Merge "Bump version to 7.70.0"
diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
new file mode 100644
index 0000000..29f278c
--- /dev/null
+++ b/.azure-pipelines.yml
@@ -0,0 +1,393 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+# Starter pipeline
+# Start with a minimal pipeline that you can customize to build and deploy your code.
+# Add steps that build, run tests, deploy, and more:
+# https://aka.ms/yaml
+
+trigger:
+  branches:
+    include:
+    - 'master'
+    - '*/ci'
+
+pr:
+  branches:
+    include:
+    - 'master'
+
+stages:
+
+##########################################
+### Linux jobs first
+##########################################
+
+- stage: linux
+  dependsOn: []
+  jobs:
+  - job: vanilla
+    displayName: ubuntu default
+    timeoutInMinutes: 20
+    pool:
+      vmImage: 'ubuntu-latest'
+    steps:
+    - script: sudo apt install stunnel4 python-impacket
+      displayName: 'apt install'
+
+    - script: ./buildconf && ./configure --enable-debug --enable-werror
+      displayName: 'configure debug'
+
+    - script: make
+      displayName: 'make'
+
+    - script: make test-nonflaky
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: ""
+
+  - job: disable_ipv6
+    displayName: ubuntu w/o IPv6
+    timeoutInMinutes: 20
+    pool:
+      vmImage: 'ubuntu-latest'
+    steps:
+    - script: sudo apt install stunnel4 python-impacket
+      displayName: 'apt install'
+
+    - script: ./buildconf && ./configure --disable-ipv6
+      displayName: 'configure disable ipv6'
+
+    - script: make
+      displayName: 'make'
+
+    - script: make test-nonflaky
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: ""
+
+  - job: disable_http_smtp_imap
+    displayName: ubuntu w/o HTTP/SMTP/IMAP
+    timeoutInMinutes: 20
+    pool:
+      vmImage: 'ubuntu-latest'
+    steps:
+    - script: sudo apt install stunnel4 python-impacket
+      displayName: 'apt install'
+
+    - script: ./buildconf && ./configure --disable-http --disable-smtp --disable-imap
+      displayName: 'configure disable http/smtp/imap'
+
+    - script: make
+      displayName: 'make'
+
+    - script: make test-nonflaky
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+
+  - job: disable_thredres
+    displayName: ubuntu sync resolver
+    timeoutInMinutes: 20
+    pool:
+      vmImage: 'ubuntu-latest'
+    steps:
+    - script: sudo apt install stunnel4 python-impacket
+      displayName: 'apt install'
+
+    - script: ./buildconf && ./configure --disable-threaded-resolver
+      displayName: 'configure disable threaded-resolver'
+
+    - script: make
+      displayName: 'make'
+
+    - script: make test-nonflaky
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: ""
+
+  - job: http_only
+    displayName: ubuntu HTTP only
+    timeoutInMinutes: 20
+    pool:
+      vmImage: 'ubuntu-latest'
+    steps:
+    - script: sudo apt install stunnel4 python-impacket
+      displayName: 'apt install'
+
+    - script: ./buildconf && ./configure --disable-dict --disable-file --disable-ftp --disable-gopher --disable-imap --disable-ldap --disable-pop3 --disable-rtmp --disable-rtsp --disable-scp --disable-sftp --disable-smb --disable-smtp --disable-telnet --disable-tftp
+      displayName: 'configure disable non-http'
+
+    - script: make
+      displayName: 'make'
+
+    - script: make test-nonflaky
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: ""
+
+- stage: linux_torture
+  dependsOn: linux
+  jobs:
+  - job: torture
+    displayName: ubuntu torture tests
+    timeoutInMinutes: 60
+    pool:
+      vmImage: 'ubuntu-latest'
+    steps:
+    - script: sudo apt install stunnel4 python-impacket libnghttp2-dev
+      displayName: 'apt install'
+
+    - script: ./buildconf && ./configure --enable-debug --disable-shared --disable-threaded-resolver --enable-alt-svc
+      displayName: 'configure torture'
+
+    - script: make
+      displayName: 'make'
+
+    - script: make test-nonflaky
+      displayName: 'torture test'
+      env:
+        TFLAGS: "-n -t --shallow=40 !FTP"
+
+##########################################
+### Windows jobs below
+##########################################
+
+- stage: windows
+  dependsOn: []
+  variables:
+    agent.preferPowerShellOnContainers: true
+  jobs:
+  - job: windows_msys2_mingw32_debug_openssl
+    displayName: msys2 mingw32 debug openssl
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys2-mingw32:ltsc2019
+      env:
+        MSYSTEM: MINGW32
+        MSYS2_PATH_TYPE: inherit
+    steps:
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=i686-w64-mingw32 --build=i686-w64-mingw32 --enable-debug --enable-werror"
+      displayName: 'configure debug'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~1056 ~1299"
+
+  - job: windows_msys2_mingw64_debug_openssl
+    displayName: msys2 mingw64 debug openssl
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys2-mingw64:ltsc2019
+      env:
+        MSYSTEM: MINGW64
+        MSYS2_PATH_TYPE: inherit
+    steps:
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=x86_64-w64-mingw32 --build=x86_64-w64-mingw32 --enable-debug --enable-werror"
+      displayName: 'configure debug'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~1056 ~1299"
+
+  - job: windows_msys1_mingw_debug_openssl
+    displayName: msys1 mingw debug openssl
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys1-mingw:ltsc2019
+    steps:
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=i686-pc-mingw32 --build=i686-pc-mingw32 --prefix=/mingw --enable-debug"
+      displayName: 'configure debug'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~203 ~1056 ~1143"
+
+  - job: windows_msys1_mingw32_debug_openssl
+    displayName: msys1 mingw32 debug openssl
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys1-mingw32:ltsc2019
+    steps:
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=i686-w64-mingw32 --build=i686-w64-mingw32 --prefix=/mingw32 --enable-debug --enable-werror --without-zlib --enable-mqtt"
+      displayName: 'configure debug without zlib'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~203 ~1056 ~1143 ~1299"
+
+  - job: windows_msys1_mingw64_debug_openssl
+    displayName: msys1 mingw64 debug openssl
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys1-mingw64:ltsc2019
+    steps:
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=x86_64-w64-mingw32 --build=x86_64-w64-mingw32 --prefix=/mingw64 --enable-debug --enable-werror --without-zlib"
+      displayName: 'configure debug without zlib'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~203 ~1056 ~1143 ~1299"
+
+  - job: windows_msys2_mingw32_debug_schannel
+    displayName: msys2 mingw32 debug schannel
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys2-mingw32:ltsc2019
+      env:
+        MSYSTEM: MINGW32
+        MSYS2_PATH_TYPE: inherit
+    steps:
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=i686-w64-mingw32 --build=i686-w64-mingw32 --enable-debug --enable-werror --enable-sspi --without-ssl --with-schannel --with-winidn"
+      displayName: 'configure debug with sspi/schannel/winidn'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~165 ~310 ~1013 ~1056 ~1299 ~1448 ~2034 ~2037 ~2041 ~2046 ~2047 ~3000 ~3001"
+
+  - job: windows_msys2_mingw64_debug_schannel
+    displayName: msys2 mingw64 debug schannel
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys2-mingw64:ltsc2019
+      env:
+        MSYSTEM: MINGW64
+        MSYS2_PATH_TYPE: inherit
+    steps:
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=x86_64-w64-mingw32 --build=x86_64-w64-mingw32 --enable-debug --enable-werror --enable-sspi --without-ssl --with-schannel --with-winidn"
+      displayName: 'configure debug with sspi/schannel/winidn'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\msys64\usr\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~165 ~310 ~1013 ~1056 ~1299 ~1448 ~2034 ~2037 ~2041 ~2046 ~2047 ~3000 ~3001"
+
+  - job: windows_msys1_mingw_debug_schannel
+    displayName: msys1 mingw debug schannel
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys1-mingw:ltsc2019
+    steps:
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=i686-pc-mingw32 --build=i686-pc-mingw32 --prefix=/mingw --enable-debug --enable-sspi --without-ssl --with-schannel --with-winidn"
+      displayName: 'configure debug with sspi/schannel/winidn'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~203 ~305 ~310 ~311 ~312 ~313 ~404 ~1013 ~1056 ~1143 ~2034 ~2035 ~2037 ~2038 ~2041 ~2042 ~2048 ~3000 ~3001"
+
+  - job: windows_msys1_mingw32_debug_schannel
+    displayName: msys1 mingw32 debug schannel
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys1-mingw32:ltsc2019
+    steps:
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=i686-w64-mingw32 --build=i686-w64-mingw32 --prefix=/mingw32 --enable-debug --enable-werror --enable-sspi --without-ssl --with-schannel --with-winidn --without-zlib"
+      displayName: 'configure debug with sspi/schannel/winidn without zlib'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~203 ~310 ~1013 ~1056 ~1143 ~1299 ~2034 ~2037 ~2041 ~3000 ~3001"
+
+  - job: windows_msys1_mingw64_debug_schannel
+    displayName: msys1 mingw64 debug schannel
+    timeoutInMinutes: 90
+    pool:
+      vmImage: 'windows-2019'
+    container:
+      image: mback2k/curl-docker-winbuildenv-msys1-mingw64:ltsc2019
+    steps:
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && ./buildconf && ./configure --host=x86_64-w64-mingw32 --build=x86_64-w64-mingw32 --prefix=/mingw64  --enable-debug --enable-werror --enable-sspi --without-ssl --with-schannel --with-winidn --without-zlib"
+      displayName: 'configure debug with sspi/schannel/winidn without zlib'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make"
+      displayName: 'make'
+
+    - script: C:\MinGW\msys\1.0\bin\sh -l -c "cd $(echo '%cd%') && make test-nonflaky"
+      displayName: 'test'
+      env:
+        AZURE_ACCESS_TOKEN: "$(System.AccessToken)"
+        TFLAGS: "~203 ~310 ~1013 ~1056 ~1143 ~1299 ~2034 ~2037 ~2041 ~3000 ~3001"
diff --git a/.cirrus.yml b/.cirrus.yml
new file mode 100644
index 0000000..4a541c9
--- /dev/null
+++ b/.cirrus.yml
@@ -0,0 +1,78 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+# Cirrus CI configuration
+# https://cirrus-ci.com/github/curl/curl
+
+task:
+  name: FreeBSD
+  freebsd_instance:
+    matrix:
+      # A stable 13.0 image likely won't be available before early 2021
+      image_family: freebsd-13-0-snap
+      image_family: freebsd-12-1
+      # The stable 11.3 image causes "Agent is not responding" so use a snapshot
+      image_family: freebsd-11-3-snap
+
+  env:
+    CIRRUS_CLONE_DEPTH: 10
+    MAKE_FLAGS: -j 2
+
+  pkginstall_script:
+    - pkg update -f
+    - pkg install -y autoconf automake libtool pkgconf brotli openldap-client heimdal libpsl libmetalink libssh2 openssh-portable libidn2 librtmp libnghttp2 nghttp2 stunnel
+    - case `python -V` in
+        Python?3.7*) pkg install -y py37-impacket ;;
+        Python?2.7*) pkg install -y py27-impacket ;;
+      esac
+    - pkg delete -y curl
+  configure_script:
+    - ./buildconf
+    - case `uname -r` in
+        12.1*)
+        export CC=clang;
+        export CFLAGS="-fsanitize=address,undefined,signed-integer-overflow -fno-sanitize-recover=undefined,integer -Wformat -Werror=format-security -Werror=array-bounds -g";
+        export CXXFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=undefined,integer -Wformat -Werror=format-security -Werror=array-bounds -g";
+        export LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=undefined,integer" ;;
+      esac
+    - ./configure --prefix="${HOME}"/install --enable-debug --with-libssh2 --with-brotli --with-gssapi --with-libidn2 --enable-manual --enable-ldap --enable-ldaps --with-librtmp --with-libmetalink --with-libpsl --with-nghttp2 || { tail -300 config.log; false; }
+  compile_script:
+    - make V=1
+  test_script:
+    # blackhole?
+    - sysctl net.inet.tcp.blackhole
+    # make sure we don't run blackhole != 0
+    - sudo sysctl net.inet.tcp.blackhole=0
+    # Some tests won't run if run as root so run them as another user.
+    # Make directories world writable so the test step can write wherever it needs.
+    - find . -type d -exec chmod 777 {} \;
+    # TODO: A number of tests are failing on different FreeBSD versions and so
+    # are disabled.  This should be investigated.
+    - SKIP_TESTS=''
+    - uname -r
+    - case `uname -r` in
+        13.0*) SKIP_TESTS='~1242 ~1243 ~2002 ~2003';;
+        12.1*) SKIP_TESTS='~1242 ~1243 ~2002 ~2003';;
+        11.3*) SKIP_TESTS='~1242 ~1243 ~2002 ~2003';;
+      esac
+    - sudo -u nobody make V=1 TFLAGS="-n -a -p !flaky ${SKIP_TESTS}" test-nonflaky
+  install_script:
+    - make V=1 install
diff --git a/.dir-locals.el b/.dir-locals.el
index ed91b12..7c20935 100644
--- a/.dir-locals.el
+++ b/.dir-locals.el
@@ -1,3 +1,24 @@
+;;;***************************************************************************
+;;;                                  _   _ ____  _
+;;;  Project                     ___| | | |  _ \| |
+;;;                             / __| | | | |_) | |
+;;;                            | (__| |_| |  _ <| |___
+;;;                             \___|\___/|_| \_\_____|
+;;;
+;;; Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+;;;
+;;; This software is licensed as described in the file COPYING, which
+;;; you should have received as part of this distribution. The terms
+;;; are also available at https://curl.haxx.se/docs/copyright.html.
+;;;
+;;; You may opt to use, copy, modify, merge, publish, distribute and/or sell
+;;; copies of the Software, and permit persons to whom the Software is
+;;; furnished to do so, under the terms of the COPYING file.
+;;;
+;;; This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+;;; KIND, either express or implied.
+;;;
+;;;***************************************************************************
 ;;; Directory Local Variables
 ;;; See Info node `(emacs) Directory Variables' for more information.
 
diff --git a/.gitattributes b/.gitattributes
index a7b3f6a..cd3fde9 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -3,3 +3,6 @@
 configure.ac eol=lf
 *.m4 eol=lf
 *.in eol=lf
+*.am eol=lf
+*.sh eol=lf
+*.[ch] whitespace=tab-in-indent
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..fb9cb5b
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+open_collective: curl
diff --git a/.github/ISSUE_TEMPLATE b/.github/ISSUE_TEMPLATE
index 3a93c5b..452cafb 100644
--- a/.github/ISSUE_TEMPLATE
+++ b/.github/ISSUE_TEMPLATE
@@ -1,5 +1,6 @@
-<!-- Only file bugs here! Questions should be taken on the mailing list,
-     see https://curl.haxx.se/mail/
+<!-- Only file bugs here! Ask questions on the mailing lists https://curl.haxx.se/mail/
+
+     SECURITY RELATED? Post it here: https://hackerone.com/curl
 
      There are collections of known issues to be aware of:
      https://curl.haxx.se/docs/knownbugs.html
@@ -14,3 +15,5 @@
 [curl -V output]
 
 ### operating system
+
+<!-- On Unix please post the output of "uname -a" -->
diff --git a/.github/lock.yml b/.github/lock.yml
new file mode 100644
index 0000000..66e7912
--- /dev/null
+++ b/.github/lock.yml
@@ -0,0 +1,8 @@
+# Configuration for lock-threads - https://github.com/dessant/lock-threads
+
+# Number of days of inactivity before a closed issue or pull request is locked
+daysUntilLock: 90
+# Comment to post before locking. Set to `false` to disable
+lockComment: false
+# Limit to only `issues` or `pulls`
+# only: issues
diff --git a/.github/stale.yml b/.github/stale.yml
new file mode 100644
index 0000000..9bcd4eb
--- /dev/null
+++ b/.github/stale.yml
@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 180
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 14
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
new file mode 100644
index 0000000..f46fa6c
--- /dev/null
+++ b/.github/workflows/fuzz.yml
@@ -0,0 +1,36 @@
+name: CI
+
+on:
+  # Trigger the workflow on push or pull requests, but only for the
+  # master branch
+  push:
+    branches:
+      - master
+      - '*/ci'
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  fuzzing:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Build Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'curl'
+        dry-run: false
+
+    - name: Run Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'curl'
+        fuzz-seconds: 2400
+        dry-run: false
+
+    - name: Upload Crash
+      uses: actions/upload-artifact@v1
+      if: failure()
+      with:
+        name: artifacts
+        path: ./out/artifacts
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
new file mode 100644
index 0000000..666c499
--- /dev/null
+++ b/.github/workflows/macos.yml
@@ -0,0 +1,97 @@
+name: CI
+
+on:
+  # Trigger the workflow on push or pull requests, but only for the
+  # master branch
+  push:
+    branches:
+    - master
+    - '*/ci'
+  pull_request:
+    branches:
+    - master
+
+jobs:
+  autotools:
+    name: macos ${{ matrix.build.name }}
+    runs-on: 'macos-latest'
+    strategy:
+      fail-fast: false
+      matrix:
+        build:
+        - name: normal
+          install: nghttp2
+        - name: debug
+          install: nghttp2
+          configure: --enable-debug --enable-werror --without-brotli --enable-mqtt
+        - name: libssh2
+          install: nghttp2 libssh2
+          configure: --enable-debug --with-libssh2
+        - name: c-ares
+          install: nghttp2
+          configure: --enable-debug --enable-ares
+        - name: HTTP only
+          install: nghttp2
+          configure: --enable-debug --enable-werror --enable-maintainer-mode --disable-dict --disable-file --disable-ftp --disable-gopher --disable-imap --disable-ldap --disable-pop3 --disable-rtmp --disable-rtsp --disable-scp --disable-sftp --disable-smb --disable-smtp --disable-telnet --disable-tftp --disable-unix-sockets --disable-shared --without-brotli --without-gssapi --without-libidn2 --without-libmetalink --without-libpsl --without-librtmp --without-libssh2 --without-nghttp2 --without-ntlm-auth --without-ssl --without-zlib
+        - name: SecureTransport metalink
+          install: nghttp2 openssl libmetalink
+          configure: --enable-debug --without-ssl --with-darwinssl --with-libmetalink
+        - name: OpenSSL metalink
+          install: nghttp2 openssl libmetalink
+          configure: --enable-debug --with-ssl=/usr/local/opt/openssl --with-libmetalink
+        - name: LibreSSL metalink
+          install: nghttp2 libressl libmetalink
+          configure: --enable-debug --with-ssl=/usr/local/opt/libressl --with-libmetalink
+        - name: torture
+          install: nghttp2 openssl
+          configure: --enable-debug --disable-shared --disable-threaded-resolver --enable-alt-svc
+          tflags: -n -t --shallow=25 !FTP
+    steps:
+    - uses: actions/checkout@v2
+
+    - run: brew update && brew install libtool autoconf automake pkg-config ${{ matrix.build.install }}
+      name: 'brew install'
+
+    - run: ./buildconf && ./configure ${{ matrix.build.configure }}
+      name: 'configure'
+
+    - run: make
+      name: 'make'
+
+    - run: make test-nonflaky
+      name: 'test'
+      env:
+        TFLAGS: "${{ matrix.build.tflags }} ~1452"
+
+  cmake:
+    name: macos cmake ${{ matrix.compiler.CC }} ${{ matrix.build.name }}
+    runs-on: 'macos-latest'
+    env: ${{ matrix.compiler }}
+    strategy:
+      fail-fast: false
+      matrix:
+        compiler:
+        - CC: clang
+          CXX: clang++
+        - CC: gcc-8
+          CXX: g++-8
+        - CC: gcc-9
+          CXX: g++-9
+        build:
+        - name: OpenSSL
+          install: nghttp2 openssl
+          generate: -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl -DCURL_DISABLE_LDAP=ON -DCURL_DISABLE_LDAPS=ON
+        - name: LibreSSL
+          install: nghttp2 libressl
+          generate: -DOPENSSL_ROOT_DIR=/usr/local/opt/libressl -DCURL_DISABLE_LDAP=ON -DCURL_DISABLE_LDAPS=ON
+    steps:
+    - uses: actions/checkout@v2
+
+    - run: brew update && brew install libtool autoconf automake pkg-config ${{ matrix.build.install }}
+      name: 'brew install'
+
+    - run: cmake -H. -Bbuild ${{ matrix.build.generate }}
+      name: 'cmake generate'
+
+    - run: cmake --build build
+      name: 'cmake build'
diff --git a/.gitignore b/.gitignore
index 183136a..9b040fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,16 +8,19 @@
 *.o
 *.obj
 *.pdb
+*.pyc
 *~
-.*.swp
+.*.sw?
 .cproject
 .deps
 .dirstamp
 .libs
 .project
 .settings
+/.vs
 /build/
 /builds/
+__pycache__
 CHANGES.dist
 Debug
 INSTALL
@@ -37,7 +40,7 @@
 configure
 curl-*.tar.bz2
 curl-*.tar.gz
-curl-*.tar.lzma
+curl-*.tar.xz
 curl-*.zip
 curl-config
 depcomp
@@ -50,3 +53,8 @@
 tags
 test-driver
 scripts/_curl
+scripts/curl.fish
+curl_fuzzer
+curl_fuzzer_seed_corpus.zip
+libstandaloneengine.a
+.checksrc
diff --git a/.lgtm.yml b/.lgtm.yml
new file mode 100644
index 0000000..4063cd3
--- /dev/null
+++ b/.lgtm.yml
@@ -0,0 +1,31 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+extraction:
+  cpp:
+    prepare:
+      packages: # to avoid confusion with libopenafs-dev which also provides a des.h
+        - libssl-dev
+    after_prepare: # make sure lgtm.com doesn't use CMake (which generates and runs tests)
+      - rm -f CMakeLists.txt
+      - ./buildconf
+    configure: # enable as many optional features as possible
+      command: ./configure --enable-ares --with-libssh2 --with-gssapi --with-librtmp --with-libmetalink
diff --git a/.mailmap b/.mailmap
new file mode 100644
index 0000000..884446c
--- /dev/null
+++ b/.mailmap
@@ -0,0 +1,66 @@
+Guenter Knauf <lists@gknw.net> <gk@gknw.de>
+Gisle Vanem <gisle.vanem@gmail.com> <gvanem@yahoo.no>
+Gisle Vanem <gisle.vanem@gmail.com> <gvanem@broadpark.no>
+Alessandro Ghedini <alessandro@ghedini.me> <alessandro@cloudflare.com>
+Alessandro Ghedini <alessandro@ghedini.me> <al3xbio@gmail.com>
+Björn Stenberg <bjorn@haxx.se>
+Björn Stenberg <bjorn@haxx.se> <bjst@bjorn>
+Viktor Szakats <commit@vszakats.net>
+Viktor Szakats <commit@vszakats.net> <vszakats@users.noreply.github.com>
+Daniel Gustafsson <daniel@yesql.se> <dgustafsson@pivotal.io>
+Daniel Gustafsson <daniel@yesql.se> <daniel@hobbit.se>
+Linus Nielsen <linus@haxx.se>
+Yamada Yasuharu <yasuharu.yamada@access-company.com>
+Ulion <ulion2002@gmail.com>
+Tim Rühsen <tim.ruehsen@gmx.de>
+Steve Holme <steve_holme@hotmail.com> <steven.holme@cubic.com>
+Claes Jakobsson <claes@surfar.nu> <claes@versed.se>
+Sergei Nikulov <sergey.nikulov@gmail.com> <snikulov@users.noreply.github.com>
+Patrick Monnerat <patrick@monnerat.net> <Patrick.Monnerat@datasphere.ch>
+Patrick Monnerat <patrick@monnerat.net> <patrick.monnerat@dh.com>
+Patrick Monnerat <patrick@monnerat.net> <pm@datasphere.ch>
+Patrick Monnerat <patrick@monnerat.net> <monnerat@users.noreply.github.com>
+Nick Zitzmann <nickzman@gmail.com> <nick@chronosnet.com>
+Peter Wu <peter@lekensteyn.nl> <peter_at_lekensteyn.nl>
+David Woodhouse <David.Woodhouse@intel.com> <dwmw2@infradead.org>
+Marcel Raad <Marcel.Raad@teamviewer.com> <raad@teamviewer.com>
+Marcel Raad <Marcel.Raad@teamviewer.com> <MarcelRaad@users.noreply.github.com>
+Marcel Raad <Marcel.Raad@teamviewer.com> <marcelraad@users.sf.net>
+Anthony Bryan <anthonybryan@gmail.com> <ant@localhost.localdomain>
+Travis Burtrum <admin@moparisthebest.com>
+Dmitry Kostjuchenko <dmitrykos@neutroncode.com>
+Richard Alcock <richard.alcock@gmail.com>
+Richard Alcock <richard.alcock@gmail.com> <richard.alcock@mathworks.co.uk>
+Jan Ehrhardt <github@ehrhardt.nl>
+Florin Petriuc <petriuc.florin@gmail.com> <pfl@northq.com>
+Pavel Pavlov <pavlov.pavel@gmail.com>
+Jason Juang <jasjuang@gmail.com>
+Carlo Teubner <carlo.teubner@gmail.com>
+Joel Depooter <joel.depooter@safe.com>
+Sebastian Mundry <mundry@outlook.com>
+Rainer Canavan <rainer.canavan@sevenval.com> <canavan@users.noreply.github.com>
+Dan Fandrich <dan@coneharvesters.com>
+Henrik S. Gaßmann <henrik@gassmann.onl>
+Jiří Malák <malak.jiri@gmail.com>
+Nick Zitzmann <nickzman@gmail.com>
+Kees Dekker <kees.dekker@infor.com>
+Max Savenkov <max.savenkov@gmail.com>
+Daniel Jelinski <daniel.jelinski@thomsonreuters.com> <30433125+djelinski@users.noreply.github.com>
+Amit Katyal <amkatyal@cisco.com>
+Giorgos Oikonomou <giorgos.n.oikonomou@gmail.com>
+Evgeny Grin <k2k@narod.ru>
+Peter Pih <railsnewbie257@gmail.com>
+Anton Malov <malov.anton@gmail.com>
+Marquis de Muesli <marquis.de.muesli@gmail.com>
+Kyohei Kadota <lufia@lufia.org>
+Lucas Pardue <lucaspardue.24.7@gmail.com> <lucas@cloudflare.com>
+Massimiliano Fantuzzi <superfantuz@gmail.com>
+Niall O'Reilly <Niall.oReilly@ucd.ie>
+Mohammad Hasbini <mohammad.hasbini@gmail.com>
+Andrew Ishchuk <andrew_ishchuk@office.targem.ru>
+Nicolas Guillier <59726521+nicoguillier@users.noreply.github.com>
+Julian Z <julianz@example.com> <jzinn@users.noreply.github.com>
+Jessa Chandler <jessachandler@gmail.com>
+Gökhan Şengün <gsengun@linux-5d7d.site> <gokhansengun@gmai.com>
+Svyatoslav Mishyn <juef@openmailbox.org>
+Douglas Steinwand <dzs-curl@dzs.fx.org>
diff --git a/.travis.yml b/.travis.yml
index bdd21b0..59f075f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,24 +1,467 @@
-os:
-  - linux
-  - osx
-
-sudo: false
-
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 language: c
+sudo: required
+cache:
+    directories:
+        - $HOME/wolfssl-4.4.0-stable
+        - $HOME/mesalink-1.0.0
+        - $HOME/nghttp2-1.39.2
+
+env:
+    global:
+        - LD_LIBRARY_PATH=/usr/local/lib
+
+addons:
+    apt:
+        config:
+            retries: true
+        sources: &common_sources
+            - ubuntu-toolchain-r-test
+        packages: &common_packages
+            - cmake
+            - gcc-8
+            - valgrind
+            - libev-dev
+            - libc-ares-dev
+            - g++-8
+            - libstdc++-8-dev
+            - stunnel4
+            - libidn2-0-dev
+            - gnutls-bin
+            - python-impacket
+
+matrix:
+    include:
+        - os: linux
+          compiler: gcc
+          dist: trusty
+          env:
+              - T=normal C="--with-gssapi --with-libssh2" CHECKSRC=1
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - krb5-user
+                      - libssh2-1-dev
+        - os: linux
+          compiler: gcc
+          dist: trusty
+          env:
+              - T=normal C=--with-libssh
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libssh-dev
+        - os: linux
+          compiler: gcc
+          dist: trusty
+          env:
+              - T=normal C="--enable-ares"
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+        - os: linux
+          compiler: gcc
+          dist: trusty
+          env:
+              - T=normal C="--enable-mqtt"
+        - os: linux
+          compiler: gcc
+          dist: bionic
+          env:
+              - T=normal C="--disable-verbose" CPPFLAGS="-Wno-variadic-macros" NOTESTS=1
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: gcc
+          dist: bionic
+          before_install:
+              # Install and use the current stable release of Go
+              - gimme --list
+              - eval "$(gimme stable)"
+              - gimme --list
+          env:
+              - T=novalgrind BORINGSSL=yes C="--with-ssl=$HOME/boringssl" LD_LIBRARY_PATH=/home/travis/boringssl/lib:/usr/local/lib
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - ppa:longsleep/golang-backports
+                      - *common_sources
+                  packages:
+                      - *common_packages
+        - os: linux
+          compiler: gcc
+          dist: bionic
+          before_install:
+              # Install and use the current stable release of Go
+              - gimme --list
+              - eval "$(gimme stable)"
+              - gimme --list
+          env:
+              - T=novalgrind BORINGSSL=yes QUICHE="yes" C="--with-ssl=$HOME/boringssl --with-quiche=$HOME/quiche/target/release --enable-alt-svc" LD_LIBRARY_PATH=/home/travis/boringssl/lib:$HOME/quiche/target/release:/usr/local/lib
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: gcc
+          dist: xenial
+          env:
+              - T=novalgrind NGTCP2=yes C="--with-ssl=$HOME/ngbuild --with-ngtcp2=$HOME/ngbuild --with-nghttp3=$HOME/ngbuild --enable-alt-svc" NOTESTS=
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: gcc
+          dist: xenial
+          env:
+              - T=novalgrind NGTCP2=yes GNUTLS=yes C="PKG_CONFIG_PATH=$HOME/ngbuild --without-ssl --with-gnutls=$HOME/ngbuild --with-ngtcp2=$HOME/ngbuild --with-nghttp3=$HOME/ngbuild --enable-alt-svc" NOTESTS=
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+                      - autogen
+                      - automake
+                      - autopoint
+                      - bison
+                      - gperf
+                      - libgmp-dev
+                      - libopts25-dev
+                      - libp11-kit-dev
+                      - libtasn1-6-dev
+                      - nettle-dev
+        - os: linux
+          compiler: gcc
+          dist: bionic
+          env:
+              - T=debug-wolfssl C="--with-wolfssl --without-ssl"
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: gcc
+          dist: bionic
+          env:
+              - T=debug-mesalink C="--with-mesalink --without-ssl"
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: xenial
+          env:
+              - T=debug
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-xenial-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: xenial
+          env:
+              - T=debug C="--enable-alt-svc"
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-xenial-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: xenial
+          env:
+              - T=debug C="--with-mbedtls --without-ssl"
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-xenial-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libpsl-dev
+                      - libbrotli-dev
+                      - libmbedtls-dev
+        - os: linux
+          compiler: clang
+          dist: bionic
+          env:
+              - T=debug C="--with-gnutls --without-ssl"
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-bionic-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libgnutls28-dev
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: bionic
+          env:
+              - T=debug C="--with-nss --without-ssl" NOTESTS=1 CPPFLAGS="-isystem /usr/include/nss"
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-bionic-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libnss3-dev
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: gcc
+          dist: trusty
+          env:
+              - T=iconv
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+        - os: linux
+          compiler: gcc
+          dist: bionic
+          env:
+              - T=cmake
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: bionic
+          env:
+              - T=cmake
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-bionic-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: gcc
+          dist: xenial
+          env:
+              - T=torture
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - lcov
+                      - libpsl-dev
+                      - libbrotli-dev
+                      - libssh2-1-dev
+        - os: linux
+          compiler: gcc
+          dist: bionic
+          env:
+              - T=distcheck
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: bionic
+          env:
+              - T=fuzzer
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-bionic-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: bionic
+          env:
+              - T=tidy
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-bionic-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - clang-tidy-7
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: bionic
+          env:
+              - T=scan-build
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-bionic-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          compiler: clang
+          dist: xenial
+          env:
+              - T=debug CFLAGS="-fsanitize=address,undefined,signed-integer-overflow -fno-sanitize-recover=undefined,integer -Wformat -Werror=format-security -Werror=array-bounds -g" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=undefined,integer" LIBS="-ldl -lubsan"
+              - OVERRIDE_CC="CC=clang-7" OVERRIDE_CXX="CXX=clang++-7"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                      - llvm-toolchain-xenial-7
+                  packages:
+                      - *common_packages
+                      - clang-7
+                      - libpsl-dev
+                      - libbrotli-dev
+        - os: linux
+          arch: arm64
+          compiler: gcc
+          dist: bionic
+          env:
+              - T=debug C="--enable-alt-svc"
+              - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
+          addons:
+              apt:
+                  sources:
+                      - *common_sources
+                  packages:
+                      - *common_packages
+                      - libpsl-dev
+                      - libbrotli-dev
+                      - libev-dev
+                      - libssl-dev
+                      - libtool
+                      - pkg-config
+                      - zlib1g-dev
+
+before_install:
+  - export "${OVERRIDE_CC-blank=}"
+  - export "${OVERRIDE_CXX-blank=}"
 
 install:
-  - if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew update > /dev/null; fi
-  - if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew reinstall libtool > /dev/null; fi
-  - if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew install openssl libidn rtmpdump libssh2 c-ares libmetalink libressl nghttp2; fi
+  - if [ "$T" = "coverage" ]; then pip2 install --user cpp-coveralls; fi
 
+# before_script and script:
+# Travis isn't reliable catching errors in inline script commands (#3730).
+# Do not add anything here, instead add to the respective script.
 before_script:
-  - ./buildconf
+  - ./scripts/travis/before_script.sh || travis_terminate 1
+script:
+  - ./scripts/travis/script.sh || travis_terminate 1
 
-script: ./configure --enable-debug && make && make test-full
-
-compiler:
-  - clang
-  - gcc
+# whitelist branches to avoid testing feature branches twice (as branch and as pull request)
+branches:
+    only:
+        - master
+        - /\/ci$/
 
 notifications:
   email: false
diff --git a/BUILD.gn b/BUILD.gn
index c2c4a9c..5aeb395 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -67,32 +67,17 @@
   ]
 }
 
-copy("copy_curlbuild") {
-  visibility = [ ":*" ]
-  if (is_fuchsia) {
-    sources = [
-      "include/curl/curlbuild.h.fuchsia",
-    ]
-  } else {
-    sources = [
-      "include/curl/curlbuild.h",
-    ]
-  }
-  outputs = [
-    "$target_gen_dir/curl/curlbuild.h",
-  ]
-}
-
 target(default_library_type, "libcurl") {
   output_name = "curl"
 
   sources = [
+    "lib/altsvc.c",
     "lib/amigaos.c",
     "lib/amigaos.h",
     "lib/arpa_telnet.h",
     "lib/asyn-ares.c",
-    "lib/asyn-thread.c",
     "lib/asyn.h",
+    "lib/asyn-thread.c",
     "lib/base64.c",
     "lib/conncache.c",
     "lib/conncache.h",
@@ -105,6 +90,8 @@
     "lib/curl_addrinfo.c",
     "lib/curl_addrinfo.h",
     "lib/curl_base64.h",
+    "lib/curl_ctype.c",
+    "lib/curl_ctype.h",
     "lib/curl_des.c",
     "lib/curl_des.h",
     "lib/curl_endian.c",
@@ -113,6 +100,8 @@
     "lib/curl_fnmatch.h",
     "lib/curl_gethostname.c",
     "lib/curl_gethostname.h",
+    "lib/curl_get_line.c",
+    "lib/curl_get_line.h",
     "lib/curl_gssapi.c",
     "lib/curl_gssapi.h",
     "lib/curl_hmac.h",
@@ -129,6 +118,8 @@
     "lib/curl_ntlm_wb.c",
     "lib/curl_ntlm_wb.h",
     "lib/curl_printf.h",
+    "lib/curl_range.c",
+    "lib/curl_range.h",
     "lib/curl_rtmp.c",
     "lib/curl_rtmp.h",
     "lib/curl_sasl.c",
@@ -136,6 +127,7 @@
     "lib/curl_sec.h",
     "lib/curl_setup.h",
     "lib/curl_setup_once.h",
+    "lib/curl_sha256.h",
     "lib/curl_sspi.c",
     "lib/curl_sspi.h",
     "lib/curl_threads.c",
@@ -143,6 +135,8 @@
     "lib/curlx.h",
     "lib/dict.c",
     "lib/dict.h",
+    "lib/doh.c",
+    "lib/doh.h",
     "lib/dotdot.c",
     "lib/dotdot.h",
     "lib/easy.c",
@@ -170,19 +164,19 @@
     "lib/hostasyn.c",
     "lib/hostcheck.c",
     "lib/hostcheck.h",
-    "lib/hostip.c",
-    "lib/hostip.h",
     "lib/hostip4.c",
     "lib/hostip6.c",
+    "lib/hostip.c",
+    "lib/hostip.h",
     "lib/hostsyn.c",
-    "lib/http.c",
-    "lib/http.h",
     "lib/http2.c",
     "lib/http2.h",
+    "lib/http.c",
     "lib/http_chunks.c",
     "lib/http_chunks.h",
     "lib/http_digest.c",
     "lib/http_digest.h",
+    "lib/http.h",
     "lib/http_negotiate.c",
     "lib/http_negotiate.h",
     "lib/http_ntlm.c",
@@ -206,6 +200,8 @@
     "lib/md5.c",
     "lib/memdebug.c",
     "lib/memdebug.h",
+    "lib/mime.c",
+    "lib/mime.h",
     "lib/mprintf.c",
     "lib/multi.c",
     "lib/multihandle.h",
@@ -221,14 +217,14 @@
     "lib/parsedate.h",
     "lib/pingpong.c",
     "lib/pingpong.h",
-    "lib/pipeline.c",
-    "lib/pipeline.h",
     "lib/pop3.c",
     "lib/pop3.h",
     "lib/progress.c",
     "lib/progress.h",
     "lib/rand.c",
     "lib/rand.h",
+    "lib/rename.c",
+    "lib/rename.h",
     "lib/rtsp.c",
     "lib/rtsp.h",
     "lib/security.c",
@@ -236,7 +232,10 @@
     "lib/select.h",
     "lib/sendf.c",
     "lib/sendf.h",
+    "lib/setopt.c",
+    "lib/setopt.h",
     "lib/setup-vms.h",
+    "lib/sha256.c",
     "lib/share.c",
     "lib/share.h",
     "lib/sigpipe.h",
@@ -248,15 +247,13 @@
     "lib/smtp.h",
     "lib/sockaddr.h",
     "lib/socks.c",
-    "lib/socks.h",
     "lib/socks_gssapi.c",
+    "lib/socks.h",
     "lib/socks_sspi.c",
     "lib/speedcheck.c",
     "lib/speedcheck.h",
     "lib/splay.c",
     "lib/splay.h",
-    "lib/ssh.c",
-    "lib/ssh.h",
     "lib/strcase.c",
     "lib/strcase.h",
     "lib/strdup.c",
@@ -277,9 +274,10 @@
     "lib/timeval.h",
     "lib/transfer.c",
     "lib/transfer.h",
+    "lib/urlapi.c",
     "lib/url.c",
-    "lib/url.h",
     "lib/urldata.h",
+    "lib/url.h",
     "lib/vauth/cleartext.c",
     "lib/vauth/cram.c",
     "lib/vauth/digest.c",
@@ -296,12 +294,6 @@
     "lib/vauth/vauth.c",
     "lib/vauth/vauth.h",
     "lib/version.c",
-    "lib/vtls/axtls.c",
-    "lib/vtls/axtls.h",
-    "lib/vtls/cyassl.c",
-    "lib/vtls/cyassl.h",
-    "lib/vtls/darwinssl.c",
-    "lib/vtls/darwinssl.h",
     "lib/vtls/gskit.c",
     "lib/vtls/gskit.h",
     "lib/vtls/gtls.c",
@@ -312,10 +304,6 @@
     "lib/vtls/nssg.h",
     "lib/vtls/openssl.c",
     "lib/vtls/openssl.h",
-    "lib/vtls/polarssl.c",
-    "lib/vtls/polarssl.h",
-    "lib/vtls/polarssl_threadlock.c",
-    "lib/vtls/polarssl_threadlock.h",
     "lib/vtls/schannel.c",
     "lib/vtls/schannel.h",
     "lib/vtls/vtls.c",
@@ -329,7 +317,6 @@
   ]
   deps = [
     ":copy_curl_config",
-    ":copy_curlbuild",
     "//third_party/boringssl",
     "//third_party/zlib",
   ]
@@ -355,6 +342,8 @@
   output_name = "curl"
   sources = [
     "lib/curl_setup.h",
+    "lib/curl_ctype.c",
+    "lib/curl_ctype.h",
     "lib/nonblock.c",
     "lib/nonblock.h",
     "lib/strtoofft.c",
@@ -389,6 +378,8 @@
     "src/tool_doswin.h",
     "src/tool_easysrc.c",
     "src/tool_easysrc.h",
+    "src/tool_filetime.c",
+    "src/tool_filetime.h",
     "src/tool_formparse.c",
     "src/tool_formparse.h",
     "src/tool_getparam.c",
@@ -409,8 +400,6 @@
     "src/tool_main.h",
     "src/tool_metalink.c",
     "src/tool_metalink.h",
-    "src/tool_mfiles.c",
-    "src/tool_mfiles.h",
     "src/tool_msgs.c",
     "src/tool_msgs.h",
     "src/tool_operate.c",
@@ -423,6 +412,8 @@
     "src/tool_paramhlp.h",
     "src/tool_parsecfg.c",
     "src/tool_parsecfg.h",
+    "src/tool_progress.c",
+    "src/tool_progress.h",
     "src/tool_sdecls.h",
     "src/tool_setopt.c",
     "src/tool_setopt.h",
@@ -438,16 +429,15 @@
     "src/tool_version.h",
     "src/tool_vms.c",
     "src/tool_vms.h",
-    "src/tool_writeenv.c",
-    "src/tool_writeenv.h",
     "src/tool_writeout.c",
     "src/tool_writeout.h",
+    "src/tool_writeout_json.c",
+    "src/tool_writeout_json.h",
     "src/tool_xattr.c",
     "src/tool_xattr.h",
   ]
   deps = [
     ":copy_curl_config",
-    ":copy_curlbuild",
     ":libcurl",
     "//third_party/zlib",
   ]
diff --git a/CMake/CMakeConfigurableFile.in b/CMake/CMakeConfigurableFile.in
index 4cf74a1..2bafe2c 100644
--- a/CMake/CMakeConfigurableFile.in
+++ b/CMake/CMakeConfigurableFile.in
@@ -1,2 +1,22 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 @CMAKE_CONFIGURABLE_FILE_CONTENT@
-
diff --git a/CMake/CurlSymbolHiding.cmake b/CMake/CurlSymbolHiding.cmake
index 9f7d296..aaac9fe 100644
--- a/CMake/CurlSymbolHiding.cmake
+++ b/CMake/CurlSymbolHiding.cmake
@@ -1,60 +1,75 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 include(CheckCSourceCompiles)
 
 option(CURL_HIDDEN_SYMBOLS "Set to ON to hide libcurl internal symbols (=hide all symbols that aren't officially external)." ON)
 mark_as_advanced(CURL_HIDDEN_SYMBOLS)
 
 if(CURL_HIDDEN_SYMBOLS)
-    set(SUPPORTS_SYMBOL_HIDING FALSE)
+  set(SUPPORTS_SYMBOL_HIDING FALSE)
 
-    if(CMAKE_C_COMPILER_ID MATCHES "Clang")
-        set(SUPPORTS_SYMBOL_HIDING TRUE)
-        set(_SYMBOL_EXTERN "__attribute__ ((__visibility__ (\"default\")))")
-        set(_CFLAG_SYMBOLS_HIDE "-fvisibility=hidden")
-    elseif(CMAKE_COMPILER_IS_GNUCC)
-        if(NOT CMAKE_VERSION VERSION_LESS 2.8.10)
-            set(GCC_VERSION ${CMAKE_C_COMPILER_VERSION})
-        else()
-            execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
-                            OUTPUT_VARIABLE GCC_VERSION)
-        endif()
-        if(NOT GCC_VERSION VERSION_LESS 3.4)
-            # note: this is considered buggy prior to 4.0 but the autotools don't care, so let's ignore that fact
-            set(SUPPORTS_SYMBOL_HIDING TRUE)
-            set(_SYMBOL_EXTERN "__attribute__ ((__visibility__ (\"default\")))")
-            set(_CFLAG_SYMBOLS_HIDE "-fvisibility=hidden")
-        endif()
-    elseif(CMAKE_C_COMPILER_ID MATCHES "SunPro" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 8.0)
-        set(SUPPORTS_SYMBOL_HIDING TRUE)
-        set(_SYMBOL_EXTERN "__global")
-        set(_CFLAG_SYMBOLS_HIDE "-xldscope=hidden")
-    elseif(CMAKE_C_COMPILER_ID MATCHES "Intel" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 9.0)
-        # note: this should probably just check for version 9.1.045 but I'm not 100% sure
-        #       so let's to it the same way autotools do.
-        set(SUPPORTS_SYMBOL_HIDING TRUE)
-        set(_SYMBOL_EXTERN "__attribute__ ((__visibility__ (\"default\")))")
-        set(_CFLAG_SYMBOLS_HIDE "-fvisibility=hidden")
-        check_c_source_compiles("#include <stdio.h>
-            int main (void) { printf(\"icc fvisibility bug test\"); return 0; }" _no_bug)
-        if(NOT _no_bug)
-            set(SUPPORTS_SYMBOL_HIDING FALSE)
-            set(_SYMBOL_EXTERN "")
-            set(_CFLAG_SYMBOLS_HIDE "")
-        endif()
-    elseif(MSVC)
-        set(SUPPORTS_SYMBOL_HIDING TRUE)
+  if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+    set(SUPPORTS_SYMBOL_HIDING TRUE)
+    set(_SYMBOL_EXTERN "__attribute__ ((__visibility__ (\"default\")))")
+    set(_CFLAG_SYMBOLS_HIDE "-fvisibility=hidden")
+  elseif(CMAKE_COMPILER_IS_GNUCC)
+    if(NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 3.4)
+      # note: this is considered buggy prior to 4.0 but the autotools don't care, so let's ignore that fact
+      set(SUPPORTS_SYMBOL_HIDING TRUE)
+      set(_SYMBOL_EXTERN "__attribute__ ((__visibility__ (\"default\")))")
+      set(_CFLAG_SYMBOLS_HIDE "-fvisibility=hidden")
     endif()
+  elseif(CMAKE_C_COMPILER_ID MATCHES "SunPro" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 8.0)
+    set(SUPPORTS_SYMBOL_HIDING TRUE)
+    set(_SYMBOL_EXTERN "__global")
+    set(_CFLAG_SYMBOLS_HIDE "-xldscope=hidden")
+  elseif(CMAKE_C_COMPILER_ID MATCHES "Intel" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 9.0)
+    # note: this should probably just check for version 9.1.045 but I'm not 100% sure
+    #       so let's do it the same way autotools do.
+    set(SUPPORTS_SYMBOL_HIDING TRUE)
+    set(_SYMBOL_EXTERN "__attribute__ ((__visibility__ (\"default\")))")
+    set(_CFLAG_SYMBOLS_HIDE "-fvisibility=hidden")
+    check_c_source_compiles("#include <stdio.h>
+        int main (void) { printf(\"icc fvisibility bug test\"); return 0; }" _no_bug)
+    if(NOT _no_bug)
+      set(SUPPORTS_SYMBOL_HIDING FALSE)
+      set(_SYMBOL_EXTERN "")
+      set(_CFLAG_SYMBOLS_HIDE "")
+    endif()
+  elseif(MSVC)
+    set(SUPPORTS_SYMBOL_HIDING TRUE)
+  endif()
 
-    set(HIDES_CURL_PRIVATE_SYMBOLS ${SUPPORTS_SYMBOL_HIDING})
+  set(HIDES_CURL_PRIVATE_SYMBOLS ${SUPPORTS_SYMBOL_HIDING})
 elseif(MSVC)
-    if(NOT CMAKE_VERSION VERSION_LESS 3.7)
-        set(CMAKE_WINDOWS_EXPORT_ALL_SYMBOLS TRUE) #present since 3.4.3 but broken
-        set(HIDES_CURL_PRIVATE_SYMBOLS FALSE)
-    else()
-        message(WARNING "Hiding private symbols regardless CURL_HIDDEN_SYMBOLS being disabled.")
-        set(HIDES_CURL_PRIVATE_SYMBOLS TRUE)
-    endif()
-elseif()
+  if(NOT CMAKE_VERSION VERSION_LESS 3.7)
+    set(CMAKE_WINDOWS_EXPORT_ALL_SYMBOLS TRUE) #present since 3.4.3 but broken
     set(HIDES_CURL_PRIVATE_SYMBOLS FALSE)
+  else()
+    message(WARNING "Hiding private symbols regardless CURL_HIDDEN_SYMBOLS being disabled.")
+    set(HIDES_CURL_PRIVATE_SYMBOLS TRUE)
+  endif()
+else()
+  set(HIDES_CURL_PRIVATE_SYMBOLS FALSE)
 endif()
 
 set(CURL_CFLAG_SYMBOLS_HIDE ${_CFLAG_SYMBOLS_HIDE})
diff --git a/CMake/CurlTests.c b/CMake/CurlTests.c
index bc36c8e..3ef35f0 100644
--- a/CMake/CurlTests.c
+++ b/CMake/CurlTests.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -125,6 +125,7 @@
 #if   defined(HAVE_GETHOSTBYADDR_R_5) || \
       defined(HAVE_GETHOSTBYADDR_R_5_REENTRANT)
   rc = gethostbyaddr_r(address, length, type, &h, &hdata);
+  (void)rc;
 #elif defined(HAVE_GETHOSTBYADDR_R_7) || \
       defined(HAVE_GETHOSTBYADDR_R_7_REENTRANT)
   hp = gethostbyaddr_r(address, length, type, &h, buffer, 8192, &h_errnop);
@@ -132,6 +133,7 @@
 #elif defined(HAVE_GETHOSTBYADDR_R_8) || \
       defined(HAVE_GETHOSTBYADDR_R_8_REENTRANT)
   rc = gethostbyaddr_r(address, length, type, &h, buffer, 8192, &hp, &h_errnop);
+  (void)rc;
 #endif
 
 #if   defined(HAVE_GETHOSTBYNAME_R_3) || \
@@ -240,6 +242,7 @@
 #ifndef inet_ntoa_r
   func_type func;
   func = (func_type)inet_ntoa_r;
+  (void)func;
 #endif
   return 0;
 }
@@ -255,6 +258,7 @@
 #ifndef inet_ntoa_r
   func_type func;
   func = (func_type)&inet_ntoa_r;
+  (void)func;
 #endif
   return 0;
 }
@@ -507,30 +511,30 @@
 #ifdef HAVE_GLIBC_STRERROR_R
 #include <string.h>
 #include <errno.h>
+
+void check(char c) {}
+
 int
 main () {
-  char buffer[1024]; /* big enough to play with */
-  char *string =
-    strerror_r(EACCES, buffer, sizeof(buffer));
-    /* this should've returned a string */
-    if(!string || !string[0])
-      return 99;
-    return 0;
+  char buffer[1024];
+  /* This will not compile if strerror_r does not return a char* */
+  check(strerror_r(EACCES, buffer, sizeof(buffer))[0]);
+  return 0;
 }
 #endif
 #ifdef HAVE_POSIX_STRERROR_R
 #include <string.h>
 #include <errno.h>
+
+/* float, because a pointer can't be implicitly cast to float */
+void check(float f) {}
+
 int
 main () {
-  char buffer[1024]; /* big enough to play with */
-  int error =
-    strerror_r(EACCES, buffer, sizeof(buffer));
-    /* This should've returned zero, and written an error string in the
-       buffer.*/
-    if(!buffer[0] || error)
-      return 99;
-    return 0;
+  char buffer[1024];
+  /* This will not compile if strerror_r does not return an int */
+  check(strerror_r(EACCES, buffer, sizeof(buffer)));
+  return 0;
 }
 #endif
 #ifdef HAVE_FSETXATTR_6
@@ -549,3 +553,65 @@
   return 0;
 }
 #endif
+#ifdef HAVE_CLOCK_GETTIME_MONOTONIC
+#include <time.h>
+int
+main() {
+  struct timespec ts = {0, 0};
+  clock_gettime(CLOCK_MONOTONIC, &ts);
+  return 0;
+}
+#endif
+#ifdef HAVE_BUILTIN_AVAILABLE
+int
+main() {
+  if(__builtin_available(macOS 10.12, *)) {}
+  return 0;
+}
+#endif
+#ifdef HAVE_VARIADIC_MACROS_C99
+#define c99_vmacro3(first, ...) fun3(first, __VA_ARGS__)
+#define c99_vmacro2(first, ...) fun2(first, __VA_ARGS__)
+
+int fun3(int arg1, int arg2, int arg3);
+int fun2(int arg1, int arg2);
+
+int fun3(int arg1, int arg2, int arg3) {
+  return arg1 + arg2 + arg3;
+}
+int fun2(int arg1, int arg2) {
+  return arg1 + arg2;
+}
+
+int
+main() {
+  int res3 = c99_vmacro3(1, 2, 3);
+  int res2 = c99_vmacro2(1, 2);
+  (void)res3;
+  (void)res2;
+  return 0;
+}
+#endif
+#ifdef HAVE_VARIADIC_MACROS_GCC
+#define gcc_vmacro3(first, args...) fun3(first, args)
+#define gcc_vmacro2(first, args...) fun2(first, args)
+
+int fun3(int arg1, int arg2, int arg3);
+int fun2(int arg1, int arg2);
+
+int fun3(int arg1, int arg2, int arg3) {
+  return arg1 + arg2 + arg3;
+}
+int fun2(int arg1, int arg2) {
+  return arg1 + arg2;
+}
+
+int
+main() {
+  int res3 = gcc_vmacro3(1, 2, 3);
+  int res2 = gcc_vmacro2(1, 2);
+  (void)res3;
+  (void)res2;
+  return 0;
+}
+#endif
diff --git a/CMake/FindBearSSL.cmake b/CMake/FindBearSSL.cmake
new file mode 100644
index 0000000..a8f72c9
--- /dev/null
+++ b/CMake/FindBearSSL.cmake
@@ -0,0 +1,30 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+find_path(BEARSSL_INCLUDE_DIRS bearssl.h)
+
+find_library(BEARSSL_LIBRARY bearssl)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(BEARSSL DEFAULT_MSG
+    BEARSSL_INCLUDE_DIRS BEARSSL_LIBRARY)
+
+mark_as_advanced(BEARSSL_INCLUDE_DIRS BEARSSL_LIBRARY)
diff --git a/CMake/FindBrotli.cmake b/CMake/FindBrotli.cmake
new file mode 100644
index 0000000..c43172b
--- /dev/null
+++ b/CMake/FindBrotli.cmake
@@ -0,0 +1,41 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+include(FindPackageHandleStandardArgs)
+
+find_path(BROTLI_INCLUDE_DIR "brotli/decode.h")
+
+find_library(BROTLICOMMON_LIBRARY NAMES brotlicommon)
+find_library(BROTLIDEC_LIBRARY NAMES brotlidec)
+
+find_package_handle_standard_args(BROTLI
+    FOUND_VAR
+      BROTLI_FOUND
+    REQUIRED_VARS
+      BROTLIDEC_LIBRARY
+      BROTLICOMMON_LIBRARY
+      BROTLI_INCLUDE_DIR
+    FAIL_MESSAGE
+      "Could NOT find BROTLI"
+)
+
+set(BROTLI_INCLUDE_DIRS ${BROTLI_INCLUDE_DIR})
+set(BROTLI_LIBRARIES ${BROTLICOMMON_LIBRARY} ${BROTLIDEC_LIBRARY})
diff --git a/CMake/FindCARES.cmake b/CMake/FindCARES.cmake
index c4ab5f1..9160ae5 100644
--- a/CMake/FindCARES.cmake
+++ b/CMake/FindCARES.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 # - Find c-ares
 # Find the c-ares includes and library
 # This module defines
@@ -7,36 +28,18 @@
 # also defined, but not for general use are
 # CARES_LIBRARY, where to find the c-ares library.
 
