into the wait100
-                                   state, FALSE = don't */
+  enum expect100 exp100;        /* expect 100 continue state */
+
  int content_encoding;         /* What content encoding. sec 3.5, RFC2616. */

 #define IDENTITY 0              /* No encoding */
@@ -773,6 +772,18 @@ struct SingleRequest {
      and the 'upload_present' contains the number of bytes available at this
      position */
  char *upload_fromhere;
+
+  bool chunk; /* if set, this is a chunked transfer-encoding */
+  bool upload_chunky; /* set TRUE if we are doing chunked transfer-encoding
+                         on upload */
+  bool getheader;     /* TRUE if header parsing is wanted */
+
+  bool forbidchunk;   /* used only to explicitly forbid chunk-upload for
+                         specific upload buffers. See readmoredata() in
+                         http.c for details. */
+  bool trailerhdrpresent; /* Set when Trailer: header found in HTTP response.
+                             Required to determine whether to look for trailers
+                             in case of Transfer-Encoding: chunking */
 };

 /*
@@ -951,7 +962,6 @@ struct connectdata {
                              handle */
  bool writechannel_inuse; /* whether the write channel is in use by an easy
                              handle */
-  bool is_in_pipeline;     /* TRUE if this connection is in a pipeline */
  bool server_supports_pipelining; /* TRUE if server supports pipelining,
                                      set after first response */

@@ -1136,8 +1146,6 @@ struct UrlState {
                                bytes / second */
  bool this_is_a_follow; /* this is a followed Location: request */

-  bool is_in_pipeline; /* Indicates whether this handle is part of a pipeline */
-
  char *first_host; /* if set, this should be the host name that we will
                       sent authorization to, no else. Used to make Location:
                       following not keep sending user+password... This is
@@ -1254,10 +1262,6 @@ struct UrlState {
 struct DynamicStatic {
  char *url;        /* work URL, copied from UserDefined */
  bool url_alloc;   /* URL string is malloc()'ed */
-  bool url_changed; /* set on CURL_OPT_URL, used to detect if the URL was
-                       changed after the connect phase, as we allow callback
-                       to change it and if so, we reconnect to use the new
-                       URL instead */
  char *referer;    /* referer string */
  bool referer_alloc; /* referer sting is malloc()ed */
  struct curl_slist *cookielist; /* list of cookie files set by
--- a/4
+++ b/4
@@ -22,9 +22,9 @@ do
     esac

     if test ! -d "$pathcomp"; then
-        echo "mkdir $pathcomp" 1>&2
+        echo "mkdir -m0755 $pathcomp" 1>&2

-        mkdir "$pathcomp" || lasterr=$?
+        mkdir -m0755 "$pathcomp" || lasterr=$?

        if test ! -d "$pathcomp"; then
  	  errstatus=$lasterr
--- a/src/Makefile.m32
+++ b/src/Makefile.m32
@@ -1,8 +1,8 @@
 #########################################################################
 # $Id$
 #
-## Makefile for building curl.exe with MingW32 (GCC-3.2) and
-## optionally OpenSSL (0.9.8), libssh2 (0.17), zlib (1.2.3)
+## Makefile for building curl.exe with MingW32 (GCC-3.2)
+## and optionally OpenSSL (0.9.8), libssh2 (0.18), zlib (1.2.3)
 ##
 ## Usage:
 ## mingw32-make -f Makefile.m32 [SSL=1] [SSH2=1] [ZLIB=1] [SSPI=1] [IPV6=1] [DYN=1]
@@ -40,7 +40,7 @@ CFLAGS = -g -O2
 LDFLAGS = -s
 RC = windres
 RCFLAGS = --include-dir=../include -O COFF -i
-RM = del /q /f
+RM = del /q /f > NUL 2>&1
 CP = copy

 # We may need these someday
@@ -114,11 +114,13 @@ curl_OBJECTS := $(patsubst %.c,%.o,$(strip $(CURL_SOURCES)))
 # curlx_OBJECTS := $(patsubst %.c,%.o,$(notdir $(strip $(CURLX_ONES))))
 # vpath %.c ../lib

+RESOURCE = curl.res
+
 .SUFFIXES: .rc .res

 all: curl.exe

-curl.exe: curl.res $(curl_OBJECTS) $(curl_DEPENDENCIES)
+curl.exe: $(RESOURCE) $(curl_OBJECTS) $(curl_DEPENDENCIES)
 	-$(RM) $@
 	$(LINK) $< $(curl_OBJECTS) $(curl_LDADD)