-FIND_PATH(CARES_INCLUDE_DIR ares.h
-  /usr/local/include
-  /usr/include
-  )
+find_path(CARES_INCLUDE_DIR ares.h)
 
-SET(CARES_NAMES ${CARES_NAMES} cares)
-FIND_LIBRARY(CARES_LIBRARY
+set(CARES_NAMES ${CARES_NAMES} cares)
+find_library(CARES_LIBRARY
   NAMES ${CARES_NAMES}
-  PATHS /usr/lib /usr/local/lib
   )
 
-IF (CARES_LIBRARY AND CARES_INCLUDE_DIR)
-  SET(CARES_LIBRARIES ${CARES_LIBRARY})
-  SET(CARES_FOUND "YES")
-ELSE (CARES_LIBRARY AND CARES_INCLUDE_DIR)
-  SET(CARES_FOUND "NO")
-ENDIF (CARES_LIBRARY AND CARES_INCLUDE_DIR)
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(CARES
+    REQUIRED_VARS CARES_LIBRARY CARES_INCLUDE_DIR)
 
-
-IF (CARES_FOUND)
-  IF (NOT CARES_FIND_QUIETLY)
-    MESSAGE(STATUS "Found c-ares: ${CARES_LIBRARIES}")
-  ENDIF (NOT CARES_FIND_QUIETLY)
-ELSE (CARES_FOUND)
-  IF (CARES_FIND_REQUIRED)
-    MESSAGE(FATAL_ERROR "Could not find c-ares library")
-  ENDIF (CARES_FIND_REQUIRED)
-ENDIF (CARES_FOUND)
-
-MARK_AS_ADVANCED(
+mark_as_advanced(
   CARES_LIBRARY
   CARES_INCLUDE_DIR
   )
diff --git a/CMake/FindGSS.cmake b/CMake/FindGSS.cmake
index dfaeaf3..02111a2 100644
--- a/CMake/FindGSS.cmake
+++ b/CMake/FindGSS.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 # - Try to find the GSS Kerberos library
 # Once done this will define
 #
@@ -12,7 +33,7 @@
 #  GSS_LINKER_FLAGS - Additional linker flags
 #  GSS_COMPILER_FLAGS - Additional compiler flags
 #  GSS_VERSION - This is set to version advertised by pkg-config or read from manifest.
-#                In case the library is found but no version info availabe it'll be set to "unknown"
+#                In case the library is found but no version info available it'll be set to "unknown"
 
 set(_MIT_MODNAME mit-krb5-gssapi)
 set(_HEIMDAL_MODNAME heimdal-gssapi)
@@ -28,211 +49,213 @@
 
 # try to find library using system pkg-config if user didn't specify root dir
 if(NOT GSS_ROOT_DIR AND NOT "$ENV{GSS_ROOT_DIR}")
-    if(UNIX)
-        find_package(PkgConfig QUIET)
-        pkg_search_module(_GSS_PKG ${_MIT_MODNAME} ${_HEIMDAL_MODNAME})
-        list(APPEND _GSS_ROOT_HINTS "${_GSS_PKG_PREFIX}")
-    elseif(WIN32)
-        list(APPEND _GSS_ROOT_HINTS "[HKEY_LOCAL_MACHINE\\SOFTWARE\\MIT\\Kerberos;InstallDir]")
-    endif()
+  if(UNIX)
+    find_package(PkgConfig QUIET)
+    pkg_search_module(_GSS_PKG ${_MIT_MODNAME} ${_HEIMDAL_MODNAME})
+    list(APPEND _GSS_ROOT_HINTS "${_GSS_PKG_PREFIX}")
+  elseif(WIN32)
+    list(APPEND _GSS_ROOT_HINTS "[HKEY_LOCAL_MACHINE\\SOFTWARE\\MIT\\Kerberos;InstallDir]")
+  endif()
 endif()
 
 if(NOT _GSS_FOUND) #not found by pkg-config. Let's take more traditional approach.
-    find_file(_GSS_CONFIGURE_SCRIPT
+  find_file(_GSS_CONFIGURE_SCRIPT
+      NAMES
+          "krb5-config"
+      HINTS
+          ${_GSS_ROOT_HINTS}
+      PATH_SUFFIXES
+          bin
+      NO_CMAKE_PATH
+      NO_CMAKE_ENVIRONMENT_PATH
+  )
+
+  # if not found in user-supplied directories, maybe system knows better
+  find_file(_GSS_CONFIGURE_SCRIPT
+      NAMES
+          "krb5-config"
+      PATH_SUFFIXES
+          bin
+  )
+
+  if(_GSS_CONFIGURE_SCRIPT)
+    execute_process(
+          COMMAND ${_GSS_CONFIGURE_SCRIPT} "--cflags" "gssapi"
+          OUTPUT_VARIABLE _GSS_CFLAGS
+          RESULT_VARIABLE _GSS_CONFIGURE_FAILED
+          OUTPUT_STRIP_TRAILING_WHITESPACE
+      )
+    message(STATUS "CFLAGS: ${_GSS_CFLAGS}")
+    if(NOT _GSS_CONFIGURE_FAILED) # 0 means success
+      # should also work in an odd case when multiple directories are given
+      string(STRIP "${_GSS_CFLAGS}" _GSS_CFLAGS)
+      string(REGEX REPLACE " +-I" ";" _GSS_CFLAGS "${_GSS_CFLAGS}")
+      string(REGEX REPLACE " +-([^I][^ \\t;]*)" ";-\\1" _GSS_CFLAGS "${_GSS_CFLAGS}")
+
+      foreach(_flag ${_GSS_CFLAGS})
+        if(_flag MATCHES "^-I.*")
+          string(REGEX REPLACE "^-I" "" _val "${_flag}")
+          list(APPEND _GSS_INCLUDE_DIR "${_val}")
+        else()
+          list(APPEND _GSS_COMPILER_FLAGS "${_flag}")
+        endif()
+      endforeach()
+    endif()
+
+    execute_process(
+        COMMAND ${_GSS_CONFIGURE_SCRIPT} "--libs" "gssapi"
+        OUTPUT_VARIABLE _GSS_LIB_FLAGS
+        RESULT_VARIABLE _GSS_CONFIGURE_FAILED
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+    )
+    message(STATUS "LDFLAGS: ${_GSS_LIB_FLAGS}")
+
+    if(NOT _GSS_CONFIGURE_FAILED) # 0 means success
+      # this script gives us libraries and link directories. Blah. We have to deal with it.
+      string(STRIP "${_GSS_LIB_FLAGS}" _GSS_LIB_FLAGS)
+      string(REGEX REPLACE " +-(L|l)" ";-\\1" _GSS_LIB_FLAGS "${_GSS_LIB_FLAGS}")
+      string(REGEX REPLACE " +-([^Ll][^ \\t;]*)" ";-\\1" _GSS_LIB_FLAGS "${_GSS_LIB_FLAGS}")
+
+      foreach(_flag ${_GSS_LIB_FLAGS})
+        if(_flag MATCHES "^-l.*")
+          string(REGEX REPLACE "^-l" "" _val "${_flag}")
+          list(APPEND _GSS_LIBRARIES "${_val}")
+        elseif(_flag MATCHES "^-L.*")
+          string(REGEX REPLACE "^-L" "" _val "${_flag}")
+          list(APPEND _GSS_LINK_DIRECTORIES "${_val}")
+        else()
+          list(APPEND _GSS_LINKER_FLAGS "${_flag}")
+        endif()
+      endforeach()
+    endif()
+
+    execute_process(
+        COMMAND ${_GSS_CONFIGURE_SCRIPT} "--version"
+        OUTPUT_VARIABLE _GSS_VERSION
+        RESULT_VARIABLE _GSS_CONFIGURE_FAILED
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+    )
+
+    # older versions may not have the "--version" parameter. In this case we just don't care.
+    if(_GSS_CONFIGURE_FAILED)
+      set(_GSS_VERSION 0)
+    endif()
+
+    execute_process(
+        COMMAND ${_GSS_CONFIGURE_SCRIPT} "--vendor"
+        OUTPUT_VARIABLE _GSS_VENDOR
+        RESULT_VARIABLE _GSS_CONFIGURE_FAILED
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+    )
+
+    # older versions may not have the "--vendor" parameter. In this case we just don't care.
+    if(_GSS_CONFIGURE_FAILED)
+      set(GSS_FLAVOUR "Heimdal") # most probably, shouldn't really matter
+    else()
+      if(_GSS_VENDOR MATCHES ".*H|heimdal.*")
+        set(GSS_FLAVOUR "Heimdal")
+      else()
+        set(GSS_FLAVOUR "MIT")
+      endif()
+    endif()
+
+  else() # either there is no config script or we are on a platform that doesn't provide one (Windows?)
+
+    find_path(_GSS_INCLUDE_DIR
         NAMES
-            "krb5-config"
+            "gssapi/gssapi.h"
         HINTS
             ${_GSS_ROOT_HINTS}
         PATH_SUFFIXES
-            bin
-        NO_CMAKE_PATH
-        NO_CMAKE_ENVIRONMENT_PATH
+            include
+            inc
     )
 
-    # if not found in user-supplied directories, maybe system knows better
-    find_file(_GSS_CONFIGURE_SCRIPT
-        NAMES
-            "krb5-config"
-        PATH_SUFFIXES
-            bin
-    )
+    if(_GSS_INCLUDE_DIR) #jay, we've found something
+      set(CMAKE_REQUIRED_INCLUDES "${_GSS_INCLUDE_DIR}")
+      check_include_files( "gssapi/gssapi_generic.h;gssapi/gssapi_krb5.h" _GSS_HAVE_MIT_HEADERS)
 
-    if(_GSS_CONFIGURE_SCRIPT)
-        execute_process(
-            COMMAND ${_GSS_CONFIGURE_SCRIPT} "--cflags" "gssapi"
-            OUTPUT_VARIABLE _GSS_CFLAGS
-            RESULT_VARIABLE _GSS_CONFIGURE_FAILED
-        )
-message(STATUS "CFLAGS: ${_GSS_CFLAGS}")
-        if(NOT _GSS_CONFIGURE_FAILED) # 0 means success
-            # should also work in an odd case when multiple directories are given
-            string(STRIP "${_GSS_CFLAGS}" _GSS_CFLAGS)
-            string(REGEX REPLACE " +-I" ";" _GSS_CFLAGS "${_GSS_CFLAGS}")
-            string(REGEX REPLACE " +-([^I][^ \\t;]*)" ";-\\1"_GSS_CFLAGS "${_GSS_CFLAGS}")
-
-            foreach(_flag ${_GSS_CFLAGS})
-                if(_flag MATCHES "^-I.*")
-                    string(REGEX REPLACE "^-I" "" _val "${_flag}")
-                    list(APPEND _GSS_INCLUDE_DIR "${_val}")
-                else()
-                    list(APPEND _GSS_COMPILER_FLAGS "${_flag}")
-                endif()
-            endforeach()
-        endif()
-
-        execute_process(
-            COMMAND ${_GSS_CONFIGURE_SCRIPT} "--libs" "gssapi"
-            OUTPUT_VARIABLE _GSS_LIB_FLAGS
-            RESULT_VARIABLE _GSS_CONFIGURE_FAILED
-        )
-message(STATUS "LDFLAGS: ${_GSS_LIB_FLAGS}")
-        if(NOT _GSS_CONFIGURE_FAILED) # 0 means success
-            # this script gives us libraries and link directories. Blah. We have to deal with it.
-            string(STRIP "${_GSS_LIB_FLAGS}" _GSS_LIB_FLAGS)
-            string(REGEX REPLACE " +-(L|l)" ";-\\1" _GSS_LIB_FLAGS "${_GSS_LIB_FLAGS}")
-            string(REGEX REPLACE " +-([^Ll][^ \\t;]*)" ";-\\1"_GSS_LIB_FLAGS "${_GSS_LIB_FLAGS}")
-
-            foreach(_flag ${_GSS_LIB_FLAGS})
-                if(_flag MATCHES "^-l.*")
-                    string(REGEX REPLACE "^-l" "" _val "${_flag}")
-                    list(APPEND _GSS_LIBRARIES "${_val}")
-                elseif(_flag MATCHES "^-L.*")
-                    string(REGEX REPLACE "^-L" "" _val "${_flag}")
-                    list(APPEND _GSS_LINK_DIRECTORIES "${_val}")
-                else()
-                    list(APPEND _GSS_LINKER_FLAGS "${_flag}")
-                endif()
-            endforeach()
-        endif()
-
-
-        execute_process(
-            COMMAND ${_GSS_CONFIGURE_SCRIPT} "--version"
-            OUTPUT_VARIABLE _GSS_VERSION
-            RESULT_VARIABLE _GSS_CONFIGURE_FAILED
-        )
-
-        # older versions may not have the "--version" parameter. In this case we just don't care.
-        if(_GSS_CONFIGURE_FAILED)
-            set(_GSS_VERSION 0)
-        endif()
-
-
-        execute_process(
-            COMMAND ${_GSS_CONFIGURE_SCRIPT} "--vendor"
-            OUTPUT_VARIABLE _GSS_VENDOR
-            RESULT_VARIABLE _GSS_CONFIGURE_FAILED
-        )
-
-        # older versions may not have the "--vendor" parameter. In this case we just don't care.
-        if(_GSS_CONFIGURE_FAILED)
-            set(GSS_FLAVOUR "Heimdal") # most probably, shouldn't really matter
-        else()
-            if(_GSS_VENDOR MATCHES ".*H|heimdal.*")
-                set(GSS_FLAVOUR "Heimdal")
-            else()
-                set(GSS_FLAVOUR "MIT")
-            endif()
-        endif()
-
-    else() # either there is no config script or we are on platform that doesn't provide one (Windows?)
-
-        find_path(_GSS_INCLUDE_DIR
-            NAMES
-                "gssapi/gssapi.h"
-            HINTS
-                ${_GSS_ROOT_HINTS}
-            PATH_SUFFIXES
-                include
-                inc
-        )
-
-        if(_GSS_INCLUDE_DIR) #jay, we've found something
-            set(CMAKE_REQUIRED_INCLUDES "${_GSS_INCLUDE_DIR}")
-            check_include_files( "gssapi/gssapi_generic.h;gssapi/gssapi_krb5.h" _GSS_HAVE_MIT_HEADERS)
-
-            if(_GSS_HAVE_MIT_HEADERS)
-                set(GSS_FLAVOUR "MIT")
-            else()
-                # prevent compiling the header - just check if we can include it
-                set(CMAKE_REQUIRED_DEFINITIONS "${CMAKE_REQUIRED_DEFINITIONS} -D__ROKEN_H__")
-                check_include_file( "roken.h" _GSS_HAVE_ROKEN_H)
-
-                check_include_file( "heimdal/roken.h" _GSS_HAVE_HEIMDAL_ROKEN_H)
-                if(_GSS_HAVE_ROKEN_H OR _GSS_HAVE_HEIMDAL_ROKEN_H)
-                    set(GSS_FLAVOUR "Heimdal")
-                endif()
-                set(CMAKE_REQUIRED_DEFINITIONS "")
-            endif()
-        else()
-            # I'm not convienced if this is the right way but this is what autotools do at the moment
-            find_path(_GSS_INCLUDE_DIR
-                NAMES
-                    "gssapi.h"
-                HINTS
-                    ${_GSS_ROOT_HINTS}
-                PATH_SUFFIXES
-                    include
-                    inc
-            )
-
-            if(_GSS_INCLUDE_DIR)
-                set(GSS_FLAVOUR "Heimdal")
-            endif()
-        endif()
-
-        # if we have headers, check if we can link libraries
-        if(GSS_FLAVOUR)
-            set(_GSS_LIBDIR_SUFFIXES "")
-            set(_GSS_LIBDIR_HINTS ${_GSS_ROOT_HINTS})
-            get_filename_component(_GSS_CALCULATED_POTENTIAL_ROOT "${_GSS_INCLUDE_DIR}" PATH)
-            list(APPEND _GSS_LIBDIR_HINTS ${_GSS_CALCULATED_POTENTIAL_ROOT})
-
-            if(WIN32)
-                if(CMAKE_SIZEOF_VOID_P EQUAL 8)
-                    list(APPEND _GSS_LIBDIR_SUFFIXES "lib/AMD64")
-                    if(GSS_FLAVOUR STREQUAL "MIT")
-                        set(_GSS_LIBNAME "gssapi64")
-                    else()
-                        set(_GSS_LIBNAME "libgssapi")
-                    endif()
-                else()
-                    list(APPEND _GSS_LIBDIR_SUFFIXES "lib/i386")
-                    if(GSS_FLAVOUR STREQUAL "MIT")
-                        set(_GSS_LIBNAME "gssapi32")
-                    else()
-                        set(_GSS_LIBNAME "libgssapi")
-                    endif()
-                endif()
-            else()
-                list(APPEND _GSS_LIBDIR_SUFFIXES "lib;lib64") # those suffixes are not checked for HINTS
-                if(GSS_FLAVOUR STREQUAL "MIT")
-                    set(_GSS_LIBNAME "gssapi_krb5")
-                else()
-                    set(_GSS_LIBNAME "gssapi")
-                endif()
-            endif()
-
-            find_library(_GSS_LIBRARIES
-                NAMES
-                    ${_GSS_LIBNAME}
-                HINTS
-                    ${_GSS_LIBDIR_HINTS}
-                PATH_SUFFIXES
-                    ${_GSS_LIBDIR_SUFFIXES}
-            )
-
-        endif()
-
-    endif()
-else()
-    if(_GSS_PKG_${_MIT_MODNAME}_VERSION)
+      if(_GSS_HAVE_MIT_HEADERS)
         set(GSS_FLAVOUR "MIT")
-        set(_GSS_VERSION _GSS_PKG_${_MIT_MODNAME}_VERSION)
+      else()
+        # prevent compiling the header - just check if we can include it
+        set(CMAKE_REQUIRED_DEFINITIONS "${CMAKE_REQUIRED_DEFINITIONS} -D__ROKEN_H__")
+        check_include_file( "roken.h" _GSS_HAVE_ROKEN_H)
+
+        check_include_file( "heimdal/roken.h" _GSS_HAVE_HEIMDAL_ROKEN_H)
+        if(_GSS_HAVE_ROKEN_H OR _GSS_HAVE_HEIMDAL_ROKEN_H)
+          set(GSS_FLAVOUR "Heimdal")
+        endif()
+        set(CMAKE_REQUIRED_DEFINITIONS "")
+      endif()
     else()
+      # I'm not convinced if this is the right way but this is what autotools do at the moment
+      find_path(_GSS_INCLUDE_DIR
+          NAMES
+              "gssapi.h"
+          HINTS
+              ${_GSS_ROOT_HINTS}
+          PATH_SUFFIXES
+              include
+              inc
+      )
+
+      if(_GSS_INCLUDE_DIR)
         set(GSS_FLAVOUR "Heimdal")
-        set(_GSS_VERSION _GSS_PKG_${_MIT_HEIMDAL}_VERSION)
+      endif()
     endif()
+
+    # if we have headers, check if we can link libraries
+    if(GSS_FLAVOUR)
+      set(_GSS_LIBDIR_SUFFIXES "")
+      set(_GSS_LIBDIR_HINTS ${_GSS_ROOT_HINTS})
+      get_filename_component(_GSS_CALCULATED_POTENTIAL_ROOT "${_GSS_INCLUDE_DIR}" PATH)
+      list(APPEND _GSS_LIBDIR_HINTS ${_GSS_CALCULATED_POTENTIAL_ROOT})
+
+      if(WIN32)
+        if(CMAKE_SIZEOF_VOID_P EQUAL 8)
+          list(APPEND _GSS_LIBDIR_SUFFIXES "lib/AMD64")
+          if(GSS_FLAVOUR STREQUAL "MIT")
+            set(_GSS_LIBNAME "gssapi64")
+          else()
+            set(_GSS_LIBNAME "libgssapi")
+          endif()
+        else()
+          list(APPEND _GSS_LIBDIR_SUFFIXES "lib/i386")
+          if(GSS_FLAVOUR STREQUAL "MIT")
+            set(_GSS_LIBNAME "gssapi32")
+          else()
+            set(_GSS_LIBNAME "libgssapi")
+          endif()
+        endif()
+      else()
+        list(APPEND _GSS_LIBDIR_SUFFIXES "lib;lib64") # those suffixes are not checked for HINTS
+        if(GSS_FLAVOUR STREQUAL "MIT")
+          set(_GSS_LIBNAME "gssapi_krb5")
+        else()
+          set(_GSS_LIBNAME "gssapi")
+        endif()
+      endif()
+
+      find_library(_GSS_LIBRARIES
+          NAMES
+              ${_GSS_LIBNAME}
+          HINTS
+              ${_GSS_LIBDIR_HINTS}
+          PATH_SUFFIXES
+              ${_GSS_LIBDIR_SUFFIXES}
+      )
+
+    endif()
+  endif()
+else()
+  if(_GSS_PKG_${_MIT_MODNAME}_VERSION)
+    set(GSS_FLAVOUR "MIT")
+    set(_GSS_VERSION _GSS_PKG_${_MIT_MODNAME}_VERSION)
+  else()
+    set(GSS_FLAVOUR "Heimdal")
+    set(_GSS_VERSION _GSS_PKG_${_MIT_HEIMDAL}_VERSION)
+  endif()
 endif()
 
 set(GSS_INCLUDE_DIR ${_GSS_INCLUDE_DIR})
@@ -243,35 +266,33 @@
 set(GSS_VERSION ${_GSS_VERSION})
 
 if(GSS_FLAVOUR)
-
-    if(NOT GSS_VERSION AND GSS_FLAVOUR STREQUAL "Heimdal")
-        if(CMAKE_SIZEOF_VOID_P EQUAL 8)
-            set(HEIMDAL_MANIFEST_FILE "Heimdal.Application.amd64.manifest")
-        else()
-            set(HEIMDAL_MANIFEST_FILE "Heimdal.Application.x86.manifest")
-        endif()
-
-        if(EXISTS "${GSS_INCLUDE_DIR}/${HEIMDAL_MANIFEST_FILE}")
-            file(STRINGS "${GSS_INCLUDE_DIR}/${HEIMDAL_MANIFEST_FILE}" heimdal_version_str
-                 REGEX "^.*version=\"[0-9]\\.[^\"]+\".*$")
-
-            string(REGEX MATCH "[0-9]\\.[^\"]+"
-                   GSS_VERSION "${heimdal_version_str}")
-        endif()
-
-        if(NOT GSS_VERSION)
-            set(GSS_VERSION "Heimdal Unknown")
-        endif()
-    elseif(NOT GSS_VERSION AND GSS_FLAVOUR STREQUAL "MIT")
-        get_filename_component(_MIT_VERSION "[HKEY_LOCAL_MACHINE\\SOFTWARE\\MIT\\Kerberos\\SDK\\CurrentVersion;VersionString]" NAME CACHE)
-        if(WIN32 AND _MIT_VERSION)
-            set(GSS_VERSION "${_MIT_VERSION}")
-        else()
-            set(GSS_VERSION "MIT Unknown")
-        endif()
+  if(NOT GSS_VERSION AND GSS_FLAVOUR STREQUAL "Heimdal")
+    if(CMAKE_SIZEOF_VOID_P EQUAL 8)
+      set(HEIMDAL_MANIFEST_FILE "Heimdal.Application.amd64.manifest")
+    else()
+      set(HEIMDAL_MANIFEST_FILE "Heimdal.Application.x86.manifest")
     endif()
-endif()
 
+    if(EXISTS "${GSS_INCLUDE_DIR}/${HEIMDAL_MANIFEST_FILE}")
+      file(STRINGS "${GSS_INCLUDE_DIR}/${HEIMDAL_MANIFEST_FILE}" heimdal_version_str
+           REGEX "^.*version=\"[0-9]\\.[^\"]+\".*$")
+
+      string(REGEX MATCH "[0-9]\\.[^\"]+"
+             GSS_VERSION "${heimdal_version_str}")
+    endif()
+
+    if(NOT GSS_VERSION)
+      set(GSS_VERSION "Heimdal Unknown")
+    endif()
+  elseif(NOT GSS_VERSION AND GSS_FLAVOUR STREQUAL "MIT")
+    get_filename_component(_MIT_VERSION "[HKEY_LOCAL_MACHINE\\SOFTWARE\\MIT\\Kerberos\\SDK\\CurrentVersion;VersionString]" NAME CACHE)
+    if(WIN32 AND _MIT_VERSION)
+      set(GSS_VERSION "${_MIT_VERSION}")
+    else()
+      set(GSS_VERSION "MIT Unknown")
+    endif()
+  endif()
+endif()
 
 include(FindPackageHandleStandardArgs)
 
diff --git a/CMake/FindLibSSH2.cmake b/CMake/FindLibSSH2.cmake
index 12a7c61..4cdf3e3 100644
--- a/CMake/FindLibSSH2.cmake
+++ b/CMake/FindLibSSH2.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 # - Try to find the libssh2 library
 # Once done this will define
 #
@@ -5,31 +26,18 @@
 # LIBSSH2_INCLUDE_DIR - the libssh2 include directory
 # LIBSSH2_LIBRARY - the libssh2 library name
 
-if (LIBSSH2_INCLUDE_DIR AND LIBSSH2_LIBRARY)
-  set(LibSSH2_FIND_QUIETLY TRUE)
-endif (LIBSSH2_INCLUDE_DIR AND LIBSSH2_LIBRARY)
+find_path(LIBSSH2_INCLUDE_DIR libssh2.h)
 
-FIND_PATH(LIBSSH2_INCLUDE_DIR libssh2.h
-)
-
-FIND_LIBRARY(LIBSSH2_LIBRARY NAMES ssh2
-)
+find_library(LIBSSH2_LIBRARY NAMES ssh2 libssh2)
 
 if(LIBSSH2_INCLUDE_DIR)
-  file(STRINGS "${LIBSSH2_INCLUDE_DIR}/libssh2.h" libssh2_version_str REGEX "^#define[\t ]+LIBSSH2_VERSION_NUM[\t ]+0x[0-9][0-9][0-9][0-9][0-9][0-9].*")
-
-  string(REGEX REPLACE "^.*LIBSSH2_VERSION_NUM[\t ]+0x([0-9][0-9]).*$" "\\1" LIBSSH2_VERSION_MAJOR "${libssh2_version_str}")
-  string(REGEX REPLACE "^.*LIBSSH2_VERSION_NUM[\t ]+0x[0-9][0-9]([0-9][0-9]).*$" "\\1" LIBSSH2_VERSION_MINOR  "${libssh2_version_str}")
-  string(REGEX REPLACE "^.*LIBSSH2_VERSION_NUM[\t ]+0x[0-9][0-9][0-9][0-9]([0-9][0-9]).*$" "\\1" LIBSSH2_VERSION_PATCH "${libssh2_version_str}")
-
-  string(REGEX REPLACE "^0(.+)" "\\1" LIBSSH2_VERSION_MAJOR "${LIBSSH2_VERSION_MAJOR}")
-  string(REGEX REPLACE "^0(.+)" "\\1" LIBSSH2_VERSION_MINOR "${LIBSSH2_VERSION_MINOR}")
-  string(REGEX REPLACE "^0(.+)" "\\1" LIBSSH2_VERSION_PATCH "${LIBSSH2_VERSION_PATCH}")
-
-  set(LIBSSH2_VERSION "${LIBSSH2_VERSION_MAJOR}.${LIBSSH2_VERSION_MINOR}.${LIBSSH2_VERSION_PATCH}")
-endif(LIBSSH2_INCLUDE_DIR)
+  file(STRINGS "${LIBSSH2_INCLUDE_DIR}/libssh2.h" libssh2_version_str REGEX "^#define[\t ]+LIBSSH2_VERSION[\t ]+\"(.*)\"")
+  string(REGEX REPLACE "^.*\"([^\"]+)\"" "\\1"  LIBSSH2_VERSION "${libssh2_version_str}")
+endif()
 
 include(FindPackageHandleStandardArgs)
-FIND_PACKAGE_HANDLE_STANDARD_ARGS(LibSSH2 DEFAULT_MSG LIBSSH2_INCLUDE_DIR LIBSSH2_LIBRARY )
+find_package_handle_standard_args(LibSSH2
+    REQUIRED_VARS LIBSSH2_LIBRARY LIBSSH2_INCLUDE_DIR
+    VERSION_VAR LIBSSH2_VERSION)
 
-MARK_AS_ADVANCED(LIBSSH2_INCLUDE_DIR LIBSSH2_LIBRARY LIBSSH2_VERSION_MAJOR LIBSSH2_VERSION_MINOR LIBSSH2_VERSION_PATCH LIBSSH2_VERSION)
+mark_as_advanced(LIBSSH2_INCLUDE_DIR LIBSSH2_LIBRARY)
diff --git a/CMake/FindMbedTLS.cmake b/CMake/FindMbedTLS.cmake
index a916395..2ebe721 100644
--- a/CMake/FindMbedTLS.cmake
+++ b/CMake/FindMbedTLS.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 find_path(MBEDTLS_INCLUDE_DIRS mbedtls/ssl.h)
 
 find_library(MBEDTLS_LIBRARY mbedtls)
diff --git a/CMake/FindNGHTTP2.cmake b/CMake/FindNGHTTP2.cmake
index 4e566cf..e1eba05 100644
--- a/CMake/FindNGHTTP2.cmake
+++ b/CMake/FindNGHTTP2.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 include(FindPackageHandleStandardArgs)
 
 find_path(NGHTTP2_INCLUDE_DIR "nghttp2/nghttp2.h")
@@ -10,9 +31,9 @@
     REQUIRED_VARS
       NGHTTP2_LIBRARY
       NGHTTP2_INCLUDE_DIR
-    FAIL_MESSAGE
-      "Could NOT find NGHTTP2"
 )
 
-set(NGHTTP2_INCLUDE_DIRS ${NGHTTP2_INCLUDE_DIR} )
+set(NGHTTP2_INCLUDE_DIRS ${NGHTTP2_INCLUDE_DIR})
 set(NGHTTP2_LIBRARIES ${NGHTTP2_LIBRARY})
+
+mark_as_advanced(NGHTTP2_INCLUDE_DIRS NGHTTP2_LIBRARIES)
diff --git a/CMake/FindNSS.cmake b/CMake/FindNSS.cmake
new file mode 100644
index 0000000..5fdb2b7
--- /dev/null
+++ b/CMake/FindNSS.cmake
@@ -0,0 +1,38 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+if(UNIX)
+  find_package(PkgConfig QUIET)
+  pkg_search_module(PC_NSS nss)
+endif()
+if(NOT PC_NSS_FOUND)
+  return()
+endif()
+
+set(NSS_LIBRARIES ${PC_NSS_LINK_LIBRARIES})
+set(NSS_INCLUDE_DIRS ${PC_NSS_INCLUDE_DIRS})
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(NSS
+    REQUIRED_VARS NSS_LIBRARIES NSS_INCLUDE_DIRS
+    VERSION_VAR PC_NSS_VERSION)
+
+mark_as_advanced(NSS_INCLUDE_DIRS NSS_LIBRARIES)
diff --git a/CMake/FindWolfSSL.cmake b/CMake/FindWolfSSL.cmake
new file mode 100644
index 0000000..54df1a8
--- /dev/null
+++ b/CMake/FindWolfSSL.cmake
@@ -0,0 +1,34 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+find_path(WolfSSL_INCLUDE_DIR NAMES wolfssl/ssl.h)
+find_library(WolfSSL_LIBRARY NAMES wolfssl)
+mark_as_advanced(WolfSSL_INCLUDE_DIR WolfSSL_LIBRARY)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(WolfSSL
+  REQUIRED_VARS WolfSSL_INCLUDE_DIR WolfSSL_LIBRARY
+  )
+
+if(WolfSSL_FOUND)
+  set(WolfSSL_INCLUDE_DIRS ${WolfSSL_INCLUDE_DIR})
+  set(WolfSSL_LIBRARIES ${WolfSSL_LIBRARY})
+endif()
diff --git a/CMake/Macros.cmake b/CMake/Macros.cmake
index dab005f..65a41e4 100644
--- a/CMake/Macros.cmake
+++ b/CMake/Macros.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 #File defines convenience macros for available feature testing
 
 # This macro checks if the symbol exists in the library and if it
@@ -5,35 +26,35 @@
 # multiple times with a sequence of possibly dependent libraries in
 # order of least-to-most-dependent.  Some libraries depend on others
 # to link correctly.
-macro(CHECK_LIBRARY_EXISTS_CONCAT LIBRARY SYMBOL VARIABLE)
+macro(check_library_exists_concat LIBRARY SYMBOL VARIABLE)
   check_library_exists("${LIBRARY};${CURL_LIBS}" ${SYMBOL} "${CMAKE_LIBRARY_PATH}"
     ${VARIABLE})
   if(${VARIABLE})
     set(CURL_LIBS ${LIBRARY} ${CURL_LIBS})
-  endif(${VARIABLE})
-endmacro(CHECK_LIBRARY_EXISTS_CONCAT)
+  endif()
+endmacro()
 
 # Check if header file exists and add it to the list.
 # This macro is intended to be called multiple times with a sequence of
 # possibly dependent header files.  Some headers depend on others to be
 # compiled correctly.
-macro(CHECK_INCLUDE_FILE_CONCAT FILE VARIABLE)
+macro(check_include_file_concat FILE VARIABLE)
   check_include_files("${CURL_INCLUDES};${FILE}" ${VARIABLE})
   if(${VARIABLE})
     set(CURL_INCLUDES ${CURL_INCLUDES} ${FILE})
     set(CURL_TEST_DEFINES "${CURL_TEST_DEFINES} -D${VARIABLE}")
-  endif(${VARIABLE})
-endmacro(CHECK_INCLUDE_FILE_CONCAT)
+  endif()
+endmacro()
 
 # For other curl specific tests, use this macro.
-macro(CURL_INTERNAL_TEST CURL_TEST)
+macro(curl_internal_test CURL_TEST)
   if(NOT DEFINED "${CURL_TEST}")
     set(MACRO_CHECK_FUNCTION_DEFINITIONS
       "-D${CURL_TEST} ${CURL_TEST_DEFINES} ${CMAKE_REQUIRED_FLAGS}")
     if(CMAKE_REQUIRED_LIBRARIES)
       set(CURL_TEST_ADD_LIBRARIES
         "-DLINK_LIBRARIES:STRING=${CMAKE_REQUIRED_LIBRARIES}")
-    endif(CMAKE_REQUIRED_LIBRARIES)
+    endif()
 
     message(STATUS "Performing Curl Test ${CURL_TEST}")
     try_compile(${CURL_TEST}
@@ -48,48 +69,41 @@
       file(APPEND ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeOutput.log
         "Performing Curl Test ${CURL_TEST} passed with the following output:\n"
         "${OUTPUT}\n")
-    else(${CURL_TEST})
+    else()
       message(STATUS "Performing Curl Test ${CURL_TEST} - Failed")
       set(${CURL_TEST} "" CACHE INTERNAL "Curl test ${FUNCTION}")
       file(APPEND ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeError.log
         "Performing Curl Test ${CURL_TEST} failed with the following output:\n"
         "${OUTPUT}\n")
-    endif(${CURL_TEST})
+    endif()
   endif()
-endmacro(CURL_INTERNAL_TEST)
+endmacro()
 
-macro(CURL_INTERNAL_TEST_RUN CURL_TEST)
-  if(NOT DEFINED "${CURL_TEST}_COMPILE")
-    set(MACRO_CHECK_FUNCTION_DEFINITIONS
-      "-D${CURL_TEST} ${CMAKE_REQUIRED_FLAGS}")
-    if(CMAKE_REQUIRED_LIBRARIES)
-      set(CURL_TEST_ADD_LIBRARIES
-        "-DLINK_LIBRARIES:STRING=${CMAKE_REQUIRED_LIBRARIES}")
-    endif(CMAKE_REQUIRED_LIBRARIES)
-
-    message(STATUS "Performing Curl Test ${CURL_TEST}")
-    try_run(${CURL_TEST} ${CURL_TEST}_COMPILE
-      ${CMAKE_BINARY_DIR}
-      ${CMAKE_CURRENT_SOURCE_DIR}/CMake/CurlTests.c
-      CMAKE_FLAGS -DCOMPILE_DEFINITIONS:STRING=${MACRO_CHECK_FUNCTION_DEFINITIONS}
-      "${CURL_TEST_ADD_LIBRARIES}"
-      OUTPUT_VARIABLE OUTPUT)
-    if(${CURL_TEST}_COMPILE AND NOT ${CURL_TEST})
-      set(${CURL_TEST} 1 CACHE INTERNAL "Curl test ${FUNCTION}")
-      message(STATUS "Performing Curl Test ${CURL_TEST} - Success")
-    else(${CURL_TEST}_COMPILE AND NOT ${CURL_TEST})
-      message(STATUS "Performing Curl Test ${CURL_TEST} - Failed")
-      set(${CURL_TEST} "" CACHE INTERNAL "Curl test ${FUNCTION}")
-      file(APPEND "${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeError.log"
-        "Performing Curl Test ${CURL_TEST} failed with the following output:\n"
-        "${OUTPUT}")
-      if(${CURL_TEST}_COMPILE)
-        file(APPEND
-          "${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeError.log"
-          "There was a problem running this test\n")
-      endif(${CURL_TEST}_COMPILE)
-      file(APPEND "${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeError.log"
-        "\n\n")
-    endif(${CURL_TEST}_COMPILE AND NOT ${CURL_TEST})
+macro(curl_nroff_check)
+  find_program(NROFF NAMES gnroff nroff)
+  if(NROFF)
+    # Need a way to write to stdin, this will do
+    file(WRITE "${CMAKE_CURRENT_BINARY_DIR}/nroff-input.txt" "test")
+    # Tests for a valid nroff option to generate a manpage
+    foreach(_MANOPT "-man" "-mandoc")
+      execute_process(COMMAND "${NROFF}" ${_MANOPT}
+        OUTPUT_VARIABLE NROFF_MANOPT_OUTPUT
+        INPUT_FILE "${CMAKE_CURRENT_BINARY_DIR}/nroff-input.txt"
+        ERROR_QUIET)
+      # Save the option if it was valid
+      if(NROFF_MANOPT_OUTPUT)
+        message("Found *nroff option: -- ${_MANOPT}")
+        set(NROFF_MANOPT ${_MANOPT})
+        set(NROFF_USEFUL ON)
+        break()
+      endif()
+    endforeach()
+    # No need for the temporary file
+    file(REMOVE "${CMAKE_CURRENT_BINARY_DIR}/nroff-input.txt")
+    if(NOT NROFF_USEFUL)
+      message(WARNING "Found no *nroff option to get plaintext from man pages")
+    endif()
+  else()
+    message(WARNING "Found no *nroff program")
   endif()
-endmacro(CURL_INTERNAL_TEST_RUN)
+endmacro()
diff --git a/CMake/OtherTests.cmake b/CMake/OtherTests.cmake
index 3b203c5..7cec6da 100644
--- a/CMake/OtherTests.cmake
+++ b/CMake/OtherTests.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 include(CheckCSourceCompiles)
 # The begin of the sources (macros and includes)
 set(_source_epilogue "#undef inline")
@@ -5,8 +26,8 @@
 macro(add_header_include check header)
   if(${check})
     set(_source_epilogue "${_source_epilogue}\n#include <${header}>")
-  endif(${check})
-endmacro(add_header_include)
+  endif()
+endmacro()
 
 set(signature_call_conv)
 if(HAVE_WINDOWS_H)
@@ -19,10 +40,12 @@
   if(HAVE_LIBWS2_32)
     set(CMAKE_REQUIRED_LIBRARIES ws2_32)
   endif()
-else(HAVE_WINDOWS_H)
+else()
   add_header_include(HAVE_SYS_TYPES_H "sys/types.h")
   add_header_include(HAVE_SYS_SOCKET_H "sys/socket.h")
-endif(HAVE_WINDOWS_H)
+endif()
+
+set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY)
 
 check_c_source_compiles("${_source_epilogue}
 int main(void) {
@@ -30,16 +53,19 @@
     return 0;
 }" curl_cv_recv)
 if(curl_cv_recv)
-  if(NOT DEFINED curl_cv_func_recv_args OR "${curl_cv_func_recv_args}" STREQUAL "unknown")
+  if(NOT DEFINED curl_cv_func_recv_args OR curl_cv_func_recv_args STREQUAL "unknown")
     foreach(recv_retv "int" "ssize_t" )
-      foreach(recv_arg1 "int" "ssize_t" "SOCKET")
-        foreach(recv_arg2 "void *" "char *")
-          foreach(recv_arg3 "size_t" "int" "socklen_t" "unsigned int")
+      foreach(recv_arg1 "SOCKET" "int" )
+        foreach(recv_arg2 "char *" "void *" )
+          foreach(recv_arg3 "int" "size_t" "socklen_t" "unsigned int")
             foreach(recv_arg4 "int" "unsigned int")
               if(NOT curl_cv_func_recv_done)
                 unset(curl_cv_func_recv_test CACHE)
                 check_c_source_compiles("
                   ${_source_epilogue}
+                  #ifdef WINSOCK_API_LINKAGE
+                  WINSOCK_API_LINKAGE
+                  #endif
                   extern ${recv_retv} ${signature_call_conv}
                   recv(${recv_arg1}, ${recv_arg2}, ${recv_arg3}, ${recv_arg4});
                   int main(void) {
@@ -64,13 +90,13 @@
                   set(RECV_TYPE_RETV "${recv_retv}")
                   set(HAVE_RECV 1)
                   set(curl_cv_func_recv_done 1)
-                endif(curl_cv_func_recv_test)
-              endif(NOT curl_cv_func_recv_done)
-            endforeach(recv_arg4)
-          endforeach(recv_arg3)
-        endforeach(recv_arg2)
-      endforeach(recv_arg1)
-    endforeach(recv_retv)
+                endif()
+              endif()
+            endforeach()
+          endforeach()
+        endforeach()
+      endforeach()
+    endforeach()
   else()
     string(REGEX REPLACE "^([^,]*),[^,]*,[^,]*,[^,]*,[^,]*$" "\\1" RECV_TYPE_ARG1 "${curl_cv_func_recv_args}")
     string(REGEX REPLACE "^[^,]*,([^,]*),[^,]*,[^,]*,[^,]*$" "\\1" RECV_TYPE_ARG2 "${curl_cv_func_recv_args}")
@@ -79,12 +105,12 @@
     string(REGEX REPLACE "^[^,]*,[^,]*,[^,]*,[^,]*,([^,]*)$" "\\1" RECV_TYPE_RETV "${curl_cv_func_recv_args}")
   endif()
 
-  if("${curl_cv_func_recv_args}" STREQUAL "unknown")
+  if(curl_cv_func_recv_args STREQUAL "unknown")
     message(FATAL_ERROR "Cannot find proper types to use for recv args")
-  endif("${curl_cv_func_recv_args}" STREQUAL "unknown")
-else(curl_cv_recv)
+  endif()
+else()
   message(FATAL_ERROR "Unable to link function recv")
-endif(curl_cv_recv)
+endif()
 set(curl_cv_func_recv_args "${curl_cv_func_recv_args}" CACHE INTERNAL "Arguments for recv")
 set(HAVE_RECV 1)
 
@@ -96,14 +122,17 @@
 if(curl_cv_send)
   if(NOT DEFINED curl_cv_func_send_args OR "${curl_cv_func_send_args}" STREQUAL "unknown")
     foreach(send_retv "int" "ssize_t" )
-      foreach(send_arg1 "int" "ssize_t" "SOCKET")
-        foreach(send_arg2 "const void *" "void *" "char *" "const char *")
-          foreach(send_arg3 "size_t" "int" "socklen_t" "unsigned int")
+      foreach(send_arg1 "SOCKET" "int" "ssize_t" )
+        foreach(send_arg2 "const char *" "const void *" "void *" "char *")
+          foreach(send_arg3 "int" "size_t" "socklen_t" "unsigned int")
             foreach(send_arg4 "int" "unsigned int")
               if(NOT curl_cv_func_send_done)
                 unset(curl_cv_func_send_test CACHE)
                 check_c_source_compiles("
                   ${_source_epilogue}
+                  #ifdef WINSOCK_API_LINKAGE
+                  WINSOCK_API_LINKAGE
+                  #endif
                   extern ${send_retv} ${signature_call_conv}
                   send(${send_arg1}, ${send_arg2}, ${send_arg3}, ${send_arg4});
                   int main(void) {
@@ -130,13 +159,13 @@
                   set(SEND_TYPE_RETV "${send_retv}")
                   set(HAVE_SEND 1)
                   set(curl_cv_func_send_done 1)
-                endif(curl_cv_func_send_test)
-              endif(NOT curl_cv_func_send_done)
-            endforeach(send_arg4)
-          endforeach(send_arg3)
-        endforeach(send_arg2)
-      endforeach(send_arg1)
-    endforeach(send_retv)
+                endif()
+              endif()
+            endforeach()
+          endforeach()
+        endforeach()
+      endforeach()
+    endforeach()
   else()
     string(REGEX REPLACE "^([^,]*),[^,]*,[^,]*,[^,]*,[^,]*,[^,]*$" "\\1" SEND_TYPE_ARG1 "${curl_cv_func_send_args}")
     string(REGEX REPLACE "^[^,]*,([^,]*),[^,]*,[^,]*,[^,]*,[^,]*$" "\\1" SEND_TYPE_ARG2 "${curl_cv_func_send_args}")
@@ -148,11 +177,11 @@
 
   if("${curl_cv_func_send_args}" STREQUAL "unknown")
     message(FATAL_ERROR "Cannot find proper types to use for send args")
-  endif("${curl_cv_func_send_args}" STREQUAL "unknown")
+  endif()
   set(SEND_QUAL_ARG2 "const")
-else(curl_cv_send)
+else()
   message(FATAL_ERROR "Unable to link function send")
-endif(curl_cv_send)
+endif()
 set(curl_cv_func_send_args "${curl_cv_func_send_args}" CACHE INTERNAL "Arguments for send")
 set(HAVE_SEND 1)
 
@@ -177,29 +206,12 @@
   return 0;
 }" HAVE_STRUCT_TIMEVAL)
 
-
-include(CheckCSourceRuns)
-# See HAVE_POLL in CMakeLists.txt for why poll is disabled on macOS
-if(NOT APPLE)
-  set(CMAKE_REQUIRED_FLAGS)
-  if(HAVE_SYS_POLL_H)
-    set(CMAKE_REQUIRED_FLAGS "-DHAVE_SYS_POLL_H")
-  endif(HAVE_SYS_POLL_H)
-  check_c_source_runs("
-    #ifdef HAVE_SYS_POLL_H
-    #  include <sys/poll.h>
-    #endif
-    int main(void) {
-      return poll((void *)0, 0, 10 /*ms*/);
-    }" HAVE_POLL_FINE)
-endif()
-
 set(HAVE_SIG_ATOMIC_T 1)
 set(CMAKE_REQUIRED_FLAGS)
 if(HAVE_SIGNAL_H)
   set(CMAKE_REQUIRED_FLAGS "-DHAVE_SIGNAL_H")
   set(CMAKE_EXTRA_INCLUDE_FILES "signal.h")
-endif(HAVE_SIGNAL_H)
+endif()
 check_type_size("sig_atomic_t" SIZEOF_SIG_ATOMIC_T)
 if(HAVE_SIZEOF_SIG_ATOMIC_T)
   check_c_source_compiles("
@@ -213,8 +225,8 @@
     }" HAVE_SIG_ATOMIC_T_NOT_VOLATILE)
   if(NOT HAVE_SIG_ATOMIC_T_NOT_VOLATILE)
     set(HAVE_SIG_ATOMIC_T_VOLATILE 1)
-  endif(NOT HAVE_SIG_ATOMIC_T_NOT_VOLATILE)
-endif(HAVE_SIZEOF_SIG_ATOMIC_T)
+  endif()
+endif()
 
 if(HAVE_WINDOWS_H)
   set(CMAKE_EXTRA_INCLUDE_FILES winsock2.h)
@@ -222,11 +234,58 @@
   set(CMAKE_EXTRA_INCLUDE_FILES)
   if(HAVE_SYS_SOCKET_H)
     set(CMAKE_EXTRA_INCLUDE_FILES sys/socket.h)
-  endif(HAVE_SYS_SOCKET_H)
+  endif()
 endif()
 
 check_type_size("struct sockaddr_storage" SIZEOF_STRUCT_SOCKADDR_STORAGE)
 if(HAVE_SIZEOF_STRUCT_SOCKADDR_STORAGE)
   set(HAVE_STRUCT_SOCKADDR_STORAGE 1)
-endif(HAVE_SIZEOF_STRUCT_SOCKADDR_STORAGE)
+endif()
+
+unset(CMAKE_TRY_COMPILE_TARGET_TYPE)
+
+if(NOT DEFINED CMAKE_TOOLCHAIN_FILE)
+  # if not cross-compilation...
+  include(CheckCSourceRuns)
+  set(CMAKE_REQUIRED_FLAGS "")
+  if(HAVE_SYS_POLL_H)
+    set(CMAKE_REQUIRED_FLAGS "-DHAVE_SYS_POLL_H")
+  elseif(HAVE_POLL_H)
+    set(CMAKE_REQUIRED_FLAGS "-DHAVE_POLL_H")
+  endif()
+  check_c_source_runs("
+    #include <stdlib.h>
+    #include <sys/time.h>
+
+    #ifdef HAVE_SYS_POLL_H
+    #  include <sys/poll.h>
+    #elif  HAVE_POLL_H
+    #  include <poll.h>
+    #endif
+
+    int main(void)
+    {
+        if(0 != poll(0, 0, 10)) {
+          return 1; /* fail */
+        }
+        else {
+          /* detect the 10.12 poll() breakage */
+          struct timeval before, after;
+          int rc;
+          size_t us;
+
+          gettimeofday(&before, NULL);
+          rc = poll(NULL, 0, 500);
+          gettimeofday(&after, NULL);
+
+          us = (after.tv_sec - before.tv_sec) * 1000000 +
+            (after.tv_usec - before.tv_usec);
+
+          if(us < 400000) {
+            return 1;
+          }
+        }
+        return 0;
+    }" HAVE_POLL_FINE)
+endif()
 
diff --git a/CMake/Platforms/WindowsCache.cmake b/CMake/Platforms/WindowsCache.cmake
index 6fc2991..9ae9b56 100644
--- a/CMake/Platforms/WindowsCache.cmake
+++ b/CMake/Platforms/WindowsCache.cmake
@@ -1,3 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 if(NOT UNIX)
   if(WIN32)
     set(HAVE_LIBDL 0)
@@ -7,7 +28,6 @@
     set(HAVE_LIBNSL 0)
     set(HAVE_GETHOSTNAME 1)
     set(HAVE_LIBZ 0)
-    set(HAVE_LIBCRYPTO 0)
 
     set(HAVE_DLOPEN 0)
 
@@ -118,8 +138,7 @@
 
     set(HAVE_SIGACTION 0)
     set(HAVE_MACRO_SIGSETJMP 0)
-  else(WIN32)
+  else()
     message("This file should be included on Windows platform only")
-  endif(WIN32)
-endif(NOT UNIX)
-
+  endif()
+endif()
diff --git a/CMake/Utilities.cmake b/CMake/Utilities.cmake
index 8b6276d..59b17d0 100644
--- a/CMake/Utilities.cmake
+++ b/CMake/Utilities.cmake
@@ -1,44 +1,33 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 # File containing various utilities
 
-# Converts a CMake list to a string containing elements separated by spaces
-function(TO_LIST_SPACES _LIST_NAME OUTPUT_VAR)
-  set(NEW_LIST_SPACE)
-  foreach(ITEM ${${_LIST_NAME}})
-    set(NEW_LIST_SPACE "${NEW_LIST_SPACE} ${ITEM}")
-  endforeach()
-  string(STRIP ${NEW_LIST_SPACE} NEW_LIST_SPACE)
-  set(${OUTPUT_VAR} "${NEW_LIST_SPACE}" PARENT_SCOPE)
-endfunction()
-
-# Appends a lis of item to a string which is a space-separated list, if they don't already exist.
-function(LIST_SPACES_APPEND_ONCE LIST_NAME)
-  string(REPLACE " " ";" _LIST ${${LIST_NAME}})
-  list(APPEND _LIST ${ARGN})
-  list(REMOVE_DUPLICATES _LIST)
-  to_list_spaces(_LIST NEW_LIST_SPACE)
-  set(${LIST_NAME} "${NEW_LIST_SPACE}" PARENT_SCOPE)
-endfunction()
-
-# Convinience function that does the same as LIST(FIND ...) but with a TRUE/FALSE return value.
-# Ex: IN_STR_LIST(MY_LIST "Searched item" WAS_FOUND)
-function(IN_STR_LIST LIST_NAME ITEM_SEARCHED RETVAL)
-  list(FIND ${LIST_NAME} ${ITEM_SEARCHED} FIND_POS)
-  if(${FIND_POS} EQUAL -1)
-    set(${RETVAL} FALSE PARENT_SCOPE)
-  else()
-    set(${RETVAL} TRUE PARENT_SCOPE)
-  endif()
-endfunction()
-
 # Returns a list of arguments that evaluate to true
-function(collect_true output_var output_count_var)
-  set(${output_var})
+function(count_true output_count_var)
+  set(lst_len 0)
   foreach(option_var IN LISTS ARGN)
     if(${option_var})
-      list(APPEND ${output_var} ${option_var})
+      math(EXPR lst_len "${lst_len} + 1")
     endif()
   endforeach()
-  set(${output_var} ${${output_var}} PARENT_SCOPE)
-  list(LENGTH ${output_var} ${output_count_var})
-  set(${output_count_var} ${${output_count_var}} PARENT_SCOPE)
+  set(${output_count_var} ${lst_len} PARENT_SCOPE)
 endfunction()
diff --git a/CMake/cmake_uninstall.cmake.in b/CMake/cmake_uninstall.cmake.in
new file mode 100644
index 0000000..4a0de5e
--- /dev/null
+++ b/CMake/cmake_uninstall.cmake.in
@@ -0,0 +1,47 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+  message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+endif()
+
+if(NOT DEFINED CMAKE_INSTALL_PREFIX)
+  set(CMAKE_INSTALL_PREFIX "@CMAKE_INSTALL_PREFIX@")
+endif()
+message(${CMAKE_INSTALL_PREFIX})
+
+file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
+string(REGEX REPLACE "\n" ";" files "${files}")
+foreach(file ${files})
+  message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
+  if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+    exec_program(
+      "@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
+      OUTPUT_VARIABLE rm_out
+      RETURN_VALUE rm_retval
+      )
+    if(NOT "${rm_retval}" STREQUAL 0)
+      message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
+    endif()
+  else()
+    message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
+  endif()
+endforeach()
diff --git a/CMake/curl-config.cmake.in b/CMake/curl-config.cmake.in
new file mode 100644
index 0000000..ae8cc30
--- /dev/null
+++ b/CMake/curl-config.cmake.in
@@ -0,0 +1,33 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+@PACKAGE_INIT@
+
+include(CMakeFindDependencyMacro)
+if(@USE_OPENSSL@)
+  find_dependency(OpenSSL @OPENSSL_VERSION_MAJOR@)
+endif()
+if(@USE_ZLIB@)
+  find_dependency(ZLIB @ZLIB_VERSION_MAJOR@)
+endif()
+
+include("${CMAKE_CURRENT_LIST_DIR}/@TARGETS_EXPORT_NAME@.cmake")
+check_required_components("@PROJECT_NAME@")
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8390c38..b8061d1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -38,25 +38,26 @@
 # To check:
 # (From Daniel Stenberg) The cmake build selected to run gcc with -fPIC on my box while the plain configure script did not.
 # (From Daniel Stenberg) The gcc command line use neither -g nor any -O options. As a developer, I also treasure our configure scripts's --enable-debug option that sets a long range of "picky" compiler options.
-cmake_minimum_required(VERSION 2.8 FATAL_ERROR)
+cmake_minimum_required(VERSION 3.0...3.16 FATAL_ERROR)
+
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")
 include(Utilities)
 include(Macros)
 include(CMakeDependentOption)
+include(CheckCCompilerFlag)
 
-project( CURL C )
+project(CURL C)
 
 message(WARNING "the curl cmake build system is poorly maintained. Be aware")
 
-file (READ ${CURL_SOURCE_DIR}/include/curl/curlver.h CURL_VERSION_H_CONTENTS)
-string (REGEX MATCH "#define LIBCURL_VERSION \"[^\"]*"
+file(STRINGS ${CURL_SOURCE_DIR}/include/curl/curlver.h CURL_VERSION_H_CONTENTS REGEX "#define LIBCURL_VERSION( |_NUM )")
+string(REGEX MATCH "#define LIBCURL_VERSION \"[^\"]*"
   CURL_VERSION ${CURL_VERSION_H_CONTENTS})
-string (REGEX REPLACE "[^\"]+\"" "" CURL_VERSION ${CURL_VERSION})
-string (REGEX MATCH "#define LIBCURL_VERSION_NUM 0x[0-9a-fA-F]+"
+string(REGEX REPLACE "[^\"]+\"" "" CURL_VERSION ${CURL_VERSION})
+string(REGEX MATCH "#define LIBCURL_VERSION_NUM 0x[0-9a-fA-F]+"
   CURL_VERSION_NUM ${CURL_VERSION_H_CONTENTS})
-string (REGEX REPLACE "[^0]+0x" "" CURL_VERSION_NUM ${CURL_VERSION_NUM})
+string(REGEX REPLACE "[^0]+0x" "" CURL_VERSION_NUM ${CURL_VERSION_NUM})
 
-include_regular_expression("^.*$")    # Sukender: Is it necessary?
 
 # Setup package meta-data
 # SET(PACKAGE "curl")
@@ -69,54 +70,72 @@
 set(OPERATING_SYSTEM "${CMAKE_SYSTEM_NAME}")
 set(OS "\"${CMAKE_SYSTEM_NAME}\"")
 
-include_directories(${PROJECT_BINARY_DIR}/include/curl)
-include_directories( ${CURL_SOURCE_DIR}/include )
+include_directories(${CURL_SOURCE_DIR}/include)
 
+option(CURL_WERROR "Turn compiler warnings into errors" OFF)
+option(PICKY_COMPILER "Enable picky compiler options" ON)
 option(BUILD_CURL_EXE "Set to ON to build curl executable." ON)
-option(CURL_STATICLIB "Set to ON to build libcurl with static linking." OFF)
+option(BUILD_SHARED_LIBS "Build shared libraries" ON)
 option(ENABLE_ARES "Set to ON to enable c-ares support" OFF)
 if(WIN32)
-  CMAKE_DEPENDENT_OPTION(ENABLE_THREADED_RESOLVER
-                         "Set to ON to enable threaded DNS lookup"
-                         ON "NOT ENABLE_ARES"
-                         OFF)
-else()
-  option(ENABLE_THREADED_RESOLVER "Set to ON to enable POSIX threaded DNS lookup" OFF)
+  option(CURL_STATIC_CRT "Set to ON to build libcurl with static CRT on Windows (/MT)." OFF)
+  option(ENABLE_INET_PTON "Set to OFF to prevent usage of inet_pton when building against modern SDKs while still requiring compatibility with older Windows versions, such as Windows XP, Windows Server 2003 etc." ON)
+  set(CURL_TARGET_WINDOWS_VERSION "" CACHE STRING "Minimum target Windows version as hex string")
+  if(CURL_TARGET_WINDOWS_VERSION)
+    add_definitions(-D_WIN32_WINNT=${CURL_TARGET_WINDOWS_VERSION})
+  elseif(ENABLE_INET_PTON)
+    # _WIN32_WINNT_VISTA (0x0600)
+    add_definitions(-D_WIN32_WINNT=0x0600)
+  else()
+    # _WIN32_WINNT_WINXP (0x0501)
+    add_definitions(-D_WIN32_WINNT=0x0501)
+  endif()
 endif()
+option(CURL_LTO "Turn on compiler Link Time Optimizations" OFF)
+
+cmake_dependent_option(ENABLE_THREADED_RESOLVER "Set to ON to enable threaded DNS lookup"
+        ON "NOT ENABLE_ARES"
+        OFF)
+
 option(ENABLE_DEBUG "Set to ON to enable curl debug features" OFF)
 option(ENABLE_CURLDEBUG "Set to ON to build with TrackMemory feature enabled" OFF)
 
-if (ENABLE_DEBUG)
-  # DEBUGBUILD will be defined only for Debug builds
-  if(NOT CMAKE_VERSION VERSION_LESS 3.0)
-    set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS $<$<CONFIG:Debug>:DEBUGBUILD>)
-  else()
-    set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS_DEBUG DEBUGBUILD)
+if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
+  if(PICKY_COMPILER)
+    foreach(_CCOPT -pedantic -Wall -W -Wpointer-arith -Wwrite-strings -Wunused -Wshadow -Winline -Wnested-externs -Wmissing-declarations -Wmissing-prototypes -Wno-long-long -Wfloat-equal -Wno-multichar -Wsign-compare -Wundef -Wno-format-nonliteral -Wendif-labels -Wstrict-prototypes -Wdeclaration-after-statement -Wstrict-aliasing=3 -Wcast-align -Wtype-limits -Wold-style-declaration -Wmissing-parameter-type -Wempty-body -Wclobbered -Wignored-qualifiers -Wconversion -Wno-sign-conversion -Wvla -Wdouble-promotion -Wno-system-headers -Wno-pedantic-ms-format)
+      # surprisingly, CHECK_C_COMPILER_FLAG needs a new variable to store each new
+      # test result in.
+      string(MAKE_C_IDENTIFIER "OPT${_CCOPT}" _optvarname)
+      check_c_compiler_flag(${_CCOPT} ${_optvarname})
+      if(${_optvarname})
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${_CCOPT}")
+      endif()
+    endforeach()
   endif()
+endif()
+
+if(ENABLE_DEBUG)
+  # DEBUGBUILD will be defined only for Debug builds
+  set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS $<$<CONFIG:Debug>:DEBUGBUILD>)
   set(ENABLE_CURLDEBUG ON)
 endif()
 
-if (ENABLE_CURLDEBUG)
+if(ENABLE_CURLDEBUG)
   set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS CURLDEBUG)
 endif()
 
+# For debug libs and exes, add "-d" postfix
+if(NOT DEFINED CMAKE_DEBUG_POSTFIX)
+  set(CMAKE_DEBUG_POSTFIX "-d")
+endif()
+
 # initialize CURL_LIBS
 set(CURL_LIBS "")
 
-if(ENABLE_THREADED_RESOLVER AND ENABLE_ARES)
-  message(FATAL_ERROR "Options ENABLE_THREADED_RESOLVER and ENABLE_ARES are mutually exclusive")
-endif()
-
 if(ENABLE_ARES)
   set(USE_ARES 1)
   find_package(CARES REQUIRED)
-  list(APPEND CURL_LIBS ${CARES_LIBRARY} )
-  set(CURL_LIBS ${CURL_LIBS} ${CARES_LIBRARY})
-endif()
-
-if(MSVC)
-  option(BUILD_RELEASE_DEBUG_DIRS "Set OFF to build each configuration to a separate directory" OFF)
-  mark_as_advanced(BUILD_RELEASE_DEBUG_DIRS)
+  list(APPEND CURL_LIBS ${CARES_LIBRARY})
 endif()
 
 include(CurlSymbolHiding)
@@ -153,6 +172,8 @@
 mark_as_advanced(CURL_DISABLE_SMTP)
 option(CURL_DISABLE_GOPHER "to disable Gopher" OFF)
 mark_as_advanced(CURL_DISABLE_GOPHER)
+option(CURL_ENABLE_MQTT "to enable MQTT" OFF)
+mark_as_advanced(CURL_ENABLE_MQTT)
 
 if(HTTP_ONLY)
   set(CURL_DISABLE_FTP ON)
@@ -165,6 +186,7 @@
   set(CURL_DISABLE_RTSP ON)
   set(CURL_DISABLE_POP3 ON)
   set(CURL_DISABLE_IMAP ON)
+  set(CURL_DISABLE_SMB ON)
   set(CURL_DISABLE_SMTP ON)
   set(CURL_DISABLE_GOPHER ON)
 endif()
@@ -176,8 +198,6 @@
 mark_as_advanced(CURL_DISABLE_CRYPTO_AUTH)
 option(CURL_DISABLE_VERBOSE_STRINGS "to disable verbose strings" OFF)
 mark_as_advanced(CURL_DISABLE_VERBOSE_STRINGS)
-option(DISABLED_THREADSAFE "Set to explicitly specify we don't want to use thread-safe functions" OFF)
-mark_as_advanced(DISABLED_THREADSAFE)
 option(ENABLE_IPV6 "Define if you want to enable IPv6 support" ON)
 mark_as_advanced(ENABLE_IPV6)
 if(ENABLE_IPV6 AND NOT WIN32)
@@ -194,85 +214,70 @@
   endif()
 endif()
 
-option(ENABLE_MANUAL "to provide the built-in manual" ON)
-unset(USE_MANUAL CACHE) # TODO: cache NROFF/NROFF_MANOPT/USE_MANUAL vars?
+curl_nroff_check()
+find_package(Perl)
+
+cmake_dependent_option(ENABLE_MANUAL "to provide the built-in manual"
+    ON "NROFF_USEFUL;PERL_FOUND"
+    OFF)
+
+if(NOT PERL_FOUND)
+  message(STATUS "Perl not found, testing disabled.")
+  set(BUILD_TESTING OFF)
+endif()
 if(ENABLE_MANUAL)
-  find_program(NROFF NAMES gnroff nroff)
-  if(NROFF)
-    # Need a way to write to stdin, this will do
-    file(WRITE "${CMAKE_CURRENT_BINARY_DIR}/nroff-input.txt" "test")
-    # Tests for a valid nroff option to generate a manpage
-    foreach(_MANOPT "-man" "-mandoc")
-      execute_process(COMMAND "${NROFF}" ${_MANOPT}
-        OUTPUT_VARIABLE NROFF_MANOPT_OUTPUT
-        INPUT_FILE "${CMAKE_CURRENT_BINARY_DIR}/nroff-input.txt"
-        ERROR_QUIET)
-      # Save the option if it was valid
-      if(NROFF_MANOPT_OUTPUT)
-        message("Found *nroff option: -- ${_MANOPT}")
-        set(NROFF_MANOPT ${_MANOPT})
-        set(USE_MANUAL 1)
-        break()
-      endif()
-    endforeach()
-    # No need for the temporary file
-    file(REMOVE "${CMAKE_CURRENT_BINARY_DIR}/nroff-input.txt")
-    if(NOT USE_MANUAL)
-      message(WARNING "Found no *nroff option to get plaintext from man pages")
-    endif()
-  else()
-    message(WARNING "Found no *nroff program")
-  endif()
+  set(USE_MANUAL ON)
 endif()
 
 # We need ansi c-flags, especially on HP
 set(CMAKE_C_FLAGS "${CMAKE_ANSI_CFLAGS} ${CMAKE_C_FLAGS}")
 set(CMAKE_REQUIRED_FLAGS ${CMAKE_ANSI_CFLAGS})
 
+if(CURL_STATIC_CRT)
+  set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
+  set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} /MT")
+  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} /MTd")
+endif()
+
 # Disable warnings on Borland to avoid changing 3rd party code.
 if(BORLAND)
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -w-")
-endif(BORLAND)
+endif()
 
 # If we are on AIX, do the _ALL_SOURCE magic
 if(${CMAKE_SYSTEM_NAME} MATCHES AIX)
   set(_ALL_SOURCE 1)
-endif(${CMAKE_SYSTEM_NAME} MATCHES AIX)
+endif()
 
 # Include all the necessary files for macros
-include (CheckFunctionExists)
-include (CheckIncludeFile)
-include (CheckIncludeFiles)
-include (CheckLibraryExists)
-include (CheckSymbolExists)
-include (CheckTypeSize)
-include (CheckCSourceCompiles)
-include (CMakeDependentOption)
+include(CMakePushCheckState)
+include(CheckFunctionExists)
+include(CheckIncludeFile)
+include(CheckIncludeFiles)
+include(CheckLibraryExists)
+include(CheckSymbolExists)
+include(CheckTypeSize)
+include(CheckCSourceCompiles)
 
 # On windows preload settings
 if(WIN32)
   set(CMAKE_REQUIRED_DEFINITIONS "${CMAKE_REQUIRED_DEFINITIONS} -D_WINSOCKAPI_=")
   include(${CMAKE_CURRENT_SOURCE_DIR}/CMake/Platforms/WindowsCache.cmake)
-endif(WIN32)
+endif()
 
 if(ENABLE_THREADED_RESOLVER)
+  find_package(Threads REQUIRED)
   if(WIN32)
     set(USE_THREADS_WIN32 ON)
   else()
-    check_include_file_concat("pthread.h" HAVE_PTHREAD_H)
-    if(HAVE_PTHREAD_H)
-      set(CMAKE_THREAD_PREFER_PTHREAD 1)
-      find_package(Threads)
-      if(CMAKE_USE_PTHREADS_INIT)
-        set(CURL_LIBS ${CURL_LIBS} ${CMAKE_THREAD_LIBS_INIT})
-        set(USE_THREADS_POSIX 1)
-      endif()
-    endif()
+    set(USE_THREADS_POSIX ${CMAKE_USE_PTHREADS_INIT})
+    set(HAVE_PTHREAD_H ${CMAKE_USE_PTHREADS_INIT})
   endif()
+  set(CURL_LIBS ${CURL_LIBS} ${CMAKE_THREAD_LIBS_INIT})
 endif()
 
 # Check for all needed libraries
-check_library_exists_concat("dl"     dlopen       HAVE_LIBDL)
+check_library_exists_concat("${CMAKE_DL_LIBS}" dlopen HAVE_LIBDL)
 check_library_exists_concat("socket" connect      HAVE_LIBSOCKET)
 check_library_exists("c" gethostbyname "" NOT_NEED_LIBNSL)
 
@@ -281,24 +286,25 @@
   set(NOT_NEED_LIBNSL 1)
   check_library_exists_concat("bind" gethostbyname HAVE_LIBBIND)
   check_library_exists_concat("bnetapi" closesocket HAVE_LIBBNETAPI)
-endif(BEOS)
+endif()
 
 if(NOT NOT_NEED_LIBNSL)
   check_library_exists_concat("nsl"    gethostbyname  HAVE_LIBNSL)
-endif(NOT NOT_NEED_LIBNSL)
+endif()
 
 check_function_exists(gethostname HAVE_GETHOSTNAME)
 
 if(WIN32)
   check_library_exists_concat("ws2_32" getch        HAVE_LIBWS2_32)
   check_library_exists_concat("winmm"  getch        HAVE_LIBWINMM)
+  list(APPEND CURL_LIBS "advapi32")
 endif()
 
 # check SSL libraries
-# TODO support GNUTLS, NSS, POLARSSL, AXTLS, CYASSL
+# TODO support GnuTLS
 
 if(APPLE)
-  option(CMAKE_USE_DARWINSSL "enable Apple OS native SSL/TLS" OFF)
+  option(CMAKE_USE_SECTRANSP "enable Apple OS native SSL/TLS" OFF)
 endif()
 if(WIN32)
   option(CMAKE_USE_WINSSL "enable Windows native SSL/TLS" OFF)
@@ -306,21 +312,27 @@
     CMAKE_USE_WINSSL OFF)
 endif()
 option(CMAKE_USE_MBEDTLS "Enable mbedTLS for SSL/TLS" OFF)
+option(CMAKE_USE_BEARSSL "Enable BearSSL for SSL/TLS" OFF)
+option(CMAKE_USE_NSS "Enable NSS for SSL/TLS" OFF)
+option(CMAKE_USE_WOLFSSL "enable wolfSSL for SSL/TLS" OFF)
 
 set(openssl_default ON)
-if(WIN32 OR CMAKE_USE_DARWINSSL OR CMAKE_USE_WINSSL OR CMAKE_USE_MBEDTLS)
+if(WIN32 OR CMAKE_USE_SECTRANSP OR CMAKE_USE_WINSSL OR CMAKE_USE_MBEDTLS OR CMAKE_USE_NSS OR CMAKE_USE_WOLFSSL)
   set(openssl_default OFF)
 endif()
 option(CMAKE_USE_OPENSSL "Use OpenSSL code. Experimental" ${openssl_default})
 
-collect_true(enabled_ssl_options enabled_ssl_options_count
+count_true(enabled_ssl_options_count
   CMAKE_USE_WINSSL
-  CMAKE_USE_DARWINSSL
+  CMAKE_USE_SECTRANSP
   CMAKE_USE_OPENSSL
   CMAKE_USE_MBEDTLS
+  CMAKE_USE_BEARSSL
+  CMAKE_USE_NSS
+  CMAKE_USE_WOLFSSL
 )
-if(enabled_ssl_options_count GREATER 1)
-  message(FATAL_ERROR "Multiple SSL options specified: ${enabled_ssl_options}. Please pick at most one and disable the rest.")
+if(enabled_ssl_options_count GREATER "1")
+  set(CURL_WITH_MULTI_SSL ON)
 endif()
 
 if(CMAKE_USE_WINSSL)
@@ -335,6 +347,10 @@
 endif()
 
 if(CMAKE_USE_DARWINSSL)
+  message(FATAL_ERROR "The cmake option CMAKE_USE_DARWINSSL was renamed to CMAKE_USE_SECTRANSP.")
+endif()
+
+if(CMAKE_USE_SECTRANSP)
   find_library(COREFOUNDATION_FRAMEWORK "CoreFoundation")
   if(NOT COREFOUNDATION_FRAMEWORK)
       message(FATAL_ERROR "CoreFoundation framework not found")
@@ -346,7 +362,7 @@
   endif()
 
   set(SSL_ENABLED ON)
-  set(USE_DARWINSSL ON)
+  set(USE_SECTRANSP ON)
   list(APPEND CURL_LIBS "${COREFOUNDATION_FRAMEWORK}" "${SECURITY_FRAMEWORK}")
 endif()
 
@@ -354,16 +370,21 @@
   find_package(OpenSSL REQUIRED)
   set(SSL_ENABLED ON)
   set(USE_OPENSSL ON)
-  set(HAVE_LIBCRYPTO ON)
-  set(HAVE_LIBSSL ON)
-  list(APPEND CURL_LIBS ${OPENSSL_LIBRARIES})
-  include_directories(${OPENSSL_INCLUDE_DIR})
+
+  # Depend on OpenSSL via imported targets if supported by the running
+  # version of CMake.  This allows our dependents to get our dependencies
+  # transitively.
+  if(NOT CMAKE_VERSION VERSION_LESS 3.4)
+    list(APPEND CURL_LIBS OpenSSL::SSL OpenSSL::Crypto)
+  else()
+    list(APPEND CURL_LIBS ${OPENSSL_LIBRARIES})
+    include_directories(${OPENSSL_INCLUDE_DIR})
+  endif()
+
   set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
   check_include_file("openssl/crypto.h" HAVE_OPENSSL_CRYPTO_H)
-  check_include_file("openssl/engine.h" HAVE_OPENSSL_ENGINE_H)
   check_include_file("openssl/err.h"    HAVE_OPENSSL_ERR_H)
   check_include_file("openssl/pem.h"    HAVE_OPENSSL_PEM_H)
-  check_include_file("openssl/pkcs12.h" HAVE_OPENSSL_PKCS12_H)
   check_include_file("openssl/rsa.h"    HAVE_OPENSSL_RSA_H)
   check_include_file("openssl/ssl.h"    HAVE_OPENSSL_SSL_H)
   check_include_file("openssl/x509.h"   HAVE_OPENSSL_X509_H)
@@ -378,7 +399,36 @@
   set(SSL_ENABLED ON)
   set(USE_MBEDTLS ON)
   list(APPEND CURL_LIBS ${MBEDTLS_LIBRARIES})
-  include_directories(${MBEDTLS_INCLUDE_DIR})
+  include_directories(${MBEDTLS_INCLUDE_DIRS})
+endif()
+
+if(CMAKE_USE_BEARSSL)
+  find_package(BearSSL REQUIRED)
+  set(SSL_ENABLED ON)
+  set(USE_BEARSSL ON)
+  list(APPEND CURL_LIBS ${BEARSSL_LIBRARY})
+  include_directories(${BEARSSL_INCLUDE_DIRS})
+endif()
+
+if(CMAKE_USE_WOLFSSL)
+  find_package(WolfSSL REQUIRED)
+  set(SSL_ENABLED ON)
+  set(USE_WOLFSSL ON)
+  list(APPEND CURL_LIBS ${WolfSSL_LIBRARIES})
+  include_directories(${WolfSSL_INCLUDE_DIRS})
+endif()
+
+if(CMAKE_USE_NSS)
+  find_package(NSS REQUIRED)
+  include_directories(${NSS_INCLUDE_DIRS})
+  list(APPEND CURL_LIBS ${NSS_LIBRARIES})
+  set(SSL_ENABLED ON)
+  set(USE_NSS ON)
+  cmake_push_check_state()
+  set(CMAKE_REQUIRED_INCLUDES ${NSS_INCLUDE_DIRS})
+  set(CMAKE_REQUIRED_LIBRARIES ${NSS_LIBRARIES})
+  check_symbol_exists(PK11_CreateManagedGenericObject "pk11pub.h" HAVE_PK11_CREATEMANAGEDGENERICOBJECT)
+  cmake_pop_check_state()
 endif()
 
 option(USE_NGHTTP2 "Use Nghttp2 library" OFF)
@@ -388,6 +438,10 @@
   list(APPEND CURL_LIBS ${NGHTTP2_LIBRARIES})
 endif()
 
+if(WIN32)
+  set(USE_WIN32_CRYPTO ON)
+endif()
+
 if(NOT CURL_DISABLE_LDAP)
   if(WIN32)
     option(USE_WIN32_LDAP "Use Windows LDAP implementation" ON)
@@ -473,6 +527,7 @@
         list(APPEND CMAKE_REQUIRED_LIBRARIES ${CMAKE_LBER_LIB})
       endif()
       check_c_source_compiles("${_SRC_STRING}" NOT_NEED_LBER_H)
+      unset(CMAKE_REQUIRED_LIBRARIES)
 
       if(NOT_NEED_LBER_H)
         set(NEED_LBER_H OFF)
@@ -481,7 +536,6 @@
       endif()
     endif()
   endif()
-
 endif()
 
 # No ldap, no ldaps.
@@ -506,19 +560,39 @@
 option(CURL_ZLIB "Set to ON to enable building curl with zlib support." ON)
 set(HAVE_LIBZ OFF)
 set(HAVE_ZLIB_H OFF)
-set(HAVE_ZLIB OFF)
+set(USE_ZLIB OFF)
 if(CURL_ZLIB)
   find_package(ZLIB QUIET)
   if(ZLIB_FOUND)
     set(HAVE_ZLIB_H ON)
-    set(HAVE_ZLIB ON)
     set(HAVE_LIBZ ON)
-    list(APPEND CURL_LIBS ${ZLIB_LIBRARIES})
-    include_directories(${ZLIB_INCLUDE_DIRS})
+    set(USE_ZLIB ON)
+
+    # Depend on ZLIB via imported targets if supported by the running
+    # version of CMake.  This allows our dependents to get our dependencies
+    # transitively.
+    if(NOT CMAKE_VERSION VERSION_LESS 3.4)
+      list(APPEND CURL_LIBS ZLIB::ZLIB)
+    else()
+      list(APPEND CURL_LIBS ${ZLIB_LIBRARIES})
+      include_directories(${ZLIB_INCLUDE_DIRS})
+    endif()
     list(APPEND CMAKE_REQUIRED_INCLUDES ${ZLIB_INCLUDE_DIRS})
   endif()
 endif()
 
+option(CURL_BROTLI "Set to ON to enable building curl with brotli support." OFF)
+set(HAVE_BROTLI OFF)
+if(CURL_BROTLI)
+  find_package(Brotli QUIET)
+  if(BROTLI_FOUND)
+    set(HAVE_BROTLI ON)
+    list(APPEND CURL_LIBS ${BROTLI_LIBRARIES})
+    include_directories(${BROTLI_INCLUDE_DIRS})
+    list(APPEND CMAKE_REQUIRED_INCLUDES ${BROTLI_INCLUDE_DIRS})
+  endif()
+endif()
+
 #libSSH2
 option(CMAKE_USE_LIBSSH2 "Use libSSH2" ON)
 mark_as_advanced(CMAKE_USE_LIBSSH2)
@@ -549,9 +623,9 @@
     check_function_exists(libssh2_scp_send64        HAVE_LIBSSH2_SCP_SEND64)
     check_function_exists(libssh2_session_handshake HAVE_LIBSSH2_SESSION_HANDSHAKE)
     set(CMAKE_EXTRA_INCLUDE_FILES "")
-
-  endif(LIBSSH2_FOUND)
-endif(CMAKE_USE_LIBSSH2)
+    unset(CMAKE_REQUIRED_LIBRARIES)
+  endif()
+endif()
 
 option(CMAKE_USE_GSSAPI "Use GSSAPI implementation (right now only Heimdal is supported with CMake build)" OFF)
 mark_as_advanced(CMAKE_USE_GSSAPI)
@@ -564,7 +638,7 @@
 
     message(STATUS "Found ${GSS_FLAVOUR} GSSAPI version: \"${GSS_VERSION}\"")
 
-    list(APPEND CMAKE_REQUIRED_INCLUDES ${GSS_INCLUDE_DIRECTORIES})
+    list(APPEND CMAKE_REQUIRED_INCLUDES ${GSS_INCLUDE_DIR})
     check_include_file_concat("gssapi/gssapi.h"  HAVE_GSSAPI_GSSAPI_H)
     check_include_file_concat("gssapi/gssapi_generic.h" HAVE_GSSAPI_GSSAPI_GENERIC_H)
     check_include_file_concat("gssapi/gssapi_krb5.h" HAVE_GSSAPI_GSSAPI_KRB5_H)
@@ -597,10 +671,11 @@
       if(NOT HAVE_GSS_C_NT_HOSTBASED_SERVICE)
         set(HAVE_OLD_GSSMIT ON)
       endif()
+      unset(CMAKE_REQUIRED_LIBRARIES)
 
     endif()
 
-    include_directories(${GSS_INCLUDE_DIRECTORIES})
+    include_directories(${GSS_INCLUDE_DIR})
     link_directories(${GSS_LINK_DIRECTORIES})
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${GSS_COMPILER_FLAGS}")
     set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${GSS_LINKER_FLAGS}")
@@ -620,6 +695,78 @@
   unset(USE_UNIX_SOCKETS CACHE)
 endif()
 
+#
+# CA handling
+#
+set(CURL_CA_BUNDLE "auto" CACHE STRING
+    "Path to the CA bundle. Set 'none' to disable or 'auto' for auto-detection. Defaults to 'auto'.")
+set(CURL_CA_FALLBACK OFF CACHE BOOL
+    "Set ON to use built-in CA store of TLS backend. Defaults to OFF")
+set(CURL_CA_PATH "auto" CACHE STRING
+    "Location of default CA path. Set 'none' to disable or 'auto' for auto-detection. Defaults to 'auto'.")
+
+if("${CURL_CA_BUNDLE}" STREQUAL "")
+  message(FATAL_ERROR "Invalid value of CURL_CA_BUNDLE. Use 'none', 'auto' or file path.")
+elseif("${CURL_CA_BUNDLE}" STREQUAL "none")
+  unset(CURL_CA_BUNDLE CACHE)
+elseif("${CURL_CA_BUNDLE}" STREQUAL "auto")
+  unset(CURL_CA_BUNDLE CACHE)
+  set(CURL_CA_BUNDLE_AUTODETECT TRUE)
+else()
+  set(CURL_CA_BUNDLE_SET TRUE)
+endif()
+
+if("${CURL_CA_PATH}" STREQUAL "")
+  message(FATAL_ERROR "Invalid value of CURL_CA_PATH. Use 'none', 'auto' or directory path.")
+elseif("${CURL_CA_PATH}" STREQUAL "none")
+  unset(CURL_CA_PATH CACHE)
+elseif("${CURL_CA_PATH}" STREQUAL "auto")
+  unset(CURL_CA_PATH CACHE)
+  if(NOT USE_NSS)
+    set(CURL_CA_PATH_AUTODETECT TRUE)
+  endif()
+else()
+  set(CURL_CA_PATH_SET TRUE)
+endif()
+
+if(CURL_CA_BUNDLE_SET AND CURL_CA_PATH_AUTODETECT)
+  # Skip autodetection of unset CA path because CA bundle is set explicitly
+elseif(CURL_CA_PATH_SET AND CURL_CA_BUNDLE_AUTODETECT)
+  # Skip autodetection of unset CA bundle because CA path is set explicitly
+elseif(CURL_CA_PATH_AUTODETECT OR CURL_CA_BUNDLE_AUTODETECT)
+  # first try autodetecting a CA bundle, then a CA path
+
+  if(CURL_CA_BUNDLE_AUTODETECT)
+    set(SEARCH_CA_BUNDLE_PATHS
+        /etc/ssl/certs/ca-certificates.crt
+        /etc/pki/tls/certs/ca-bundle.crt
+        /usr/share/ssl/certs/ca-bundle.crt
+        /usr/local/share/certs/ca-root-nss.crt
+        /etc/ssl/cert.pem)
+
+    foreach(SEARCH_CA_BUNDLE_PATH ${SEARCH_CA_BUNDLE_PATHS})
+      if(EXISTS "${SEARCH_CA_BUNDLE_PATH}")
+        message(STATUS "Found CA bundle: ${SEARCH_CA_BUNDLE_PATH}")
+        set(CURL_CA_BUNDLE "${SEARCH_CA_BUNDLE_PATH}")
+        set(CURL_CA_BUNDLE_SET TRUE CACHE BOOL "Path to the CA bundle has been set")
+        break()
+      endif()
+    endforeach()
+  endif()
+
+  if(CURL_CA_PATH_AUTODETECT AND (NOT CURL_CA_PATH_SET))
+    if(EXISTS "/etc/ssl/certs")
+      set(CURL_CA_PATH "/etc/ssl/certs")
+      set(CURL_CA_PATH_SET TRUE CACHE BOOL "Path to the CA bundle has been set")
+    endif()
+  endif()
+endif()
+
+if(CURL_CA_PATH_SET AND NOT USE_OPENSSL AND NOT USE_MBEDTLS)
+  message(STATUS
+          "CA path only supported by OpenSSL, GnuTLS or mbed TLS. "
+          "Set CURL_CA_PATH=none or enable one of those TLS backends.")
+endif()
 
 # Check for header files
 if(NOT UNIX)
@@ -630,7 +777,7 @@
   if(NOT CURL_WINDOWS_SSPI AND USE_OPENSSL)
     set(CURL_LIBS ${CURL_LIBS} "crypt32")
   endif()
-endif(NOT UNIX)
+endif()
 
 check_include_file_concat("stdio.h"          HAVE_STDIO_H)
 check_include_file_concat("inttypes.h"       HAVE_INTTYPES_H)
@@ -654,7 +801,6 @@
 check_include_file_concat("arpa/tftp.h"      HAVE_ARPA_TFTP_H)
 check_include_file_concat("assert.h"         HAVE_ASSERT_H)
 check_include_file_concat("crypto.h"         HAVE_CRYPTO_H)
-check_include_file_concat("des.h"            HAVE_DES_H)
 check_include_file_concat("err.h"            HAVE_ERR_H)
 check_include_file_concat("errno.h"          HAVE_ERRNO_H)
 check_include_file_concat("fcntl.h"          HAVE_FCNTL_H)
@@ -663,7 +809,6 @@
 check_include_file_concat("io.h"             HAVE_IO_H)
 check_include_file_concat("krb.h"            HAVE_KRB_H)
 check_include_file_concat("libgen.h"         HAVE_LIBGEN_H)
-check_include_file_concat("limits.h"         HAVE_LIMITS_H)
 check_include_file_concat("locale.h"         HAVE_LOCALE_H)
 check_include_file_concat("net/if.h"         HAVE_NET_IF_H)
 check_include_file_concat("netdb.h"          HAVE_NETDB_H)
@@ -714,61 +859,17 @@
 if(NOT HAVE_SIZEOF_SSIZE_T)
   if(SIZEOF_LONG EQUAL SIZEOF_SIZE_T)
     set(ssize_t long)
-  endif(SIZEOF_LONG EQUAL SIZEOF_SIZE_T)
+  endif()
   if(NOT ssize_t AND SIZEOF___INT64 EQUAL SIZEOF_SIZE_T)
     set(ssize_t __int64)
-  endif(NOT ssize_t AND SIZEOF___INT64 EQUAL SIZEOF_SIZE_T)
-endif(NOT HAVE_SIZEOF_SSIZE_T)
+  endif()
+endif()
 # off_t is sized later, after the HAVE_FILE_OFFSET_BITS test
 
-# Different sizeofs, etc.
-
-#    define CURL_SIZEOF_LONG        4
-#    define CURL_TYPEOF_CURL_OFF_T  long long
-#    define CURL_FORMAT_CURL_OFF_T  "lld"
-#    define CURL_FORMAT_CURL_OFF_TU "llu"
-#    define CURL_FORMAT_OFF_T       "%lld"
-#    define CURL_SIZEOF_CURL_OFF_T  8
-#    define CURL_SUFFIX_CURL_OFF_T  LL
-#    define CURL_SUFFIX_CURL_OFF_TU ULL
-
-set(CURL_SIZEOF_LONG ${SIZEOF_LONG})
-
-if(SIZEOF_LONG EQUAL 8)
-  set(CURL_TYPEOF_CURL_OFF_T long)
-  set(CURL_SIZEOF_CURL_OFF_T 8)
-  set(CURL_FORMAT_CURL_OFF_T "ld")
-  set(CURL_FORMAT_CURL_OFF_TU "lu")
-  set(CURL_FORMAT_OFF_T "%ld")
-  set(CURL_SUFFIX_CURL_OFF_T L)
-  set(CURL_SUFFIX_CURL_OFF_TU UL)
-endif(SIZEOF_LONG EQUAL 8)
-
-if(SIZEOF_LONG_LONG EQUAL 8)
-  set(CURL_TYPEOF_CURL_OFF_T "long long")
-  set(CURL_SIZEOF_CURL_OFF_T 8)
-  set(CURL_FORMAT_CURL_OFF_T "lld")
-  set(CURL_FORMAT_CURL_OFF_TU "llu")
-  set(CURL_FORMAT_OFF_T "%lld")
-  set(CURL_SUFFIX_CURL_OFF_T LL)
-  set(CURL_SUFFIX_CURL_OFF_TU ULL)
-endif(SIZEOF_LONG_LONG EQUAL 8)
-
-if(NOT CURL_TYPEOF_CURL_OFF_T)
-  set(CURL_TYPEOF_CURL_OFF_T ${ssize_t})
-  set(CURL_SIZEOF_CURL_OFF_T ${SIZEOF_SSIZE_T})
-  # TODO: need adjustment here.
-  set(CURL_FORMAT_CURL_OFF_T "ld")
-  set(CURL_FORMAT_CURL_OFF_TU "lu")
-  set(CURL_FORMAT_OFF_T "%ld")
-  set(CURL_SUFFIX_CURL_OFF_T L)
-  set(CURL_SUFFIX_CURL_OFF_TU LU)
-endif(NOT CURL_TYPEOF_CURL_OFF_T)
-
 if(HAVE_SIZEOF_LONG_LONG)
   set(HAVE_LONGLONG 1)
   set(HAVE_LL 1)
-endif(HAVE_SIZEOF_LONG_LONG)
+endif()
 
 find_file(RANDOM_FILE urandom /dev)
 mark_as_advanced(RANDOM_FILE)
@@ -782,12 +883,8 @@
 
 check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
 check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
-# poll on macOS is unreliable, it first did not exist, then was broken until
-# fixed in 10.9 only to break again in 10.12.
-if(NOT APPLE)
-  check_symbol_exists(poll        "${CURL_INCLUDES}" HAVE_POLL)
-endif()
 check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
+check_symbol_exists(poll          "${CURL_INCLUDES}" HAVE_POLL)
 check_symbol_exists(strdup        "${CURL_INCLUDES}" HAVE_STRDUP)
 check_symbol_exists(strstr        "${CURL_INCLUDES}" HAVE_STRSTR)
 check_symbol_exists(strtok_r      "${CURL_INCLUDES}" HAVE_STRTOK_R)
@@ -800,7 +897,7 @@
 check_symbol_exists(alarm         "${CURL_INCLUDES}" HAVE_ALARM)
 if(NOT HAVE_STRNCMPI)
   set(HAVE_STRCMPI)
-endif(NOT HAVE_STRNCMPI)
+endif()
 check_symbol_exists(gethostbyaddr "${CURL_INCLUDES}" HAVE_GETHOSTBYADDR)
 check_symbol_exists(gethostbyaddr_r "${CURL_INCLUDES}" HAVE_GETHOSTBYADDR_R)
 check_symbol_exists(gettimeofday  "${CURL_INCLUDES}" HAVE_GETTIMEOFDAY)
@@ -816,7 +913,9 @@
 check_symbol_exists(getpass_r     "${CURL_INCLUDES}" HAVE_GETPASS_R)
 check_symbol_exists(strlcat       "${CURL_INCLUDES}" HAVE_STRLCAT)
 check_symbol_exists(getpwuid      "${CURL_INCLUDES}" HAVE_GETPWUID)
+check_symbol_exists(getpwuid_r    "${CURL_INCLUDES}" HAVE_GETPWUID_R)
 check_symbol_exists(geteuid       "${CURL_INCLUDES}" HAVE_GETEUID)
+check_symbol_exists(usleep        "${CURL_INCLUDES}" HAVE_USLEEP)
 check_symbol_exists(utime         "${CURL_INCLUDES}" HAVE_UTIME)
 check_symbol_exists(gmtime_r      "${CURL_INCLUDES}" HAVE_GMTIME_R)
 check_symbol_exists(localtime_r   "${CURL_INCLUDES}" HAVE_LOCALTIME_R)
@@ -828,7 +927,7 @@
 check_symbol_exists(SIGALRM       "${CURL_INCLUDES}" HAVE_SIGNAL_MACRO)
 if(HAVE_SIGNAL_FUNC AND HAVE_SIGNAL_MACRO)
   set(HAVE_SIGNAL 1)
-endif(HAVE_SIGNAL_FUNC AND HAVE_SIGNAL_MACRO)
+endif()
 check_symbol_exists(uname          "${CURL_INCLUDES}" HAVE_UNAME)
 check_symbol_exists(strtoll        "${CURL_INCLUDES}" HAVE_STRTOLL)
 check_symbol_exists(_strtoi64      "${CURL_INCLUDES}" HAVE__STRTOI64)
@@ -842,42 +941,45 @@
 check_symbol_exists(pipe           "${CURL_INCLUDES}" HAVE_PIPE)
 check_symbol_exists(ftruncate      "${CURL_INCLUDES}" HAVE_FTRUNCATE)
 check_symbol_exists(getprotobyname "${CURL_INCLUDES}" HAVE_GETPROTOBYNAME)
+check_symbol_exists(getpeername    "${CURL_INCLUDES}" HAVE_GETPEERNAME)
+check_symbol_exists(getsockname    "${CURL_INCLUDES}" HAVE_GETSOCKNAME)
+check_symbol_exists(if_nametoindex "${CURL_INCLUDES}" HAVE_IF_NAMETOINDEX)
 check_symbol_exists(getrlimit      "${CURL_INCLUDES}" HAVE_GETRLIMIT)
 check_symbol_exists(setlocale      "${CURL_INCLUDES}" HAVE_SETLOCALE)
+check_symbol_exists(setmode        "${CURL_INCLUDES}" HAVE_SETMODE)
 check_symbol_exists(setrlimit      "${CURL_INCLUDES}" HAVE_SETRLIMIT)
 check_symbol_exists(fcntl          "${CURL_INCLUDES}" HAVE_FCNTL)
 check_symbol_exists(ioctl          "${CURL_INCLUDES}" HAVE_IOCTL)
 check_symbol_exists(setsockopt     "${CURL_INCLUDES}" HAVE_SETSOCKOPT)
-
-# symbol exists in win32, but function does not.
-check_function_exists(inet_pton HAVE_INET_PTON)
+check_function_exists(mach_absolute_time HAVE_MACH_ABSOLUTE_TIME)
+check_symbol_exists(inet_pton      "${CURL_INCLUDES}" HAVE_INET_PTON)
 
 check_symbol_exists(fsetxattr "${CURL_INCLUDES}" HAVE_FSETXATTR)
 if(HAVE_FSETXATTR)
   foreach(CURL_TEST HAVE_FSETXATTR_5 HAVE_FSETXATTR_6)
-    curl_internal_test_run(${CURL_TEST})
-  endforeach(CURL_TEST)
-endif(HAVE_FSETXATTR)
+    curl_internal_test(${CURL_TEST})
+  endforeach()
+endif()
 