@@ -141,7 +143,7 @@ clean:
 ifeq "$(wildcard hugehelp.c.cvs)" "hugehelp.c.cvs"
 	-$(RM) hugehelp.c
 endif
-	-$(RM) $(curl_OBJECTS)
+	-$(RM) $(curl_OBJECTS) $(RESOURCE)

 distrib: clean
 	-$(RM) $(curl_PROGRAMS)
--- a/src/Makefile.netware
+++ b/src/Makefile.netware
@@ -41,7 +41,10 @@ MTSAFE	= YES
 STACK	= 64000
 SCREEN	= $(TARGET) commandline utility
 # Comment the line below if you dont want to load protected automatically.
-#LDRING	= 3
+# LDRING = 3
+
+# Uncomment the next line to enable linking with POSIX semantics.
+# POSIXFL = 1

 # Edit the var below to point to your lib architecture.
 ifndef LIBARCH
@@ -72,10 +75,12 @@ ifdef METROWERKS
 else
 	CC = gcc
 endif
+PERL	= perl
 # a native win32 awk can be downloaded from here:
 # http://www.gknw.net/development/prgtools/awk-20070501.zip
 AWK	= awk
 CP	= cp -afv
+MKDIR	= mkdir
 # RM	= rm -f
 # if you want to mark the target as MTSAFE you will need a tool for
 # generating the xdc data for the linker; here's a minimal tool:
@@ -99,7 +104,11 @@ CFLAGS	+= -gccinc -inline off -opt nointrinsics -proc 586
 CFLAGS	+= -relax_pointers
 #CFLAGS	+= -w on
 ifeq ($(LIBARCH),LIBC)
+ifeq ($(POSIXFL),1)
+	PRELUDE = $(SDK_LIBC)/imports/posixpre.o
+else
 	PRELUDE = $(SDK_LIBC)/imports/libcpre.o
+endif
 	CFLAGS += -align 4
 else
 	# PRELUDE = $(SDK_CLIB)/imports/clibpre.o
@@ -115,7 +124,11 @@ LIBEXT	= a
 CFLAGS	+= -fno-builtin -fpcc-struct-return -fno-strict-aliasing
 CFLAGS	+= -Wall # -pedantic
 ifeq ($(LIBARCH),LIBC)
+ifeq ($(POSIXFL),1)
+	PRELUDE = $(SDK_LIBC)/imports/posixpre.gcc.o
+else
 	PRELUDE = $(SDK_LIBC)/imports/libcpre.gcc.o
+endif
 else
 	# PRELUDE = $(SDK_CLIB)/imports/clibpre.gcc.o
 	# to avoid the __init_* / __deinit_* whoes dont use prelude from NDK
@@ -220,12 +233,9 @@ $(OBJDIR)/version.inc: $(CURL_INC)/curl/curlver.h $(OBJDIR)
 	@echo Creating $@
 	@$(AWK) -f ../packages/NetWare/get_ver.awk $< > $@

-dist: all
-	-$(RM) $(OBJDIR)/*.o $(OBJDIR)/$(TARGET).map $(OBJDIR)/$(TARGET).ncv
-	-$(RM) $(OBJDIR)/$(TARGET).def $(OBJDIR)/version.inc $(XDCDATA)
-
 install: $(INSTDIR) all
 	@-$(CP) ../docs/$(TARGET).pdf $(INSTDIR)
+	@-$(CP) ../docs/$(TARGET).html $(INSTDIR)
 	@$(CP) $(TARGET).nlm $(INSTDIR)

 clean:
@@ -236,13 +246,10 @@ endif
 	-$(RM) -r $(OBJDIR)

 distclean: clean
-	-$(RM) -r $(TARGET).nlm
+	-$(RM) $(TARGET).nlm

-$(INSTDIR):
-	@mkdir $(INSTDIR)
-
-$(OBJDIR):
-	@mkdir $(OBJDIR)
+$(OBJDIR) $(INSTDIR):
+	@$(MKDIR) $@

 $(TARGET).nlm: $(OBJS) $(OBJX) $(OBJDIR)/$(TARGET).def $(XDCDATA)
 	@echo Linking $@
@@ -292,28 +299,37 @@ ifeq ($(LIBARCH),CLIB)
 	@echo $(DL)import @$(SDK_CLIB)/imports/threads.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_CLIB)/imports/nlmlib.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_CLIB)/imports/socklib.imp$(DL) >> $@
+	@echo $(DL)module clib$(DL) >> $@
 ifndef DISABLE_LDAP
 	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapsdk.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapssl.imp$(DL) >> $@
-	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapx.imp$(DL) >> $@
-	@echo $(DL)module ldapsdk ldapssl ldapx$(DL) >> $@
+#	@echo $(DL)import @$(SDK_LDAP)/clib/imports/ldapx.imp$(DL) >> $@
+	@echo $(DL)module ldapsdk ldapssl$(DL) >> $@
 endif
-	@echo $(DL)module clib$(DL) >> $@
 else
+ifeq ($(POSIXFL),1)
+	@echo $(DL)flag_on 4194304$(DL) >> $@
+endif
 	@echo $(DL)flag_on 64$(DL) >> $@
 	@echo $(DL)pseudopreemption$(DL) >> $@
+ifeq ($(findstring posixpre,$(PRELUDE)),posixpre)
+	@echo $(DL)start POSIX_Start$(DL) >> $@
+	@echo $(DL)exit POSIX_Stop$(DL) >> $@
+	@echo $(DL)check POSIX_CheckUnload$(DL) >> $@
+else
 	@echo $(DL)start _LibCPrelude$(DL) >> $@
 	@echo $(DL)exit _LibCPostlude$(DL) >> $@
 	@echo $(DL)check _LibCCheckUnload$(DL) >> $@
+endif
 	@echo $(DL)import @$(SDK_LIBC)/imports/libc.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_LIBC)/imports/netware.imp$(DL) >> $@
+	@echo $(DL)module libc$(DL) >> $@
 ifndef DISABLE_LDAP
 	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapsdk.imp$(DL) >> $@
 	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapssl.imp$(DL) >> $@
-	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapx.imp$(DL) >> $@
-	@echo $(DL)module lldapsdk lldapssl lldapx$(DL) >> $@
+#	@echo $(DL)import @$(SDK_LDAP)/libc/imports/lldapx.imp$(DL) >> $@
+	@echo $(DL)module lldapsdk lldapssl$(DL) >> $@
 endif
-	@echo $(DL)module libc$(DL) >> $@
 endif
 ifdef MODULES
 	@echo $(DL)module $(MODULES)$(DL) >> $@
--- a/src/Makefile.vc6
+++ b/src/Makefile.vc6
@@ -41,7 +41,7 @@ MACHINE  = X86
 # It can be downloaded from:
 # http://www.microsoft.com/msdownload/platformsdk/sdkupdate/

-# USE_WINDOWS_SSPI = 1
+# WINDOWS_SSPI = 1

 !IFDEF WINDOWS_SSPI
 !IFNDEF WINDOWS_SDK_PATH
@@ -61,13 +61,22 @@ SSL_LFLAGS     = /LIBPATH:"$(OPENSSL_PATH)/out32"
 SSL_IMP_LFLAGS = /LIBPATH:"$(OPENSSL_PATH)/out32dll"
 SSL_LIBS       = libeay32.lib ssleay32.lib gdi32.lib user32.lib advapi32.lib

+# Runtime library configuration
+RTLIB   = /MD
+RTLIBD  = /MDd
+
+!IF "$(RTLIBCFG)" == "static"
+RTLIB  = /MT
+RTLIBD = /MTd
+!ENDIF
+
 ## Release
-CCR   = cl.exe /MD /O2 /DNDEBUG
+CCR   = cl.exe $(RTLIB) /O2 /DNDEBUG
 LINKR = link.exe /incremental:no /libpath:"../lib"
 RCR   = rc.exe /dCURLDEBUG=0

 ## Debug
-CCD   = cl.exe /MDd /Gm /ZI /Od /D_DEBUG /GZ
+CCD   = cl.exe $(RTLIBD) /Gm /ZI /Od /D_DEBUG /GZ
 LINKD = link.exe /incremental:yes /debug /libpath:"../lib"
 RCD   = rc.exe /dCURLDEBUG=1

--- a/src/config-win32.h
+++ b/src/config-win32.h
@@ -187,6 +187,16 @@
 #define _CRT_NONSTDC_NO_DEPRECATE 1
 #endif