 # sigaction and sigsetjmp are special. Use special mechanism for
 # detecting those, but only if previous attempt failed.
 if(HAVE_SIGNAL_H)
   check_symbol_exists(sigaction "signal.h" HAVE_SIGACTION)
-endif(HAVE_SIGNAL_H)
+endif()
 
 if(NOT HAVE_SIGSETJMP)
   if(HAVE_SETJMP_H)
     check_symbol_exists(sigsetjmp "setjmp.h" HAVE_MACRO_SIGSETJMP)
     if(HAVE_MACRO_SIGSETJMP)
       set(HAVE_SIGSETJMP 1)
-    endif(HAVE_MACRO_SIGSETJMP)
-  endif(HAVE_SETJMP_H)
-endif(NOT HAVE_SIGSETJMP)
+    endif()
+  endif()
+endif()
 
 # If there is no stricmp(), do not allow LDAP to parse URLs
 if(NOT HAVE_STRICMP)
   set(HAVE_LDAP_URL_PARSE 1)
-endif(NOT HAVE_STRICMP)
+endif()
 
 # Do curl specific tests
 foreach(CURL_TEST
@@ -904,7 +1006,6 @@
     HAVE_GETHOSTBYNAME_R_3_REENTRANT
     HAVE_GETHOSTBYNAME_R_5_REENTRANT
     HAVE_GETHOSTBYNAME_R_6_REENTRANT
-    HAVE_SOCKLEN_T
     HAVE_IN_ADDR_T
     HAVE_BOOL_T
     STDC_HEADERS
@@ -913,23 +1014,32 @@
     HAVE_INET_NTOA_R_DECL_REENTRANT
     HAVE_GETADDRINFO
     HAVE_FILE_OFFSET_BITS
+    HAVE_VARIADIC_MACROS_C99
+    HAVE_VARIADIC_MACROS_GCC
     )
   curl_internal_test(${CURL_TEST})
-endforeach(CURL_TEST)
+endforeach()
 
 if(HAVE_FILE_OFFSET_BITS)
   set(_FILE_OFFSET_BITS 64)
   set(CMAKE_REQUIRED_FLAGS "-D_FILE_OFFSET_BITS=64")
-endif(HAVE_FILE_OFFSET_BITS)
+endif()
 check_type_size("off_t"  SIZEOF_OFF_T)
+
+# include this header to get the type
+set(CMAKE_REQUIRED_INCLUDES "${CURL_SOURCE_DIR}/include")
+set(CMAKE_EXTRA_INCLUDE_FILES "curl/system.h")
+check_type_size("curl_off_t"  SIZEOF_CURL_OFF_T)
+set(CMAKE_EXTRA_INCLUDE_FILES "")
+
 set(CMAKE_REQUIRED_FLAGS)
 
 foreach(CURL_TEST
     HAVE_GLIBC_STRERROR_R
     HAVE_POSIX_STRERROR_R
     )
-  curl_internal_test_run(${CURL_TEST})
-endforeach(CURL_TEST)
+  curl_internal_test(${CURL_TEST})
+endforeach()
 
 # Check for reentrant
 foreach(CURL_TEST
@@ -943,9 +1053,9 @@
   if(NOT ${CURL_TEST})
     if(${CURL_TEST}_REENTRANT)
       set(NEED_REENTRANT 1)
-    endif(${CURL_TEST}_REENTRANT)
-  endif(NOT ${CURL_TEST})
-endforeach(CURL_TEST)
+    endif()
+  endif()
+endforeach()
 
 if(NEED_REENTRANT)
   foreach(CURL_TEST
@@ -958,32 +1068,38 @@
     set(${CURL_TEST} 0)
     if(${CURL_TEST}_REENTRANT)
       set(${CURL_TEST} 1)
-    endif(${CURL_TEST}_REENTRANT)
-  endforeach(CURL_TEST)
-endif(NEED_REENTRANT)
+    endif()
+  endforeach()
+endif()
 
 if(HAVE_INET_NTOA_R_DECL_REENTRANT)
   set(HAVE_INET_NTOA_R_DECL 1)
   set(NEED_REENTRANT 1)
-endif(HAVE_INET_NTOA_R_DECL_REENTRANT)
+endif()
+
+# Check clock_gettime(CLOCK_MONOTONIC, x) support
+curl_internal_test(HAVE_CLOCK_GETTIME_MONOTONIC)
+
+# Check compiler support of __builtin_available()
+curl_internal_test(HAVE_BUILTIN_AVAILABLE)
 
 # Some other minor tests
 
 if(NOT HAVE_IN_ADDR_T)
   set(in_addr_t "unsigned long")
-endif(NOT HAVE_IN_ADDR_T)
+endif()
 
 # Fix libz / zlib.h
 
 if(NOT CURL_SPECIAL_LIBZ)
   if(NOT HAVE_LIBZ)
     set(HAVE_ZLIB_H 0)
-  endif(NOT HAVE_LIBZ)
+  endif()
 
   if(NOT HAVE_ZLIB_H)
     set(HAVE_LIBZ 0)
-  endif(NOT HAVE_ZLIB_H)
-endif(NOT CURL_SPECIAL_LIBZ)
+  endif()
+endif()
 
 # Check for nonblocking
 set(HAVE_DISABLED_NONBLOCKING 1)
@@ -992,16 +1108,13 @@
     HAVE_IOCTLSOCKET_CASE OR
     HAVE_O_NONBLOCK)
   set(HAVE_DISABLED_NONBLOCKING)
-endif(HAVE_FIONBIO OR
-  HAVE_IOCTLSOCKET OR
-  HAVE_IOCTLSOCKET_CASE OR
-  HAVE_O_NONBLOCK)
+endif()
 
 if(RETSIGTYPE_TEST)
   set(RETSIGTYPE void)
-else(RETSIGTYPE_TEST)
+else()
   set(RETSIGTYPE int)
-endif(RETSIGTYPE_TEST)
+endif()
 
 if(CMAKE_COMPILER_IS_GNUCC AND APPLE)
   include(CheckCCompilerFlag)
@@ -1011,33 +1124,15 @@
     get_source_file_property(MPRINTF_COMPILE_FLAGS mprintf.c COMPILE_FLAGS)
     if(MPRINTF_COMPILE_FLAGS)
       set(MPRINTF_COMPILE_FLAGS "${MPRINTF_COMPILE_FLAGS} -Wno-long-double")
-    else(MPRINTF_COMPILE_FLAGS)
+    else()
       set(MPRINTF_COMPILE_FLAGS "-Wno-long-double")
-    endif(MPRINTF_COMPILE_FLAGS)
+    endif()
     set_source_files_properties(mprintf.c PROPERTIES
       COMPILE_FLAGS ${MPRINTF_COMPILE_FLAGS})
-  endif(HAVE_C_FLAG_Wno_long_double)
-endif(CMAKE_COMPILER_IS_GNUCC AND APPLE)
-
-if(HAVE_SOCKLEN_T)
-  set(CURL_TYPEOF_CURL_SOCKLEN_T "socklen_t")
-  if(WIN32)
-    set(CMAKE_EXTRA_INCLUDE_FILES "winsock2.h;ws2tcpip.h")
-  elseif(HAVE_SYS_SOCKET_H)
-    set(CMAKE_EXTRA_INCLUDE_FILES "sys/socket.h")
   endif()
-  check_type_size("socklen_t" CURL_SIZEOF_CURL_SOCKLEN_T)
-  set(CMAKE_EXTRA_INCLUDE_FILES)
-  if(NOT HAVE_CURL_SIZEOF_CURL_SOCKLEN_T)
-    message(FATAL_ERROR
-     "Check for sizeof socklen_t failed, see CMakeFiles/CMakerror.log")
-  endif()
-else()
-  set(CURL_TYPEOF_CURL_SOCKLEN_T int)
-  set(CURL_SIZEOF_CURL_SOCKLEN_T ${SIZEOF_INT})
 endif()
 
-# TODO test which of these headers are required for the typedefs used in curlbuild.h
+# TODO test which of these headers are required
 if(WIN32)
   set(CURL_PULL_WS2TCPIP_H ${HAVE_WS2TCPIP_H})
 else()
@@ -1052,22 +1147,54 @@
 
 add_definitions(-DHAVE_CONFIG_H)
 
-# For windows, do not allow the compiler to use default target (Vista).
-if(WIN32)
-  add_definitions(-D_WIN32_WINNT=0x0501)
-endif(WIN32)
-
-# For windows, all compilers used by cmake should support large files
+# For Windows, all compilers used by CMake should support large files
 if(WIN32)
   set(USE_WIN32_LARGE_FILES ON)
-endif(WIN32)
+
+  # Use the manifest embedded in the Windows Resource
+  set(CMAKE_RC_FLAGS "${CMAKE_RC_FLAGS} -DCURL_EMBED_MANIFEST")
+endif()
 
 if(MSVC)
+  # Disable default manifest added by CMake
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /MANIFEST:NO")
+
   add_definitions(-D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE)
-endif(MSVC)
+  if(CMAKE_C_FLAGS MATCHES "/W[0-4]")
+    string(REGEX REPLACE "/W[0-4]" "/W4" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+  else()
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W4")
+  endif()
+endif()
+
+if(CURL_WERROR)
+  if(MSVC_VERSION)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
+  else()
+    # this assumes clang or gcc style options
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
+  endif()
+endif()
+
+if(CURL_LTO)
+  if(CMAKE_VERSION VERSION_LESS 3.9)
+    message(FATAL_ERROR "Requested LTO but your cmake version ${CMAKE_VERSION} is to old. You need at least 3.9")
+  endif()
+
+  cmake_policy(SET CMP0069 NEW)
+
+  include(CheckIPOSupported)
+  check_ipo_supported(RESULT CURL_HAS_LTO OUTPUT CURL_LTO_ERROR LANGUAGES C)
+  if(CURL_HAS_LTO)
+    message(STATUS "LTO supported and enabled")
+  else()
+    message(FATAL_ERROR "LTO was requested - but compiler doesn't support it\n${CURL_LTO_ERROR}")
+  endif()
+endif()
+
 
 # Ugly (but functional) way to include "Makefile.inc" by transforming it (= regenerate it).
-function(TRANSFORM_MAKEFILE_INC INPUT_FILE OUTPUT_FILE)
+function(transform_makefile_inc INPUT_FILE OUTPUT_FILE)
   file(READ ${INPUT_FILE} MAKEFILE_INC_TEXT)
   string(REPLACE "$(top_srcdir)"   "\${CURL_SOURCE_DIR}" MAKEFILE_INC_TEXT ${MAKEFILE_INC_TEXT})
   string(REPLACE "$(top_builddir)" "\${CURL_BINARY_DIR}" MAKEFILE_INC_TEXT ${MAKEFILE_INC_TEXT})
@@ -1082,7 +1209,20 @@
 
 endfunction()
 
+include(GNUInstallDirs)
+
+set(CURL_INSTALL_CMAKE_DIR ${CMAKE_INSTALL_LIBDIR}/cmake/${PROJECT_NAME})
+set(TARGETS_EXPORT_NAME "${PROJECT_NAME}Targets")
+set(generated_dir "${CMAKE_CURRENT_BINARY_DIR}/generated")
+set(project_config "${generated_dir}/${PROJECT_NAME}Config.cmake")
+set(version_config "${generated_dir}/${PROJECT_NAME}ConfigVersion.cmake")
+
+if(USE_MANUAL)
+  add_subdirectory(docs)
+endif()
+
 add_subdirectory(lib)
+
 if(BUILD_CURL_EXE)
   add_subdirectory(src)
 endif()
@@ -1092,21 +1232,26 @@
   add_subdirectory(tests)
 endif()
 
+# NTLM support requires crypto function adaptions from various SSL libs
+# TODO alternative SSL libs tests for SSP1, GNUTLS, NSS
+if(NOT CURL_DISABLE_CRYPTO_AUTH AND (USE_OPENSSL OR USE_WINDOWS_SSPI OR USE_DARWINSSL OR USE_MBEDTLS OR USE_WIN32_CRYPTO))
+  set(use_ntlm ON)
+else()
+  set(use_ntlm OFF)
+endif()
+
 # Helper to populate a list (_items) with a label when conditions (the remaining
 # args) are satisfied
-function(_add_if label)
-  # TODO need to disable policy CMP0054 (CMake 3.1) to allow this indirection
+macro(_add_if label)
+  # needs to be a macro to allow this indirection
   if(${ARGN})
-    set(_items ${_items} "${label}" PARENT_SCOPE)
+    set(_items ${_items} "${label}")
   endif()
-endfunction()
+endmacro()
 
 # Clear list and try to detect available features
 set(_items)
-_add_if("WinSSL"        SSL_ENABLED AND USE_WINDOWS_SSPI)
-_add_if("OpenSSL"       SSL_ENABLED AND USE_OPENSSL)
-_add_if("DarwinSSL"     SSL_ENABLED AND USE_DARWINSSL)
-_add_if("mbedTLS"       SSL_ENABLED AND USE_MBEDTLS)
+_add_if("SSL"           SSL_ENABLED)
 _add_if("IPv6"          ENABLE_IPV6)
 _add_if("unix-sockets"  USE_UNIX_SOCKETS)
 _add_if("libz"          HAVE_LIBZ)
@@ -1124,16 +1269,14 @@
                         (HAVE_GSSAPI OR USE_WINDOWS_SSPI))
 # NTLM support requires crypto function adaptions from various SSL libs
 # TODO alternative SSL libs tests for SSP1, GNUTLS, NSS
-if(NOT CURL_DISABLE_CRYPTO_AUTH AND (USE_OPENSSL OR
-   USE_WINDOWS_SSPI OR GNUTLS_ENABLED OR NSS_ENABLED OR USE_DARWINSSL OR USE_MBEDTLS))
-  _add_if("NTLM"        1)
-  # TODO missing option (autoconf: --enable-ntlm-wb)
-  _add_if("NTLM_WB"     NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED)
-endif()
+_add_if("NTLM"        use_ntlm)
+# TODO missing option (autoconf: --enable-ntlm-wb)
+_add_if("NTLM_WB"     use_ntlm AND NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED)
 # TODO missing option (--enable-tls-srp), depends on GNUTLS_SRP/OPENSSL_SRP
 _add_if("TLS-SRP"       USE_TLS_SRP)
 # TODO option --with-nghttp2 tests for nghttp2 lib and nghttp2/nghttp2.h header
 _add_if("HTTP2"         USE_NGHTTP2)
+_add_if("HTTPS-proxy"   SSL_ENABLED AND (USE_OPENSSL OR USE_GNUTLS OR USE_NSS))
 string(REPLACE ";" " " SUPPORT_FEATURES "${_items}")
 message(STATUS "Enabled features: ${SUPPORT_FEATURES}")
 
@@ -1158,30 +1301,49 @@
 _add_if("POP3S"         NOT CURL_DISABLE_POP3 AND SSL_ENABLED)
 _add_if("IMAP"          NOT CURL_DISABLE_IMAP)
 _add_if("IMAPS"         NOT CURL_DISABLE_IMAP AND SSL_ENABLED)
+_add_if("SMB"           NOT CURL_DISABLE_SMB AND use_ntlm)
+_add_if("SMBS"          NOT CURL_DISABLE_SMB AND SSL_ENABLED AND use_ntlm)
 _add_if("SMTP"          NOT CURL_DISABLE_SMTP)
 _add_if("SMTPS"         NOT CURL_DISABLE_SMTP AND SSL_ENABLED)
 _add_if("SCP"           USE_LIBSSH2)
 _add_if("SFTP"          USE_LIBSSH2)
 _add_if("RTSP"          NOT CURL_DISABLE_RTSP)
 _add_if("RTMP"          USE_LIBRTMP)
-list(SORT _items)
+_add_if("MQTT"          CURL_ENABLE_MQTT)
+if(_items)
+  list(SORT _items)
+endif()
 string(REPLACE ";" " " SUPPORT_PROTOCOLS "${_items}")
 message(STATUS "Enabled protocols: ${SUPPORT_PROTOCOLS}")
 
+# Clear list and collect SSL backends
+set(_items)
+_add_if("WinSSL"           SSL_ENABLED AND USE_WINDOWS_SSPI)
+_add_if("OpenSSL"          SSL_ENABLED AND USE_OPENSSL)
+_add_if("Secure Transport" SSL_ENABLED AND USE_SECTRANSP)
+_add_if("mbedTLS"          SSL_ENABLED AND USE_MBEDTLS)
+_add_if("BearSSL"          SSL_ENABLED AND USE_BEARSSL)
+_add_if("NSS"              SSL_ENABLED AND USE_NSS)
+_add_if("wolfSSL"          SSL_ENABLED AND USE_WOLFSSL)
+if(_items)
+  list(SORT _items)
+endif()
+string(REPLACE ";" " " SSL_BACKENDS "${_items}")
+message(STATUS "Enabled SSL backends: ${SSL_BACKENDS}")
+
 # curl-config needs the following options to be set.
 set(CC                      "${CMAKE_C_COMPILER}")
 # TODO probably put a -D... options here?
 set(CONFIGURE_OPTIONS       "")
 # TODO when to set "-DCURL_STATICLIB" for CPPFLAG_CURL_STATICLIB?
 set(CPPFLAG_CURL_STATICLIB  "")
-# TODO need to set this (see CURL_CHECK_CA_BUNDLE in acinclude.m4)
-set(CURL_CA_BUNDLE          "")
 set(CURLVERSION             "${CURL_VERSION}")
-set(ENABLE_SHARED           "yes")
-if(CURL_STATICLIB)
-  set(ENABLE_STATIC         "yes")
-else()
+if(BUILD_SHARED_LIBS)
+  set(ENABLE_SHARED         "yes")
   set(ENABLE_STATIC         "no")
+else()
+  set(ENABLE_SHARED         "no")
+  set(ENABLE_STATIC         "yes")
 endif()
 set(exec_prefix             "\${prefix}")
 set(includedir              "\${prefix}/include")
@@ -1189,7 +1351,7 @@
 set(LIBCURL_LIBS            "")
 set(libdir                  "${CMAKE_INSTALL_PREFIX}/lib")
 foreach(_lib ${CMAKE_C_IMPLICIT_LINK_LIBRARIES} ${CURL_LIBS})
-  if(_lib MATCHES ".*/.*")
+  if(_lib MATCHES ".*/.*" OR _lib MATCHES "^-")
     set(LIBCURL_LIBS          "${LIBCURL_LIBS} ${_lib}")
   else()
     set(LIBCURL_LIBS          "${LIBCURL_LIBS} -l${_lib}")
@@ -1205,10 +1367,13 @@
 set(VERSIONNUM              "${CURL_VERSION_NUM}")
 
 # Finally generate a "curl-config" matching this config
+# Use:
+# * ENABLE_SHARED
+# * ENABLE_STATIC
 configure_file("${CURL_SOURCE_DIR}/curl-config.in"
                "${CURL_BINARY_DIR}/curl-config" @ONLY)
 install(FILES "${CURL_BINARY_DIR}/curl-config"
-        DESTINATION bin
+        DESTINATION ${CMAKE_INSTALL_BINDIR}
         PERMISSIONS
           OWNER_READ OWNER_WRITE OWNER_EXECUTE
           GROUP_READ GROUP_EXECUTE
@@ -1218,23 +1383,38 @@
 configure_file("${CURL_SOURCE_DIR}/libcurl.pc.in"
                "${CURL_BINARY_DIR}/libcurl.pc" @ONLY)
 install(FILES "${CURL_BINARY_DIR}/libcurl.pc"
-        DESTINATION lib/pkgconfig)
+        DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
 
-# This needs to be run very last so other parts of the scripts can take advantage of this.
-if(NOT CURL_CONFIG_HAS_BEEN_RUN_BEFORE)
-  set(CURL_CONFIG_HAS_BEEN_RUN_BEFORE 1 CACHE INTERNAL "Flag to track whether this is the first time running CMake or if CMake has been configured before")
-endif()
-
-# Installation.
-# First, install generated curlbuild.h
-install(FILES "${CMAKE_CURRENT_BINARY_DIR}/include/curl/curlbuild.h"
-    DESTINATION include/curl )
-# Next, install other headers excluding curlbuild.h
+# install headers
 install(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/include/curl"
-    DESTINATION include
-    FILES_MATCHING PATTERN "*.h"
-    PATTERN "curlbuild.h" EXCLUDE)
+    DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+    FILES_MATCHING PATTERN "*.h")
 
+include(CMakePackageConfigHelpers)
+write_basic_package_version_file(
+    "${version_config}"
+    VERSION ${CURL_VERSION}
+    COMPATIBILITY SameMajorVersion
+)
+
+# Use:
+# * TARGETS_EXPORT_NAME
+# * PROJECT_NAME
+configure_package_config_file(CMake/curl-config.cmake.in
+        "${project_config}"
+        INSTALL_DESTINATION ${CURL_INSTALL_CMAKE_DIR}
+)
+
+install(
+        EXPORT "${TARGETS_EXPORT_NAME}"
+        NAMESPACE "${PROJECT_NAME}::"
+        DESTINATION ${CURL_INSTALL_CMAKE_DIR}
+)
+
+install(
+        FILES ${version_config} ${project_config}
+        DESTINATION ${CURL_INSTALL_CMAKE_DIR}
+)
 
 # Workaround for MSVS10 to avoid the Dialog Hell
 # FIXME: This could be removed with future version of CMake.
@@ -1244,3 +1424,14 @@
     file(APPEND "${CURL_SLN_FILENAME}" "\n# This should be regenerated!\n")
   endif()
 endif()
+
+if(NOT TARGET uninstall)
+  configure_file(
+      ${CMAKE_CURRENT_SOURCE_DIR}/CMake/cmake_uninstall.cmake.in
+      ${CMAKE_CURRENT_BINARY_DIR}/CMake/cmake_uninstall.cmake
+      IMMEDIATE @ONLY)
+
+  add_custom_target(uninstall
+      COMMAND ${CMAKE_COMMAND} -P
+      ${CMAKE_CURRENT_BINARY_DIR}/CMake/cmake_uninstall.cmake)
+endif()
diff --git a/COPYING b/COPYING
index 1e45a5e..9d9e4af 100644
--- a/COPYING
+++ b/COPYING
@@ -1,6 +1,6 @@
 COPYRIGHT AND PERMISSION NOTICE
 
-Copyright (c) 1996 - 2017, Daniel Stenberg, <daniel@haxx.se>, and many
+Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
 contributors, see the THANKS file.
 
 All rights reserved.
diff --git a/CTestConfig.cmake b/CTestConfig.cmake
deleted file mode 100644
index 6b1e798..0000000
--- a/CTestConfig.cmake
+++ /dev/null
@@ -1,13 +0,0 @@
-## This file should be placed in the root directory of your project.
-## Then modify the CMakeLists.txt file in the root directory of your
-## project to incorporate the testing dashboard.
-## # The following are required to uses Dart and the Cdash dashboard
-##   ENABLE_TESTING()
-##   INCLUDE(Dart)
-set(CTEST_PROJECT_NAME "CURL")
-set(CTEST_NIGHTLY_START_TIME "00:00:00 EST")
-
-set(CTEST_DROP_METHOD "http")
-set(CTEST_DROP_SITE "my.cdash.org")
-set(CTEST_DROP_LOCATION "/submit.php?project=CURL")
-set(CTEST_DROP_SITE_CDASH TRUE)
diff --git a/MacOSX-Framework b/MacOSX-Framework
index 19b338f..4cf23f0 100755
--- a/MacOSX-Framework
+++ b/MacOSX-Framework
@@ -1,4 +1,25 @@
 #!/bin/bash
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
 # This script performs all of the steps needed to build a
 # universal binary libcurl.framework for Mac OS X 10.4 or greater.
 #
@@ -126,15 +147,6 @@
     pwd
     lipo libcurl.framework/${FRAMEWORK_VERSION}/libcurl32 libcurl.framework/${FRAMEWORK_VERSION}/libcurl64 -create -output libcurl.framework/${FRAMEWORK_VERSION}/libcurl
     rm libcurl.framework/${FRAMEWORK_VERSION}/libcurl32 libcurl.framework/${FRAMEWORK_VERSION}/libcurl64
-    cp libcurl.framework/${FRAMEWORK_VERSION}/Headers/curl/curlbuild.h libcurl.framework/${FRAMEWORK_VERSION}/Headers/curl/curlbuild32.h
-    cp include/curl/curlbuild.h libcurl.framework/${FRAMEWORK_VERSION}/Headers/curl/curlbuild64.h
-    cat >libcurl.framework/${FRAMEWORK_VERSION}/Headers/curl/curlbuild.h <<EOF
-#ifdef __LP64__
-#include "curl/curlbuild64.h"
-#else
-#include "curl/curlbuild32.h"
-#endif
-EOF
   fi
 
   pwd
diff --git a/Makefile.am b/Makefile.am
index 1507a84..2f70980 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -24,13 +24,24 @@
 
 ACLOCAL_AMFLAGS = -I m4
 
-CMAKE_DIST = CMakeLists.txt CMake/CMakeConfigurableFile.in      \
- CMake/CurlTests.c CMake/FindGSS.cmake CMake/OtherTests.cmake   \
- CMake/Platforms/WindowsCache.cmake CMake/Utilities.cmake       \
- include/curl/curlbuild.h.cmake CMake/Macros.cmake              \
- CMake/CurlSymbolHiding.cmake CMake/FindCARES.cmake             \
- CMake/FindLibSSH2.cmake CMake/FindNGHTTP2.cmake
-
+CMAKE_DIST =                                    \
+ CMake/cmake_uninstall.cmake.in                 \
+ CMake/CMakeConfigurableFile.in                 \
+ CMake/curl-config.cmake.in                     \
+ CMake/CurlSymbolHiding.cmake                   \
+ CMake/CurlTests.c                              \
+ CMake/FindBearSSL.cmake                        \
+ CMake/FindCARES.cmake                          \
+ CMake/FindGSS.cmake                            \
+ CMake/FindLibSSH2.cmake                        \
+ CMake/FindMbedTLS.cmake                        \
+ CMake/FindNGHTTP2.cmake                        \
+ CMake/FindWolfSSL.cmake                        \
+ CMake/Macros.cmake                             \
+ CMake/OtherTests.cmake                         \
+ CMake/Platforms/WindowsCache.cmake             \
+ CMake/Utilities.cmake                          \
+ CMakeLists.txt
 
 VC6_LIBTMPL = projects/Windows/VC6/lib/libcurl.tmpl
 VC6_LIBDSP = projects/Windows/VC6/lib/libcurl.dsp.dist
@@ -95,6 +106,13 @@
 VC14_SRCVCXPROJ = projects/Windows/VC14/src/curl.vcxproj.dist
 VC14_SRCVCXPROJ_DEPS = $(VC14_SRCTMPL) Makefile.am src/Makefile.inc
 
+VC15_LIBTMPL = projects/Windows/VC15/lib/libcurl.tmpl
+VC15_LIBVCXPROJ = projects/Windows/VC15/lib/libcurl.vcxproj.dist
+VC15_LIBVCXPROJ_DEPS = $(VC15_LIBTMPL) Makefile.am lib/Makefile.inc
+VC15_SRCTMPL = projects/Windows/VC15/src/curl.tmpl
+VC15_SRCVCXPROJ = projects/Windows/VC15/src/curl.vcxproj.dist
+VC15_SRCVCXPROJ_DEPS = $(VC15_SRCTMPL) Makefile.am src/Makefile.inc
+
 VC_DIST = projects/README                           \
  projects/build-openssl.bat                         \
  projects/build-wolfssl.bat                         \
@@ -133,26 +151,45 @@
  projects/Windows/VC14/lib/libcurl.sln              \
  projects/Windows/VC14/lib/libcurl.vcxproj.filters  \
  projects/Windows/VC14/src/curl.sln                 \
- projects/Windows/VC14/src/curl.vcxproj.filters
+ projects/Windows/VC14/src/curl.vcxproj.filters     \
+ projects/Windows/VC15/curl-all.sln                 \
+ projects/Windows/VC15/lib/libcurl.sln              \
+ projects/Windows/VC15/lib/libcurl.vcxproj.filters  \
+ projects/Windows/VC15/src/curl.sln                 \
+ projects/Windows/VC15/src/curl.vcxproj.filters     \
+ projects/generate.bat                              \
+ projects/wolfssl_options.h                         \
+ projects/wolfssl_override.props
 
-WINBUILD_DIST = winbuild/BUILD.WINDOWS.txt winbuild/gen_resp_file.bat	\
+WINBUILD_DIST = winbuild/BUILD.WINDOWS.txt winbuild/gen_resp_file.bat \
  winbuild/MakefileBuild.vc winbuild/Makefile.vc
 
-EXTRA_DIST = CHANGES COPYING maketgz Makefile.dist curl-config.in	\
- RELEASE-NOTES buildconf libcurl.pc.in MacOSX-Framework scripts/zsh.pl	\
- scripts/updatemanpages.pl $(CMAKE_DIST) $(VC_DIST) $(WINBUILD_DIST)	\
- lib/libcurl.vers.in buildconf.bat
+PLAN9_DIST = plan9/include/mkfile \
+ plan9/include/mkfile             \
+ plan9/mkfile.proto               \
+ plan9/mkfile                     \
+ plan9/README                     \
+ plan9/lib/mkfile.inc             \
+ plan9/lib/mkfile                 \
+ plan9/src/mkfile.inc             \
+ plan9/src/mkfile
 
-CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ)	\
- $(VC71_LIBVCPROJ) $(VC71_SRCVCPROJ) $(VC8_LIBVCPROJ) $(VC8_SRCVCPROJ)	\
- $(VC9_LIBVCPROJ) $(VC9_SRCVCPROJ) $(VC10_LIBVCXPROJ) $(VC10_SRCVCXPROJ)	\
- $(VC11_LIBVCXPROJ) $(VC11_SRCVCXPROJ) $(VC12_LIBVCXPROJ) $(VC12_SRCVCXPROJ)	\
- $(VC14_LIBVCXPROJ) $(VC14_SRCVCXPROJ)
+EXTRA_DIST = CHANGES COPYING maketgz Makefile.dist curl-config.in \
+ RELEASE-NOTES buildconf libcurl.pc.in MacOSX-Framework \
+ scripts/updatemanpages.pl $(CMAKE_DIST) \
+ $(VC_DIST) $(WINBUILD_DIST) $(PLAN9_DIST) \
+ lib/libcurl.vers.in buildconf.bat scripts/coverage.sh scripts/completion.pl
+
+CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ) \
+ $(VC71_LIBVCPROJ) $(VC71_SRCVCPROJ) $(VC8_LIBVCPROJ) $(VC8_SRCVCPROJ) \
+ $(VC9_LIBVCPROJ) $(VC9_SRCVCPROJ) $(VC10_LIBVCXPROJ) $(VC10_SRCVCXPROJ) \
+ $(VC11_LIBVCXPROJ) $(VC11_SRCVCXPROJ) $(VC12_LIBVCXPROJ) $(VC12_SRCVCXPROJ) \
+ $(VC14_LIBVCXPROJ) $(VC14_SRCVCXPROJ) $(VC15_LIBVCXPROJ) $(VC15_SRCVCXPROJ)
 
 bin_SCRIPTS = curl-config
 
-SUBDIRS = lib docs src include
-DIST_SUBDIRS = $(SUBDIRS) tests packages scripts
+SUBDIRS = lib src
+DIST_SUBDIRS = $(SUBDIRS) tests packages scripts include docs
 
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcurl.pc
@@ -167,14 +204,14 @@
 	(distit=`find $(srcdir) -name "*.dist" | grep -v ./ares/`; \
 	for file in $$distit; do \
 	  strip=`echo $$file | sed -e s/^$(srcdir)// -e s/\.dist//`; \
-	  cp $$file $(distdir)$$strip; \
+	  cp -p $$file $(distdir)$$strip; \
 	done)
 
 html:
-	cd docs && make html
+	cd docs && $(MAKE) html
 
 pdf:
-	cd docs && make pdf
+	cd docs && $(MAKE) pdf
 
 check: test examples check-docs
 
@@ -193,9 +230,15 @@
 test-full:
 	@(cd tests; $(MAKE) all full-test)
 
+test-nonflaky:
+	@(cd tests; $(MAKE) all nonflaky-test)
+
 test-torture:
 	@(cd tests; $(MAKE) all torture-test)
 
+test-event:
+	@(cd tests; $(MAKE) all event-test)
+
 test-am:
 	@(cd tests; $(MAKE) all am-test)
 
@@ -207,15 +250,6 @@
 check-docs:
 	@(cd docs/libcurl; $(MAKE) check)
 
-# This is a hook to have 'make clean' also clean up the docs and the tests
-# dir. The extra check for the Makefiles being present is necessary because
-# 'make distcheck' will make clean first in these directories _before_ it runs
-# this hook.
-clean-local:
-	@(if test -f tests/Makefile; then cd tests; $(MAKE) clean; fi)
-	@(if test -f docs/Makefile; then cd docs; $(MAKE) clean; fi)
-
-#
 # Build source and binary rpms. For rpm-3.0 and above, the ~/.rpmmacros
 # must contain the following line:
 # %_topdir /home/loic/local/rpm
@@ -250,10 +284,10 @@
 # pkgadd -d ./HAXXcurl-*
 #
 
-# gak - libtool requires an absoulte directory, hence the pwd below...
+# gak - libtool requires an absolute directory, hence the pwd below...
 pkgadd:
 	umask 022 ; \
-	make install DESTDIR=`/bin/pwd`/packages/Solaris/root ; \
+	$(MAKE) install DESTDIR=`/bin/pwd`/packages/Solaris/root ; \
 	cat COPYING > $(srcdir)/packages/Solaris/copyright ; \
 	cd $(srcdir)/packages/Solaris && $(MAKE) package
 
@@ -265,13 +299,15 @@
 
 # We extend the standard install with a custom hook:
 install-data-hook:
-	cd include && $(MAKE) install
-	cd docs && $(MAKE) install
+	(cd include && $(MAKE) install)
+	(cd docs && $(MAKE) install)
+	(cd docs/libcurl && $(MAKE) install)
 
 # We extend the standard uninstall with a custom hook:
 uninstall-hook:
-	cd include && $(MAKE) uninstall
-	cd docs && $(MAKE) uninstall
+	(cd include && $(MAKE) uninstall)
+	(cd docs && $(MAKE) uninstall)
+	(cd docs/libcurl && $(MAKE) uninstall)
 
 ca-bundle: lib/mk-ca-bundle.pl
 	@echo "generating a fresh ca-bundle.crt"
@@ -282,25 +318,30 @@
 	./lib/firefox-db2pem.sh lib/ca-bundle.crt
 
 checksrc:
-	cd lib && $(MAKE) checksrc
-	cd src && $(MAKE) checksrc
-	cd tests && $(MAKE) checksrc
-	cd include/curl && $(MAKE) checksrc
-	cd docs/examples && $(MAKE) checksrc
+	(cd lib && $(MAKE) checksrc)
+	(cd src && $(MAKE) checksrc)
+	(cd tests && $(MAKE) checksrc)
+	(cd include/curl && $(MAKE) checksrc)
+	(cd docs/examples && $(MAKE) checksrc)
 
 .PHONY: vc-ide
 
-vc-ide: $(VC6_LIBDSP_DEPS) $(VC6_SRCDSP_DEPS) $(VC7_LIBVCPROJ_DEPS)	\
- $(VC7_SRCVCPROJ_DEPS) $(VC71_LIBVCPROJ_DEPS) $(VC71_SRCVCPROJ_DEPS)	\
- $(VC8_LIBVCPROJ_DEPS) $(VC8_SRCVCPROJ_DEPS) $(VC9_LIBVCPROJ_DEPS)	\
- $(VC9_SRCVCPROJ_DEPS) $(VC10_LIBVCXPROJ_DEPS) $(VC10_SRCVCXPROJ_DEPS)	\
- $(VC11_LIBVCXPROJ_DEPS) $(VC11_SRCVCXPROJ_DEPS) $(VC12_LIBVCXPROJ_DEPS)	\
- $(VC12_SRCVCXPROJ_DEPS) $(VC14_LIBVCXPROJ_DEPS) $(VC14_SRCVCXPROJ_DEPS)
+vc-ide: $(VC6_LIBDSP_DEPS) $(VC6_SRCDSP_DEPS) $(VC7_LIBVCPROJ_DEPS) \
+ $(VC7_SRCVCPROJ_DEPS) $(VC71_LIBVCPROJ_DEPS) $(VC71_SRCVCPROJ_DEPS) \
+ $(VC8_LIBVCPROJ_DEPS) $(VC8_SRCVCPROJ_DEPS) $(VC9_LIBVCPROJ_DEPS) \
+ $(VC9_SRCVCPROJ_DEPS) $(VC10_LIBVCXPROJ_DEPS) $(VC10_SRCVCXPROJ_DEPS) \
+ $(VC11_LIBVCXPROJ_DEPS) $(VC11_SRCVCXPROJ_DEPS) $(VC12_LIBVCXPROJ_DEPS) \
+ $(VC12_SRCVCXPROJ_DEPS) $(VC14_LIBVCXPROJ_DEPS) $(VC14_SRCVCXPROJ_DEPS) \
+ $(VC15_LIBVCXPROJ_DEPS) $(VC15_SRCVCXPROJ_DEPS)
 	@(win32_lib_srcs='$(LIB_CFILES)'; \
 	win32_lib_hdrs='$(LIB_HFILES) config-win32.h'; \
 	win32_lib_rc='$(LIB_RCFILES)'; \
 	win32_lib_vauth_srcs='$(LIB_VAUTH_CFILES)'; \
 	win32_lib_vauth_hdrs='$(LIB_VAUTH_HFILES)'; \
+	win32_lib_vquic_srcs='$(LIB_VQUIC_CFILES)'; \
+	win32_lib_vquic_hdrs='$(LIB_VQUIC_HFILES)'; \
+	win32_lib_vssh_srcs='$(LIB_VSSH_CFILES)'; \
+	win32_lib_vssh_hdrs='$(LIB_VSSH_HFILES)'; \
 	win32_lib_vtls_srcs='$(LIB_VTLS_CFILES)'; \
 	win32_lib_vtls_hdrs='$(LIB_VTLS_HFILES)'; \
 	win32_src_srcs='$(CURL_CFILES)'; \
@@ -313,6 +354,10 @@
 	sorted_lib_hdrs=`for file in $$win32_lib_hdrs; do echo $$file; done | sort`; \
 	sorted_lib_vauth_srcs=`for file in $$win32_lib_vauth_srcs; do echo $$file; done | sort`; \
 	sorted_lib_vauth_hdrs=`for file in $$win32_lib_vauth_hdrs; do echo $$file; done | sort`; \
+	sorted_lib_vquic_srcs=`for file in $$win32_lib_vquic_srcs; do echo $$file; done | sort`; \
+	sorted_lib_vquic_hdrs=`for file in $$win32_lib_vquic_hdrs; do echo $$file; done | sort`; \
+	sorted_lib_vssh_srcs=`for file in $$win32_lib_vssh_srcs; do echo $$file; done | sort`; \
+	sorted_lib_vssh_hdrs=`for file in $$win32_lib_vssh_hdrs; do echo $$file; done | sort`; \
 	sorted_lib_vtls_srcs=`for file in $$win32_lib_vtls_srcs; do echo $$file; done | sort`; \
 	sorted_lib_vtls_hdrs=`for file in $$win32_lib_vtls_hdrs; do echo $$file; done | sort`; \
 	sorted_src_srcs=`for file in $$win32_src_srcs; do echo $$file; done | sort`; \
@@ -324,10 +369,15 @@
 function gen_element(type, dir, file)\
 {\
   sub(/vauth\//, "", file);\
+  sub(/vquic\//, "", file);\
+  sub(/vssh\//, "", file);\
   sub(/vtls\//, "", file);\
 \
   spaces="    ";\
-  if(dir == "lib\\vauth" || dir == "lib\\vtls")\
+  if(dir == "lib\\vauth" ||\
+     dir == "lib\\vquic" ||\
+     dir == "lib\\vssh"  ||\
+     dir == "lib\\vtls")\
     tabs="				";\
   else\
     tabs="			";\
@@ -389,6 +439,22 @@
     split(lib_vauth_hdrs, arr);\
     for(val in arr) gen_element(proj_type, "lib\\vauth", arr[val]);\
   }\
+  else if($$0 == "CURL_LIB_VQUIC_C_FILES") {\
+    split(lib_vquic_srcs, arr);\
+    for(val in arr) gen_element(proj_type, "lib\\vquic", arr[val]);\
+  }\
+  else if($$0 == "CURL_LIB_VQUIC_H_FILES") {\
+    split(lib_vquic_hdrs, arr);\
+    for(val in arr) gen_element(proj_type, "lib\\vquic", arr[val]);\
+  }\
+  else if($$0 == "CURL_LIB_VSSH_C_FILES") {\
+    split(lib_vssh_srcs, arr);\
+    for(val in arr) gen_element(proj_type, "lib\\vssh", arr[val]);\
+  }\
+  else if($$0 == "CURL_LIB_VSSH_H_FILES") {\
+    split(lib_vssh_hdrs, arr);\
+    for(val in arr) gen_element(proj_type, "lib\\vssh", arr[val]);\
+  }\
   else if($$0 == "CURL_LIB_VTLS_C_FILES") {\
     split(lib_vtls_srcs, arr);\
     for(val in arr) gen_element(proj_type, "lib\\vtls", arr[val]);\
@@ -434,6 +500,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC6_LIBTMPL) > $(VC6_LIBDSP) || { exit 1; }; \
@@ -454,6 +524,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC7_LIBTMPL) > $(VC7_LIBVCPROJ) || { exit 1; }; \
@@ -474,6 +548,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC71_LIBTMPL) > $(VC71_LIBVCPROJ) || { exit 1; }; \
@@ -494,6 +572,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC8_LIBTMPL) > $(VC8_LIBVCPROJ) || { exit 1; }; \
@@ -514,6 +596,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC9_LIBTMPL) > $(VC9_LIBVCPROJ) || { exit 1; }; \
@@ -534,6 +620,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC10_LIBTMPL) > $(VC10_LIBVCXPROJ) || { exit 1; }; \
@@ -554,6 +644,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC11_LIBTMPL) > $(VC11_LIBVCXPROJ) || { exit 1; }; \
@@ -574,6 +668,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC12_LIBTMPL) > $(VC12_LIBVCXPROJ) || { exit 1; }; \
@@ -594,6 +692,10 @@
 		-v lib_rc="$$win32_lib_rc" \
 		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
 		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
 		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
 		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
 		"$$awk_code" $(srcdir)/$(VC14_LIBTMPL) > $(VC14_LIBVCXPROJ) || { exit 1; }; \
@@ -605,4 +707,32 @@
 		-v src_rc="$$win32_src_rc" \
 		-v src_x_srcs="$$sorted_src_x_srcs" \
 		-v src_x_hdrs="$$sorted_src_x_hdrs" \
-		"$$awk_code" $(srcdir)/$(VC14_SRCTMPL) > $(VC14_SRCVCXPROJ) || { exit 1; };)
+		"$$awk_code" $(srcdir)/$(VC14_SRCTMPL) > $(VC14_SRCVCXPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC15_LIBVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vauth_srcs="$$sorted_lib_vauth_srcs" \
+		-v lib_vauth_hdrs="$$sorted_lib_vauth_hdrs" \
+		-v lib_vquic_srcs="$$sorted_lib_vquic_srcs" \
+		-v lib_vquic_hdrs="$$sorted_lib_vquic_hdrs" \
+		-v lib_vssh_srcs="$$sorted_lib_vssh_srcs" \
+		-v lib_vssh_hdrs="$$sorted_lib_vssh_hdrs" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC15_LIBTMPL) > $(VC15_LIBVCXPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC15_SRCVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		-v src_x_srcs="$$sorted_src_x_srcs" \
+		-v src_x_hdrs="$$sorted_src_x_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC15_SRCTMPL) > $(VC15_SRCVCXPROJ) || { exit 1; };)
+
+tidy:
+	(cd src && $(MAKE) tidy)
+	(cd lib && $(MAKE) tidy)
diff --git a/Makefile.dist b/Makefile.dist
index 8577c8a..a6316ab 100644
--- a/Makefile.dist
+++ b/Makefile.dist
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -28,30 +28,6 @@
 	./configure --with-ssl
 	make
 
-borland:
-	cd lib
-	$(MAKE) -f Makefile.b32
-	cd ..\src
-	$(MAKE) -f Makefile.b32
-
-borland-ssl:
-	cd lib
-	$(MAKE) -f Makefile.b32 WITH_SSL=1
-	cd ..\src
-	$(MAKE) -f Makefile.b32 WITH_SSL=1
-
-borland-ssl-zlib:
-	cd lib
-	$(MAKE) -f Makefile.b32 WITH_SSL=1 WITH_ZLIB=1
-	cd ..\src
-	$(MAKE) -f Makefile.b32 WITH_SSL=1 WITH_ZLIB=1
-
-borland-clean:
-	cd lib
-	$(MAKE) -f Makefile.b32 clean
-	cd ..\src
-	$(MAKE) -f Makefile.b32 clean
-
 watcom: .SYMBOLIC
 	cd lib && $(MAKE) -u -f Makefile.Watcom
 	cd src && $(MAKE) -u -f Makefile.Watcom
diff --git a/README b/README
index f0b3b93..490faca 100644
--- a/README
+++ b/README
@@ -21,6 +21,8 @@
   curl binaries or other binaries that involve libcurl, you might enjoy the
   LICENSE-MIXING document.
 
+  All of those documents and more can be found in the docs/ directory.
+
 CONTACT
 
   If you have problems, questions, ideas or suggestions, please contact us
@@ -42,6 +44,12 @@
 
   (you'll get a directory named curl created, filled with the source code)
 
+SECURITY PROBLEMS
+
+  Report suspected security problems via our HackerOne page and not in public!
+
+    https://hackerone.com/curl
+
 NOTICE
 
   Curl contains pieces of source code that is Copyright (c) 1998, 1999
diff --git a/README.md b/README.md
index 3473bb3..16e4b00 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,16 @@
-![curl logo](https://cdn.rawgit.com/curl/curl-www/master/logo/curl-logo.svg)
+![curl logo](https://curl.haxx.se/logo/curl-logo.svg)
+
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/63/badge)](https://bestpractices.coreinfrastructure.org/projects/63)
 [![Coverity passed](https://scan.coverity.com/projects/curl/badge.svg)](https://scan.coverity.com/projects/curl)
-[![Build Status](https://travis-ci.org/curl/curl.svg?branch=master)](https://travis-ci.org/curl/curl)
+[![Travis-CI Build Status](https://travis-ci.org/curl/curl.svg?branch=master)](https://travis-ci.org/curl/curl)
+[![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/l1vv31029huhf4g4?svg=true)](https://ci.appveyor.com/project/curlorg/curl)
+[![Azure DevOps Build Status](https://dev.azure.com/daniel0244/curl/_apis/build/status/curl.curl?branchName=master)](https://dev.azure.com/daniel0244/curl/_build/latest?definitionId=1&branchName=master)
+[![Cirrus Build Status](https://api.cirrus-ci.com/github/curl/curl.svg?branch=master)](https://cirrus-ci.com/github/curl/curl)
+[![Backers on Open Collective](https://opencollective.com/curl/backers/badge.svg)](#backers)
+[![Sponsors on Open Collective](https://opencollective.com/curl/sponsors/badge.svg)](#sponsors)
+[![Language Grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/curl/curl.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/curl/curl/context:cpp)
+[![Codacy Badge](https://api.codacy.com/project/badge/Grade/d11483a0cc5c4ebd9da4ff9f7cd56690)](https://www.codacy.com/app/curl/curl?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=curl/curl&amp;utm_campaign=Badge_Grade)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/curl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:curl)
 
 Curl is a command-line tool for transferring data specified with URL
 syntax. Find out how to use curl by reading [the curl.1 man
@@ -13,7 +22,7 @@
 be used by your software. Read [the libcurl.3 man
 page](https://curl.haxx.se/libcurl/c/libcurl.html) to learn how!
 