+/* VS2005 and later dafault size for time_t is 64-bit, unless */
+/* _USE_32BIT_TIME_T has been defined to get a 32-bit time_t. */
+#if defined(_MSC_VER) && (_MSC_VER >= 1400)
+#  ifndef _USE_32BIT_TIME_T
+#    define SIZEOF_TIME_T 8
+#  else
+#    define SIZEOF_TIME_T 4
+#  endif
+#endif
+
 /* VS2008 does not support Windows build targets prior to WinXP, */
 /* so, if no build target has been defined we will target WinXP. */
 #if defined(_MSC_VER) && (_MSC_VER >= 1500)
--- a/tests/.cvsignore
+++ b/tests/.cvsignore
@@ -5,11 +5,13 @@ log
 *.pid
 *.pdf
 *.html
-curl_client_knownhosts
 curl_client_key
 curl_client_key.pub
+curl_client_knownhosts
 curl_host_dsa_key
 curl_host_dsa_key.pub
-curl_sshd_config
+curl_sftp_cmds
+curl_sftp_config
 curl_ssh_config
+curl_sshd_config
 stunnel.conf
--- a/tests/FILEFORMAT
+++ b/tests/FILEFORMAT
@@ -36,7 +36,7 @@ statistical/informational purposes.
 <reply>
 <data [nocheck="1"] [sendzero="yes"] [base64="yes"]>
 data to be sent to the client on its request and later verified that it arrived
-safely. Set the nocheck=1 to prevent the test script to verify the arrival
+safely. Set nocheck="1" to prevent the test script from verifying the arrival
 of this data.

 If the data contains 'swsclose' anywhere within the start and end tag, and
--- a/tests/README
+++ b/tests/README
@@ -8,11 +8,9 @@ The cURL Test Suite

 Requires:
  perl (and a unix-style shell)
-  diff (when a test fail, a diff is shown)
+  diff (when a test fails, a diff is shown)
  stunnel (for HTTPS and FTPS tests)
-  sshd (for SCP and SFTP tests; OpenSSH ver. 3.8 is known to work)
-  ssh (for SOCKS4 and SOCK5 tests; OpenSSH ver. 4.5 is known to work.
-       OpenSSH version 3.7 or greater is needed for SOCKS5)
+  OpenSSH or SunSSH (for SCP, SFTP and SOCKS4/5 tests)

 TCP ports used by default:

@@ -54,6 +52,19 @@ Run:
  3 to 9. Any test numbers starting with ! are disabled, as are any test
  numbers found in the file data/DISABLED (one per line).

+Shell startup scripts:
+  Tests which use the ssh test server, SCP/SFTP/SOCKS tests, might be badly
+  influenced by the output of system wide or user specific shell startup scripts,
+  .bashrc, .profile, /etc/csh.cshrc, .login, /etc/bashrc, etc. which output text
+  messages or escape sequences on user login.  When these shell startup messages
+  or escape sequences are output they might corrupt the expected stream of data
+  which flows to the sftp-server or from the ssh client which can result in bad
+  test behaviour or even prevent the test server from running.
+
+  If the test suite ssh or sftp server fails to start up and logs the message
+  'Received message too long' then you are certainly suffering the unwanted
+  output of a shell startup script.  Locate, cleanup or adjust the shell script.
+
 Memory:
  The test script will check that all allocated memory is freed properly IF
  curl has been built with the CURLDEBUG define set. The script will
--- a/tests/data/DISABLED
+++ b/tests/data/DISABLED
@@ -3,4 +3,4 @@
 # test cases are run by runtests.pl. Just add the plain test case numbers, one
 # per line.
 # Lines starting with '#' letters are treated as comments.
-#1009
+
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -19,7 +19,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46	   \
 test505 test74 test75 test76 test77 test78 test147 test148 test506 test79 \
 test80 test81 test82 test83 test84 test85 test86 test87 test507 test149   \
 test88 test89 test90 test508 test91 test92 test203 test93 test94 test95   \
- test509 test510 test97 test98 test99 test150 test151 test152 test153	   \
+ test510 test97 test98 test99 test150 test151 test152 test153	   \
 test154 test155 test156 test157 test158 test159 test511 test160 test161   \
 test162 test163 test164 test512 test165 test166 test167 test168 test169   \
 test170 test171 test172 test204 test205 test173 test174 test175 test176   \
@@ -48,7 +48,8 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46	   \
 test2000 test2001 test2002 test2003 test35 test544 test545 test2004	   \
 test546 test1013 test1014 test1015 test547 test548 test549 test550	   \
 test551 test552 test1016 test1017 test1018 test1019 test1020 test553      \
- test1021
+ test1021 test1022 test1023 test309 test616 test617 test618 test619        \
+ test620 test621 test622 test623 test624 test625 test626