-You find answers to the most frequent questions we get in [the FAQ
+You can find answers to the most frequent questions we get in [the FAQ
 document](https://curl.haxx.se/docs/faq.html).
 
 Study [the COPYING file](https://curl.haxx.se/docs/copyright.html) for
@@ -36,14 +45,42 @@
 
 ## Git
 
-To download the very latest source off the Git server do this:
+To download the very latest source from the Git server do this:
 
     git clone https://github.com/curl/curl.git
 
 (you'll get a directory named curl created, filled with the source code)
 
+## Security problems
+
+Report suspected security problems via [our HackerOne
+page](https://hackerone.com/curl) and not in public!
+
 ## Notice
 
 Curl contains pieces of source code that is Copyright (c) 1998, 1999 Kungliga
 Tekniska Högskolan. This notice is included here to comply with the
 distribution terms.
+
+## Backers
+
+Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/curl#backer)]
+
+<a href="https://opencollective.com/curl#backers" target="_blank"><img src="https://opencollective.com/curl/backers.svg?width=890"></a>
+
+## Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a
+link to your website. [[Become a
+sponsor](https://opencollective.com/curl#sponsor)]
+
+<a href="https://opencollective.com/curl/sponsor/0/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/0/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/1/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/1/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/2/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/2/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/3/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/3/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/4/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/4/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/5/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/5/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/6/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/6/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/7/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/7/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/8/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/8/avatar.svg"></a>
+<a href="https://opencollective.com/curl/sponsor/9/website" target="_blank"><img src="https://opencollective.com/curl/sponsor/9/avatar.svg"></a>
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index c37e553..6880318 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,61 +1,155 @@
-Curl and libcurl 7.54.0
+curl and libcurl 7.70.0
 
- Public curl releases:         165
- Command line options:         207
- curl_easy_setopt() options:   245
- Public functions in libcurl:  61
- Contributors:                 1507
+ Public curl releases:         191
+ Command line options:         231
+ curl_easy_setopt() options:   270
+ Public functions in libcurl:  82
+ Contributors:                 2169
 
 This release includes the following changes:
- o Add CURL_SSLVERSION_MAX_* constants to CURLOPT_SSLVERSION [19]
- o Add --max-tls [19]
- o Add CURLOPT_SUPPRESS_CONNECT_HEADERS [24]
- o Add --suppress-connect-headers [24]
+
+ o curl: add --ssl-revoke-best-effort to allow a "best effort" revocation check [5]
+ o mqtt: add new experimental protocol [57]
+ o schannel: add "best effort" revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT [5]
+ o writeout: support to generate JSON output with '%{json}' [8]
 
 This release includes the following bugfixes:
 
- o cmake: Replace invalid UTF-8 byte sequence [1]
- o tests: use consistent environment variables for setting charset
- o proxy: fixed a memory leak on OOM
- o ftp: removed an erroneous free in an OOM path
- o docs: de-duplicate file lists in the Makefiles [2]
- o ftp: fixed a NULL pointer dereference on OOM
- o gopher: fixed detection of an error condition from Curl_urldecode
- o url: fix unix-socket support for proxy-disabled builds [3]
- o test1139: allow for the possibility that the man page is not rebuilt
- o cyassl: get library version string at runtime
- o digest_sspi: fix compilation warning
- o tests: enable HTTP/2 tests to run with non-default port numbers
- o warnless: suppress compiler warning
- o darwinssl: Warn that disabling host verify also disables SNI [4]
- o configure: fix for --enable-pthreads [5]
- o checksrc.bat: Ignore curl_config.h.in, curl_config.h
- o no-keepalive.d: fix typo [6]
- o configure: fix --with-zlib when a path is specified [7]
- o build: fix gcc7 implicit fallthrough warnings [8]
- o fix potential use of uninitialized variables [9]
- o CURLOPT_SSL_CTX_FUNCTION.3: Fix EXAMPLE formatting errors [10]
- o CMake: Reorganize SSL support, separate WinSSL and SSPI [11]
- o CMake: Add DarwinSSL support [12]
- o CMake: Add mbedTLS support [13]
- o ares: return error at once if timed out before name resolve starts [14]
- o BINDINGS: added C++, perl, go and Scilab bindings
- o URL: return error on malformed URLs with junk after port number
- o KNOWN_BUGS: Add DarwinSSL won't import PKCS#12 without a password [15]
- o http2: Fix assertion error on redirect with CL=0 [16]
- o updatemanpages.pl: Update man pages to use current date and versions [17]
- o --insecure: clarify that this option is for server connections [18]
- o mkhelp: simplified the gzip code
- o build: fixed making man page in out-of-tree tarball builds
- o tests: disabled 1903 due to flakiness
- o openssl: add two /* FALLTHROUGH */ to satisfy coverity
- o cmdline-opts: fixed a few typos
- o authneg: clear auth.multi flag at http_done [20]
- o curl_easy_reset: Also reset the authentication state [21]
- o proxy: skip SSL initialization for closed connections [22]
- o http_proxy: ignore TE and CL in CONNECT 2xx responses [23]
- o tool_writeout: fixed a buffer read overrun on --write-out
- o make: regenerate docs/curl.1 by runinng make in docs [25]
+ o appveyor: add Unicode winbuild jobs [88]
+ o appveyor: completely disable tests that fail to timeout early
+ o appveyor: show failed tests in log even if test is ignored
+ o appveyor: sort builds by type and add two new variants
+ o appveyor: turn disabled tests into ignored result tests
+ o appveyor: use random test server ports based upon APPVEYOR_API_URL [52]
+ o build: fixed build for systems with select() in unistd.h [43]
+ o buildconf: avoid using tempfile when removing files [90]
+ o checksrc: warn on obvious conditional blocks on the same line as if() [44]
+ o CI-fuzz: increase fuzz time to 40 minutes [59]
+ o ci/tests: fix Azure Pipelines not running Windows containers [25]
+ o CI: add build with ngtcp2 + gnutls on Travis CI
+ o CI: bring GitHub Actions fuzzing job in line with macOS jobs
+ o CI: migrate macOS jobs from Azure and Travis CI to GitHub Actions [36]
+ o CI: remove default Ubuntu build from GitHub Actions
+ o cirrus: no longer ignore test 504 which is working again
+ o cirrus: re-enable the FreeBSD 13 CI builds [29]
+ o cleanup: insert newline after if() conditions
+ o cmake: add aliases so exported target names are available in tree [73]
+ o cmake: add CMAKE_MSVC_RUNTIME_LIBRARY [45]
+ o cmake: add support for building with wolfSSL [9]
+ o cmake: Avoid MSVC C4273 warnings in send/recv checks [92]
+ o cmdline: fix handling of OperationConfig linked list (--next) [24]
+ o compressed.d: stress that the headers are not modified [80]
+ o config: remove all defines of HAVE_DES_H [37]
+ o configure: convert -I to -isystem as a last step [2]
+ o configure: document 'compiler_num' for gcc [4]
+ o configure: don't check for Security.framework when cross-compiling [47]
+ o configure: fix -pedantic-errors for GCC 5 and later [3]
+ o configure: remove use of -vec-report0 from CFLAGS with icc [71]
+ o connect: happy eyeballs cleanup [15]
+ o connect: store connection info for QUIC connections [68]
+ o copyright: fix out-of-date copyright ranges and missing headers [38]
+ o curl-functions.m4: remove inappropriate AC_REQUIRE [26]
+ o curl.h: remnove CURL_VERSION_ESNI. Never supported nor documented [49]
+ o curl.h: update comment typo [61]
+ o curl: allow both --etag-compare and --etag-save with same file name [56]
+ o curl_setup: define _WIN32_WINNT_[OS] symbols [27]
+ o CURLINFO_CONDITION_UNMET: return true for 304 http status code [54]
+ o CURLINFO_NUM_CONNECTS: improve accuracy [28]
+ o CURLOPT_WRITEFUNCTION.3: add inline example and new see-also [70]
+ o dist: add mail-rcpt-allowfails.d to the tarball [35]
+ o docs/make: generate curl.1 from listed files only [33]
+ o docs: add warnings about FILE: URLs on Windows [19]
+ o easy: fix curl_easy_duphandle for builds missing IPv6 that use c-ares [18]
+ o examples/sessioninfo.c: add include to fix compiler warning [42]
+ o github actions: run when pushed to master or */ci + PRs [64]
+ o gnutls: bump lowest supported version to 3.1.10 [89]
+ o gnutls: Don't skip really long certificate fields [86]
+ o gnutls: ensure TLS 1.3 when SRP isn't requested [79]
+ o gopher: check remaining time left during write busy loop [78]
+ o gskit: use our internal select wrapper for portability [12]
+ o http2: Fix erroneous debug message that h2 connection closed [21]
+ o http: don't consider upload done if the request isn't completely sent off [67]
+ o http: free memory when Alt-Used header creation fails due to OOM [98]
+ o lib/mk-ca-bundle: skip empty certs [112]
+ o lib670: use the same Win32 API check as all other lib tests
+ o lib: fix typos in comments and errormessages
+ o lib: never define CURL_CA_BUNDLE with a getenv [51]
+ o libcurl-multi.3: added missing full stop [110]
+ o libssh: avoid options override by configuration files [104]
+ o libssh: Use new ECDSA key types to check known hosts [87]
+ o mailmap: fixup a few author names/fields
+ o Makefile.m32: Improve windres parameter compatibility [17]
+ o Makefile: run the cd commands in a subshell [1]
+ o memdebug: don't log free(NULL)
+ o mime: properly check Content-Type even if it has parameters [83]
+ o multi-ssl: reset the SSL backend on `Curl_global_cleanup()` [100]
+ o multi: improve parameter check for curl_multi_remove_handle [6]
+ o nghttp2: 1.12.0 required [40]
+ o ngtcp2: update to git master for the key installation API change [46]
+ o nss: check for PK11_CreateDigestContext() returning NULL [96]
+ o openssl: adapt to functions marked as deprecated since version 3 [34]
+ o OS400: update strings for ccsid-ifier (fixes the build) [30]
+ o output.d: quote the URL when globbing [48]
+ o packages: add OS400/chkstrings.c to the dist [39]
+ o RELEASE-PROCEDURE.md: run the copyright.pl script!
+ o Revert "file: on Windows, refuse paths that start with \\" [50]
+ o runtests: always put test number in servercmd file
+ o runtests: provide nicer errormsg when protocol "dump" file is empty
+ o schannel: Fix blocking timeout logic [76]
+ o schannel: support .P12 or .PFX client certificates [65]
+ o scripts/release-notes.pl: add helper script for RELEASE-NOTES maintenance
+ o select: make Curl_socket_check take timediff_t timeout [109]
+ o select: move duplicate select preparation code into Curl_select [14]
+ o select: remove typecast from SOCKET_WRITABLE/READABLE macros [69]
+ o server/getpart: make the "XML-parser" stricter [20]
+ o server/resolve: remove AI_CANONNAME to make macos tell the truth [63]
+ o smtp: set auth correctly [103]
+ o sockfilt: add logmsg output to select_ws_wait_thread on Windows [32]
+ o sockfilt: fix broken pipe on Windows to be ready in select_ws [95]
+ o sockfilt: fix handling of ready closed sockets on Windows
+ o sockfilt: fix race-condition of waiting threads and event handling [58]
+ o socks: Fix blocking timeout logic [77]
+ o src: Remove C99 constructs to ensure C89 compliance [82]
+ o SSLCERTS.md: Fix example code for setting CA cert file [31]
+ o test1148: tolerate progress updates better (again) [60]
+ o test1154: set a proper name
+ o test1177: verify that all the CURL_VERSION_ bits are documented
+ o test1566: verify --etag-compare that gets a 304 back [53]
+ o test1908: avoid using fixed port number in test data [75]
+ o test2043: use revoked.badssl.com instead of revoked.grc.com [94]
+ o test2100: fix static port instead of dynamic value being used
+ o tests/data: fix some XML formatting issues in test cases
+ o tests/FILEFORMAT: converted to markdown and extended [84]
+ o tests/server/util.c: use curl_off_t instead of long for pid
+ o tests: add %NOLISTENPORT and use it [93]
+ o tests: add Windows compatible pidwait like pidkill and pidterm
+ o tests: fix conflict between Cygwin/msys and Windows PIDs [81]
+ o tests: introduce preprocessed test cases
+ o tests: make Python-based servers compatible with Python 2 and 3 [22]
+ o tests: make runtests check that disabled tests exists [108]
+ o tests: move pingpong server to dynamic listening port
+ o tests: remove python_dependencies for smbserver from our tree [16]
+ o tests: run the RTSP test server on a dynamic port number [91]
+ o tests: run the SOCKS test server on a dynamic port number [99]
+ o tests: run the sws server on "any port" [85]
+ o tests: run the TFTP test server on a dynamic port number [101]
+ o tests: use Cygwin/msys PIDs for stunnel and sshd on Windows
+ o tls: remove the BACKEND define kludge from most backends [23]
+ o tool: do not declare functions with Curl_ prefix [66]
+ o tool_operate: fix add_parallel_transfers when more are in queue [10]
+ o transfer: cap retries of "dead connections" to 5 [13]
+ o transfer: Switch PUT to GET/HEAD on 303 redirect [111]
+ o travis: bump the wolfssl CI build to use 4.4.0 [97]
+ o travis: update the ngtcp2 build to use the latest OpenSSL patch
+ o url: allow non-HTTPS altsvc-matching for debug builds [62]
+ o version: add 'cainfo' and 'capath' to version info struct [55]
+ o version: increase buffer space for ssl version output [74]
+ o version: skip idn2_check_version() check and add precaution [113]
+ o vquic: add support for GnuTLS backend of ngtcp2 [41]
+ o vtls: fix ssl_config memory-leak on out-of-memory [11]
+ o warnless: remove code block for icc that didn't work [72]
+ o windows: enable UnixSockets with all build toolchains
+ o windows: suppress UI in all CryptAcquireContext() calls [7]
 
 This release includes the following known bugs:
 
@@ -64,41 +158,133 @@
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Alexis La Goutte, Andrew Krieger, Antony74 on github, Brian Carpenter,
-  Carlo Cannas, Carlo Teubner, Dan Fandrich, Daniel Stenberg, Desmond O. Chang,
-  Giuseppe Persico, Greg Rowe, Isaac Boukris, Joel Depooter, Jozef Kralik,
-  Justin Clift, Marc-Antoine Perennou, Marcel Raad, mccormickt12 on github,
-  Michael Kaufmann, Michael Maltese, mkzero on github, Orange Tsai,
-  Peter Pentchev, Peter Wu, Ray Satiro, Simon Warta, Steve Brokenshire,
-  Sylvestre Ledru, Tatsuhiro Tsujikawa, Thomas Glanzmann,
-  (30 contributors)
+  Alain Miniussi, Alexander V. Tikhonov, Alex Gaynor,
+  Anderson Toshiyuki Sasaki, Andrew Kurushin, Ashwin Metpalli, Björn Stenberg,
+  Brad King, Brian Bergeron, Calvin Buckley, Chris Roberts, Christoph Krey,
+  Clément Notin, Daiki Ueno, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg,
+  davidedec on github, Dennis Felsing, Dima Tisnek, Dirkjan Bussink,
+  Emil Engler, Eric Sauvageau, Eylem Ugurel, Frank Gevaerts,
+  FuccDucc on github, Gavin Wong, Gilles Vollant, Gisle Vanem, Hao Wu,
+  Harry Sintonen, hydra3333 on github, James Fuller, Johannes Schindelin,
+  Jon Rumsey, JP Mens, Kamil Dudka, Karl Chen, Kwon-Young Choi, Leo Neat,
+  Maksim Stsepanenka, Marcel Raad, Marc Hörsken, Markus Olsson, Mathias Gumz,
+  Michael Kaufmann, Michael Osipov, Muhammad Herdiansyah, Nathaniel R. Lewis,
+  Patrick Monnerat, Paul Vixie, Ray Satiro, Rici Lake, Rikard Falkeborn,
+  Roger Orr, Ross Burton, Simon Chalifoux, Stepan Efremov, Steven Penny,
+  thanhchungbtc on github, Timothe Litt, Tim Sedlmeyer, Tommy Petty,
+  Viktor Szakats, Yuri Slobodyanyuk,
+  (65 contributors)
 
         Thanks! (and sorry if I forgot to mention someone)
 
 References to bug reports and discussions on issues:
 
- [1] = https://curl.haxx.se/bug/?i=1275
- [2] = https://curl.haxx.se/bug/?i=1287
- [3] = https://curl.haxx.se/bug/?i=1289
- [4] = https://curl.haxx.se/bug/?i=1240
- [5] = https://curl.haxx.se/bug/?i=1295
- [6] = https://curl.haxx.se/bug/?i=1301
- [7] = https://curl.haxx.se/bug/?i=1292
- [8] = https://curl.haxx.se/bug/?i=1297
- [9] = https://curl.haxx.se/bug/?i=1304
- [10] = https://curl.haxx.se/bug/?i=1290
- [11] = https://curl.haxx.se/bug/?i=1228
- [12] = https://curl.haxx.se/bug/?i=1228
- [13] = https://curl.haxx.se/bug/?i=1228
- [14] = https://curl.haxx.se/mail/lib-2017-03/0004.html
- [15] = https://curl.haxx.se/bug/?i=1308
- [16] = https://curl.haxx.se/bug/?i=1286
- [17] = https://curl.haxx.se/bug/?i=1058
- [18] = https://curl.haxx.se/mail/lib-2017-03/0002.html
- [19] = https://curl.haxx.se/bug/?i=1166
- [20] = https://curl.haxx.se/bug/?i=1095
- [21] = https://curl.haxx.se/bug/?i=1095
- [22] = https://curl.haxx.se/bug/?i=1239
- [23] = https://curl.haxx.se/bug/?i=1317
- [24] = https://curl.haxx.se/bug/?i=783
- [25] = https://curl.haxx.se/mail/lib-2017-03/0017.html
+ [1] = https://curl.haxx.se/bug/?i=5073
+ [2] = https://curl.haxx.se/bug/?i=5060
+ [3] = https://curl.haxx.se/bug/?i=5067
+ [4] = https://curl.haxx.se/bug/?i=5069
+ [5] = https://curl.haxx.se/bug/?i=4981
+ [6] = https://curl.haxx.se/bug/?i=5116
+ [7] = https://curl.haxx.se/bug/?i=5088
+ [8] = https://curl.haxx.se/bug/?i=4870
+ [9] = https://curl.haxx.se/bug/?i=5095
+ [10] = https://curl.haxx.se/bug/?i=4937
+ [11] = https://curl.haxx.se/bug/?i=5108
+ [12] = https://curl.haxx.se/bug/?i=5106
+ [13] = https://curl.haxx.se/mail/lib-2020-03/0044.html
+ [14] = https://curl.haxx.se/bug/?i=5078
+ [15] = https://curl.haxx.se/bug/?i=4954
+ [16] = https://curl.haxx.se/bug/?i=5094
+ [17] = https://curl.haxx.se/bug/?i=5099
+ [18] = https://curl.haxx.se/bug/?i=5097
+ [19] = https://curl.haxx.se/bug/?i=5066
+ [20] = https://curl.haxx.se/bug/?i=5071
+ [21] = https://curl.haxx.se/bug/?i=5118
+ [22] = https://curl.haxx.se/bug/?i=5104
+ [23] = https://curl.haxx.se/bug/?i=5122
+ [24] = https://curl.haxx.se/bug/?i=5120
+ [25] = https://curl.haxx.se/bug/?i=5117
+ [26] = https://curl.haxx.se/bug/?i=5126
+ [27] = https://curl.haxx.se/bug/?i=4995
+ [28] = https://curl.haxx.se/bug/?i=5135
+ [29] = https://curl.haxx.se/bug/?i=5091
+ [30] = https://curl.haxx.se/bug/?i=5132
+ [31] = https://curl.haxx.se/mail/lib-2020-03/0121.html
+ [32] = https://curl.haxx.se/bug/?i=5086
+ [33] = https://curl.haxx.se/bug/?i=5149
+ [34] = https://curl.haxx.se/bug/?i=5139
+ [35] = https://curl.haxx.se/bug/?i=5146
+ [36] = https://curl.haxx.se/bug/?i=5124
+ [37] = https://curl.haxx.se/bug/?i=5144
+ [38] = https://curl.haxx.se/bug/?i=5141
+ [39] = https://curl.haxx.se/bug/?i=5142
+ [40] = https://curl.haxx.se/bug/?i=5140
+ [41] = https://curl.haxx.se/bug/?i=5148
+ [42] = https://curl.haxx.se/bug/?i=5171
+ [43] = https://curl.haxx.se/bug/?i=5169
+ [44] = https://curl.haxx.se/bug/?i=5164
+ [45] = https://curl.haxx.se/bug/?i=5165
+ [46] = https://curl.haxx.se/bug/?i=5166
+ [47] = https://curl.haxx.se/bug/?i=5189
+ [48] = https://curl.haxx.se/bug/?i=5160
+ [49] = https://curl.haxx.se/bug/?i=5157
+ [50] = https://curl.haxx.se/mail/archive-2020-04/0013.html
+ [51] = https://github.com/curl/curl/commit/6de756c#r38127030
+ [52] = https://curl.haxx.se/bug/?i=5034
+ [53] = https://curl.haxx.se/bug/?i=5186
+ [54] = https://curl.haxx.se/bug/?i=5181
+ [55] = https://curl.haxx.se/bug/?i=5150
+ [56] = https://curl.haxx.se/bug/?i=5179
+ [57] = https://curl.haxx.se/bug/?i=5173
+ [58] = https://curl.haxx.se/bug/?i=5156
+ [59] = https://curl.haxx.se/bug/?i=5174
+ [60] = https://curl.haxx.se/bug/?i=5194
+ [61] = https://curl.haxx.se/bug/?i=5279
+ [62] = https://curl.haxx.se/bug/?i=5205
+ [63] = https://curl.haxx.se/bug/?i=5202
+ [64] = https://curl.haxx.se/bug/?i=5201
+ [65] = https://curl.haxx.se/bug/?i=5193
+ [66] = https://curl.haxx.se/bug/?i=5219
+ [67] = https://curl.haxx.se/bug/?i=4919
+ [68] = https://curl.haxx.se/bug/?i=5196
+ [69] = https://curl.haxx.se/bug/?i=5190
+ [70] = https://curl.haxx.se/bug/?i=5192
+ [71] = https://curl.haxx.se/bug/?i=5096
+ [72] = https://curl.haxx.se/bug/?i=5096
+ [73] = https://curl.haxx.se/bug/?i=5206
+ [74] = https://curl.haxx.se/bug/?i=5222
+ [75] = https://curl.haxx.se/bug/?i=5225
+ [76] = https://curl.haxx.se/bug/?i=5177
+ [77] = https://curl.haxx.se/bug/?i=5220
+ [78] = https://curl.haxx.se/bug/?i=5214
+ [79] = https://curl.haxx.se/bug/?i=5223
+ [80] = https://github.com/curl/curl/issues/5182#issuecomment-611638008
+ [81] = https://curl.haxx.se/bug/?i=5188
+ [82] = https://curl.haxx.se/bug/?i=5254
+ [83] = https://curl.haxx.se/bug/?i=5256
+ [84] = https://curl.haxx.se/bug/?i=5261
+ [85] = https://curl.haxx.se/bug/?i=5247
+ [86] = https://curl.haxx.se/bug/?i=5271
+ [87] = https://curl.haxx.se/bug/?i=5252
+ [88] = https://curl.haxx.se/bug/?i=5063
+ [89] = https://curl.haxx.se/bug/?i=5276
+ [90] = https://curl.haxx.se/bug/?i=5213
+ [91] = https://curl.haxx.se/bug/?i=5272
+ [92] = https://curl.haxx.se/bug/?i=4764
+ [93] = https://curl.haxx.se/bug/?i=5270
+ [94] = https://curl.haxx.se/bug/?i=5233
+ [95] = https://curl.haxx.se/bug/?i=5228
+ [96] = https://curl.haxx.se/bug/?i=5302
+ [97] = https://curl.haxx.se/bug/?i=5301
+ [98] = https://curl.haxx.se/bug/?i=5268
+ [99] = https://curl.haxx.se/bug/?i=5266
+ [100] = https://curl.haxx.se/bug/?i=5255
+ [101] = https://curl.haxx.se/bug/?i=5265
+ [103] = https://curl.haxx.se/bug/?i=5294
+ [104] = https://curl.haxx.se/bug/?i=4972
+ [108] = https://curl.haxx.se/bug/?i=5288
+ [109] = https://curl.haxx.se/bug/?i=5240
+ [110] = https://curl.haxx.se/bug/?i=5285
+ [111] = https://curl.haxx.se/bug/?i=5237
+ [112] = https://curl.haxx.se/bug/?i=5278
+ [113] = https://curl.haxx.se/bug/?i=5281
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..4e84fbe
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,10 @@
+# Security Policy
+
+See [docs/SECURITY-PROCESS.md](docs/SECURITY-PROCESS.md) for full details.
+
+## Reporting a Vulnerability
+
+If you have found or just suspect a security problem somewhere in curl or libcurl,
+report it on [https://hackerone.com/curl](https://hackerone.com/curl).
+
+We treat security issues with confidentiality until controlled and disclosed responsibly.
diff --git a/acinclude.m4 b/acinclude.m4
index 2abae8d..089449b 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -199,8 +199,6 @@
     yes)
       AC_DEFINE_UNQUOTED(HAVE_WINDOWS_H, 1,
         [Define to 1 if you have the windows.h header file.])
-      AC_DEFINE_UNQUOTED(WIN32_LEAN_AND_MEAN, 1,
-        [Define to avoid automatic inclusion of winsock.h])
       ;;
   esac
 ])
@@ -790,10 +788,12 @@
   #
   for x_nlibs in '' "$u_libs" \
     '-lldap' \
-    '-llber -lldap' \
     '-lldap -llber' \
+    '-llber -lldap' \
     '-lldapssl -lldapx -lldapsdk' \
-    '-lldapsdk -lldapx -lldapssl' ; do
+    '-lldapsdk -lldapx -lldapssl' \
+    '-lldap -llber -lssl -lcrypto' ; do
+
     if test "$curl_cv_ldap_LIBS" = "unknown"; then
       if test -z "$x_nlibs"; then
         LIBS="$curl_cv_save_LIBS"
@@ -962,208 +962,6 @@
   fi
 ])
 
-
-dnl CURL_CHECK_FUNC_GETNAMEINFO
-dnl -------------------------------------------------
-dnl Test if the getnameinfo function is available,
-dnl and check the types of five of its arguments.
-dnl If the function succeeds HAVE_GETNAMEINFO will be
-dnl defined, defining the types of the arguments in
-dnl GETNAMEINFO_TYPE_ARG1, GETNAMEINFO_TYPE_ARG2,
-dnl GETNAMEINFO_TYPE_ARG46 and GETNAMEINFO_TYPE_ARG7,
-dnl and also defining the type qualifier of first
-dnl argument in GETNAMEINFO_QUAL_ARG1.
-
-AC_DEFUN([CURL_CHECK_FUNC_GETNAMEINFO], [
-  AC_REQUIRE([CURL_CHECK_HEADER_WS2TCPIP])dnl
-  AC_CHECK_HEADERS(sys/types.h sys/socket.h netdb.h)
-  #
-  AC_MSG_CHECKING([for getnameinfo])
-  AC_LINK_IFELSE([
-    AC_LANG_FUNC_LINK_TRY([getnameinfo])
-  ],[
-    AC_MSG_RESULT([yes])
-    curl_cv_getnameinfo="yes"
-  ],[
-    AC_MSG_RESULT([no])
-    curl_cv_getnameinfo="no"
-  ])
-  #
-  if test "$curl_cv_getnameinfo" != "yes"; then
-    AC_MSG_CHECKING([deeper for getnameinfo])
-    AC_LINK_IFELSE([
-      AC_LANG_PROGRAM([[
-      ]],[[
-        getnameinfo();
-      ]])
-    ],[
-      AC_MSG_RESULT([yes])
-      curl_cv_getnameinfo="yes"
-    ],[
-      AC_MSG_RESULT([but still no])
-      curl_cv_getnameinfo="no"
-    ])
-  fi
-  #
-  if test "$curl_cv_getnameinfo" != "yes"; then
-    AC_MSG_CHECKING([deeper and deeper for getnameinfo])
-    AC_LINK_IFELSE([
-      AC_LANG_PROGRAM([[
-#undef inline
-#ifdef HAVE_WINDOWS_H
-#ifndef WIN32_LEAN_AND_MEAN
-#define WIN32_LEAN_AND_MEAN
-#endif
-#include <windows.h>
-#ifdef HAVE_WINSOCK2_H
-#include <winsock2.h>
-#ifdef HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
-#endif
-#endif
-#else
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-#endif
-      ]],[[
-        getnameinfo(0, 0, 0, 0, 0, 0, 0);
-      ]])
-    ],[
-      AC_MSG_RESULT([yes])
-      curl_cv_getnameinfo="yes"
-    ],[
-      AC_MSG_RESULT([but still no])
-      curl_cv_getnameinfo="no"
-    ])
-  fi
-  #
-  if test "$curl_cv_getnameinfo" = "yes"; then
-    AC_CACHE_CHECK([types of arguments for getnameinfo],
-      [curl_cv_func_getnameinfo_args], [
-      curl_cv_func_getnameinfo_args="unknown"
-      for gni_arg1 in 'struct sockaddr *' 'const struct sockaddr *' 'void *'; do
-        for gni_arg2 in 'socklen_t' 'size_t' 'int'; do
-          for gni_arg46 in 'size_t' 'int' 'socklen_t' 'unsigned int' 'DWORD'; do
-            for gni_arg7 in 'int' 'unsigned int'; do
-              if test "$curl_cv_func_getnameinfo_args" = "unknown"; then
-                AC_COMPILE_IFELSE([
-                  AC_LANG_PROGRAM([[
-#undef inline
-#ifdef HAVE_WINDOWS_H
-#ifndef WIN32_LEAN_AND_MEAN
-#define WIN32_LEAN_AND_MEAN
-#endif
-#if (!defined(_WIN32_WINNT)) || (_WIN32_WINNT < 0x0501)
-#undef _WIN32_WINNT
-#define _WIN32_WINNT 0x0501
-#endif
-#include <windows.h>
-#ifdef HAVE_WINSOCK2_H
-#include <winsock2.h>
-#ifdef HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
-#endif
-#endif
-#define GNICALLCONV WSAAPI
-#else
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-#define GNICALLCONV
-#endif
-                    extern int GNICALLCONV getnameinfo($gni_arg1, $gni_arg2,
-                                           char *, $gni_arg46,
-                                           char *, $gni_arg46,
-                                           $gni_arg7);
-                  ]],[[
-                    $gni_arg2 salen=0;
-                    $gni_arg46 hostlen=0;
-                    $gni_arg46 servlen=0;
-                    $gni_arg7 flags=0;
-                    int res = getnameinfo(0, salen, 0, hostlen, 0, servlen, flags);
-                  ]])
-                ],[
-                  curl_cv_func_getnameinfo_args="$gni_arg1,$gni_arg2,$gni_arg46,$gni_arg7"
-                ])
-              fi
-            done
-          done
-        done
-      done
-    ]) # AC-CACHE-CHECK
-    if test "$curl_cv_func_getnameinfo_args" = "unknown"; then
-      AC_MSG_WARN([Cannot find proper types to use for getnameinfo args])
-      AC_MSG_WARN([HAVE_GETNAMEINFO will not be defined])
-    else
-      gni_prev_IFS=$IFS; IFS=','
-      set dummy `echo "$curl_cv_func_getnameinfo_args" | sed 's/\*/\*/g'`
-      IFS=$gni_prev_IFS
-      shift
-      #
-      gni_qual_type_arg1=$[1]
-      #
-      AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG2, $[2],
-        [Define to the type of arg 2 for getnameinfo.])
-      AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG46, $[3],
-        [Define to the type of args 4 and 6 for getnameinfo.])
-      AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG7, $[4],
-        [Define to the type of arg 7 for getnameinfo.])
-      #
-      prev_sh_opts=$-
-      #
-      case $prev_sh_opts in
-        *f*)
-          ;;
-        *)
-          set -f
-          ;;
-      esac
-      #
-      case "$gni_qual_type_arg1" in
-        const*)
-          gni_qual_arg1=const
-          gni_type_arg1=`echo $gni_qual_type_arg1 | sed 's/^const //'`
-        ;;
-        *)
-          gni_qual_arg1=
-          gni_type_arg1=$gni_qual_type_arg1
-        ;;
-      esac
-      #
-      AC_DEFINE_UNQUOTED(GETNAMEINFO_QUAL_ARG1, $gni_qual_arg1,
-        [Define to the type qualifier of arg 1 for getnameinfo.])
-      AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG1, $gni_type_arg1,
-        [Define to the type of arg 1 for getnameinfo.])
-      #
-      case $prev_sh_opts in
-        *f*)
-          ;;
-        *)
-          set +f
-          ;;
-      esac
-      #
-      AC_DEFINE_UNQUOTED(HAVE_GETNAMEINFO, 1,
-        [Define to 1 if you have the getnameinfo function.])
-      curl_cv_func_getnameinfo="yes"
-    fi
-  fi
-])
-
-
 dnl TYPE_SOCKADDR_STORAGE
 dnl -------------------------------------------------
 dnl Check for struct sockaddr_storage. Most IPv6-enabled
@@ -1201,107 +999,6 @@
    ])
 ])
 
-
-dnl CURL_CHECK_NI_WITHSCOPEID
-dnl -------------------------------------------------
-dnl Check for working NI_WITHSCOPEID in getnameinfo()
-
-AC_DEFUN([CURL_CHECK_NI_WITHSCOPEID], [
-  AC_REQUIRE([CURL_CHECK_FUNC_GETNAMEINFO])dnl
-  AC_REQUIRE([TYPE_SOCKADDR_STORAGE])dnl
-  AC_CHECK_HEADERS(stdio.h sys/types.h sys/socket.h \
-                   netdb.h netinet/in.h arpa/inet.h)
-  #
-  AC_CACHE_CHECK([for working NI_WITHSCOPEID],
-    [curl_cv_working_ni_withscopeid], [
-    AC_RUN_IFELSE([
-      AC_LANG_PROGRAM([[
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#endif
-#ifdef HAVE_STDIO_H
-#include <stdio.h>
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-      ]],[[
-#if defined(NI_WITHSCOPEID) && defined(HAVE_GETNAMEINFO)
-#ifdef HAVE_STRUCT_SOCKADDR_STORAGE
-        struct sockaddr_storage sa;
-#else
-        unsigned char sa[256];
-#endif
-        char hostbuf[NI_MAXHOST];
-        int rc;
-        GETNAMEINFO_TYPE_ARG2 salen = (GETNAMEINFO_TYPE_ARG2)sizeof(sa);
-        GETNAMEINFO_TYPE_ARG46 hostlen = (GETNAMEINFO_TYPE_ARG46)sizeof(hostbuf);
-        GETNAMEINFO_TYPE_ARG7 flags = NI_NUMERICHOST | NI_NUMERICSERV | NI_WITHSCOPEID;
-        int fd = socket(AF_INET6, SOCK_STREAM, 0);
-        if(fd < 0) {
-          perror("socket()");
-          return 1; /* Error creating socket */
-        }
-        rc = getsockname(fd, (GETNAMEINFO_TYPE_ARG1)&sa, &salen);
-        if(rc) {
-          perror("getsockname()");
-          return 2; /* Error retrieving socket name */
-        }
-        rc = getnameinfo((GETNAMEINFO_TYPE_ARG1)&sa, salen, hostbuf, hostlen, NULL, 0, flags);
-        if(rc) {
-          printf("rc = %s\n", gai_strerror(rc));
-          return 3; /* Error translating socket address */
-        }
-        return 0; /* Ok, NI_WITHSCOPEID works */
-#else
-        return 4; /* Error, NI_WITHSCOPEID not defined or no getnameinfo() */
-#endif
-      ]]) # AC-LANG-PROGRAM
-    ],[
-      # Exit code == 0. Program worked.
-      curl_cv_working_ni_withscopeid="yes"
-    ],[
-      # Exit code != 0. Program failed.
-      curl_cv_working_ni_withscopeid="no"
-    ],[
-      # Program is not run when cross-compiling. So we assume
-      # NI_WITHSCOPEID will work if we are able to compile it.
-      AC_COMPILE_IFELSE([
-        AC_LANG_PROGRAM([[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-        ]],[[
-          unsigned int dummy= NI_NUMERICHOST | NI_NUMERICSERV | NI_WITHSCOPEID;
-        ]])
-      ],[
-        curl_cv_working_ni_withscopeid="yes"
-      ],[
-        curl_cv_working_ni_withscopeid="no"
-      ]) # AC-COMPILE-IFELSE
-    ]) # AC-RUN-IFELSE
-  ]) # AC-CACHE-CHECK
-  case "$curl_cv_working_ni_withscopeid" in
-    yes)
-      AC_DEFINE(HAVE_NI_WITHSCOPEID, 1,
-        [Define to 1 if NI_WITHSCOPEID exists and works.])
-      ;;
-  esac
-])
-
-
 dnl CURL_CHECK_FUNC_RECV
 dnl -------------------------------------------------
 dnl Test if the socket recv() function is available,
@@ -1334,6 +1031,10 @@
 #endif
 #endif
 #else
+#ifdef HAVE_PROTO_BSDSOCKET_H
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+#endif
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
@@ -1379,6 +1080,10 @@
 #endif
 #define RECVCALLCONV PASCAL
 #else
+#ifdef HAVE_PROTO_BSDSOCKET_H
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+#endif
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
@@ -1387,8 +1092,10 @@
 #endif
 #define RECVCALLCONV
 #endif
+#ifndef HAVE_PROTO_BSDSOCKET_H
                       extern $recv_retv RECVCALLCONV
                       recv($recv_arg1, $recv_arg2, $recv_arg3, $recv_arg4);
+#endif
                     ]],[[
                       $recv_arg1 s=0;
                       $recv_arg2 buf=0;
@@ -1468,6 +1175,10 @@
 #endif
 #endif
 #else
+#ifdef HAVE_PROTO_BSDSOCKET_H
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+#endif
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
@@ -1513,6 +1224,10 @@
 #endif
 #define SENDCALLCONV PASCAL
 #else
+#ifdef HAVE_PROTO_BSDSOCKET_H
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+#endif
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
@@ -1521,8 +1236,10 @@
 #endif
 #define SENDCALLCONV
 #endif
+#ifndef HAVE_PROTO_BSDSOCKET_H
                       extern $send_retv SENDCALLCONV
                       send($send_arg1, $send_arg2, $send_arg3, $send_arg4);
+#endif
                     ]],[[
                       $send_arg1 s=0;
                       $send_arg3 len=0;
@@ -1624,6 +1341,10 @@
 #endif
 #endif
 #else
+#ifdef HAVE_PROTO_BSDSOCKET_H
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+#endif
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
@@ -1963,7 +1684,7 @@
     if test "x$cross_compiling" != "xyes" &&
       test "$curl_func_clock_gettime" = "yes"; then
       AC_MSG_CHECKING([if monotonic clock_gettime works])
-      AC_RUN_IFELSE([
+      CURL_RUN_IFELSE([
         AC_LANG_PROGRAM([[
 #ifdef HAVE_STDLIB_H
 #include <stdlib.h>
@@ -2017,6 +1738,7 @@
 
 AC_DEFUN([CURL_CHECK_LIBS_CONNECT], [
   AC_REQUIRE([CURL_INCLUDES_WINSOCK2])dnl
+  AC_REQUIRE([CURL_INCLUDES_BSDSOCKET])dnl
   AC_MSG_CHECKING([for connect in libraries])
   tst_connect_save_LIBS="$LIBS"
   tst_connect_need_LIBS="unknown"
@@ -2026,7 +1748,8 @@
       AC_LINK_IFELSE([
         AC_LANG_PROGRAM([[
           $curl_includes_winsock2
-          #ifndef HAVE_WINDOWS_H
+          $curl_includes_bsdsocket
+          #if !defined(HAVE_WINDOWS_H) && !defined(HAVE_PROTO_BSDSOCKET_H)
             int connect(int, void*, int);
           #endif
         ]],[[
@@ -2075,157 +1798,8 @@
 _EOF
 ])
 
-
-dnl CURL_CONFIGURE_LONG
-dnl -------------------------------------------------
-dnl Find out the size of long as reported by sizeof() and define
-dnl CURL_SIZEOF_LONG as appropriate to be used in template file
-dnl include/curl/curlbuild.h.in to properly configure the library.
-dnl The size of long is a build time characteristic and as such
-dnl must be recorded in curlbuild.h
-
-AC_DEFUN([CURL_CONFIGURE_LONG], [
-  if test -z "$ac_cv_sizeof_long" ||
-    test "$ac_cv_sizeof_long" -eq "0"; then
-    AC_MSG_ERROR([cannot find out size of long.])
-  fi
-  CURL_DEFINE_UNQUOTED([CURL_SIZEOF_LONG], [$ac_cv_sizeof_long])
-])
-
-
-dnl CURL_CONFIGURE_CURL_SOCKLEN_T
-dnl -------------------------------------------------
-dnl Find out suitable curl_socklen_t data type definition and size, making
-dnl appropriate definitions for template file include/curl/curlbuild.h.in
-dnl to properly configure and use the library.
-dnl
-dnl The need for the curl_socklen_t definition arises mainly to properly
-dnl interface HP-UX systems which on one hand have a typedef'ed socklen_t
-dnl data type which is 32 or 64-Bit wide depending on the data model being
-dnl used, and that on the other hand is only actually used when interfacing
-dnl the X/Open sockets provided in the xnet library.
-
-AC_DEFUN([CURL_CONFIGURE_CURL_SOCKLEN_T], [
-  AC_REQUIRE([CURL_INCLUDES_WS2TCPIP])dnl
-  AC_REQUIRE([CURL_INCLUDES_SYS_SOCKET])dnl
-  AC_REQUIRE([CURL_PREPROCESS_CALLCONV])dnl
-  #
-  AC_BEFORE([$0], [CURL_CONFIGURE_PULL_SYS_POLL])dnl
-  #
-  AC_MSG_CHECKING([for curl_socklen_t data type])
-  curl_typeof_curl_socklen_t="unknown"
-  for arg1 in int SOCKET; do
-    for arg2 in 'struct sockaddr' void; do
-      for t in socklen_t int size_t 'unsigned int' long 'unsigned long' void; do
-        if test "$curl_typeof_curl_socklen_t" = "unknown"; then
-          AC_COMPILE_IFELSE([
-            AC_LANG_PROGRAM([[
-              $curl_includes_ws2tcpip
-              $curl_includes_sys_socket
-              $curl_preprocess_callconv
-              extern int FUNCALLCONV getpeername($arg1, $arg2 *, $t *);
-            ]],[[
-              $t *lenptr = 0;
-              if(0 != getpeername(0, 0, lenptr))
-                return 1;
-            ]])
-          ],[
-            curl_typeof_curl_socklen_t="$t"
-          ])
-        fi
-      done
-    done
-  done
-  for t in socklen_t int; do
-    if test "$curl_typeof_curl_socklen_t" = "void"; then
-      AC_COMPILE_IFELSE([
-        AC_LANG_PROGRAM([[
-          $curl_includes_sys_socket
-          typedef $t curl_socklen_t;
-        ]],[[
-          curl_socklen_t dummy;
-        ]])
-      ],[
-        curl_typeof_curl_socklen_t="$t"
-      ])
-    fi
-  done
-  AC_MSG_RESULT([$curl_typeof_curl_socklen_t])
-  if test "$curl_typeof_curl_socklen_t" = "void" ||
-    test "$curl_typeof_curl_socklen_t" = "unknown"; then
-    AC_MSG_ERROR([cannot find data type for curl_socklen_t.])
-  fi
-  #
-  AC_MSG_CHECKING([size of curl_socklen_t])
-  curl_sizeof_curl_socklen_t="unknown"
-  curl_pull_headers_socklen_t="unknown"
-  if test "$curl_cv_header_ws2tcpip_h" = "yes"; then
-    tst_pull_header_checks='none ws2tcpip'
-    tst_size_checks='4'
-  else
-    tst_pull_header_checks='none systypes syssocket'
-    tst_size_checks='4 8 2'
-  fi
-  for tst_size in $tst_size_checks; do
-    for tst_pull_headers in $tst_pull_header_checks; do
-      if test "$curl_sizeof_curl_socklen_t" = "unknown"; then
-        case $tst_pull_headers in
-          ws2tcpip)
-            tmp_includes="$curl_includes_ws2tcpip"
-            ;;
-          systypes)
-            tmp_includes="$curl_includes_sys_types"
-            ;;
-          syssocket)
-            tmp_includes="$curl_includes_sys_socket"
-            ;;
-          *)
-            tmp_includes=""
-            ;;
-        esac
-        AC_COMPILE_IFELSE([
-          AC_LANG_PROGRAM([[
-            $tmp_includes
-            typedef $curl_typeof_curl_socklen_t curl_socklen_t;
-            typedef char dummy_arr[sizeof(curl_socklen_t) == $tst_size ? 1 : -1];
-          ]],[[
-            curl_socklen_t dummy;
-          ]])
-        ],[
-          curl_sizeof_curl_socklen_t="$tst_size"
-          curl_pull_headers_socklen_t="$tst_pull_headers"
-        ])
-      fi
-    done
-  done
-  AC_MSG_RESULT([$curl_sizeof_curl_socklen_t])
-  if test "$curl_sizeof_curl_socklen_t" = "unknown"; then
-    AC_MSG_ERROR([cannot find out size of curl_socklen_t.])
-  fi
-  #
-  case $curl_pull_headers_socklen_t in
-    ws2tcpip)
-      CURL_DEFINE_UNQUOTED([CURL_PULL_WS2TCPIP_H])
-      ;;
-    systypes)
-      CURL_DEFINE_UNQUOTED([CURL_PULL_SYS_TYPES_H])
-      ;;
-    syssocket)
-      CURL_DEFINE_UNQUOTED([CURL_PULL_SYS_TYPES_H])
-      CURL_DEFINE_UNQUOTED([CURL_PULL_SYS_SOCKET_H])
-      ;;
-  esac
-  CURL_DEFINE_UNQUOTED([CURL_TYPEOF_CURL_SOCKLEN_T], [$curl_typeof_curl_socklen_t])
-  CURL_DEFINE_UNQUOTED([CURL_SIZEOF_CURL_SOCKLEN_T], [$curl_sizeof_curl_socklen_t])
-])
-
-
 dnl CURL_CONFIGURE_PULL_SYS_POLL
 dnl -------------------------------------------------
-dnl Find out if system header file sys/poll.h must be included by the
-dnl external interface, making appropriate definitions for template file
-dnl include/curl/curlbuild.h.in to properly configure and use the library.
-dnl
 dnl The need for the sys/poll.h inclusion arises mainly to properly
 dnl interface AIX systems which define macros 'events' and 'revents'.
 
@@ -2306,8 +1880,15 @@
 #endif
 #endif
 #ifndef HAVE_WINDOWS_H
+#ifdef HAVE_PROTO_BSDSOCKET_H
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+#define select(a,b,c,d,e) WaitSelect(a,b,c,d,e,0)
+#endif
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h>
+#elif defined(HAVE_UNISTD_H)
+#include <unistd.h>
 #endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
@@ -2364,8 +1945,15 @@
 #endif
 #endif
 #ifndef HAVE_WINDOWS_H
+#ifdef HAVE_PROTO_BSDSOCKET_H
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+#define select(a,b,c,d,e) WaitSelect(a,b,c,d,e,0)
+#endif
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h>
+#elif defined(HAVE_UNISTD_H)
+#include <unistd.h>
 #endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
@@ -2378,11 +1966,14 @@
                       long tv_usec;
                     };
 #endif
-                    extern $sel_retv SELECTCALLCONV select($sel_arg1,
-                                                           $sel_arg234,
-                                                           $sel_arg234,
-                                                           $sel_arg234,
-                                                           $sel_arg5);
+#ifndef HAVE_PROTO_BSDSOCKET_H
+                    extern $sel_retv SELECTCALLCONV
+				select($sel_arg1,
+					$sel_arg234,
+					$sel_arg234,
+					$sel_arg234,
+					$sel_arg5);
+#endif
                   ]],[[
                     $sel_arg1   nfds=0;
                     $sel_arg234 rfds=0;
@@ -2477,8 +2068,8 @@
     dnl just run a program to verify that the libs checked for previous to this
     dnl point also is available run-time!
     AC_MSG_CHECKING([run-time libs availability])
-    AC_TRY_RUN([
-main()
+    CURL_RUN_IFELSE([
+int main()
 {
   return 0;
 }
@@ -2587,8 +2178,8 @@
   AC_ARG_WITH(ca-path,
 AC_HELP_STRING([--with-ca-path=DIRECTORY],
 [Path to a directory containing CA certificates stored individually, with \
-their filenames in a hash format. This option can be used with OpenSSL, \
-GnuTLS and PolarSSL backends. Refer to OpenSSL c_rehash for details. \
+their filenames in a hash format. This option can be used with the OpenSSL, \
+GnuTLS and mbedTLS backends. Refer to OpenSSL c_rehash for details. \
 (example: /etc/certificates)])
 AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
   [
@@ -2614,8 +2205,8 @@
     capath="no"
   elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
     dnl --with-ca-path given
-    if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
-      AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
+    if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$MBEDTLS_ENABLED" != "x1"; then
+      AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or mbedTLS])
     fi
     capath="$want_capath"
     ca="no"
@@ -2717,292 +2308,6 @@
   fi
 ])
 
-
-dnl DO_CURL_OFF_T_CHECK (TYPE, SIZE)
-dnl -------------------------------------------------
-dnl Internal macro for CURL_CONFIGURE_CURL_OFF_T
-
-AC_DEFUN([DO_CURL_OFF_T_CHECK], [
-  AC_REQUIRE([CURL_INCLUDES_INTTYPES])dnl
-  if test "$curl_typeof_curl_off_t" = "unknown" && test ! -z "$1"; then
-    tmp_includes=""
-    tmp_source=""
-    tmp_fmt=""
-    case XC_SH_TR_SH([$1]) in
-      int64_t)
-        tmp_includes="$curl_includes_inttypes"
-        tmp_source="char f@<:@@:>@ = PRId64;"
-        tmp_fmt="PRId64"
-        ;;
-      int32_t)
-        tmp_includes="$curl_includes_inttypes"
-        tmp_source="char f@<:@@:>@ = PRId32;"
-        tmp_fmt="PRId32"
-        ;;
-      int16_t)
-        tmp_includes="$curl_includes_inttypes"
-        tmp_source="char f@<:@@:>@ = PRId16;"
-        tmp_fmt="PRId16"
-        ;;
-    esac
-    AC_COMPILE_IFELSE([
-      AC_LANG_PROGRAM([[
-        $tmp_includes
-        typedef $1 curl_off_t;
-        typedef char dummy_arr[sizeof(curl_off_t) == $2 ? 1 : -1];
-      ]],[[
-        $tmp_source
-        curl_off_t dummy;
-      ]])
-    ],[
-      if test -z "$tmp_fmt"; then
-        curl_typeof_curl_off_t="$1"
-        curl_sizeof_curl_off_t="$2"
-      else
-        CURL_CHECK_DEF([$tmp_fmt], [$curl_includes_inttypes], [silent])
-        AS_VAR_PUSHDEF([tmp_HaveFmtDef], [curl_cv_have_def_$tmp_fmt])dnl
-        AS_VAR_PUSHDEF([tmp_FmtDef], [curl_cv_def_$tmp_fmt])dnl
-        if test AS_VAR_GET(tmp_HaveFmtDef) = "yes"; then
-          curl_format_curl_off_t=AS_VAR_GET(tmp_FmtDef)
-          curl_typeof_curl_off_t="$1"
-          curl_sizeof_curl_off_t="$2"
-        fi
-        AS_VAR_POPDEF([tmp_FmtDef])dnl
-        AS_VAR_POPDEF([tmp_HaveFmtDef])dnl
-      fi
-    ])
-  fi
-])
-
-
-dnl DO_CURL_OFF_T_SUFFIX_CHECK (TYPE)
-dnl -------------------------------------------------
-dnl Internal macro for CURL_CONFIGURE_CURL_OFF_T
-
-AC_DEFUN([DO_CURL_OFF_T_SUFFIX_CHECK], [
-  AC_REQUIRE([CURL_INCLUDES_INTTYPES])dnl
-  AC_MSG_CHECKING([constant suffix string for curl_off_t])
-  #
-  curl_suffix_curl_off_t="unknown"
-  curl_suffix_curl_off_tu="unknown"
-  #
-  case XC_SH_TR_SH([$1]) in
-    long_long | __longlong | __longlong_t)
-      tst_suffixes="LL::"
-      ;;
-    long)
-      tst_suffixes="L::"
-      ;;
-    int)
-      tst_suffixes="::"
-      ;;
-    __int64 | int64_t)
-      tst_suffixes="LL:i64::"
-      ;;
-    __int32 | int32_t)
-      tst_suffixes="L:i32::"
-      ;;
-    __int16 | int16_t)
-      tst_suffixes="L:i16::"
-      ;;
-    *)
-      AC_MSG_ERROR([unexpected data type $1])
-      ;;
-  esac
-  #
-  old_IFS=$IFS; IFS=':'
-  for tmp_ssuf in $tst_suffixes ; do
-    IFS=$old_IFS
-    if test "x$curl_suffix_curl_off_t" = "xunknown"; then
-      case $tmp_ssuf in
-        i64 | i32 | i16)
-          tmp_usuf="u$tmp_ssuf"
-          ;;
-        LL | L)
-          tmp_usuf="U$tmp_ssuf"
-          ;;
-        *)
-          tmp_usuf=""
-          ;;
-      esac
-      AC_COMPILE_IFELSE([
-        AC_LANG_PROGRAM([[
-          $curl_includes_inttypes
-          typedef $1 new_t;
-        ]],[[
-          new_t s1;
-          new_t s2;
-          s1 = -10$tmp_ssuf ;
-          s2 =  20$tmp_ssuf ;
-          if(s1 > s2)
-            return 1;
-        ]])
-      ],[
-        curl_suffix_curl_off_t="$tmp_ssuf"
-        curl_suffix_curl_off_tu="$tmp_usuf"
-      ])
-    fi
-  done
-  IFS=$old_IFS
-  #
-  if test "x$curl_suffix_curl_off_t" = "xunknown"; then
-    AC_MSG_ERROR([cannot find constant suffix string for curl_off_t.])
-  else
-    AC_MSG_RESULT([$curl_suffix_curl_off_t])
-    AC_MSG_CHECKING([constant suffix string for unsigned curl_off_t])
-    AC_MSG_RESULT([$curl_suffix_curl_off_tu])
-  fi
-  #
-])
-
-
-dnl CURL_CONFIGURE_CURL_OFF_T
-dnl -------------------------------------------------
-dnl Find out suitable curl_off_t data type definition and associated
-dnl items, and make the appropriate definitions used in template file
-dnl include/curl/curlbuild.h.in to properly configure the library.
-
-AC_DEFUN([CURL_CONFIGURE_CURL_OFF_T], [
-  AC_REQUIRE([CURL_INCLUDES_INTTYPES])dnl
-  #
-  AC_BEFORE([$0],[AC_SYS_LARGEFILE])dnl
-  AC_BEFORE([$0],[CURL_CONFIGURE_REENTRANT])dnl
-  AC_BEFORE([$0],[CURL_CHECK_AIX_ALL_SOURCE])dnl
-  #
-  if test -z "$SED"; then
-    AC_MSG_ERROR([SED not set. Cannot continue without SED being set.])
-  fi
-  #
-  AC_CHECK_SIZEOF(long)
-  AC_CHECK_SIZEOF(void*)
-  #
-  if test -z "$ac_cv_sizeof_long" ||
-    test "$ac_cv_sizeof_long" -eq "0"; then
-    AC_MSG_ERROR([cannot find out size of long.])
-  fi
-  if test -z "$ac_cv_sizeof_voidp" ||
-     test "$ac_cv_sizeof_voidp" -eq "0"; then
-    AC_MSG_ERROR([cannot find out size of void*.])
-  fi
-  #
-  x_LP64_long=""
-  x_LP32_long=""
-  #
-  if test "$ac_cv_sizeof_long" -eq "8" &&
-     test "$ac_cv_sizeof_voidp" -ge "8"; then
-    x_LP64_long="long"
-  elif test "$ac_cv_sizeof_long" -eq "4" &&
-       test "$ac_cv_sizeof_voidp" -ge "4"; then
-    x_LP32_long="long"
-  fi
-  #
-  dnl DO_CURL_OFF_T_CHECK results are stored in next 3 vars
-  #
-  curl_typeof_curl_off_t="unknown"
-  curl_sizeof_curl_off_t="unknown"
-  curl_format_curl_off_t="unknown"
-  curl_format_curl_off_tu="unknown"
-  #
-  if test "$curl_typeof_curl_off_t" = "unknown"; then
-    AC_MSG_CHECKING([for 64-bit curl_off_t data type])
-    for t8 in          \
-      "$x_LP64_long"   \
-      'int64_t'        \
-      '__int64'        \
-      'long long'      \
-      '__longlong'     \
-      '__longlong_t'   ; do
-      DO_CURL_OFF_T_CHECK([$t8], [8])
-    done
-    AC_MSG_RESULT([$curl_typeof_curl_off_t])
-  fi
-  if test "$curl_typeof_curl_off_t" = "unknown"; then
-    AC_MSG_CHECKING([for 32-bit curl_off_t data type])
-    for t4 in          \
-      "$x_LP32_long"   \
-      'int32_t'        \
-      '__int32'        \
-      'int'            ; do
-      DO_CURL_OFF_T_CHECK([$t4], [4])
-    done
-    AC_MSG_RESULT([$curl_typeof_curl_off_t])
-  fi
-  if test "$curl_typeof_curl_off_t" = "unknown"; then
-    AC_MSG_ERROR([cannot find data type for curl_off_t.])
-  fi
-  #
-  AC_MSG_CHECKING([size of curl_off_t])
-  AC_MSG_RESULT([$curl_sizeof_curl_off_t])
-  #
-  AC_MSG_CHECKING([formatting string directive for curl_off_t])
-  if test "$curl_format_curl_off_t" != "unknown"; then
-    x_pull_headers="yes"
-    curl_format_curl_off_t=`echo "$curl_format_curl_off_t" | "$SED" 's/[["]]//g'`
-    curl_format_curl_off_tu=`echo "$curl_format_curl_off_t" | "$SED" 's/i$/u/'`
-    curl_format_curl_off_tu=`echo "$curl_format_curl_off_tu" | "$SED" 's/d$/u/'`
-    curl_format_curl_off_tu=`echo "$curl_format_curl_off_tu" | "$SED" 's/D$/U/'`
-  else
-    x_pull_headers="no"
-    case XC_SH_TR_SH([$curl_typeof_curl_off_t]) in
-      long_long | __longlong | __longlong_t)
-        curl_format_curl_off_t="lld"
-        curl_format_curl_off_tu="llu"
-        ;;
-      long)
-        curl_format_curl_off_t="ld"
-        curl_format_curl_off_tu="lu"
-        ;;
-      int)
-        curl_format_curl_off_t="d"
-        curl_format_curl_off_tu="u"
-        ;;
-      __int64)
-        curl_format_curl_off_t="I64d"
-        curl_format_curl_off_tu="I64u"
-        ;;
-      __int32)
-        curl_format_curl_off_t="I32d"
-        curl_format_curl_off_tu="I32u"
-        ;;
-      __int16)
-        curl_format_curl_off_t="I16d"
-        curl_format_curl_off_tu="I16u"
-        ;;
-      *)
-        AC_MSG_ERROR([cannot find print format string for curl_off_t.])
-        ;;
-    esac
-  fi
-  AC_MSG_RESULT(["$curl_format_curl_off_t"])
-  #
-  AC_MSG_CHECKING([formatting string directive for unsigned curl_off_t])
-  AC_MSG_RESULT(["$curl_format_curl_off_tu"])
-  #
-  DO_CURL_OFF_T_SUFFIX_CHECK([$curl_typeof_curl_off_t])
-  #
-  if test "$x_pull_headers" = "yes"; then
-    if test "x$ac_cv_header_sys_types_h" = "xyes"; then
-      CURL_DEFINE_UNQUOTED([CURL_PULL_SYS_TYPES_H])
-    fi
-    if test "x$ac_cv_header_stdint_h" = "xyes"; then
-      CURL_DEFINE_UNQUOTED([CURL_PULL_STDINT_H])
-    fi
-    if test "x$ac_cv_header_inttypes_h" = "xyes"; then
-      CURL_DEFINE_UNQUOTED([CURL_PULL_INTTYPES_H])
-    fi
-  fi
-  #
-  CURL_DEFINE_UNQUOTED([CURL_TYPEOF_CURL_OFF_T], [$curl_typeof_curl_off_t])
-  CURL_DEFINE_UNQUOTED([CURL_FORMAT_CURL_OFF_T], ["$curl_format_curl_off_t"])
-  CURL_DEFINE_UNQUOTED([CURL_FORMAT_CURL_OFF_TU], ["$curl_format_curl_off_tu"])
-  CURL_DEFINE_UNQUOTED([CURL_FORMAT_OFF_T], ["%$curl_format_curl_off_t"])
-  CURL_DEFINE_UNQUOTED([CURL_SIZEOF_CURL_OFF_T], [$curl_sizeof_curl_off_t])
-  CURL_DEFINE_UNQUOTED([CURL_SUFFIX_CURL_OFF_T], [$curl_suffix_curl_off_t])
-  CURL_DEFINE_UNQUOTED([CURL_SUFFIX_CURL_OFF_TU], [$curl_suffix_curl_off_tu])
-  #
-])
-
-
 dnl CURL_CHECK_WIN32_LARGEFILE
 dnl -------------------------------------------------
 dnl Check if curl's WIN32 large file will be used
@@ -3243,3 +2548,29 @@
   fi
 
 ])
+
+
+dnl CURL_SUPPORTS_BUILTIN_AVAILABLE
+dnl
+dnl Check to see if the compiler supports __builtin_available. This built-in
+dnl compiler function first appeared in Apple LLVM 9.0.0. It's so new that, at
+dnl the time this macro was written, the function was not yet documented. Its
+dnl purpose is to return true if the code is running under a certain OS version
+dnl or later.
+
+AC_DEFUN([CURL_SUPPORTS_BUILTIN_AVAILABLE], [
+  AC_MSG_CHECKING([to see if the compiler supports __builtin_available()])
+  AC_COMPILE_IFELSE([
+    AC_LANG_PROGRAM([[
+#include <stdlib.h>
+    ]],[[
+      if (__builtin_available(macOS 10.8, iOS 5.0, *)) {}
+    ]])
+  ],[
+    AC_MSG_RESULT([yes])
+    AC_DEFINE_UNQUOTED(HAVE_BUILTIN_AVAILABLE, 1,
+        [Define to 1 if you have the __builtin_available function.])
+  ],[
+    AC_MSG_RESULT([no])
+  ])
+])
diff --git a/appveyor.yml b/appveyor.yml
index b9d5a7f..b092480 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -1,65 +1,293 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+
 version: 7.50.0.{build}
 
 environment:
     matrix:
-      - PRJ_GEN: "Visual Studio 11 2012 Win64"
-        BDIR: msvc2012
+      # generated CMake-based Visual Studio Release builds
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "Visual Studio 9 2008"
         PRJ_CFG: Release
         OPENSSL: OFF
+        WINSSL: ON
+        HTTP_ONLY: OFF
         TESTING: OFF
-        STATICLIB: OFF
-      - PRJ_GEN: "Visual Studio 12 2013 Win64"
-        BDIR: msvc2013
-        PRJ_CFG: Release
-        OPENSSL: OFF
-        TESTING: OFF
-        STATICLIB: OFF
-      - PRJ_GEN: "Visual Studio 14 2015 Win64"
-        BDIR: msvc2015
-        PRJ_CFG: Release
-        OPENSSL: OFF
-        TESTING: OFF
-        STATICLIB: OFF
-      - PRJ_GEN: "Visual Studio 11 2012 Win64"
-        BDIR: msvc2012
+        SHARED: ON
+        DISABLED_TESTS: ""
+        COMPILER_PATH: ""
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2019"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "Visual Studio 16 2019"
+        TARGET: "-A x64"
         PRJ_CFG: Release
         OPENSSL: ON
+        WINSSL: OFF
+        HTTP_ONLY: OFF
         TESTING: OFF
-        STATICLIB: OFF
-      - PRJ_GEN: "Visual Studio 12 2013 Win64"
-        BDIR: msvc2013
-        PRJ_CFG: Release
-        OPENSSL: ON
-        TESTING: OFF
-        STATICLIB: OFF
-      - PRJ_GEN: "Visual Studio 14 2015 Win64"
-        BDIR: msvc2015
-        PRJ_CFG: Release
-        OPENSSL: ON
-        TESTING: OFF
-        STATICLIB: OFF
-      - PRJ_GEN: "Visual Studio 11 2012 Win64"
-        BDIR: msvc2012
+        SHARED: ON
+        DISABLED_TESTS: ""
+        COMPILER_PATH: ""
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2019"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "Visual Studio 16 2019"
+        TARGET: "-A ARM64"
         PRJ_CFG: Release
         OPENSSL: OFF
-        TESTING: ON
-        STATICLIB: ON
-      - PRJ_GEN: "Visual Studio 12 2013 Win64"
-        BDIR: msvc2013
-        PRJ_CFG: Release
+        WINSSL: ON
+        HTTP_ONLY: OFF
+        TESTING: OFF
+        SHARED: OFF
+        DISABLED_TESTS: ""
+        COMPILER_PATH: ""
+      # generated CMake-based Visual Studio Debug builds
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "Visual Studio 10 2010 Win64"
+        PRJ_CFG: Debug
         OPENSSL: OFF
+        WINSSL: OFF
+        HTTP_ONLY: OFF
         TESTING: ON
-        STATICLIB: ON
-      - PRJ_GEN: "Visual Studio 14 2015 Win64"
-        BDIR: msvc2015
-        PRJ_CFG: Release
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: ""
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2019"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "Visual Studio 16 2019"
+        TARGET: "-A x64"
+        PRJ_CFG: Debug
         OPENSSL: OFF
+        WINSSL: ON
+        HTTP_ONLY: OFF
         TESTING: ON
-        STATICLIB: ON
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: ""
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2019"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "Visual Studio 16 2019"
+        TARGET: "-A x64"
+        PRJ_CFG: Debug
+        OPENSSL: OFF
+        WINSSL: OFF
+        HTTP_ONLY: OFF
+        TESTING: ON
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: ""
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2019"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "Visual Studio 16 2019"
+        TARGET: "-A x64"
+        PRJ_CFG: Debug
+        OPENSSL: OFF
+        WINSSL: OFF
+        HTTP_ONLY: ON
+        TESTING: ON
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: ""
+      # generated CMake-based MSYS Makefiles builds
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "MSYS Makefiles"
+        PRJ_CFG: Debug
+        OPENSSL: OFF
+        WINSSL: ON
+        HTTP_ONLY: OFF
+        TESTING: ON
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: "C:\\mingw-w64\\x86_64-8.1.0-posix-seh-rt_v6-rev0\\mingw64\\bin"
+        MSYS2_ARG_CONV_EXCL: "/*"
+        BUILD_OPT: -k
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2017"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "MSYS Makefiles"
+        PRJ_CFG: Debug
+        OPENSSL: OFF
+        WINSSL: ON
+        HTTP_ONLY: OFF
+        TESTING: ON
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: "C:\\mingw-w64\\x86_64-7.2.0-posix-seh-rt_v5-rev1\\mingw64\\bin"
+        MSYS2_ARG_CONV_EXCL: "/*"
+        BUILD_OPT: -k
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "MSYS Makefiles"
+        PRJ_CFG: Debug
+        OPENSSL: OFF
+        WINSSL: ON
+        HTTP_ONLY: OFF
+        TESTING: ON
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: "C:\\mingw-w64\\i686-6.3.0-posix-dwarf-rt_v5-rev1\\mingw32\\bin"
+        MSYS2_ARG_CONV_EXCL: "/*"
+        BUILD_OPT: -k
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: CMake
+        PRJ_GEN: "MSYS Makefiles"
+        PRJ_CFG: Debug
+        OPENSSL: OFF
+        WINSSL: OFF
+        HTTP_ONLY: OFF
+        TESTING: ON
+        SHARED: OFF
+        DISABLED_TESTS: "~1139"
+        COMPILER_PATH: "C:\\MinGW\\bin"
+        MSYS2_ARG_CONV_EXCL: "/*"
+        BUILD_OPT: -k
+      # winbuild-based builds
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: winbuild_vs2015
+        DEBUG: yes
+        PATHPART: debug
+        TESTING: OFF
+        ENABLE_UNICODE: no
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: winbuild_vs2015
+        DEBUG: no
+        PATHPART: release
+        TESTING: OFF
+        ENABLE_UNICODE: no
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2017"
+        BUILD_SYSTEM: winbuild_vs2017
+        DEBUG: yes
+        PATHPART: debug
+        TESTING: OFF
+        ENABLE_UNICODE: no
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2017"
+        BUILD_SYSTEM: winbuild_vs2017
+        DEBUG: no
+        PATHPART: release
+        TESTING: OFF
+        ENABLE_UNICODE: no
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: winbuild_vs2015
+        DEBUG: yes
+        PATHPART: debug
+        TESTING: OFF
+        ENABLE_UNICODE: yes
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: winbuild_vs2015
+        DEBUG: no
+        PATHPART: release
+        TESTING: OFF
+        ENABLE_UNICODE: yes
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2017"
+        BUILD_SYSTEM: winbuild_vs2017
+        DEBUG: yes
+        PATHPART: debug
+        TESTING: OFF
+        ENABLE_UNICODE: yes
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2017"
+        BUILD_SYSTEM: winbuild_vs2017
+        DEBUG: no
+        PATHPART: release
+        TESTING: OFF
+        ENABLE_UNICODE: yes
+      # generated VisualStudioSolution-based builds
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2017"
+        BUILD_SYSTEM: VisualStudioSolution
+        PRJ_CFG: "DLL Debug - DLL Windows SSPI - DLL WinIDN"
+        TESTING: OFF
+        VC_VERSION: VC15
+      # autotools-based builds
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2015"
+        BUILD_SYSTEM: autotools
+        TESTING: ON
+        DISABLED_TESTS: "!19 !1233 ~1242 ~1243 ~2002 ~2003"
+        CONFIG_ARGS: "--enable-debug --enable-werror --enable-alt-svc --disable-threaded-resolver --disable-proxy"
+      - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2019"
+        BUILD_SYSTEM: autotools
+        TESTING: ON
+        DISABLED_TESTS: "!19 !504 !704 !705 !1233 ~1242 ~1243 ~2002 ~2003"
+        CONFIG_ARGS: "--enable-debug --enable-werror --enable-alt-svc --disable-threaded-resolver"
 
+install:
+    - set "PATH=C:\msys64\usr\bin;%PATH%"
+    - if not "%COMPILER_PATH%"=="" (
+        set "PATH=%COMPILER_PATH%;%PATH%" )
 
 build_script:
-    - mkdir build.%BDIR%
-    - cd build.%BDIR%
-    - cmake .. -G"%PRJ_GEN%" -DCMAKE_USE_OPENSSL=%OPENSSL% -DCURL_STATICLIB=%STATICLIB% -DBUILD_TESTING=%TESTING%
-    - cmake --build . --config %PRJ_CFG% --clean-first
+    - if %BUILD_SYSTEM%==CMake (
+        cmake .
+        -G"%PRJ_GEN%"
+        %TARGET%
+        -DCMAKE_USE_OPENSSL=%OPENSSL%
+        -DCMAKE_USE_WINSSL=%WINSSL%
+        -DHTTP_ONLY=%HTTP_ONLY%
+        -DBUILD_SHARED_LIBS=%SHARED%
+        -DBUILD_TESTING=%TESTING%
+        -DCURL_WERROR=ON
+        -DENABLE_DEBUG=ON
+        -DCMAKE_RUNTIME_OUTPUT_DIRECTORY_RELEASE=""
+        -DCMAKE_RUNTIME_OUTPUT_DIRECTORY_DEBUG=""
+        -DCMAKE_INSTALL_PREFIX="C:/CURL"
+        -DCMAKE_BUILD_TYPE=%PRJ_CFG% &&
+        cmake --build . --config %PRJ_CFG% --parallel 2 --clean-first -- %BUILD_OPT%
+      ) else (
+      if %BUILD_SYSTEM%==VisualStudioSolution (
+        cd projects &&
+        .\\generate.bat %VC_VERSION% &&
+        msbuild.exe /p:Configuration="%PRJ_CFG%" "Windows\\%VC_VERSION%\\curl-all.sln"
+      ) else (
+      if %BUILD_SYSTEM%==winbuild_vs2015 (
+        call buildconf.bat &&
+        cd winbuild &&
+        call "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x64 &&
+        call "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86_amd64 &&
+        nmake /f Makefile.vc mode=dll VC=14 "SSL_PATH=C:\OpenSSL-v111-Win64" WITH_SSL=dll MACHINE=x64 DEBUG=%DEBUG% ENABLE_UNICODE=%ENABLE_UNICODE% &&
+        ..\builds\libcurl-vc14-x64-%PATHPART%-dll-ssl-dll-ipv6-sspi\bin\curl.exe -V
+      ) else (
+      if %BUILD_SYSTEM%==winbuild_vs2017 (
+        call buildconf.bat &&
+        cd winbuild &&
+        call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvars64.bat" &&
+        nmake /f Makefile.vc mode=dll VC=15 "SSL_PATH=C:\OpenSSL-v111-Win64" WITH_SSL=dll MACHINE=x64 DEBUG=%DEBUG% ENABLE_UNICODE=%ENABLE_UNICODE% &&
+        ..\builds\libcurl-vc15-x64-%PATHPART%-dll-ssl-dll-ipv6-sspi\bin\curl.exe -V
+      ) else (
+      if %BUILD_SYSTEM%==autotools (
+        bash.exe -e -l -c "cd /c/projects/curl && ./buildconf && ./configure %CONFIG_ARGS% && make && make examples && cd tests && make"
+      )))))
+
+test_script:
+    - if %TESTING%==ON (
+        echo APPVEYOR_API_URL=%APPVEYOR_API_URL% &&
+        bash.exe -e -l -c "cd /c/projects/curl/tests && ./runtests.pl -a -b$(($(echo '%APPVEYOR_API_URL%' | cut -d'/' -f3 | cut -d':' -f2)+1)) -p !flaky %DISABLED_TESTS%" )
+
+# whitelist branches to avoid testing feature branches twice (as branch and as pull request)
+branches:
+    only:
+        - master
+        - /\/ci$/
+
+artifacts:
+  - path: '**/curl.exe'
+    name: curl
+  - path: '**/libcurl.dll'
+    name: libcurl
diff --git a/buildconf b/buildconf
index 0d998c2..6f7f0b3 100755
--- a/buildconf
+++ b/buildconf
@@ -6,7 +6,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -64,16 +64,7 @@
 #
 removethis(){
   if test "$#" = "1"; then
-    find . -depth -name $1 -print > buildconf.tmp.$$
-    while read fdname
-    do
-      if test -f "$fdname"; then
-        rm -f "$fdname"
-      elif test -d "$fdname"; then
-        rm -f -r "$fdname"
-      fi
-    done < buildconf.tmp.$$
-    rm -f buildconf.tmp.$$
+    find . -depth -name $1 -execdir rm -rf {} \;
   fi
 }
 
@@ -255,7 +246,7 @@
 #--------------------------------------------------------------------------
 # m4 check
 #
-m4=`(${M4:-m4} --version || ${M4:-gm4} --version) 2>/dev/null | head -n 1`;
+m4=`(${M4:-m4} --version 0<&- || ${M4:-gm4} --version) 2>/dev/null 0<&- | head -n 1`;
 m4_version=`echo $m4 | sed -e 's/^.* \([0-9]\)/\1/' -e 's/[a-z]* *$//'`
 
 if { echo $m4 | grep "GNU" >/dev/null 2>&1; } then
@@ -291,9 +282,6 @@
     Makefile.in \
     aclocal.m4 \
     aclocal.m4.bak \
-    ares_build.h \
-    ares_config.h \
-    ares_config.h.in \
     autom4te.cache \
     compile \
     config.guess \
@@ -306,7 +294,6 @@
     configure \
     configurehelp.pm \
     curl-config \
-    curlbuild.h \
     depcomp \
     libcares.pc \
     libcurl.pc \
diff --git a/buildconf.bat b/buildconf.bat
index ad3fba6..0435233 100644
--- a/buildconf.bat
+++ b/buildconf.bat
@@ -6,7 +6,7 @@
 rem *                            | (__| |_| |  _ <| |___
 rem *                             \___|\___/|_| \_\_____|
 rem *
-rem * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+rem * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
 rem *
 rem * This software is licensed as described in the file COPYING, which
 rem * you should have received as part of this distribution. The terms
@@ -73,7 +73,6 @@
     echo Generating prerequisite files
 
     call :generate
-    if errorlevel 4 goto nogencurlbuild
     if errorlevel 3 goto nogenhugehelp
     if errorlevel 2 goto nogenmakefile
     if errorlevel 1 goto warning
@@ -83,7 +82,6 @@
     echo Removing prerequisite files
 
     call :clean
-    if errorlevel 3 goto nocleancurlbuild
     if errorlevel 2 goto nocleanhugehelp
     if errorlevel 1 goto nocleanmakefile
   )
@@ -95,10 +93,9 @@
 rem Returns:
 rem
 rem 0 - success
-rem 1 - success with simplified tool_hugehelp.c 
+rem 1 - success with simplified tool_hugehelp.c
 rem 2 - failed to generate Makefile
 rem 3 - failed to generate tool_hugehelp.c
-rem 4 - failed to generate curlbuild.h
 rem
 :generate
   if "%OS%" == "Windows_NT" setlocal
@@ -126,16 +123,6 @@
   )
   cmd /c exit 0
 
-  rem Create curlbuild.h
-  echo * %CD%\include\curl\curlbuild.h
-  if exist include\curl\curlbuild.h.dist (
-    copy /Y include\curl\curlbuild.h.dist include\curl\curlbuild.h 1>NUL 2>&1
-    if errorlevel 1 (
-      if "%OS%" == "Windows_NT" endlocal
-      exit /B 4
-    )
-  )
-
   rem Setup c-ares git tree
   if exist ares\buildconf.bat (
     echo.
@@ -160,7 +147,6 @@
 rem 0 - success
 rem 1 - failed to clean Makefile
 rem 2 - failed to clean tool_hugehelp.c
-rem 3 - failed to clean curlbuild.h
 rem
 :clean
   rem Remove Makefile
@@ -181,15 +167,6 @@
     )
   )
 
-  rem Remove curlbuild.h
-  echo * %CD%\include\curl\curlbuild.h
-  if exist include\curl\curlbuild.h (
-    del include\curl\curlbuild.h 2>NUL
-    if exist include\curl\curlbuild.h (
-      exit /B 3
-    )
-  )
-
   exit /B
 
 rem Function to generate src\tool_hugehelp.c
@@ -216,7 +193,7 @@
 
   if defined ROFFCMD (
     echo #include "tool_setup.h"> src\tool_hugehelp.c
-    echo #include "tool_hugehelp.h">> src\tool_hugehelp.c 
+    echo #include "tool_hugehelp.h">> src\tool_hugehelp.c
 
     if defined HAVE_GZIP (
       echo #ifndef HAVE_LIBZ>> src\tool_hugehelp.c
@@ -235,7 +212,7 @@
       copy /Y src\tool_hugehelp.c.cvs src\tool_hugehelp.c 1>NUL 2>&1
     ) else (
       echo #include "tool_setup.h"> src\tool_hugehelp.c
-      echo #include "tool_hugehelp.hd">> src\tool_hugehelp.c
+      echo #include "tool_hugehelp.h">> src\tool_hugehelp.c
       echo.>> src\tool_hugehelp.c
       echo void hugehelp(void^)>> src\tool_hugehelp.c
       echo {>> src\tool_hugehelp.c
@@ -304,11 +281,6 @@
   echo Error: Unable to generate src\tool_hugehelp.c
   goto error
 
-:nogencurlbuild
-  echo.
-  echo Error: Unable to generate include\curl\curlbuild.h
-  goto error
-
 :nocleanmakefile
   echo.
   echo Error: Unable to clean Makefile
@@ -319,11 +291,6 @@
   echo Error: Unable to clean src\tool_hugehelp.c
   goto error
 
-:nocleancurlbuild
-  echo.
-  echo Error: Unable to clean include\curl\curlbuild.h
-  goto error
-
 :warning
   echo.
   echo Warning: The curl manual could not be integrated in the source. This means when
diff --git a/configure.ac b/configure.ac
old mode 100644
new mode 100755
index abd0def..768f52f
--- a/configure.ac
+++ b/configure.ac
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -31,12 +31,12 @@
 CURL_OVERRIDE_AUTOCONF
 
 dnl configure script copyright
-AC_COPYRIGHT([Copyright (c) 1998 - 2016 Daniel Stenberg, <daniel@haxx.se>
+AC_COPYRIGHT([Copyright (c) 1998 - 2020 Daniel Stenberg, <daniel@haxx.se>
 This configure script may be copied, distributed and modified under the
 terms of the curl license; see COPYING for more details])
 
 AC_CONFIG_SRCDIR([lib/urldata.h])
-AC_CONFIG_HEADERS(lib/curl_config.h include/curl/curlbuild.h)
+AC_CONFIG_HEADERS(lib/curl_config.h)
 AC_CONFIG_MACRO_DIR([m4])
 AM_MAINTAINER_MODE
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
@@ -49,6 +49,7 @@
 CURL_CHECK_OPTION_SYMBOL_HIDING
 CURL_CHECK_OPTION_ARES
 CURL_CHECK_OPTION_RT
+CURL_CHECK_OPTION_ESNI
 
 XC_CHECK_PATH_SEPARATOR
 
@@ -58,12 +59,6 @@
 CONFIGURE_OPTIONS="\"$ac_configure_args\""
 AC_SUBST(CONFIGURE_OPTIONS)
 
-CURL_CFLAG_EXTRAS=""
-if test X"$want_werror" = Xyes; then
-  CURL_CFLAG_EXTRAS="-Werror"
-fi
-AC_SUBST(CURL_CFLAG_EXTRAS)
-
 dnl SED is mandatory for configure process and libtool.
 dnl Set it now, allowing it to be changed later.
 if test -z "$SED"; then
@@ -120,14 +115,13 @@
 
 AC_SUBST(libext)
 
-dnl Remove non-configure distributed curlbuild.h
-if test -f ${srcdir}/include/curl/curlbuild.h; then
-  rm -f ${srcdir}/include/curl/curlbuild.h
-fi
-
 dnl figure out the libcurl version
-CURLVERSION=`$SED -ne 's/^#define LIBCURL_VERSION "\(.*\)"/\1/p' ${srcdir}/include/curl/curlver.h`
+CURLVERSION=`$SED -ne 's/^#define LIBCURL_VERSION "\(.*\)".*/\1/p' ${srcdir}/include/curl/curlver.h`
 XC_CHECK_PROG_CC
+
+dnl for --enable-code-coverage
+CURL_COVERAGE
+
 XC_AUTOMAKE
 AC_MSG_CHECKING([curl version])
 AC_MSG_RESULT($CURLVERSION)
@@ -136,7 +130,7 @@
 
 dnl
 dnl we extract the numerical version for curl-config only
-VERSIONNUM=`$SED -ne 's/^#define LIBCURL_VERSION_NUM 0x\(.*\)/\1/p' ${srcdir}/include/curl/curlver.h`
+VERSIONNUM=`$SED -ne 's/^#define LIBCURL_VERSION_NUM 0x\([0-9A-Fa-f]*\).*/\1/p' ${srcdir}/include/curl/curlver.h`
 AC_SUBST(VERSIONNUM)
 
 dnl Solaris pkgadd support definitions
@@ -149,9 +143,10 @@
 
 dnl
 dnl initialize all the info variables
-    curl_ssl_msg="no      (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} )"
-    curl_ssh_msg="no      (--with-libssh2)"
+    curl_ssl_msg="no      (--with-{ssl,gnutls,nss,mbedtls,wolfssl,schannel,secure-transport,mesalink,amissl,bearssl} )"
+    curl_ssh_msg="no      (--with-{libssh,libssh2})"
    curl_zlib_msg="no      (--with-zlib)"
+ curl_brotli_msg="no      (--with-brotli)"
     curl_gss_msg="no      (--with-gssapi)"
 curl_tls_srp_msg="no      (--enable-tls-srp)"
     curl_res_msg="default (--enable-ares / --enable-threaded-resolver)"
@@ -169,7 +164,7 @@
   curl_mtlnk_msg="no      (--with-libmetalink)"
     curl_psl_msg="no      (--with-libpsl)"
 
-    init_ssl_msg=${curl_ssl_msg}
+    ssl_backends=
 
 dnl
 dnl Save some initial values the user might have provided
@@ -185,10 +180,8 @@
 dnl Get system canonical name
 AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])
 
-dnl Checks for programs.
-
-dnl Our curl_off_t internal and external configure settings
-CURL_CONFIGURE_CURL_OFF_T
+# Silence warning: ar: 'u' modifier ignored since 'D' is the default
+AC_SUBST(AR_FLAGS, [cr])
 
 dnl This defines _ALL_SOURCE for AIX
 CURL_CHECK_AIX_ALL_SOURCE
@@ -280,6 +273,19 @@
   #
 fi
 
+CURL_CFLAG_EXTRAS=""
+if test X"$want_werror" = Xyes; then
+  CURL_CFLAG_EXTRAS="-Werror"
+  if test "$compiler_id" = "GNU_C"; then
+    dnl enable -pedantic-errors for GCC 5 and later,
+    dnl as before that it was the same as -Werror=pedantic
+    if test "$compiler_num" -ge "500"; then
+      CURL_CFLAG_EXTRAS="$CURL_CFLAG_EXTRAS -pedantic-errors"
+    fi
+  fi
+fi
+AC_SUBST(CURL_CFLAG_EXTRAS)
+
 CURL_CHECK_COMPILER_HALT_ON_ERROR
 CURL_CHECK_COMPILER_ARRAY_SIZE_NEGATIVE
 CURL_CHECK_COMPILER_PROTOTYPE_MISMATCH
@@ -358,6 +364,8 @@
 CURL_CHECK_WIN32_LARGEFILE
 
 CURL_MAC_CFLAGS
+CURL_SUPPORTS_BUILTIN_AVAILABLE
+
 
 dnl ************************************************************
 dnl switch off particular protocols
@@ -370,6 +378,7 @@
   no)
        AC_MSG_RESULT(no)
        AC_DEFINE(CURL_DISABLE_HTTP, 1, [to disable HTTP])
+       disable_http="yes"
        AC_MSG_WARN([disable HTTP disables FTP over proxy and RTSP])
        AC_SUBST(CURL_DISABLE_HTTP, [1])
        AC_DEFINE(CURL_DISABLE_RTSP, 1, [to disable RTSP])
@@ -628,6 +637,22 @@
        AC_MSG_RESULT(yes)
 )
 
+AC_MSG_CHECKING([whether to support mqtt])
+AC_ARG_ENABLE(mqtt,
+AC_HELP_STRING([--enable-mqtt],[Enable MQTT support])
+AC_HELP_STRING([--disable-mqtt],[Disable MQTT support]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       experimental="$experimental MQTT"
+       AC_DEFINE(CURL_ENABLE_MQTT, 1, [to enable MQTT])
+       AC_SUBST(CURL_ENABLE_MQTT, [1])
+       ;;
+  esac ],
+       AC_MSG_RESULT(no)
+)
 
 dnl **********************************************************************
 dnl Check for built-in manual
@@ -832,6 +857,28 @@
 
 if test "$HAVE_GETHOSTBYNAME" != "1"
 then
+  dnl This is for AmigaOS with bsdsocket.library - needs testing before -lnet
+  AC_MSG_CHECKING([for gethostbyname for AmigaOS bsdsocket.library])
+  AC_LINK_IFELSE([
+    AC_LANG_PROGRAM([[
+#include <proto/bsdsocket.h>
+struct Library *SocketBase = NULL;
+    ]],[[
+      gethostbyname("www.dummysite.com");
+    ]])
+  ],[
+    AC_MSG_RESULT([yes])
+    HAVE_GETHOSTBYNAME="1"
+    HAVE_PROTO_BSDSOCKET_H="1"
+    AC_DEFINE(HAVE_PROTO_BSDSOCKET_H, 1, [if Amiga bsdsocket.library is in use])
+    AC_SUBST(HAVE_PROTO_BSDSOCKET_H, [1])
+  ],[
+    AC_MSG_RESULT([no])
+  ])
+fi
+
+if test "$HAVE_GETHOSTBYNAME" != "1"
+then
   dnl gethostbyname in the network lib - for Haiku OS
   AC_CHECK_LIB(network, gethostbyname,
                [HAVE_GETHOSTBYNAME="1"
@@ -898,8 +945,8 @@
 
     if test "$PKGCONFIG" != "no" ; then
       LIBS="`$PKGCONFIG --libs-only-l zlib` $LIBS"
-      LDFLAGS="`$PKGCONFIG --libs-only-L zlib` $LDFLAGS"
-      CPPFLAGS="`$PKGCONFIG --cflags-only-I zlib` $CPPFLAGS"
+      LDFLAGS="$LDFLAGS `$PKGCONFIG --libs-only-L zlib`"
+      CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags-only-I zlib`"
       OPT_ZLIB=""
       HAVE_LIBZ="1"
     fi
@@ -981,6 +1028,94 @@
 AC_SUBST(ZLIB_LIBS)
 
 dnl **********************************************************************
+dnl Check for the presence of BROTLI decoder libraries and headers
+dnl **********************************************************************
+
+dnl Brotli project home page: https://github.com/google/brotli
+
+dnl Default to compiler & linker defaults for BROTLI files & libraries.
+OPT_BROTLI=off
+AC_ARG_WITH(brotli,dnl
+AC_HELP_STRING([--with-brotli=PATH],[Where to look for brotli, PATH points to the BROTLI installation; when possible, set the PKG_CONFIG_PATH environment variable instead of using this option])
+AC_HELP_STRING([--without-brotli], [disable BROTLI]),
+  OPT_BROTLI=$withval)
+
+if test X"$OPT_BROTLI" != Xno; then
+  dnl backup the pre-brotli variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  case "$OPT_BROTLI" in
+  yes)
+    dnl --with-brotli (without path) used
+    CURL_CHECK_PKGCONFIG(libbrotlidec)
+
+    if test "$PKGCONFIG" != "no" ; then
+      LIB_BROTLI=`$PKGCONFIG --libs-only-l libbrotlidec`
+      LD_BROTLI=`$PKGCONFIG --libs-only-L libbrotlidec`
+      CPP_BROTLI=`$PKGCONFIG --cflags-only-I libbrotlidec`
+      version=`$PKGCONFIG --modversion libbrotlidec`
+      DIR_BROTLI=`echo $LD_BROTLI | $SED -e 's/-L//'`
+    fi
+
+    ;;
+  off)
+    dnl no --with-brotli option given, just check default places
+    ;;
+  *)
+    dnl use the given --with-brotli spot
+    PREFIX_BROTLI=$OPT_BROTLI
+    ;;
+  esac
+
+  dnl if given with a prefix, we set -L and -I based on that
+  if test -n "$PREFIX_BROTLI"; then
+    LIB_BROTLI="-lbrotlidec"
+    LD_BROTLI=-L${PREFIX_BROTLI}/lib$libsuff
+    CPP_BROTLI=-I${PREFIX_BROTLI}/include
+    DIR_BROTLI=${PREFIX_BROTLI}/lib$libsuff
+  fi
+
+  LDFLAGS="$LDFLAGS $LD_BROTLI"
+  CPPFLAGS="$CPPFLAGS $CPP_BROTLI"
+  LIBS="$LIB_BROTLI $LIBS"
+
+  AC_CHECK_LIB(brotlidec, BrotliDecoderDecompress)
+
+  AC_CHECK_HEADERS(brotli/decode.h,
+    curl_brotli_msg="enabled (libbrotlidec)"
+    HAVE_BROTLI=1
+    AC_DEFINE(HAVE_BROTLI, 1, [if BROTLI is in use])
+    AC_SUBST(HAVE_BROTLI, [1])
+  )
+
+  if test X"$OPT_BROTLI" != Xoff &&
+     test "$HAVE_BROTLI" != "1"; then
+    AC_MSG_ERROR([BROTLI libs and/or directories were not found where specified!])
+  fi
+
+  if test "$HAVE_BROTLI" = "1"; then
+    if test -n "$DIR_BROTLI"; then
+       dnl when the brotli shared libs were found in a path that the run-time
+       dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
+       dnl to prevent further configure tests to fail due to this
+
+       if test "x$cross_compiling" != "xyes"; then
+         CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_BROTLI"
+         export CURL_LIBRARY_PATH
+         AC_MSG_NOTICE([Added $DIR_BROTLI to CURL_LIBRARY_PATH])
+       fi
+    fi
+  else
+    dnl no brotli, revert back to clean variables
+    LDFLAGS=$CLEANLDFLAGS
+    CPPFLAGS=$CLEANCPPFLAGS
+    LIBS=$CLEANLIBS
+  fi
+fi
+
+dnl **********************************************************************
 dnl Check for LDAP
 dnl **********************************************************************
 
@@ -1084,16 +1219,23 @@
        ;;
   esac ],
 
-  AC_TRY_RUN([ /* is AF_INET6 available? */
+  AC_TRY_RUN([ /* are AF_INET6 and sockaddr_in6 available? */
 #include <sys/types.h>
 #ifdef HAVE_WINSOCK2_H
 #include <winsock2.h>
+#include <ws2tcpip.h>
 #else
 #include <sys/socket.h>
+#include <netinet/in.h>
+#if defined (__TANDEM)
+# include <netinet/in6.h>
+#endif
 #endif
 #include <stdlib.h> /* for exit() */
 main()
 {
+ struct sockaddr_in6 s;
+ (void)s;
  if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
    exit(1);
  else
@@ -1108,12 +1250,12 @@
   ipv6=yes
 ))
 
-if test "$ipv6" = "yes"; then
-  curl_ipv6_msg="enabled"
-fi
-
-# Check if struct sockaddr_in6 have sin6_scope_id member
 if test "$ipv6" = yes; then
+  curl_ipv6_msg="enabled"
+  AC_DEFINE(ENABLE_IPV6, 1, [Define if you want to enable IPv6 support])
+  IPV6_ENABLED=1
+  AC_SUBST(IPV6_ENABLED)
+
   AC_MSG_CHECKING([if struct sockaddr_in6 has sin6_scope_id member])
   AC_TRY_COMPILE([
 #include <sys/types.h>
@@ -1122,6 +1264,9 @@
 #include <ws2tcpip.h>
 #else
 #include <netinet/in.h>
+#if defined (__TANDEM)
+# include <netinet/in6.h>
+#endif
 #endif] ,
   struct sockaddr_in6 s; s.sin6_scope_id = 0; , have_sin6_scope_id=yes)
   if test "$have_sin6_scope_id" = yes; then
@@ -1137,13 +1282,11 @@
 dnl **********************************************************************
 
 AC_MSG_CHECKING([if argv can be written to])
-AC_RUN_IFELSE([
-  AC_LANG_SOURCE([[
+CURL_RUN_IFELSE([
 int main(int argc, char ** argv) {
     argv[0][0] = ' ';
     return (argv[0][0] == ' ')?0:1;
 }
-  ]])
 ],[
   curl_cv_writable_argv=yes
 ],[
@@ -1339,6 +1482,41 @@
   CPPFLAGS="$save_CPPFLAGS"
 fi
 
+build_libstubgss=no
+if test x"$want_gss" = "xyes"; then
+  build_libstubgss=yes
+fi
+
+AM_CONDITIONAL(BUILD_STUB_GSS, test "x$build_libstubgss" = "xyes")
+
+dnl -------------------------------------------------------------
+dnl parse --with-default-ssl-backend so it can be validated below
+dnl -------------------------------------------------------------
+
+DEFAULT_SSL_BACKEND=no
+VALID_DEFAULT_SSL_BACKEND=
+AC_ARG_WITH(default-ssl-backend,
+AC_HELP_STRING([--with-default-ssl-backend=NAME],[Use NAME as default SSL backend])
+AC_HELP_STRING([--without-default-ssl-backend],[Use implicit default SSL backend]),
+  [DEFAULT_SSL_BACKEND=$withval])
+case "$DEFAULT_SSL_BACKEND" in
+  no)
+    dnl --without-default-ssl-backend option used
+    ;;
+  default|yes)
+    dnl --with-default-ssl-backend option used without name
+    AC_MSG_ERROR([The name of the default SSL backend is required.])
+    ;;
+  *)
+    dnl --with-default-ssl-backend option used with name
+    AC_SUBST(DEFAULT_SSL_BACKEND)
+    dnl needs to be validated below
+    VALID_DEFAULT_SSL_BACKEND=no
+    ;;
+esac
+
+dnl **********************************************************************
+
 dnl -------------------------------------------------
 dnl check winssl option before other SSL libraries
 dnl -------------------------------------------------
@@ -1349,14 +1527,21 @@
 AC_HELP_STRING([--without-winssl], [disable Windows native SSL/TLS]),
   OPT_WINSSL=$withval)
 
+AC_ARG_WITH(schannel,dnl
+AC_HELP_STRING([--with-schannel],[enable Windows native SSL/TLS])
+AC_HELP_STRING([--without-schannel], [disable Windows native SSL/TLS]),
+  OPT_WINSSL=$withval)
+
 AC_MSG_CHECKING([whether to enable Windows native SSL/TLS (Windows native builds only)])
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+if test -z "$ssl_backends" -o "x$OPT_WINSSL" != xno; then
+  ssl_msg=
   if test "x$OPT_WINSSL" != "xno"  &&
      test "x$curl_cv_native_windows" = "xyes"; then
     AC_MSG_RESULT(yes)
     AC_DEFINE(USE_SCHANNEL, 1, [to enable Windows native SSL/TLS support])
     AC_SUBST(USE_SCHANNEL, [1])
-    curl_ssl_msg="enabled (Windows-native)"
+    ssl_msg="Windows-native"
+    test schannel != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
     WINSSL_ENABLED=1
     # --with-winssl implies --enable-sspi
     AC_DEFINE(USE_WINDOWS_SSPI, 1, [to enable SSPI support])
@@ -1366,29 +1551,66 @@
   else
     AC_MSG_RESULT(no)
   fi
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
 else
   AC_MSG_RESULT(no)
 fi
 
-OPT_DARWINSSL=no
+OPT_SECURETRANSPORT=no
 AC_ARG_WITH(darwinssl,dnl
 AC_HELP_STRING([--with-darwinssl],[enable Apple OS native SSL/TLS])
 AC_HELP_STRING([--without-darwinssl], [disable Apple OS native SSL/TLS]),
-  OPT_DARWINSSL=$withval)
+  OPT_SECURETRANSPORT=$withval)
 