 filecheck:
 	@mkdir test-place; \
--- a/tests/data/test1022
+++ b/tests/data/test1022
@@ -0,0 +1,37 @@
+<testcase>
+<info>
+<keywords>
+curl-config
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+ <name>
+Compare curl --version with curl-config --version
+ </name>
+ <command>
+--version
+</command>
+<postcheck>
+%SRCDIR/libtest/test1022.pl ../curl-config log/stdout1022 version
+</postcheck>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+2
+</errorcode>
+</verify>
+</testcase>
--- a/tests/data/test1023
+++ b/tests/data/test1023
@@ -0,0 +1,37 @@
+<testcase>
+<info>
+<keywords>
+curl-config
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+ <name>
+Compare curl --version with curl-config --vernum
+ </name>
+ <command>
+--version
+</command>
+<postcheck>
+%SRCDIR/libtest/test1022.pl ../curl-config log/stdout1023 vernum
+</postcheck>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+2
+</errorcode>
+</verify>
+</testcase>
--- a/tests/data/test146
+++ b/tests/data/test146
@@ -3,9 +3,10 @@
 <keywords>
 FTP
 RETR
-persistant connection
+persistent connection
 </keywords>
 </info>
+
 # Server-side
 <reply>
 <data>
@@ -19,7 +20,7 @@ this is file contents
 ftp
 </server>
 <name>
-persistant FTP with different paths
+persistent FTP with different paths
 </name>
 <command>
 ftp://%HOSTIP:%FTPPORT/first/dir/here/146 ftp://%HOSTIP:%FTPPORT/146
--- a/tests/data/test164
+++ b/tests/data/test164
@@ -1,7 +1,8 @@
 <testcase>
 # Server-side
 # This particular response is an exact excerpt from an actual Apache
-# server when asked for a 0-10,12-15 range.
+# server when asked for a 0-10,12-15 range (except gt/lt changed to {}
+# to avoid XML escaping problems).
 <reply>
 <data>
 HTTP/1.1 206 Partial Content swsclose
@@ -17,15 +18,15 @@ Content-Type: multipart/byteranges; boundary=408a326132c
 Content-type: text/html
 Content-range: bytes 0-10/3781

-<html>
-<hea
+{html}
+{hea

 --408a326132c
 Content-type: text/html
 Content-range: bytes 12-15/3781

->
-<t
+}
+{t

 --408a326132c--
 </data>
--- a/tests/data/test183
+++ b/tests/data/test183
@@ -1,4 +1,12 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+persistent connection
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>
@@ -15,9 +23,6 @@ moo
 <server>
 http
 </server>
-<features>
-SSL
-</features>
 <name>
 HTTP GET two URLs over a single proxy with persistent connection
 </name>
--- a/tests/data/test184
+++ b/tests/data/test184
@@ -1,4 +1,12 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+followlocation
+</keywords>
+
+</info>
 # Server-side
 <reply>
 <data>
@@ -35,9 +43,6 @@ moo
 <server>
 http
 </server>
-<features>
-SSL
-</features>
 <name>
 HTTP replace Host: when following Location: to new host
 </name>
--- a/tests/data/test185
+++ b/tests/data/test185
@@ -1,4 +1,12 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+followlocation
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>
@@ -35,9 +43,6 @@ moo
 <server>
 http
 </server>
-<features>
-SSL
-</features>
 <name>
 HTTP replace Host: when following Location: on the same host
 </name>
--- a/tests/data/test29
+++ b/tests/data/test29
@@ -10,11 +10,11 @@ FAILURE
 # Server-side
 <reply>
 <data>
-HTTP/1.1 200 OK swsclose
-Date: Thu, 09 Nov 2010 14:49:00 GMT
-Connection: close
-
-<html>result</html>
+HTTP/1.1 200 OK swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Connection: close
+
+_data_result_data_
 </data>
 <postcmd>
 wait 10
--- a/tests/data/test300
+++ b/tests/data/test300
@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+</keywords>
+</info>
+
 #
 # Server-side
 <reply>
--- a/tests/data/test301
+++ b/tests/data/test301
@@ -1,4 +1,12 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+HTTP Basic auth
+</keywords>
+</info>
+
 #
 # Server-side
 <reply>
--- a/tests/data/test302
+++ b/tests/data/test302
@@ -1,4 +1,14 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+HTTP CONNECT
+HTTP proxy
+FAILURE
+</keywords>
+</info>
+
 # Client-side
 <client>
 <features>
--- a/tests/data/test303
+++ b/tests/data/test303
@@ -1,15 +1,23 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+timeout
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>
-HTTP/1.1 200 OK
-Date: Thu, 09 Nov 2010 14:49:00 GMT
-Connection: close
-
-<html>result</html>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Connection: close
+
+_data_result_data_
 </data>
 <postcmd>
-wait 10
+wait 20
 </postcmd>
 </reply>