-AC_MSG_CHECKING([whether to enable Apple OS native SSL/TLS])
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
-  if test "x$OPT_DARWINSSL" != "xno" &&
-     test -d "/System/Library/Frameworks/Security.framework"; then
+AC_ARG_WITH(secure-transport,dnl
+AC_HELP_STRING([--with-secure-transport],[enable Apple OS native SSL/TLS])
+AC_HELP_STRING([--without-secure-transport], [disable Apple OS native SSL/TLS]),
+  OPT_SECURETRANSPORT=$withval)
+
+AC_MSG_CHECKING([whether to enable Secure Transport])
+if test -z "$ssl_backends" -o "x$OPT_SECURETRANSPORT" != xno; then
+  if test "x$OPT_SECURETRANSPORT" != "xno" &&
+     (test "x$cross_compiling" != "xno" || test -d "/System/Library/Frameworks/Security.framework"); then
     AC_MSG_RESULT(yes)
-    AC_DEFINE(USE_DARWINSSL, 1, [to enable Apple OS native SSL/TLS support])
-    AC_SUBST(USE_DARWINSSL, [1])
-    curl_ssl_msg="enabled (Apple OS-native)"
-    DARWINSSL_ENABLED=1
+    AC_DEFINE(USE_SECTRANSP, 1, [enable Secure Transport])
+    AC_SUBST(USE_SECTRANSP, [1])
+    ssl_msg="Secure Transport"
+    test secure-transport != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+    SECURETRANSPORT_ENABLED=1
     LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security"
   else
     AC_MSG_RESULT(no)
   fi
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
+else
+  AC_MSG_RESULT(no)
+fi
+
+OPT_AMISSL=no
+AC_ARG_WITH(amissl,dnl
+AC_HELP_STRING([--with-amissl],[enable Amiga native SSL/TLS (AmiSSL)])
+AC_HELP_STRING([--without-amissl], [disable Amiga native SSL/TLS (AmiSSL)]),
+  OPT_AMISSL=$withval)
+
+AC_MSG_CHECKING([whether to enable Amiga native SSL/TLS (AmiSSL)])
+if test "$HAVE_PROTO_BSDSOCKET_H" = "1"; then
+  if test -z "$ssl_backends" -o "x$OPT_AMISSL" != xno; then
+    ssl_msg=
+    if test "x$OPT_AMISSL" != "xno"; then
+      AC_MSG_RESULT(yes)
+      ssl_msg="AmiSSL"
+      test amissl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+      AMISSL_ENABLED=1
+      LIBS="-lamisslauto $LIBS"
+      AC_DEFINE(USE_AMISSL, 1, [if AmiSSL is in use])
+      AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use])
+    else
+      AC_MSG_RESULT(no)
+    fi
+    test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
+  else
+    AC_MSG_RESULT(no)
+  fi
 else
   AC_MSG_RESULT(no)
 fi
@@ -1406,7 +1628,10 @@
 AC_HELP_STRING([--without-ssl], [disable OpenSSL]),
   OPT_SSL=$withval)
 
-if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
+if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
+   test X"$OPT_SSL" != Xno; then
+  ssl_msg=
+
   dnl backup the pre-ssl variables
   CLEANLDFLAGS="$LDFLAGS"
   CLEANCPPFLAGS="$CPPFLAGS"
@@ -1457,9 +1682,11 @@
     dnl specify PKG_CONFIG_LIBDIR we're only looking where
     dnl the user told us to look
     OPENSSL_PCDIR="$OPT_SSL/lib/pkgconfig"
-    AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
     if test -f "$OPENSSL_PCDIR/openssl.pc"; then
+      AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
       PKGTEST="yes"
+    elif test ! -f "$PREFIX_OPENSSL/include/openssl/ssl.h"; then
+      AC_MSG_ERROR([$PREFIX_OPENSSL is a bad --with-ssl prefix!])
     fi
 
     dnl in case pkg-config comes up empty, use what we got
@@ -1479,7 +1706,7 @@
 
     if test "$PKGCONFIG" != "no" ; then
       SSL_LIBS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
-        $PKGCONFIG --libs-only-l openssl 2>/dev/null`
+        $PKGCONFIG --libs-only-l --libs-only-other openssl 2>/dev/null`
 
       SSL_LDFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
         $PKGCONFIG --libs-only-L openssl 2>/dev/null`
@@ -1513,56 +1740,57 @@
      LIBS="-lcrypto $LIBS"
      ],[
      LDFLAGS="$CLEANLDFLAGS -L$LIB_OPENSSL"
-     CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include/openssl -I$PREFIX_OPENSSL/include"
+     if test "$PKGCONFIG" = "no" ; then
+       # only set this if pkg-config wasn't used
+       CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include/openssl -I$PREFIX_OPENSSL/include"
+     fi
      AC_CHECK_LIB(crypto, HMAC_Init_ex,[
        HAVECRYPTO="yes"
        LIBS="-lcrypto $LIBS"], [
-       LDFLAGS="$CLEANLDFLAGS"
-       CPPFLAGS="$CLEANCPPFLAGS"
-       LIBS="$CLEANLIBS"
+
+       dnl still no, but what about with -ldl?
+       AC_MSG_CHECKING([OpenSSL linking with -ldl])
+       LIBS="$CLEANLIBS -lcrypto -ldl"
+       AC_TRY_LINK(
+       [
+         #include <openssl/err.h>
+       ],
+       [
+         ERR_clear_error();
+       ],
+       [
+         AC_MSG_RESULT(yes)
+         HAVECRYPTO="yes"
+       ],
+       [
+         AC_MSG_RESULT(no)
+         dnl ok, so what about both -ldl and -lpthread?
+
+         AC_MSG_CHECKING([OpenSSL linking with -ldl and -lpthread])
+         LIBS="$CLEANLIBS -lcrypto -ldl -lpthread"
+         AC_TRY_LINK(
+         [
+           #include <openssl/err.h>
+         ],
+         [
+           ERR_clear_error();
+         ],
+         [
+           AC_MSG_RESULT(yes)
+           HAVECRYPTO="yes"
+         ],
+         [
+           AC_MSG_RESULT(no)
+           LDFLAGS="$CLEANLDFLAGS"
+           CPPFLAGS="$CLEANCPPFLAGS"
+           LIBS="$CLEANLIBS"
+
+         ])
+
        ])
-    ])
 
-
-  if test X"$HAVECRYPTO" = X"yes"; then
-     AC_MSG_CHECKING([OpenSSL linking without -ldl])
-     saved_libs=$LIBS
-     AC_TRY_LINK(
-        [
-          #include <openssl/evp.h>
-        ],
-        [
-          SSLeay_add_all_algorithms();
-        ],
-        [
-          AC_MSG_RESULT(yes)
-          LIBS="$saved_libs"
-        ],
-        [
-          AC_MSG_RESULT(no)
-          AC_MSG_CHECKING([OpenSSL linking with -ldl])
-          LIBS="-ldl $LIBS"
-          AC_TRY_LINK(
-          [
-            #include <openssl/evp.h>
-          ],
-          [
-            SSLeay_add_all_algorithms();
-          ],
-          [
-            AC_MSG_RESULT(yes)
-            LIBS="$saved_libs -ldl"
-          ],
-          [
-            AC_MSG_RESULT(no)
-            LIBS="$saved_libs"
-          ]
-          )
-
-        ]
-     )
-
-  fi
+     ])
+  ])
 
   if test X"$HAVECRYPTO" = X"yes"; then
     dnl This is only reasonable to do if crypto actually is there: check for
@@ -1589,7 +1817,8 @@
       dnl Have the libraries--check for OpenSSL headers
       AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
                        openssl/pem.h openssl/ssl.h openssl/err.h,
-        curl_ssl_msg="enabled (OpenSSL)"
+        ssl_msg="OpenSSL"
+	test openssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
         OPENSSL_ENABLED=1
         AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use]))
 
@@ -1603,16 +1832,13 @@
            test $ac_cv_header_crypto_h = yes &&
            test $ac_cv_header_ssl_h = yes; then
           dnl three matches
-          curl_ssl_msg="enabled (OpenSSL)"
+          ssl_msg="OpenSSL"
           OPENSSL_ENABLED=1
         fi
       fi
     fi
 
-    if test X"$OPENSSL_ENABLED" = X"1"; then
-       dnl is there a pkcs12.h header present?
-       AC_CHECK_HEADERS(openssl/pkcs12.h)
-    else
+    if test X"$OPENSSL_ENABLED" != X"1"; then
        LIBS="$CLEANLIBS"
     fi
 
@@ -1623,23 +1849,12 @@
   fi
 
   if test X"$OPENSSL_ENABLED" = X"1"; then
-    dnl If the ENGINE library seems to be around, check for the OpenSSL engine
-    dnl stuff, it is kind of "separated" from the main SSL check
-    AC_CHECK_FUNC(ENGINE_init,
-              [
-                AC_CHECK_HEADERS(openssl/engine.h)
-                AC_CHECK_FUNCS( ENGINE_load_builtin_engines )
-              ])
-
     dnl These can only exist if OpenSSL exists
-    dnl Older versions of Cyassl (some time before 2.9.4) don't have
-    dnl SSL_get_shutdown (but this check won't actually detect it there
-    dnl as it's a macro that needs the header files be included)
+    dnl OpenSSL_version is introduced in 3.0.0
 
     AC_CHECK_FUNCS( RAND_egd \
-                    ENGINE_cleanup \
-                    SSL_get_shutdown \
-                    SSLv2_client_method )
+                    SSLv2_client_method \
+                    OpenSSL_version )
 
     AC_MSG_CHECKING([for BoringSSL])
     AC_COMPILE_IFELSE([
@@ -1654,7 +1869,7 @@
         AC_MSG_RESULT([yes])
         AC_DEFINE_UNQUOTED(HAVE_BORINGSSL, 1,
                            [Define to 1 if using BoringSSL.])
-        curl_ssl_msg="enabled (BoringSSL)"
+        ssl_msg="BoringSSL"
     ],[
         AC_MSG_RESULT([no])
     ])
@@ -1670,7 +1885,32 @@
       AC_MSG_RESULT([yes])
       AC_DEFINE_UNQUOTED(HAVE_LIBRESSL, 1,
         [Define to 1 if using libressl.])
-      curl_ssl_msg="enabled (libressl)"
+      ssl_msg="libressl"
+    ],[
+      AC_MSG_RESULT([no])
+    ])
+
+    AC_MSG_CHECKING([for OpenSSL >= v3])
+    AC_COMPILE_IFELSE([
+      AC_LANG_PROGRAM([[
+#include <openssl/opensslv.h>
+      ]],[[
+        #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+        return 0;
+        #else
+        #error older than 3
+        #endif
+      ]])
+    ],[
+      AC_MSG_RESULT([yes])
+      AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1,
+        [Define to 1 if using OpenSSL 3 or later.])
+      dnl OpenSSLv3 marks the DES functions deprecated but we have no
+      dnl replacements (yet) so tell the compiler to not warn for them
+      dnl
+      dnl Ask OpenSSL to suppress the warnings.
+      CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+      ssl_msg="OpenSSL v3+"
     ],[
       AC_MSG_RESULT([no])
     ])
@@ -1679,17 +1919,27 @@
   if test "$OPENSSL_ENABLED" = "1"; then
     if test -n "$LIB_OPENSSL"; then
        dnl when the ssl shared libs were found in a path that the run-time
-       dnl linker doesn't search through, we need to add it to LD_LIBRARY_PATH
+       dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
        dnl to prevent further configure tests to fail due to this
        if test "x$cross_compiling" != "xyes"; then
-         LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_OPENSSL"
-         export LD_LIBRARY_PATH
-         AC_MSG_NOTICE([Added $LIB_OPENSSL to LD_LIBRARY_PATH])
+         CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$LIB_OPENSSL"
+         export CURL_LIBRARY_PATH
+         AC_MSG_NOTICE([Added $LIB_OPENSSL to CURL_LIBRARY_PATH])
        fi
     fi
     CURL_CHECK_OPENSSL_API
+    check_for_ca_bundle=1
   fi
 
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
+fi
+
+if test X"$OPT_SSL" != Xoff &&
+  test X"$OPT_SSL" != Xno &&
+  test "$OPENSSL_ENABLED" != "1"; then
+  AC_MSG_NOTICE([OPT_SSL: $OPT_SSL])
+  AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED])
+  AC_MSG_ERROR([--with-ssl was given but OpenSSL could not be detected])
 fi
 
 dnl **********************************************************************
@@ -1739,6 +1989,20 @@
    ])
 fi
 
+dnl ---
+dnl Whether the OpenSSL configuration will be loaded automatically
+dnl ---
+if test X"$OPENSSL_ENABLED" = X"1"; then
+AC_ARG_ENABLE(openssl-auto-load-config,
+AC_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
+AC_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
+[ if test X"$enableval" = X"no"; then
+    AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
+    AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
+  fi
+])
+fi
+
 dnl ----------------------------------------------------
 dnl check for GnuTLS
 dnl ----------------------------------------------------
@@ -1751,7 +2015,8 @@
 AC_HELP_STRING([--without-gnutls], [disable GnuTLS detection]),
   OPT_GNUTLS=$withval)
 
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+if test -z "$ssl_backends" -o "x$OPT_GNUTLS" != xno; then
+  ssl_msg=
 
   if test X"$OPT_GNUTLS" != Xno; then
 
@@ -1819,13 +2084,15 @@
          CPPFLAGS="$CPPFLAGS $addcflags"
       fi
 
-      AC_CHECK_LIB(gnutls, gnutls_check_version,
+      dnl this function is selected since it was introduced in 3.1.10
+      AC_CHECK_LIB(gnutls, gnutls_x509_crt_get_dn2,
        [
        AC_DEFINE(USE_GNUTLS, 1, [if GnuTLS is enabled])
        AC_SUBST(USE_GNUTLS, [1])
        GNUTLS_ENABLED=1
        USE_GNUTLS="yes"
-       curl_ssl_msg="enabled (GnuTLS)"
+       ssl_msg="GnuTLS"
+       test gnutls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
        ],
        [
          LIBS="$CLEANLIBS"
@@ -1834,25 +2101,25 @@
 
       if test "x$USE_GNUTLS" = "xyes"; then
         AC_MSG_NOTICE([detected GnuTLS version $version])
-
+        check_for_ca_bundle=1
         if test -n "$gtlslib"; then
           dnl when shared libs were found in a path that the run-time
           dnl linker doesn't search through, we need to add it to
-          dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+          dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
           dnl due to this
-          if test "x$cross_compiling" != "xyes"; then 
-            LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$gtlslib"
-            export LD_LIBRARY_PATH
-            AC_MSG_NOTICE([Added $gtlslib to LD_LIBRARY_PATH])
+          if test "x$cross_compiling" != "xyes"; then
+            CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$gtlslib"
+            export CURL_LIBRARY_PATH
+            AC_MSG_NOTICE([Added $gtlslib to CURL_LIBRARY_PATH])
           fi
         fi
-        AC_CHECK_FUNCS([gnutls_certificate_set_x509_key_file2 gnutls_alpn_set_protocols gnutls_ocsp_req_init])
       fi
 
     fi
 
   fi dnl GNUTLS not disabled
 
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
 fi
 
 dnl ---
@@ -1897,94 +2164,6 @@
 fi
 
 dnl ----------------------------------------------------
-dnl check for PolarSSL
-dnl ----------------------------------------------------
-
-dnl Default to compiler & linker defaults for PolarSSL files & libraries.
-OPT_POLARSSL=no
-
-_cppflags=$CPPFLAGS
-_ldflags=$LDFLAGS
-AC_ARG_WITH(polarssl,dnl
-AC_HELP_STRING([--with-polarssl=PATH],[where to look for PolarSSL, PATH points to the installation root])
-AC_HELP_STRING([--without-polarssl], [disable PolarSSL detection]),
-  OPT_POLARSSL=$withval)
-
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
-
-  if test X"$OPT_POLARSSL" != Xno; then
-
-    if test "$OPT_POLARSSL" = "yes"; then
-      OPT_POLARSSL=""
-    fi
-
-    if test -z "$OPT_POLARSSL" ; then
-      dnl check for lib first without setting any new path
-
-      AC_CHECK_LIB(polarssl, havege_init,
-      dnl libpolarssl found, set the variable
-       [
-         AC_DEFINE(USE_POLARSSL, 1, [if PolarSSL is enabled])
-         AC_SUBST(USE_POLARSSL, [1])
-         POLARSSL_ENABLED=1
-         USE_POLARSSL="yes"
-         curl_ssl_msg="enabled (PolarSSL)"
-        ])
-    fi
-
-    addld=""
-    addlib=""
-    addcflags=""
-    polarssllib=""
-
-    if test "x$USE_POLARSSL" != "xyes"; then
-      dnl add the path and test again
-      addld=-L$OPT_POLARSSL/lib$libsuff
-      addcflags=-I$OPT_POLARSSL/include
-      polarssllib=$OPT_POLARSSL/lib$libsuff
-
-      LDFLAGS="$LDFLAGS $addld"
-      if test "$addcflags" != "-I/usr/include"; then
-         CPPFLAGS="$CPPFLAGS $addcflags"
-      fi
-
-      AC_CHECK_LIB(polarssl, ssl_init,
-       [
-       AC_DEFINE(USE_POLARSSL, 1, [if PolarSSL is enabled])
-       AC_SUBST(USE_POLARSSL, [1])
-       POLARSSL_ENABLED=1
-       USE_POLARSSL="yes"
-       curl_ssl_msg="enabled (PolarSSL)"
-       ],
-       [
-         CPPFLAGS=$_cppflags
-         LDFLAGS=$_ldflags
-       ])
-    fi
-
-    if test "x$USE_POLARSSL" = "xyes"; then
-      AC_MSG_NOTICE([detected PolarSSL])
-
-      LIBS="-lpolarssl $LIBS"
-
-      if test -n "$polarssllib"; then
-        dnl when shared libs were found in a path that the run-time
-        dnl linker doesn't search through, we need to add it to
-        dnl LD_LIBRARY_PATH to prevent further configure tests to fail
-        dnl due to this
-        if test "x$cross_compiling" != "xyes"; then
-          LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$polarssllib"
-          export LD_LIBRARY_PATH
-          AC_MSG_NOTICE([Added $polarssllib to LD_LIBRARY_PATH])
-        fi
-      fi
-    fi
-
-  fi dnl PolarSSL not disabled
-
-fi
-
-dnl ----------------------------------------------------
 dnl check for mbedTLS
 dnl ----------------------------------------------------
 
@@ -1997,7 +2176,8 @@
 AC_HELP_STRING([--without-mbedtls], [disable mbedTLS detection]),
   OPT_MBEDTLS=$withval)
 
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+if test -z "$ssl_backends" -o "x$OPT_MBEDTLS" != xno; then
+  ssl_msg=
 
   if test X"$OPT_MBEDTLS" != Xno; then
 
@@ -2015,7 +2195,8 @@
          AC_SUBST(USE_MBEDTLS, [1])
          MBEDTLS_ENABLED=1
          USE_MBEDTLS="yes"
-         curl_ssl_msg="enabled (mbedTLS)"
+         ssl_msg="mbedTLS"
+	 test mbedtls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
         ], [], -lmbedx509 -lmbedcrypto)
     fi
 
@@ -2041,7 +2222,8 @@
        AC_SUBST(USE_MBEDTLS, [1])
        MBEDTLS_ENABLED=1
        USE_MBEDTLS="yes"
-       curl_ssl_msg="enabled (mbedTLS)"
+       ssl_msg="mbedTLS"
+       test mbedtls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
        ],
        [
          CPPFLAGS=$_cppflags
@@ -2051,187 +2233,314 @@
 
     if test "x$USE_MBEDTLS" = "xyes"; then
       AC_MSG_NOTICE([detected mbedTLS])
+      check_for_ca_bundle=1
 
       LIBS="-lmbedtls -lmbedx509 -lmbedcrypto $LIBS"
 
       if test -n "$mbedtlslib"; then
         dnl when shared libs were found in a path that the run-time
         dnl linker doesn't search through, we need to add it to
-        dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+        dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
         dnl due to this
         if test "x$cross_compiling" != "xyes"; then
-          LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$mbedtlslib"
-          export LD_LIBRARY_PATH
-          AC_MSG_NOTICE([Added $mbedtlslib to LD_LIBRARY_PATH])
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$mbedtlslib"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $mbedtlslib to CURL_LIBRARY_PATH])
         fi
       fi
     fi
 
   fi dnl mbedTLS not disabled
 
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
 fi
 
 dnl ----------------------------------------------------
-dnl check for CyaSSL
+dnl check for wolfSSL
 dnl ----------------------------------------------------
 
-dnl Default to compiler & linker defaults for CyaSSL files & libraries.
-OPT_CYASSL=no
+dnl Default to compiler & linker defaults for wolfSSL files & libraries.
+OPT_WOLFSSL=no
 
 _cppflags=$CPPFLAGS
 _ldflags=$LDFLAGS
-AC_ARG_WITH(cyassl,dnl
-AC_HELP_STRING([--with-cyassl=PATH],[where to look for CyaSSL, PATH points to the installation root (default: system lib default)])
-AC_HELP_STRING([--without-cyassl], [disable CyaSSL detection]),
-  OPT_CYASSL=$withval)
 
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+AC_ARG_WITH(wolfssl,dnl
+AC_HELP_STRING([--with-wolfssl=PATH],[where to look for WolfSSL, PATH points to the installation root (default: system lib default)])
+AC_HELP_STRING([--without-wolfssl], [disable WolfSSL detection]),
+  OPT_WOLFSSL=$withval)
 
-  if test X"$OPT_CYASSL" != Xno; then
+if test -z "$ssl_backends" -o "x$OPT_WOLFSSL" != xno; then
+  ssl_msg=
 
-    if test "$OPT_CYASSL" = "yes"; then
-      OPT_CYASSL=""
-    fi
+  if test X"$OPT_WOLFSSL" != Xno; then
 
-    dnl This should be reworked to use pkg-config instead
-
-    cyassllibname=cyassl
-
-    if test -z "$OPT_CYASSL" ; then
-      dnl check for lib in system default first
-
-      AC_CHECK_LIB(cyassl, CyaSSL_Init,
-      dnl libcyassl found, set the variable
-       [
-         AC_DEFINE(USE_CYASSL, 1, [if CyaSSL is enabled])
-         AC_SUBST(USE_CYASSL, [1])
-         CYASSL_ENABLED=1
-         USE_CYASSL="yes"
-         curl_ssl_msg="enabled (CyaSSL)"
-        ])
-    fi
-
-    addld=""
-    addlib=""
-    addcflags=""
-    cyassllib=""
-
-    if test "x$USE_CYASSL" != "xyes"; then
-      dnl add the path and test again
-      addld=-L$OPT_CYASSL/lib$libsuff
-      addcflags=-I$OPT_CYASSL/include
-      cyassllib=$OPT_CYASSL/lib$libsuff
-
-      LDFLAGS="$LDFLAGS $addld"
-      if test "$addcflags" != "-I/usr/include"; then
-         CPPFLAGS="$CPPFLAGS $addcflags"
-      fi
-
-      AC_CHECK_LIB(cyassl, CyaSSL_Init,
-       [
-       AC_DEFINE(USE_CYASSL, 1, [if CyaSSL is enabled])
-       AC_SUBST(USE_CYASSL, [1])
-       CYASSL_ENABLED=1
-       USE_CYASSL="yes"
-       curl_ssl_msg="enabled (CyaSSL)"
-       ],
-       [
-         CPPFLAGS=$_cppflags
-         LDFLAGS=$_ldflags
-         cyassllib=""
-       ])
+    if test "$OPT_WOLFSSL" = "yes"; then
+      OPT_WOLFSSL=""
     fi
 
     addld=""
     addlib=""
     addcflags=""
 
-    if test "x$USE_CYASSL" != "xyes"; then
-      dnl libcyassl renamed to libwolfssl as of 3.4.0
-      addld=-L$OPT_CYASSL/lib$libsuff
-      addcflags=-I$OPT_CYASSL/include
-      cyassllib=$OPT_CYASSL/lib$libsuff
+    if test "x$USE_WOLFSSL" != "xyes"; then
+      addld=-L$OPT_WOLFSSL/lib$libsuff
+      addcflags=-I$OPT_WOLFSSL/include
+      wolfssllibpath=$OPT_WOLFSSL/lib$libsuff
 
       LDFLAGS="$LDFLAGS $addld"
       if test "$addcflags" != "-I/usr/include"; then
          CPPFLAGS="$CPPFLAGS $addcflags"
       fi
 
-      cyassllibname=wolfssl
       my_ac_save_LIBS="$LIBS"
-      LIBS="-l$cyassllibname -lm $LIBS"
+      LIBS="-lwolfssl -lm $LIBS"
 
-      AC_MSG_CHECKING([for CyaSSL_Init in -lwolfssl])
+      AC_MSG_CHECKING([for wolfSSL_Init in -lwolfssl])
       AC_LINK_IFELSE([
 	AC_LANG_PROGRAM([[
 /* These aren't needed for detection and confuse WolfSSL.
    They are set up properly later if it is detected.  */
 #undef SIZEOF_LONG
 #undef SIZEOF_LONG_LONG
-#include <cyassl/ssl.h>
+#include <wolfssl/ssl.h>
 	]],[[
-	  return CyaSSL_Init();
+	  return wolfSSL_Init();
 	]])
       ],[
          AC_MSG_RESULT(yes)
-         AC_DEFINE(USE_CYASSL, 1, [if CyaSSL/WolfSSL is enabled])
-         AC_SUBST(USE_CYASSL, [1])
-         CYASSL_ENABLED=1
-         USE_CYASSL="yes"
-         curl_ssl_msg="enabled (WolfSSL)"
+         AC_DEFINE(USE_WOLFSSL, 1, [if wolfSSL is enabled])
+         AC_SUBST(USE_WOLFSSL, [1])
+         WOLFSSL_ENABLED=1
+         USE_WOLFSSL="yes"
+         ssl_msg="WolfSSL"
+	 test wolfssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
        ],
        [
          AC_MSG_RESULT(no)
          CPPFLAGS=$_cppflags
          LDFLAGS=$_ldflags
-         cyassllib=""
+         wolfssllibpath=""
        ])
       LIBS="$my_ac_save_LIBS"
     fi
 
-    if test "x$USE_CYASSL" = "xyes"; then
-      AC_MSG_NOTICE([detected $cyassllibname])
+    if test "x$USE_WOLFSSL" = "xyes"; then
+      AC_MSG_NOTICE([detected wolfSSL])
+      check_for_ca_bundle=1
 
-      dnl cyassl/ctaocrypt/types.h needs SIZEOF_LONG_LONG defined!
-      AC_CHECK_SIZEOF(long long)
+      dnl wolfssl/ctaocrypt/types.h needs SIZEOF_LONG_LONG defined!
+      AX_COMPILE_CHECK_SIZEOF(long long)
 
-      dnl Versions since at least 2.6.0 may have options.h
-      AC_CHECK_HEADERS(cyassl/options.h)
+      LIBS="-lwolfssl -lm $LIBS"
 
-      dnl Versions since at least 2.9.4 renamed error.h to error-ssl.h
-      AC_CHECK_HEADERS(cyassl/error-ssl.h)
+      dnl Recent WolfSSL versions build without SSLv3 by default
+      dnl WolfSSL needs configure --enable-opensslextra to have *get_peer*
+      AC_CHECK_FUNCS(wolfSSLv3_client_method \
+                     wolfSSL_get_peer_certificate \
+                     wolfSSL_UseALPN)
 
-      LIBS="-l$cyassllibname -lm $LIBS"
-
-      if test "x$cyassllibname" = "xwolfssl"; then
-        dnl Recent WolfSSL versions build without SSLv3 by default
-        dnl WolfSSL needs configure --enable-opensslextra to have *get_peer*
-        AC_CHECK_FUNCS(wolfSSLv3_client_method \
-                       wolfSSL_CTX_UseSupportedCurve \
-                       wolfSSL_get_peer_certificate \
-                       wolfSSL_UseALPN)
-      else
-        dnl Cyassl needs configure --enable-opensslextra to have *get_peer*
-        AC_CHECK_FUNCS(CyaSSL_CTX_UseSupportedCurve \
-                       CyaSSL_get_peer_certificate)
-      fi
-
-      if test -n "$cyassllib"; then
+      if test -n "$wolfssllibpath"; then
         dnl when shared libs were found in a path that the run-time
         dnl linker doesn't search through, we need to add it to
-        dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+        dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
         dnl due to this
         if test "x$cross_compiling" != "xyes"; then
-          LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$cyassllib"
-          export LD_LIBRARY_PATH
-          AC_MSG_NOTICE([Added $cyassllib to LD_LIBRARY_PATH])
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$wolfssllibpath"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $wolfssllibpath to CURL_LIBRARY_PATH])
         fi
       fi
 
     fi
 
-  fi dnl CyaSSL not disabled
+  fi dnl wolfSSL not disabled
 
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
+fi
+
+dnl ----------------------------------------------------
+dnl check for MesaLink
+dnl ----------------------------------------------------
+
+dnl Default to compiler & linker defaults for MesaLink files & libraries.
+OPT_MESALINK=no
+
+_cppflags=$CPPFLAGS
+_ldflags=$LDFLAGS
+AC_ARG_WITH(mesalink,dnl
+AC_HELP_STRING([--with-mesalink=PATH],[where to look for MesaLink, PATH points to the installation root])
+AC_HELP_STRING([--without-mesalink], [disable MesaLink detection]),
+  OPT_MESALINK=$withval)
+
+if test -z "$ssl_backends" -o "x$OPT_MESALINK" != xno; then
+  ssl_msg=
+
+  if test X"$OPT_MESALINK" != Xno; then
+
+    if test "$OPT_MESALINK" = "yes"; then
+      OPT_MESALINK=""
+    fi
+
+    if test -z "$OPT_MESALINK" ; then
+      dnl check for lib first without setting any new path
+
+      AC_CHECK_LIB(mesalink, mesalink_library_init,
+      dnl libmesalink found, set the variable
+       [
+         AC_DEFINE(USE_MESALINK, 1, [if MesaLink is enabled])
+         AC_SUBST(USE_MESALINK, [1])
+         MESALINK_ENABLED=1
+         USE_MESALINK="yes"
+         ssl_msg="MesaLink"
+	 test mesalink != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+        ])
+    fi
+
+    addld=""
+    addlib=""
+    addcflags=""
+    mesalinklib=""
+
+    if test "x$USE_MESALINK" != "xyes"; then
+      dnl add the path and test again
+      addld=-L$OPT_MESALINK/lib$libsuff
+      addcflags=-I$OPT_MESALINK/include
+      mesalinklib=$OPT_MESALINK/lib$libsuff
+
+      LDFLAGS="$LDFLAGS $addld"
+      if test "$addcflags" != "-I/usr/include"; then
+         CPPFLAGS="$CPPFLAGS $addcflags"
+      fi
+
+      AC_CHECK_LIB(mesalink, mesalink_library_init,
+       [
+       AC_DEFINE(USE_MESALINK, 1, [if MesaLink is enabled])
+       AC_SUBST(USE_MESALINK, [1])
+       MESALINK_ENABLED=1
+       USE_MESALINK="yes"
+       ssl_msg="MesaLink"
+       test mesalink != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+       ],
+       [
+         CPPFLAGS=$_cppflags
+         LDFLAGS=$_ldflags
+       ])
+    fi
+
+    if test "x$USE_MESALINK" = "xyes"; then
+      AC_MSG_NOTICE([detected MesaLink])
+
+      LIBS="-lmesalink $LIBS"
+
+      if test -n "$mesalinklib"; then
+        dnl when shared libs were found in a path that the run-time
+        dnl linker doesn't search through, we need to add it to
+        dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+        dnl due to this
+        if test "x$cross_compiling" != "xyes"; then
+          LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$mesalinklib"
+          export LD_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $mesalinklib to LD_LIBRARY_PATH])
+        fi
+      fi
+    fi
+
+  fi dnl MesaLink not disabled
+
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
+fi
+
+dnl ----------------------------------------------------
+dnl check for BearSSL
+dnl ----------------------------------------------------
+
+OPT_BEARSSL=no
+
+_cppflags=$CPPFLAGS
+_ldflags=$LDFLAGS
+AC_ARG_WITH(bearssl,dnl
+AC_HELP_STRING([--with-bearssl=PATH],[where to look for BearSSL, PATH points to the installation root])
+AC_HELP_STRING([--without-bearssl], [disable BearSSL detection]),
+  OPT_BEARSSL=$withval)
+
+if test -z "$ssl_backends" -o "x$OPT_BEARSSL" != xno; then
+  ssl_msg=
+
+  if test X"$OPT_BEARSSL" != Xno; then
+
+    if test "$OPT_BEARSSL" = "yes"; then
+      OPT_BEARSSL=""
+    fi
+
+    if test -z "$OPT_BEARSSL" ; then
+      dnl check for lib first without setting any new path
+
+      AC_CHECK_LIB(bearssl, br_ssl_client_init_full,
+      dnl libbearssl found, set the variable
+       [
+         AC_DEFINE(USE_BEARSSL, 1, [if BearSSL is enabled])
+         AC_SUBST(USE_BEARSSL, [1])
+         BEARSSL_ENABLED=1
+         USE_BEARSSL="yes"
+         ssl_msg="BearSSL"
+	 test bearssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+        ], [], -lbearssl)
+    fi
+
+    addld=""
+    addlib=""
+    addcflags=""
+    bearssllib=""
+
+    if test "x$USE_BEARSSL" != "xyes"; then
+      dnl add the path and test again
+      addld=-L$OPT_BEARSSL/lib$libsuff
+      addcflags=-I$OPT_BEARSSL/include
+      bearssllib=$OPT_BEARSSL/lib$libsuff
+
+      LDFLAGS="$LDFLAGS $addld"
+      if test "$addcflags" != "-I/usr/include"; then
+         CPPFLAGS="$CPPFLAGS $addcflags"
+      fi
+
+      AC_CHECK_LIB(bearssl, br_ssl_client_init_full,
+       [
+       AC_DEFINE(USE_BEARSSL, 1, [if BearSSL is enabled])
+       AC_SUBST(USE_BEARSSL, [1])
+       BEARSSL_ENABLED=1
+       USE_BEARSSL="yes"
+       ssl_msg="BearSSL"
+       test bearssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+       ],
+       [
+         CPPFLAGS=$_cppflags
+         LDFLAGS=$_ldflags
+       ], -lbearssl)
+    fi
+
+    if test "x$USE_BEARSSL" = "xyes"; then
+      AC_MSG_NOTICE([detected BearSSL])
+      check_for_ca_bundle=1
+
+      LIBS="-lbearssl $LIBS"
+
+      if test -n "$bearssllib"; then
+        dnl when shared libs were found in a path that the run-time
+        dnl linker doesn't search through, we need to add it to
+        dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
+        dnl due to this
+        if test "x$cross_compiling" != "xyes"; then
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$bearssllib"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $bearssllib to CURL_LIBRARY_PATH])
+        fi
+      fi
+    fi
+
+  fi dnl BearSSL not disabled
+
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
 fi
 
 dnl ----------------------------------------------------
@@ -2246,7 +2555,8 @@
 AC_HELP_STRING([--without-nss], [disable NSS detection]),
   OPT_NSS=$withval)
 
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+if test -z "$ssl_backends" -o "x$OPT_NSS" != xno; then
+  ssl_msg=
 
   if test X"$OPT_NSS" != Xno; then
 
@@ -2321,7 +2631,8 @@
      AC_SUBST(USE_NSS, [1])
      USE_NSS="yes"
      NSS_ENABLED=1
-     curl_ssl_msg="enabled (NSS)"
+     ssl_msg="NSS"
+     test nss != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
      ],
      [
        LDFLAGS="$CLEANLDFLAGS"
@@ -2332,96 +2643,82 @@
     if test "x$USE_NSS" = "xyes"; then
       AC_MSG_NOTICE([detected NSS version $version])
 
+      dnl PK11_CreateManagedGenericObject() was introduced in NSS 3.34 because
+      dnl PK11_DestroyGenericObject() does not release resources allocated by
+      dnl PK11_CreateGenericObject() early enough.
+      AC_CHECK_FUNC(PK11_CreateManagedGenericObject,
+        [
+          AC_DEFINE(HAVE_PK11_CREATEMANAGEDGENERICOBJECT, 1,
+                    [if you have the PK11_CreateManagedGenericObject function])
+        ])
+
       dnl needed when linking the curl tool without USE_EXPLICIT_LIB_DEPS
       NSS_LIBS=$addlib
       AC_SUBST([NSS_LIBS])
 
       dnl when shared libs were found in a path that the run-time
       dnl linker doesn't search through, we need to add it to
-      dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+      dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
       dnl due to this
       if test "x$cross_compiling" != "xyes"; then
-        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"
-        export LD_LIBRARY_PATH
-        AC_MSG_NOTICE([Added $nssprefix/lib$libsuff to LD_LIBRARY_PATH])
+        CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$nssprefix/lib$libsuff"
+        export CURL_LIBRARY_PATH
+        AC_MSG_NOTICE([Added $nssprefix/lib$libsuff to CURL_LIBRARY_PATH])
       fi
 
     fi dnl NSS found
 
   fi dnl NSS not disabled
 
-fi dnl curl_ssl_msg = init_ssl_msg
-
-OPT_AXTLS=off
-
-AC_ARG_WITH(axtls,dnl
-AC_HELP_STRING([--with-axtls=PATH],[Where to look for axTLS, PATH points to the axTLS installation prefix (default: /usr/local).  Ignored if another SSL engine is selected.])
-AC_HELP_STRING([--without-axtls], [disable axTLS]),
-  OPT_AXTLS=$withval)
-
-if test "$curl_ssl_msg" = "$init_ssl_msg"; then
-  if test X"$OPT_AXTLS" != Xno; then
-    dnl backup the pre-axtls variables
-    CLEANLDFLAGS="$LDFLAGS"
-    CLEANCPPFLAGS="$CPPFLAGS"
-    CLEANLIBS="$LIBS"
-
-    case "$OPT_AXTLS" in
-    yes)
-      dnl --with-axtls (without path) used
-      PREFIX_AXTLS=/usr/local
-      LIB_AXTLS="$PREFIX_AXTLS/lib"
-      LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
-      CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
-      ;;
-    off)
-      dnl no --with-axtls option given, just check default places
-      PREFIX_AXTLS=
-      ;;
-    *)
-      dnl check the given --with-axtls spot
-      PREFIX_AXTLS=$OPT_AXTLS
-      LIB_AXTLS="$PREFIX_AXTLS/lib"
-      LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
-      CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
-      ;;
-    esac
-
-    AC_CHECK_LIB(axtls, ssl_version,[
-      LIBS="-laxtls $LIBS"
-      AC_DEFINE(USE_AXTLS, 1, [if axTLS is enabled])
-      AC_SUBST(USE_AXTLS, [1])
-      AXTLS_ENABLED=1
-      USE_AXTLS="yes"
-      curl_ssl_msg="enabled (axTLS)"
-
-      if test "x$cross_compiling" != "xyes"; then
-        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_AXTLS"
-        export LD_LIBRARY_PATH
-        AC_MSG_NOTICE([Added $LIB_AXTLS to LD_LIBRARY_PATH])
-      fi
-      ],[
-      LDFLAGS="$CLEANLDFLAGS"
-      CPPFLAGS="$CLEANCPPFLAGS"
-      LIBS="$CLEANLIBS"
-    ])
-  fi
+  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
 fi
 
-if test "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$POLARSSL_ENABLED$MBEDTLS_ENABLED$AXTLS_ENABLED$CYASSL_ENABLED$WINSSL_ENABLED$DARWINSSL_ENABLED" = "x"; then
+case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$WINSSL_ENABLED$SECURETRANSPORT_ENABLED$MESALINK_ENABLED$BEARSSL_ENABLED$AMISSL_ENABLED" in
+x)
   AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
-  AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.])
-else
-  # SSL is enabled, genericly
+  AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-nss, --with-schannel, --with-secure-transport, --with-mesalink, --with-amissl or --with-bearssl to address this.])
+  ;;
+x1)
+  # one SSL backend is enabled
   AC_SUBST(SSL_ENABLED)
   SSL_ENABLED="1"
+  AC_MSG_NOTICE([built with one SSL backend])
+  ;;
+*)
+  # more than one SSL backend is enabled
+  AC_SUBST(SSL_ENABLED)
+  SSL_ENABLED="1"
+  AC_SUBST(CURL_WITH_MULTI_SSL)
+  CURL_WITH_MULTI_SSL="1"
+  AC_DEFINE(CURL_WITH_MULTI_SSL, 1, [built with multiple SSL backends])
+  AC_MSG_NOTICE([built with multiple SSL backends])
+  ;;
+esac
+
+if test -n "$ssl_backends"; then
+  curl_ssl_msg="enabled ($ssl_backends)"
+fi
+
+if test no = "$VALID_DEFAULT_SSL_BACKEND"
+then
+  if test -n "$SSL_ENABLED"
+  then
+    AC_MSG_ERROR([Default SSL backend $DEFAULT_SSL_BACKEND not enabled!])
+  else
+    AC_MSG_ERROR([Default SSL backend requires SSL!])
+  fi
+elif test yes = "$VALID_DEFAULT_SSL_BACKEND"
+then
+  AC_DEFINE_UNQUOTED([CURL_DEFAULT_SSL_BACKEND], ["$DEFAULT_SSL_BACKEND"], [Default SSL backend])
 fi
 
 dnl **********************************************************************
 dnl Check for the CA bundle
 dnl **********************************************************************
 
-CURL_CHECK_CA_BUNDLE
+if test -n "$check_for_ca_bundle"; then
+  CURL_CHECK_CA_BUNDLE
+fi
 
 dnl **********************************************************************
 dnl Check for libpsl
@@ -2434,7 +2731,7 @@
            with_libpsl=yes)
 if test $with_libpsl != "no"; then
   AC_SEARCH_LIBS(psl_builtin, psl,
-    [curl_psl_msg="yes";
+    [curl_psl_msg="enabled";
      AC_DEFINE([USE_LIBPSL], [1], [PSL support enabled])
      ],
     [curl_psl_msg="no      (libpsl not found)";
@@ -2442,7 +2739,7 @@
      ]
   )
 fi
-AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "yes"])
+AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "enabled"])
 
 dnl **********************************************************************
 dnl Check for libmetalink
@@ -2495,8 +2792,8 @@
     clean_CPPFLAGS="$CPPFLAGS"
     clean_LDFLAGS="$LDFLAGS"
     clean_LIBS="$LIBS"
-    CPPFLAGS="$addcflags $clean_CPPFLAGS"
-    LDFLAGS="$addld $clean_LDFLAGS"
+    CPPFLAGS="$clean_CPPFLAGS $addcflags"
+    LDFLAGS="$clean_LDFLAGS $addld"
     LIBS="$addlib $clean_LIBS"
     AC_MSG_CHECKING([if libmetalink is recent enough])
     AC_LINK_IFELSE([
@@ -2514,6 +2811,12 @@
       AC_MSG_NOTICE([libmetalink library defective or too old])
       want_metalink="no"
     ])
+    if test "x$OPENSSL_ENABLED" != "x1" -a "x$USE_WINDOWS_SSPI" != "x1" \
+        -a "x$GNUTLS_ENABLED" != "x1" -a "x$NSS_ENABLED" != "x1" \
+        -a "x$SECURETRANSPORT_ENABLED" != "x1"; then
+      AC_MSG_WARN([metalink support requires a compatible SSL/TLS backend])
+      want_metalink="no"
+    fi
     CPPFLAGS="$clean_CPPFLAGS"
     LDFLAGS="$clean_LDFLAGS"
     LIBS="$clean_LIBS"
@@ -2539,9 +2842,22 @@
 dnl Default to compiler & linker defaults for LIBSSH2 files & libraries.
 OPT_LIBSSH2=off
 AC_ARG_WITH(libssh2,dnl
-AC_HELP_STRING([--with-libssh2=PATH],[Where to look for libssh2, PATH points to the LIBSSH2 installation; when possible, set the PKG_CONFIG_PATH environment variable instead of using this option])
-AC_HELP_STRING([--without-libssh2], [disable LIBSSH2]),
-  OPT_LIBSSH2=$withval)
+AC_HELP_STRING([--with-libssh2=PATH],[Where to look for libssh2, PATH points to the libssh2 installation; when possible, set the PKG_CONFIG_PATH environment variable instead of using this option])
+AC_HELP_STRING([--with-libssh2], [enable libssh2]),
+  OPT_LIBSSH2=$withval, OPT_LIBSSH2=no)
+
+
+OPT_LIBSSH=off
+AC_ARG_WITH(libssh,dnl
+AC_HELP_STRING([--with-libssh=PATH],[Where to look for libssh, PATH points to the libssh installation; when possible, set the PKG_CONFIG_PATH environment variable instead of using this option])
+AC_HELP_STRING([--with-libssh], [enable libssh]),
+  OPT_LIBSSH=$withval, OPT_LIBSSH=no)
+
+OPT_WOLFSSH=off
+AC_ARG_WITH(wolfssh,dnl
+AC_HELP_STRING([--with-wolfssh=PATH],[Where to look for wolfssh, PATH points to the wolfSSH installation; when possible, set the PKG_CONFIG_PATH environment variable instead of using this option])
+AC_HELP_STRING([--with-wolfssh], [enable wolfssh]),
+  OPT_WOLFSSH=$withval, OPT_WOLFSSH=no)
 
 if test X"$OPT_LIBSSH2" != Xno; then
   dnl backup the pre-libssh2 variables
@@ -2555,7 +2871,7 @@
     CURL_CHECK_PKGCONFIG(libssh2)
 
     if test "$PKGCONFIG" != "no" ; then
-      LIB_SSH2=`$PKGCONFIG --libs-only-l libssh2`
+      LIB_SSH2=`$PKGCONFIG --libs libssh2`
       LD_SSH2=`$PKGCONFIG --libs-only-L libssh2`
       CPP_SSH2=`$PKGCONFIG --cflags-only-I libssh2`
       version=`$PKGCONFIG --modversion libssh2`
@@ -2580,7 +2896,7 @@
     DIR_SSH2=${PREFIX_SSH2}/lib$libsuff
   fi
 
-  LDFLAGS="$LD_SSH2 $LDFLAGS"
+  LDFLAGS="$LDFLAGS $LD_SSH2"
   CPPFLAGS="$CPPFLAGS $CPP_SSH2"
   LIBS="$LIB_SSH2 $LIBS"
 