@@ -22,10 +30,10 @@ SSL
 https
 </server>
 <name>
-HTTPS with 2 secs timeout
+HTTPS with 7 secs timeout
 </name>
 <command>
-http://%HOSTIP:%HTTPPORT/want/303 -m 2
+-k https://%HOSTIP:%HTTPSPORT/want/303 -m 7
 </command>
 </client>

@@ -36,7 +44,7 @@ http://%HOSTIP:%HTTPPORT/want/303 -m 2
 </strip>
 <protocol>
 GET /want/303 HTTP/1.1
-Host: %HOSTIP:%HTTPPORT
+Host: %HOSTIP:%HTTPSPORT
 Accept: */*

 </protocol>
--- a/tests/data/test304
+++ b/tests/data/test304
@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP POST
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>
--- a/tests/data/test305
+++ b/tests/data/test305
@@ -1,4 +1,12 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+FAILURE
+</keywords>
+</info>
+
 # Client-side
 <client>
 <features>
--- a/tests/data/test306
+++ b/tests/data/test306
@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+</keywords>
+</info>
+
 #
 # Server-side
 <reply>
--- a/tests/data/test307
+++ b/tests/data/test307
@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+</keywords>
+</info>
+
 #
 # Server-side
 <reply>
--- a/tests/data/test308
+++ b/tests/data/test308
@@ -1,4 +1,12 @@
 <testcase>
+<info>
+<keywords>
+HTTPS
+HTTP GET
+FAILURE
+</keywords>
+</info>
+
 #
 # Client-side
 <client>
--- a/tests/data/test309
+++ b/tests/data/test309
@@ -0,0 +1,86 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTPS
+HTTP GET
+followlocation
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: https://127.0.0.1:8991/data/3090002.txt?coolsite=yes
+Connection: close
+
+This server reply is for testing a simple Location: following to HTTPS URL
+
+</data>
+<data2>
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</data2>
+<datacheck>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: https://127.0.0.1:8991/data/3090002.txt?coolsite=yes
+Connection: close
+
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+http
+https
+</server>
+ <name>
+HTTP Location: redirect to HTTPS URL
+ </name>
+ <command>
+-k http://%HOSTIP:%HTTPPORT/want/309 -L
+</command>
+# The data section doesn't do variable substitution, so we must assert this
+<precheck>
+perl -e "print 'Test requires default test server host and port' if ( '%HOSTIP' ne '127.0.0.1' || '%HTTPSPORT' ne '8991' );"
+</precheck>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /want/309 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+GET /data/3090002.txt?coolsite=yes HTTP/1.1
+Host: %HOSTIP:%HTTPSPORT
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
--- a/tests/data/test31
+++ b/tests/data/test31
@@ -26,6 +26,7 @@ Set-Cookie:   nodomain=value; expires=Fri Feb 2 11:56:27 GMT 2035
 Set-Cookie: novalue; domain=reallysilly
 Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
+Set-Cookie: magic=yessir; path=/silly/; HttpOnly

 boo
 </data>
@@ -69,6 +70,7 @@ Accept: */*
 .127.0.0.1	TRUE	/silly/	FALSE	0	ismatch	this
 .127.0.0.1	TRUE	/	FALSE	0	partmatch	present
 127.0.0.1	FALSE	/we/want/	FALSE	2054030187	nodomain	value
+#HttpOnly_127.0.0.1	FALSE	/silly/	FALSE	0	magic	yessir
 </file>
 </verify>
 </testcase>
--- a/Show More
+++ b/Show More