@@ -2601,13 +2917,13 @@
   if test "$LIBSSH2_ENABLED" = "1"; then
     if test -n "$DIR_SSH2"; then
        dnl when the libssh2 shared libs were found in a path that the run-time
-       dnl linker doesn't search through, we need to add it to LD_LIBRARY_PATH
+       dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
        dnl to prevent further configure tests to fail due to this
 
        if test "x$cross_compiling" != "xyes"; then
-         LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$DIR_SSH2"
-         export LD_LIBRARY_PATH
-         AC_MSG_NOTICE([Added $DIR_SSH2 to LD_LIBRARY_PATH])
+         CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_SSH2"
+         export CURL_LIBRARY_PATH
+         AC_MSG_NOTICE([Added $DIR_SSH2 to CURL_LIBRARY_PATH])
        fi
     fi
   else
@@ -2616,6 +2932,101 @@
     CPPFLAGS=$CLEANCPPFLAGS
     LIBS=$CLEANLIBS
   fi
+elif test X"$OPT_LIBSSH" != Xno; then
+  dnl backup the pre-libssh variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  case "$OPT_LIBSSH" in
+  yes)
+    dnl --with-libssh (without path) used
+    CURL_CHECK_PKGCONFIG(libssh)
+
+    if test "$PKGCONFIG" != "no" ; then
+      LIB_SSH=`$PKGCONFIG --libs-only-l libssh`
+      LD_SSH=`$PKGCONFIG --libs-only-L libssh`
+      CPP_SSH=`$PKGCONFIG --cflags-only-I libssh`
+      version=`$PKGCONFIG --modversion libssh`
+      DIR_SSH=`echo $LD_SSH | $SED -e 's/-L//'`
+    fi
+
+    ;;
+  off)
+    dnl no --with-libssh option given, just check default places
+    ;;
+  *)
+    dnl use the given --with-libssh spot
+    PREFIX_SSH=$OPT_LIBSSH
+    ;;
+  esac
+
+  dnl if given with a prefix, we set -L and -I based on that
+  if test -n "$PREFIX_SSH"; then
+    LIB_SSH="-lssh"
+    LD_SSH=-L${PREFIX_SSH}/lib$libsuff
+    CPP_SSH=-I${PREFIX_SSH}/include
+    DIR_SSH=${PREFIX_SSH}/lib$libsuff
+  fi
+
+  LDFLAGS="$LDFLAGS $LD_SSH"
+  CPPFLAGS="$CPPFLAGS $CPP_SSH"
+  LIBS="$LIB_SSH $LIBS"
+
+  AC_CHECK_LIB(ssh, ssh_new)
+
+  AC_CHECK_HEADERS(libssh/libssh.h,
+    curl_ssh_msg="enabled (libSSH)"
+    LIBSSH_ENABLED=1
+    AC_DEFINE(USE_LIBSSH, 1, [if libSSH is in use])
+    AC_SUBST(USE_LIBSSH, [1])
+  )
+
+  if test X"$OPT_LIBSSH" != Xoff &&
+     test "$LIBSSH_ENABLED" != "1"; then
+    AC_MSG_ERROR([libSSH libs and/or directories were not found where specified!])
+  fi
+
+  if test "$LIBSSH_ENABLED" = "1"; then
+    if test -n "$DIR_SSH"; then
+       dnl when the libssh shared libs were found in a path that the run-time
+       dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
+       dnl to prevent further configure tests to fail due to this
+
+       if test "x$cross_compiling" != "xyes"; then
+         CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_SSH"
+         export CURL_LIBRARY_PATH
+         AC_MSG_NOTICE([Added $DIR_SSH to CURL_LIBRARY_PATH])
+       fi
+    fi
+  else
+    dnl no libssh, revert back to clean variables
+    LDFLAGS=$CLEANLDFLAGS
+    CPPFLAGS=$CLEANCPPFLAGS
+    LIBS=$CLEANLIBS
+  fi
+elif test X"$OPT_WOLFSSH" != Xno; then
+  dnl backup the pre-wolfssh variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+
+  if test "$OPT_WOLFSSH" != yes; then
+     WOLFCONFIG="$OPT_WOLFSSH/bin/wolfssh-config"
+     LDFLAGS="$LDFLAGS `$WOLFCONFIG --libs`"
+     CPPFLAGS="$CPPFLAGS `$WOLFCONFIG --cflags`"
+  fi
+
+  AC_CHECK_LIB(wolfssh, wolfSSH_Init)
+
+  AC_CHECK_HEADERS(wolfssh/ssh.h,
+    curl_ssh_msg="enabled (wolfSSH)"
+    WOLFSSH_ENABLED=1
+    AC_DEFINE(USE_WOLFSSH, 1, [if wolfSSH is in use])
+    AC_SUBST(USE_WOLFSSH, [1])
+  )
+
 fi
 
 dnl **********************************************************************
@@ -2659,6 +3070,7 @@
     ;;
   *)
     dnl use the given --with-librtmp spot
+    LIB_RTMP="-lrtmp"
     PREFIX_RTMP=$OPT_LIBRTMP
     ;;
   esac
@@ -2714,22 +3126,20 @@
         AC_MSG_WARN([You need an ld version supporting the --version-script option])
     else
         AC_MSG_RESULT(yes)
-        if test "x$OPENSSL_ENABLED" = "x1"; then
+        if test "x$CURL_WITH_MULTI_SSL" = "x1"; then
+          versioned_symbols_flavour="MULTISSL_"
+        elif test "x$OPENSSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="OPENSSL_"
         elif test "x$GNUTLS_ENABLED" = "x1"; then
           versioned_symbols_flavour="GNUTLS_"
         elif test "x$NSS_ENABLED" = "x1"; then
           versioned_symbols_flavour="NSS_"
-        elif test "x$POLARSSL_ENABLED" = "x1"; then
-          versioned_symbols_flavour="POLARSSL_"
-        elif test "x$CYASSL_ENABLED" = "x1"; then
-          versioned_symbols_flavour="CYASSL_"
-        elif test "x$AXTLS_ENABLED" = "x1"; then
-          versioned_symbols_flavour="AXTLS_"
+        elif test "x$WOLFSSL_ENABLED" = "x1"; then
+          versioned_symbols_flavour="WOLFSSL_"
         elif test "x$WINSSL_ENABLED" = "x1"; then
-          versioned_symbols_flavour="WINSSL_"
-        elif test "x$DARWINSSL_ENABLED" = "x1"; then
-          versioned_symbols_flavour="DARWINSSL_"
+          versioned_symbols_flavour="SCHANNEL_"
+        elif test "x$SECURETRANSPORT_ENABLED" = "x1"; then
+          versioned_symbols_flavour="SECURE_TRANSPORT_"
         else
           versioned_symbols_flavour=""
         fi
@@ -2786,6 +3196,7 @@
   clean_LDFLAGS="$LDFLAGS"
   clean_LIBS="$LIBS"
   WINIDN_LIBS="-lnormaliz"
+  WINIDN_CPPFLAGS="-DWINVER=0x0600"
   #
   if test "$want_winidn_path" != "default"; then
     dnl path has been specified
@@ -2795,13 +3206,17 @@
     WINIDN_DIR="$want_winidn_path/lib$libsuff"
   fi
   #
-  CPPFLAGS="$WINIDN_CPPFLAGS $CPPFLAGS"
-  LDFLAGS="$WINIDN_LDFLAGS $LDFLAGS"
+  CPPFLAGS="$CPPFLAGS $WINIDN_CPPFLAGS"
+  LDFLAGS="$LDFLAGS $WINIDN_LDFLAGS"
   LIBS="$WINIDN_LIBS $LIBS"
   #
   AC_MSG_CHECKING([if IdnToUnicode can be linked])
   AC_LINK_IFELSE([
-    AC_LANG_FUNC_LINK_TRY([IdnToUnicode])
+    AC_LANG_PROGRAM([[
+      #include <windows.h>
+    ]],[[
+      IdnToUnicode(0, NULL, 0, NULL, 0);
+    ]])
   ],[
     AC_MSG_RESULT([yes])
     tst_links_winidn="yes"
@@ -2911,8 +3326,8 @@
     AC_MSG_NOTICE([IDN_DIR: "$IDN_DIR"])
   fi
   #
-  CPPFLAGS="$IDN_CPPFLAGS $CPPFLAGS"
-  LDFLAGS="$IDN_LDFLAGS $LDFLAGS"
+  CPPFLAGS="$CPPFLAGS $IDN_CPPFLAGS"
+  LDFLAGS="$LDFLAGS $IDN_LDFLAGS"
   LIBS="$IDN_LIBS $LIBS"
   #
   AC_MSG_CHECKING([if idn2_lookup_ul can be linked])
@@ -2935,9 +3350,9 @@
     AC_SUBST([IDN_ENABLED], [1])
     curl_idn_msg="enabled (libidn2)"
     if test -n "$IDN_DIR" -a "x$cross_compiling" != "xyes"; then
-      LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$IDN_DIR"
-      export LD_LIBRARY_PATH
-      AC_MSG_NOTICE([Added $IDN_DIR to LD_LIBRARY_PATH])
+      CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$IDN_DIR"
+      export CURL_LIBRARY_PATH
+      AC_MSG_NOTICE([Added $IDN_DIR to CURL_LIBRARY_PATH])
     fi
   else
     AC_MSG_WARN([Cannot find libraries for IDN support: IDN disabled])
@@ -2949,7 +3364,7 @@
 
 
 dnl Let's hope this split URL remains working:
-dnl http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/ \
+dnl https://www15.software.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/ \
 dnl genprogc/thread_quick_ref.htm
 
 
@@ -2958,6 +3373,12 @@
 dnl **********************************************************************
 
 OPT_H2="yes"
+
+if test "x$disable_http" = "xyes"; then
+  # without HTTP, nghttp2 is no use
+  OPT_H2="no"
+fi
+
 AC_ARG_WITH(nghttp2,
 AC_HELP_STRING([--with-nghttp2=PATH],[Enable nghttp2 usage])
 AC_HELP_STRING([--without-nghttp2],[Disable nghttp2 usage]),
@@ -3005,9 +3426,9 @@
     CPPFLAGS="$CPPFLAGS $CPP_H2"
     LIBS="$LIB_H2 $LIBS"
 
-    # use nghttp2_option_set_no_recv_client_magic to require nghttp2
-    # >= 1.0.0
-    AC_CHECK_LIB(nghttp2, nghttp2_option_set_no_recv_client_magic,
+    # use nghttp2_session_set_local_window_size to require nghttp2
+    # >= 1.12.0
+    AC_CHECK_LIB(nghttp2, nghttp2_session_set_local_window_size,
       [
        AC_CHECK_HEADERS(nghttp2/nghttp2.h,
           curl_h2_msg="enabled (nghttp2)"
@@ -3034,6 +3455,386 @@
 fi
 
 dnl **********************************************************************
+dnl Check for ngtcp2 (QUIC)
+dnl **********************************************************************
+
+OPT_TCP2="yes"
+curl_h3_msg="disabled (--with-ngtcp2, --with-quiche)"
+
+if test "x$disable_http" = "xyes"; then
+  # without HTTP, ngtcp2 is no use
+  OPT_TCP2="no"
+fi
+
+AC_ARG_WITH(ngtcp2,
+AC_HELP_STRING([--with-ngtcp2=PATH],[Enable ngtcp2 usage])
+AC_HELP_STRING([--without-ngtcp2],[Disable ngtcp2 usage]),
+  [OPT_TCP2=$withval])
+case "$OPT_TCP2" in
+  no)
+    dnl --without-ngtcp2 option used
+    want_tcp2="no"
+    ;;
+  yes)
+    dnl --with-ngtcp2 option used without path
+    want_tcp2="default"
+    want_tcp2_path=""
+    ;;
+  *)
+    dnl --with-ngtcp2 option used with path
+    want_tcp2="yes"
+    want_tcp2_path="$withval/lib/pkgconfig"
+    ;;
+esac
+
+curl_tcp2_msg="disabled (--with-ngtcp2)"
+if test X"$want_tcp2" != Xno; then
+  dnl backup the pre-ngtcp2 variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  CURL_CHECK_PKGCONFIG(libngtcp2, $want_tcp2_path)
+
+  if test "$PKGCONFIG" != "no" ; then
+    LIB_TCP2=`CURL_EXPORT_PCDIR([$want_tcp2_path])
+      $PKGCONFIG --libs-only-l libngtcp2`
+    AC_MSG_NOTICE([-l is $LIB_TCP2])
+
+    CPP_TCP2=`CURL_EXPORT_PCDIR([$want_tcp2_path]) dnl
+      $PKGCONFIG --cflags-only-I libngtcp2`
+    AC_MSG_NOTICE([-I is $CPP_TCP2])
+
+    LD_TCP2=`CURL_EXPORT_PCDIR([$want_tcp2_path])
+      $PKGCONFIG --libs-only-L libngtcp2`
+    AC_MSG_NOTICE([-L is $LD_TCP2])
+
+    LDFLAGS="$LDFLAGS $LD_TCP2"
+    CPPFLAGS="$CPPFLAGS $CPP_TCP2"
+    LIBS="$LIB_TCP2 $LIBS"
+
+    if test "x$cross_compiling" != "xyes"; then
+      DIR_TCP2=`echo $LD_TCP2 | $SED -e 's/-L//'`
+    fi
+    AC_CHECK_LIB(ngtcp2, ngtcp2_conn_client_new,
+      [
+       AC_CHECK_HEADERS(ngtcp2/ngtcp2.h,
+          NGTCP2_ENABLED=1
+          AC_DEFINE(USE_NGTCP2, 1, [if ngtcp2 is in use])
+          AC_SUBST(USE_NGTCP2, [1])
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_TCP2"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $DIR_TCP2 to CURL_LIBRARY_PATH])
+       )
+      ],
+        dnl not found, revert back to clean variables
+        LDFLAGS=$CLEANLDFLAGS
+        CPPFLAGS=$CLEANCPPFLAGS
+        LIBS=$CLEANLIBS
+    )
+
+  else
+    dnl no ngtcp2 pkg-config found, deal with it
+    if test X"$want_tcp2" != Xdefault; then
+      dnl To avoid link errors, we do not allow --with-ngtcp2 without
+      dnl a pkgconfig file
+      AC_MSG_ERROR([--with-ngtcp2 was specified but could not find ngtcp2 pkg-config file.])
+    fi
+  fi
+
+fi
+
+if test "x$NGTCP2_ENABLED" = "x1" -a "x$OPENSSL_ENABLED" = "x1"; then
+  dnl backup the pre-ngtcp2_crypto_openssl variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  CURL_CHECK_PKGCONFIG(libngtcp2_crypto_openssl, $want_tcp2_path)
+
+  if test "$PKGCONFIG" != "no" ; then
+    LIB_NGTCP2_CRYPTO_OPENSSL=`CURL_EXPORT_PCDIR([$want_tcp2_path])
+      $PKGCONFIG --libs-only-l libngtcp2_crypto_openssl`
+    AC_MSG_NOTICE([-l is $LIB_NGTCP2_CRYPTO_OPENSSL])
+
+    CPP_NGTCP2_CRYPTO_OPENSSL=`CURL_EXPORT_PCDIR([$want_tcp2_path]) dnl
+      $PKGCONFIG --cflags-only-I libngtcp2_crypto_openssl`
+    AC_MSG_NOTICE([-I is $CPP_NGTCP2_CRYPTO_OPENSSL])
+
+    LD_NGTCP2_CRYPTO_OPENSSL=`CURL_EXPORT_PCDIR([$want_tcp2_path])
+      $PKGCONFIG --libs-only-L libngtcp2_crypto_openssl`
+    AC_MSG_NOTICE([-L is $LD_NGTCP2_CRYPTO_OPENSSL])
+
+    LDFLAGS="$LDFLAGS $LD_NGTCP2_CRYPTO_OPENSSL"
+    CPPFLAGS="$CPPFLAGS $CPP_NGTCP2_CRYPTO_OPENSSL"
+    LIBS="$LIB_NGTCP2_CRYPTO_OPENSSL $LIBS"
+
+    if test "x$cross_compiling" != "xyes"; then
+      DIR_NGTCP2_CRYPTO_OPENSSL=`echo $LD_NGTCP2_CRYPTO_OPENSSL | $SED -e 's/-L//'`
+    fi
+    AC_CHECK_LIB(ngtcp2_crypto_openssl, ngtcp2_crypto_ctx_initial,
+      [
+       AC_CHECK_HEADERS(ngtcp2/ngtcp2_crypto.h,
+          NGTCP2_ENABLED=1
+          AC_DEFINE(USE_NGTCP2_CRYPTO_OPENSSL, 1, [if ngtcp2_crypto_openssl is in use])
+          AC_SUBST(USE_NGTCP2_CRYPTO_OPENSSL, [1])
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_NGTCP2_CRYPTO_OPENSSL"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $DIR_NGTCP2_CRYPTO_OPENSSL to CURL_LIBRARY_PATH])
+       )
+      ],
+        dnl not found, revert back to clean variables
+        LDFLAGS=$CLEANLDFLAGS
+        CPPFLAGS=$CLEANCPPFLAGS
+        LIBS=$CLEANLIBS
+    )
+
+  else
+    dnl no ngtcp2_crypto_openssl pkg-config found, deal with it
+    if test X"$want_tcp2" != Xdefault; then
+      dnl To avoid link errors, we do not allow --with-ngtcp2 without
+      dnl a pkgconfig file
+      AC_MSG_ERROR([--with-ngtcp2 was specified but could not find ngtcp2_crypto_openssl pkg-config file.])
+    fi
+  fi
+fi
+
+if test "x$NGTCP2_ENABLED" = "x1" -a "x$GNUTLS_ENABLED" = "x1"; then
+  dnl backup the pre-ngtcp2_crypto_gnutls variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  CURL_CHECK_PKGCONFIG(libngtcp2_crypto_gnutls, $want_tcp2_path)
+
+  if test "$PKGCONFIG" != "no" ; then
+    LIB_NGTCP2_CRYPTO_GNUTLS=`CURL_EXPORT_PCDIR([$want_tcp2_path])
+      $PKGCONFIG --libs-only-l libngtcp2_crypto_gnutls`
+    AC_MSG_NOTICE([-l is $LIB_NGTCP2_CRYPTO_GNUTLS])
+
+    CPP_NGTCP2_CRYPTO_GNUTLS=`CURL_EXPORT_PCDIR([$want_tcp2_path]) dnl
+      $PKGCONFIG --cflags-only-I libngtcp2_crypto_gnutls`
+    AC_MSG_NOTICE([-I is $CPP_NGTCP2_CRYPTO_GNUTLS])
+
+    LD_NGTCP2_CRYPTO_GNUTLS=`CURL_EXPORT_PCDIR([$want_tcp2_path])
+      $PKGCONFIG --libs-only-L libngtcp2_crypto_gnutls`
+    AC_MSG_NOTICE([-L is $LD_NGTCP2_CRYPTO_GNUTLS])
+
+    LDFLAGS="$LDFLAGS $LD_NGTCP2_CRYPTO_GNUTLS"
+    CPPFLAGS="$CPPFLAGS $CPP_NGTCP2_CRYPTO_GNUTLS"
+    LIBS="$LIB_NGTCP2_CRYPTO_GNUTLS $LIBS"
+
+    if test "x$cross_compiling" != "xyes"; then
+      DIR_NGTCP2_CRYPTO_GNUTLS=`echo $LD_NGTCP2_CRYPTO_GNUTLS | $SED -e 's/-L//'`
+    fi
+    AC_CHECK_LIB(ngtcp2_crypto_gnutls, ngtcp2_crypto_ctx_initial,
+      [
+       AC_CHECK_HEADERS(ngtcp2/ngtcp2_crypto.h,
+          NGTCP2_ENABLED=1
+          AC_DEFINE(USE_NGTCP2_CRYPTO_GNUTLS, 1, [if ngtcp2_crypto_gnutls is in use])
+          AC_SUBST(USE_NGTCP2_CRYPTO_GNUTLS, [1])
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_NGTCP2_CRYPTO_GNUTLS"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $DIR_NGTCP2_CRYPTO_GNUTLS to CURL_LIBRARY_PATH])
+       )
+      ],
+        dnl not found, revert back to clean variables
+        LDFLAGS=$CLEANLDFLAGS
+        CPPFLAGS=$CLEANCPPFLAGS
+        LIBS=$CLEANLIBS
+    )
+
+  else
+    dnl no ngtcp2_crypto_gnutls pkg-config found, deal with it
+    if test X"$want_tcp2" != Xdefault; then
+      dnl To avoid link errors, we do not allow --with-ngtcp2 without
+      dnl a pkgconfig file
+      AC_MSG_ERROR([--with-ngtcp2 was specified but could not find ngtcp2_crypto_gnutls pkg-config file.])
+    fi
+  fi
+fi
+
+dnl **********************************************************************
+dnl Check for nghttp3 (HTTP/3 with ngtcp2)
+dnl **********************************************************************
+
+OPT_NGHTTP3="yes"
+
+if test "x$NGTCP2_ENABLED" = "x"; then
+  # without ngtcp2, nghttp3 is of no use for us
+  OPT_NGHTTP3="no"
+fi
+
+AC_ARG_WITH(nghttp3,
+AC_HELP_STRING([--with-nghttp3=PATH],[Enable nghttp3 usage])
+AC_HELP_STRING([--without-nghttp3],[Disable nghttp3 usage]),
+  [OPT_NGHTTP3=$withval])
+case "$OPT_NGHTTP3" in
+  no)
+    dnl --without-nghttp3 option used
+    want_nghttp3="no"
+    ;;
+  yes)
+    dnl --with-nghttp3 option used without path
+    want_nghttp3="default"
+    want_nghttp3_path=""
+    ;;
+  *)
+    dnl --with-nghttp3 option used with path
+    want_nghttp3="yes"
+    want_nghttp3_path="$withval/lib/pkgconfig"
+    ;;
+esac
+
+curl_http3_msg="disabled (--with-nghttp3)"
+if test X"$want_nghttp3" != Xno; then
+  dnl backup the pre-nghttp3 variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  CURL_CHECK_PKGCONFIG(libnghttp3, $want_nghttp3_path)
+
+  if test "$PKGCONFIG" != "no" ; then
+    LIB_NGHTTP3=`CURL_EXPORT_PCDIR([$want_nghttp3_path])
+      $PKGCONFIG --libs-only-l libnghttp3`
+    AC_MSG_NOTICE([-l is $LIB_NGHTTP3])
+
+    CPP_NGHTTP3=`CURL_EXPORT_PCDIR([$want_nghttp3_path]) dnl
+      $PKGCONFIG --cflags-only-I libnghttp3`
+    AC_MSG_NOTICE([-I is $CPP_NGHTTP3])
+
+    LD_NGHTTP3=`CURL_EXPORT_PCDIR([$want_nghttp3_path])
+      $PKGCONFIG --libs-only-L libnghttp3`
+    AC_MSG_NOTICE([-L is $LD_NGHTTP3])
+
+    LDFLAGS="$LDFLAGS $LD_NGHTTP3"
+    CPPFLAGS="$CPPFLAGS $CPP_NGHTTP3"
+    LIBS="$LIB_NGHTTP3 $LIBS"
+
+    if test "x$cross_compiling" != "xyes"; then
+      DIR_NGHTTP3=`echo $LD_NGHTTP3 | $SED -e 's/-L//'`
+    fi
+    AC_CHECK_LIB(nghttp3, nghttp3_conn_client_new,
+      [
+       AC_CHECK_HEADERS(nghttp3/nghttp3.h,
+          curl_h3_msg="enabled (ngtcp2 + nghttp3)"
+          NGHTTP3_ENABLED=1
+          AC_DEFINE(USE_NGHTTP3, 1, [if nghttp3 is in use])
+          AC_SUBST(USE_NGHTTP3, [1])
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_NGHTTP3"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $DIR_NGHTTP3 to CURL_LIBRARY_PATH])
+          experimental="$experimental HTTP3"
+       )
+      ],
+        dnl not found, revert back to clean variables
+        LDFLAGS=$CLEANLDFLAGS
+        CPPFLAGS=$CLEANCPPFLAGS
+        LIBS=$CLEANLIBS
+    )
+
+  else
+    dnl no nghttp3 pkg-config found, deal with it
+    if test X"$want_nghttp3" != Xdefault; then
+      dnl To avoid link errors, we do not allow --with-nghttp3 without
+      dnl a pkgconfig file
+      AC_MSG_ERROR([--with-nghttp3 was specified but could not find nghttp3 pkg-config file.])
+    fi
+  fi
+
+fi
+
+dnl **********************************************************************
+dnl Check for quiche (QUIC)
+dnl **********************************************************************
+
+OPT_QUICHE="yes"
+
+if test "x$disable_http" = "xyes" -o "x$USE_NGTCP" = "x1"; then
+  # without HTTP or with ngtcp2, quiche is no use
+  OPT_QUICHE="no"
+fi
+
+AC_ARG_WITH(quiche,
+AC_HELP_STRING([--with-quiche=PATH],[Enable quiche usage])
+AC_HELP_STRING([--without-quiche],[Disable quiche usage]),
+  [OPT_QUICHE=$withval])
+case "$OPT_QUICHE" in
+  no)
+    dnl --without-quiche option used
+    want_quiche="no"
+    ;;
+  yes)
+    dnl --with-quiche option used without path
+    want_quiche="default"
+    want_quiche_path=""
+    ;;
+  *)
+    dnl --with-quiche option used with path
+    want_quiche="yes"
+    want_quiche_path="$withval"
+    ;;
+esac
+
+if test X"$want_quiche" != Xno; then
+  dnl backup the pre-quiche variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  CURL_CHECK_PKGCONFIG(quiche, $want_quiche_path)
+
+  if test "$PKGCONFIG" != "no" ; then
+    LIB_QUICHE=`CURL_EXPORT_PCDIR([$want_quiche_path])
+      $PKGCONFIG --libs-only-l quiche`
+    AC_MSG_NOTICE([-l is $LIB_QUICHE])
+
+    CPP_QUICHE=`CURL_EXPORT_PCDIR([$want_quiche_path]) dnl
+      $PKGCONFIG --cflags-only-I quiche`
+    AC_MSG_NOTICE([-I is $CPP_QUICHE])
+
+    LD_QUICHE=`CURL_EXPORT_PCDIR([$want_quiche_path])
+      $PKGCONFIG --libs-only-L quiche`
+    AC_MSG_NOTICE([-L is $LD_QUICHE])
+
+    LDFLAGS="$LDFLAGS $LD_QUICHE"
+    CPPFLAGS="$CPPFLAGS $CPP_QUICHE"
+    LIBS="$LIB_QUICHE $LIBS"
+
+    if test "x$cross_compiling" != "xyes"; then
+      DIR_QUICHE=`echo $LD_QUICHE | $SED -e 's/-L//'`
+    fi
+    AC_CHECK_LIB(quiche, quiche_connect,
+      [
+       AC_CHECK_HEADERS(quiche.h,
+          experimental="$experimental HTTP3"
+          AC_MSG_NOTICE([HTTP3 support is experimental])
+          curl_h3_msg="enabled (quiche)"
+          QUICHE_ENABLED=1
+          AC_DEFINE(USE_QUICHE, 1, [if quiche is in use])
+          AC_SUBST(USE_QUICHE, [1])
+          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_QUICHE"
+          export CURL_LIBRARY_PATH
+          AC_MSG_NOTICE([Added $DIR_QUICHE to CURL_LIBRARY_PATH]),
+       )
+      ],
+        dnl not found, revert back to clean variables
+        LDFLAGS=$CLEANLDFLAGS
+        CPPFLAGS=$CLEANCPPFLAGS
+        LIBS=$CLEANLIBS
+    )
+  else
+    dnl no quiche pkg-config found, deal with it
+    if test X"$want_quiche" != Xdefault; then
+      dnl To avoid link errors, we do not allow --with-quiche without
+      dnl a pkgconfig file
+      AC_MSG_ERROR([--with-quiche was specified but could not find quiche pkg-config file.])
+    fi
+  fi
+fi
+
+dnl **********************************************************************
 dnl Check for zsh completion path
 dnl **********************************************************************
 
@@ -3059,6 +3860,36 @@
 esac
 
 dnl **********************************************************************
+dnl Check for fish completion path
+dnl **********************************************************************
+
+OPT_FISH_FPATH=default
+AC_ARG_WITH(fish-functions-dir,
+AC_HELP_STRING([--with-fish-functions-dir=PATH],[Install fish completions to PATH])
+AC_HELP_STRING([--without-fish-functions-dir],[Do not install fish completions]),
+  [OPT_FISH_FPATH=$withval])
+case "$OPT_FISH_FPATH" in
+  no)
+    dnl --without-fish-functions-dir option used
+    ;;
+  default|yes)
+    dnl --with-fish-functions-dir option used without path
+    CURL_CHECK_PKGCONFIG(fish)
+    if test "$PKGCONFIG" != "no" ; then
+      FISH_FUNCTIONS_DIR="$($PKGCONFIG --variable completionsdir fish)"
+    else
+      FISH_FUNCTIONS_DIR="$datarootdir/fish/vendor_completions.d"
+    fi
+    AC_SUBST(FISH_FUNCTIONS_DIR)
+    ;;
+  *)
+    dnl --with-fish-functions-dir option used with path
+    FISH_FUNCTIONS_DIR="$withval"
+    AC_SUBST(FISH_FUNCTIONS_DIR)
+    ;;
+esac
+
+dnl **********************************************************************
 dnl Back to "normal" configuring
 dnl **********************************************************************
 
@@ -3080,11 +3911,12 @@
         assert.h \
         unistd.h \
         stdlib.h \
-        limits.h \
         arpa/inet.h \
         net/if.h \
         netinet/in.h \
+	netinet/in6.h \
         sys/un.h \
+        linux/tcp.h \
         netinet/tcp.h \
         netdb.h \
         sys/sockio.h \
@@ -3126,6 +3958,8 @@
 #endif
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h>
+#elif defined(HAVE_UNISTD_H)
+#include <unistd.h>
 #endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
@@ -3133,12 +3967,16 @@
 #ifdef HAVE_NETINET_IN_H
 #include <netinet/in.h>
 #endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
 #ifdef HAVE_SYS_UN_H
 #include <sys/un.h>
 #endif
 ]
 )
 
+
 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
 CURL_CHECK_VARIADIC_MACROS
@@ -3147,22 +3985,19 @@
 CURL_CHECK_STRUCT_TIMEVAL
 CURL_VERIFY_RUNTIMELIBS
 
-AC_CHECK_SIZEOF(size_t)
-AC_CHECK_SIZEOF(long)
-AC_CHECK_SIZEOF(int)
-AC_CHECK_SIZEOF(short)
-CURL_CONFIGURE_LONG
-AC_CHECK_SIZEOF(time_t)
-AC_CHECK_SIZEOF(off_t)
+AX_COMPILE_CHECK_SIZEOF(size_t)
+AX_COMPILE_CHECK_SIZEOF(long)
+AX_COMPILE_CHECK_SIZEOF(int)
+AX_COMPILE_CHECK_SIZEOF(short)
+AX_COMPILE_CHECK_SIZEOF(time_t)
+AX_COMPILE_CHECK_SIZEOF(off_t)
 
-soname_bump=no
-if test x"$curl_cv_native_windows" != "xyes" &&
-   test $ac_cv_sizeof_off_t -ne $curl_sizeof_curl_off_t; then
-  AC_MSG_WARN([This libcurl built is probably not ABI compatible with previous])
-  AC_MSG_WARN([builds! You MUST read lib/README.curl_off_t to figure it out.])
-  soname_bump=yes
-fi
-
+o=$CPPFLAGS
+CPPFLAGS="-I$srcdir/include $CPPFLAGS"
+AX_COMPILE_CHECK_SIZEOF(curl_off_t, [
+#include <curl/system.h>
+])
+CPPFLAGS=$o
 
 AC_CHECK_TYPE(long long,
    [AC_DEFINE(HAVE_LONGLONG, 1,
@@ -3203,7 +4038,42 @@
 #endif
 ])
 
-CURL_CONFIGURE_CURL_SOCKLEN_T
+# check for sa_family_t
+AC_CHECK_TYPE(sa_family_t,
+   AC_DEFINE(CURL_SA_FAMILY_T, sa_family_t, [IP address type in sockaddr]),
+   [
+   # The windows name?
+   AC_CHECK_TYPE(ADDRESS_FAMILY,
+     AC_DEFINE(CURL_SA_FAMILY_T, ADDRESS_FAMILY, [IP address type in sockaddr]),
+     AC_DEFINE(CURL_SA_FAMILY_T, unsigned short, [IP address type in sockaddr]),
+    [
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+    ])
+   ],
+[
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+])
+
+AC_MSG_CHECKING([if time_t is unsigned])
+CURL_RUN_IFELSE(
+  [
+  #include <time.h>
+  #include <limits.h>
+  time_t t = -1;
+  return (t > 0);
+  ],[
+  AC_MSG_RESULT([yes])
+  AC_DEFINE(HAVE_TIME_T_UNSIGNED, 1, [Define this if time_t is unsigned])
+],[
+  AC_MSG_RESULT([no])
+],[
+  dnl cross-compiling, most systems are unsigned
+  AC_MSG_RESULT([no])
+])
 
 CURL_CONFIGURE_PULL_SYS_POLL
 
@@ -3227,7 +4097,6 @@
 CURL_CHECK_FUNC_CLOSESOCKET_CAMEL
 CURL_CHECK_FUNC_CONNECT
 CURL_CHECK_FUNC_FCNTL
-CURL_CHECK_FUNC_FDOPEN
 CURL_CHECK_FUNC_FREEADDRINFO
 CURL_CHECK_FUNC_FREEIFADDRS
 CURL_CHECK_FUNC_FSETXATTR
@@ -3239,6 +4108,9 @@
 CURL_CHECK_FUNC_GETHOSTBYNAME
 CURL_CHECK_FUNC_GETHOSTBYNAME_R
 CURL_CHECK_FUNC_GETHOSTNAME
+CURL_CHECK_FUNC_GETPEERNAME
+CURL_CHECK_FUNC_GETSOCKNAME
+CURL_CHECK_FUNC_IF_NAMETOINDEX
 CURL_CHECK_FUNC_GETIFADDRS
 CURL_CHECK_FUNC_GETSERVBYPORT_R
 CURL_CHECK_FUNC_GMTIME_R
@@ -3279,24 +4151,28 @@
     ;;
 esac
 
-AC_CHECK_FUNCS([fork \
+AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Set if getpwuid_r() declaration is missing")],
+        [[#include <pwd.h>
+          #include <sys/types.h>]])
+
+
+AC_CHECK_FUNCS([fnmatch \
   geteuid \
   getpass_r \
   getppid \
-  getprotobyname \
   getpwuid \
   getpwuid_r \
   getrlimit \
   gettimeofday \
   if_nametoindex \
-  inet_addr \
-  perror \
+  mach_absolute_time \
   pipe \
   setlocale \
   setmode \
   setrlimit \
-  uname \
-  utime
+  usleep \
+  utime \
+  utimes
 ],[
 ],[
   func="$ac_func"
@@ -3319,19 +4195,6 @@
   fi
 ])
 
-dnl Check if the getnameinfo function is available
-dnl and get the types of five of its arguments.
-CURL_CHECK_FUNC_GETNAMEINFO
-
-if test "$ipv6" = "yes"; then
-  if test "$curl_cv_func_getaddrinfo" = "yes"; then
-    AC_DEFINE(ENABLE_IPV6, 1, [Define if you want to enable IPv6 support])
-    IPV6_ENABLED=1
-    AC_SUBST(IPV6_ENABLED)
-  fi
-  CURL_CHECK_NI_WITHSCOPEID
-fi
-
 CURL_CHECK_NONBLOCKING_SOCKET
 
 dnl ************************************************************
@@ -3399,11 +4262,8 @@
 fi
 AM_CONDITIONAL(BUILD_LIBHOSTNAME, test x$build_libhostname = xyes)
 
-CURL_CHECK_OPTION_THREADED_RESOLVER
-
-if test "x$want_thres" = xyes && test "x$want_ares" = xyes; then
-  AC_MSG_ERROR(
-[Options --enable-threaded-resolver and --enable-ares are mutually exclusive])
+if test "x$want_ares" != xyes; then
+  CURL_CHECK_OPTION_THREADED_RESOLVER
 fi
 
 dnl ************************************************************
@@ -3455,6 +4315,16 @@
       dnl first check for function without lib
       AC_CHECK_FUNC(pthread_create, [USE_THREADS_POSIX=1] )
 
+      dnl on HPUX, life is more complicated...
+      case $host in
+      *-hp-hpux*)
+         dnl it doesn't actually work without -lpthread
+         USE_THREADS_POSIX=""
+         ;;
+      *)
+         ;;
+      esac
+
       dnl if it wasn't found without lib, search for it in pthread lib
       if test "$USE_THREADS_POSIX" != "1"
       then
@@ -3487,6 +4357,8 @@
   fi
 fi
 
+CURL_CONVERT_INCLUDE_TO_ISYSTEM
+
 dnl ************************************************************
 dnl disable verbose text strings
 dnl
@@ -3575,7 +4447,6 @@
 [ case "$enableval" in
   no)
        AC_MSG_RESULT(no)
-       AC_DEFINE(CURL_DISABLE_TLS_SRP, 1, [to disable TLS-SRP authentication])
        want_tls_srp=no
        ;;
   *)   AC_MSG_RESULT(yes)
@@ -3628,7 +4499,7 @@
 dnl ************************************************************
 dnl disable cookies support
 dnl
-AC_MSG_CHECKING([whether to enable support for cookies])
+AC_MSG_CHECKING([whether to support cookies])
 AC_ARG_ENABLE(cookies,
 AC_HELP_STRING([--enable-cookies],[Enable cookies support])
 AC_HELP_STRING([--disable-cookies],[Disable cookies support]),
@@ -3644,30 +4515,191 @@
 )
 
 dnl ************************************************************
+dnl disable HTTP authentication support
+dnl
+AC_MSG_CHECKING([whether to support HTTP authentication])
+AC_ARG_ENABLE(http-auth,
+AC_HELP_STRING([--enable-http-auth],[Enable HTTP authentication support])
+AC_HELP_STRING([--disable-http-auth],[Disable HTTP authentication support]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       AC_DEFINE(CURL_DISABLE_HTTP_AUTH, 1, [disable HTTP authentication])
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ;;
+  esac ],
+       AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable DoH support
+dnl
+AC_MSG_CHECKING([whether to support DoH])
+AC_ARG_ENABLE(doh,
+AC_HELP_STRING([--enable-doh],[Enable DoH support])
+AC_HELP_STRING([--disable-doh],[Disable DoH support]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       AC_DEFINE(CURL_DISABLE_DOH, 1, [disable DoH])
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ;;
+  esac ],
+       AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable mime API support
+dnl
+AC_MSG_CHECKING([whether to support the MIME API])
+AC_ARG_ENABLE(mime,
+AC_HELP_STRING([--enable-mime],[Enable mime API support])
+AC_HELP_STRING([--disable-mime],[Disable mime API support]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       AC_DEFINE(CURL_DISABLE_MIME, 1, [disable mime API])
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ;;
+  esac ],
+       AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable date parsing
+dnl
+AC_MSG_CHECKING([whether to support date parsing])
+AC_ARG_ENABLE(dateparse,
+AC_HELP_STRING([--enable-dateparse],[Enable date parsing])
+AC_HELP_STRING([--disable-dateparse],[Disable date parsing]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       AC_DEFINE(CURL_DISABLE_PARSEDATE, 1, [disable date parsing])
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ;;
+  esac ],
+       AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable netrc
+dnl
+AC_MSG_CHECKING([whether to support netrc parsing])
+AC_ARG_ENABLE(netrc,
+AC_HELP_STRING([--enable-netrc],[Enable netrc parsing])
+AC_HELP_STRING([--disable-netrc],[Disable netrc parsing]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       AC_DEFINE(CURL_DISABLE_NETRC, 1, [disable netrc parsing])
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ;;
+  esac ],
+       AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable progress-meter
+dnl
+AC_MSG_CHECKING([whether to support progress-meter])
+AC_ARG_ENABLE(progress-meter,
+AC_HELP_STRING([--enable-progress-meter],[Enable progress-meter])
+AC_HELP_STRING([--disable-progress-meter],[Disable progress-meter]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       AC_DEFINE(CURL_DISABLE_PROGRESS_METER, 1, [disable progress-meter])
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ;;
+  esac ],
+       AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable shuffle DNS support
+dnl
+AC_MSG_CHECKING([whether to support DNS shuffling])
+AC_ARG_ENABLE(dnsshuffle,
+AC_HELP_STRING([--enable-dnsshuffle],[Enable DNS shuffling])
+AC_HELP_STRING([--disable-dnsshuffle],[Disable DNS shuffling]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       AC_DEFINE(CURL_DISABLE_SHUFFLE_DNS, 1, [disable DNS shuffling])
+       ;;
+  *)   AC_MSG_RESULT(yes)
+       ;;
+  esac ],
+       AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl switch on/off alt-svc
+dnl
+curl_altsvc_msg="no      (--enable-alt-svc)";
+AC_MSG_CHECKING([whether to support alt-svc])
+AC_ARG_ENABLE(alt-svc,
+AC_HELP_STRING([--enable-alt-svc],[Enable alt-svc support])
+AC_HELP_STRING([--disable-alt-svc],[Disable alt-svc support]),
+[ case "$enableval" in
+  no)
+       AC_MSG_RESULT(no)
+       ;;
+  *) AC_MSG_RESULT(yes)
+       curl_altsvc_msg="enabled";
+       enable_altsvc="yes"
+       ;;
+  esac ],
+       AC_MSG_RESULT(no)
+)
+
+if test "$enable_altsvc" = "yes"; then
+  AC_DEFINE(USE_ALTSVC, 1, [to enable alt-svc])
+  experimental="$experimental alt-svc"
+fi
+
+dnl *************************************************************
+dnl check whether ESNI support, if desired, is actually available
+dnl
+if test "x$want_esni" != "xno"; then
+  AC_MSG_CHECKING([whether ESNI support is available])
+
+  dnl assume NOT and look for sufficient condition
+  ESNI_ENABLED=0
+  ESNI_SUPPORT=''
+
+  dnl OpenSSL with a chosen ESNI function should be enough
+  dnl so more exhaustive checking seems unnecessary for now
+  if test "x$OPENSSL_ENABLED" = "x1"; then
+    AC_CHECK_FUNCS(SSL_get_esni_status,
+      ESNI_SUPPORT="ESNI support available (OpenSSL with SSL_get_esni_status)"
+      ESNI_ENABLED=1)
+
+  dnl add 'elif' chain here for additional implementations
+  fi
+
+  dnl now deal with whatever we found
+  if test "x$ESNI_ENABLED" = "x1"; then
+    AC_DEFINE(USE_ESNI, 1, [if ESNI support is available])
+    AC_MSG_RESULT($ESNI_SUPPORT)
+    experimental="$experimental ESNI"
+  else
+    AC_MSG_ERROR([--enable-esni ignored: No ESNI support found])
+  fi
+fi
+
+dnl ************************************************************
 dnl hiding of library internal symbols
 dnl
 CURL_CONFIGURE_SYMBOL_HIDING
 
-dnl ************************************************************
-dnl enforce SONAME bump
-dnl
-
-AC_MSG_CHECKING([whether to enforce SONAME bump])
-AC_ARG_ENABLE(soname-bump,
-AC_HELP_STRING([--enable-soname-bump],[Enable enforced SONAME bump])
-AC_HELP_STRING([--disable-soname-bump],[Disable enforced SONAME bump]),
-[ case "$enableval" in
-  yes)   AC_MSG_RESULT(yes)
-         soname_bump=yes
-         ;;
-  *)
-         AC_MSG_RESULT(no)
-         ;;
-  esac ],
-        AC_MSG_RESULT($soname_bump)
-)
-AM_CONDITIONAL(SONAME_BUMP, test x$soname_bump = xyes)
-
 dnl
 dnl All the library dependencies put into $LIB apply to libcurl only.
 dnl
@@ -3714,6 +4746,9 @@
 if test "x$HAVE_LIBZ" = "x1"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES libz"
 fi
+if test "x$HAVE_BROTLI" = "x1"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES brotli"
+fi
 if test "x$USE_ARES" = "x1" -o "x$USE_THREADS_POSIX" = "x1" \
                             -o "x$USE_THREADS_WIN32" = "x1"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES AsynchDNS"
@@ -3729,10 +4764,14 @@
   SUPPORT_FEATURES="$SUPPORT_FEATURES GSS-API"
 fi
 
-if test "x$curl_psl_msg" = "xyes"; then
+if test "x$curl_psl_msg" = "xenabled"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES PSL"
 fi
 
+if test "x$enable_altsvc" = "xyes"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES alt-svc"
+fi
+
 if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \
     \( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then
   SUPPORT_FEATURES="$SUPPORT_FEATURES SPNEGO"
@@ -3746,7 +4785,7 @@
 if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1"; then
   if test "x$OPENSSL_ENABLED" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \
       -o "x$GNUTLS_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \
-      -o "x$NSS_ENABLED" = "x1" -o "x$DARWINSSL_ENABLED" = "x1"; then
+      -o "x$NSS_ENABLED" = "x1" -o "x$SECURETRANSPORT_ENABLED" = "x1"; then
     SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
 
     if test "x$CURL_DISABLE_HTTP" != "x1" -a \
@@ -3764,11 +4803,23 @@
   SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP2"
 fi
 
+if test "x$USE_NGTCP2" = "x1" -o "x$USE_QUICHE" = "x1"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP3"
+fi
+
+if test "x$CURL_WITH_MULTI_SSL" = "x1"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES MultiSSL"
+fi
+
 if test "x$OPENSSL_ENABLED" = "x1" -o "x$GNUTLS_ENABLED" = "x1" \
     -o "x$NSS_ENABLED" = "x1"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES HTTPS-proxy"
 fi
 
+if test "x$ESNI_ENABLED" = "x1"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES ESNI"
+fi
+
 AC_SUBST(SUPPORT_FEATURES)
 
 dnl For supported protocols in pkg-config file
@@ -3808,6 +4859,9 @@
 if test "x$CURL_DISABLE_GOPHER" != "x1"; then
   SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS GOPHER"
 fi
+if test "x$CURL_ENABLE_MQTT" = "x1"; then
+  SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS MQTT"
+fi
 if test "x$CURL_DISABLE_POP3" != "x1"; then
   SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS POP3"
   if test "x$SSL_ENABLED" = "x1"; then
@@ -3824,7 +4878,7 @@
     -a "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" \
     -a \( "x$OPENSSL_ENABLED" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \
       -o "x$GNUTLS_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \
-      -o "x$NSS_ENABLED" = "x1" -o "x$DARWINSSL_ENABLED" = "x1" \); then
+      -o "x$NSS_ENABLED" = "x1" -o "x$SECURETRANSPORT_ENABLED" = "x1" \); then
   SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SMB"
   if test "x$SSL_ENABLED" = "x1"; then
     SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SMBS"
@@ -3840,6 +4894,14 @@
   SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SCP"
   SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SFTP"
 fi
+if test "x$USE_LIBSSH" = "x1"; then
+  SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SCP"
+  SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SFTP"
+fi
+if test "x$USE_WOLFSSH" = "x1"; then
+  SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SCP"
+  SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SFTP"
+fi
 if test "x$CURL_DISABLE_RTSP" != "x1"; then
   SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS RTSP"
 fi
@@ -3871,6 +4933,9 @@
 
 XC_CHECK_BUILD_FLAGS
 
+SSL_BACKENDS=${ssl_backends}
+AC_SUBST(SSL_BACKENDS)
+
 if test "x$want_curldebug_assumed" = "xyes" &&
   test "x$want_curldebug" = "xyes" && test "x$USE_ARES" = "x1"; then
   ac_configure_args="$ac_configure_args --enable-curldebug"
@@ -3896,19 +4961,7 @@
            tests/libtest/Makefile \
            tests/unit/Makefile \
            packages/Makefile \
-           packages/Win32/Makefile \
-           packages/Win32/cygwin/Makefile \
-           packages/Linux/Makefile \
-           packages/Linux/RPM/Makefile \
-           packages/Linux/RPM/curl.spec \
-           packages/Linux/RPM/curl-ssl.spec \
-           packages/Solaris/Makefile \
-           packages/EPM/curl.list \
-           packages/EPM/Makefile \
            packages/vms/Makefile \
-           packages/AIX/Makefile \
-           packages/AIX/RPM/Makefile \
-           packages/AIX/RPM/curl.spec \
            curl-config \
            libcurl.pc
 ])
@@ -3920,44 +4973,49 @@
 
 AC_MSG_NOTICE([Configured to build curl/libcurl:
 
-  curl version:     ${CURLVERSION}
   Host setup:       ${host}
   Install prefix:   ${prefix}
   Compiler:         ${CC}
-  SSL support:      ${curl_ssl_msg}
-  SSH support:      ${curl_ssh_msg}
-  zlib support:     ${curl_zlib_msg}
-  GSS-API support:  ${curl_gss_msg}
-  TLS-SRP support:  ${curl_tls_srp_msg}
+   CFLAGS:          ${CFLAGS}
+   CPPFLAGS:        ${CPPFLAGS}
+   LDFLAGS:         ${LDFLAGS}
+   LIBS:            ${LIBS}
+
+  curl version:     ${CURLVERSION}
+  SSL:              ${curl_ssl_msg}
+  SSH:              ${curl_ssh_msg}
+  zlib:             ${curl_zlib_msg}
+  brotli:           ${curl_brotli_msg}
+  GSS-API:          ${curl_gss_msg}
+  TLS-SRP:          ${curl_tls_srp_msg}
   resolver:         ${curl_res_msg}
-  IPv6 support:     ${curl_ipv6_msg}
-  Unix sockets support: ${curl_unix_sockets_msg}
-  IDN support:      ${curl_idn_msg}
+  IPv6:             ${curl_ipv6_msg}
+  Unix sockets:     ${curl_unix_sockets_msg}
+  IDN:              ${curl_idn_msg}
   Build libcurl:    Shared=${enable_shared}, Static=${enable_static}
   Built-in manual:  ${curl_manual_msg}
   --libcurl option: ${curl_libcurl_msg}
   Verbose errors:   ${curl_verbose_msg}
-  SSPI support:     ${curl_sspi_msg}
+  Code coverage:    ${curl_coverage_msg}
+  SSPI:             ${curl_sspi_msg}
   ca cert bundle:   ${ca}${ca_warning}
   ca cert path:     ${capath}${capath_warning}
   ca fallback:      ${with_ca_fallback}
-  LDAP support:     ${curl_ldap_msg}
-  LDAPS support:    ${curl_ldaps_msg}
-  RTSP support:     ${curl_rtsp_msg}
-  RTMP support:     ${curl_rtmp_msg}
-  metalink support: ${curl_mtlnk_msg}
-  PSL support:      ${curl_psl_msg}
-  HTTP2 support:    ${curl_h2_msg}
+  LDAP:             ${curl_ldap_msg}
+  LDAPS:            ${curl_ldaps_msg}
+  RTSP:             ${curl_rtsp_msg}
+  RTMP:             ${curl_rtmp_msg}
+  Metalink:         ${curl_mtlnk_msg}
+  PSL:              ${curl_psl_msg}
+  Alt-svc:          ${curl_altsvc_msg}
+  HTTP2:            ${curl_h2_msg}
+  HTTP3:            ${curl_h3_msg}
+  ESNI:             ${curl_esni_msg}
   Protocols:        ${SUPPORT_PROTOCOLS}
+  Features:         ${SUPPORT_FEATURES}
 ])
-
-if test "x$soname_bump" = "xyes"; then
-
-cat <<EOM
-  SONAME bump:     yes - WARNING: this library will be built with the SONAME
-                   number bumped due to (a detected) ABI breakage.
-                   See lib/README.curl_off_t for details on this.
-EOM
-
+if test -n "$experimental"; then
+ cat >&2 << _EOF
+  WARNING: $experimental enabled but marked EXPERIMENTAL. Use with caution!
+_EOF
 fi
-
diff --git a/curl-config.in b/curl-config.in
index af484b4..0a7e035 100644
--- a/curl-config.in
+++ b/curl-config.in
@@ -6,7 +6,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 2001 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 2001 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -44,6 +44,7 @@
   --libs      library linking information
   --prefix    curl install prefix
   --protocols newline separated list of enabled protocols
+  --ssl-backends output the SSL backends libcurl was built to support
   --static-libs static libcurl library linking information
   --version   output version information
   --vernum    output the version information as a number (hexadecimal)
@@ -106,17 +107,29 @@
         # when extracting the patch part we strip off everything after a
         # dash as that's used for things like version 1.2.3-CVS
         cpatch=`echo $checkfor | cut -d. -f3 | cut -d- -f1`
-        checknum=`echo "$cmajor*256*256 + $cminor*256 + ${cpatch:-0}" | bc`
-        numuppercase=`echo @VERSIONNUM@ | tr 'a-f' 'A-F'`
-        nownum=`echo "obase=10; ibase=16; $numuppercase" | bc`
 
-        if test "$nownum" -ge "$checknum"; then
-          # silent success
-          exit 0
-        else
-          echo "requested version $checkfor is newer than existing @CURLVERSION@"
-          exit 1
+        vmajor=`echo @CURLVERSION@ | cut -d. -f1`
+        vminor=`echo @CURLVERSION@ | cut -d. -f2`
+        # when extracting the patch part we strip off everything after a
+        # dash as that's used for things like version 1.2.3-CVS
+        vpatch=`echo @CURLVERSION@ | cut -d. -f3 | cut -d- -f1`
+
+        if test "$vmajor" -gt "$cmajor"; then
+            exit 0;
         fi
+        if test "$vmajor" -eq "$cmajor"; then
+            if test "$vminor" -gt "$cminor"; then
+                exit 0
+            fi
+            if test "$vminor" -eq "$cminor"; then
+                if test "$cpatch" -le "$vpatch"; then
+                    exit 0
+                fi
+            fi
+        fi
+
+        echo "requested version $checkfor is newer than existing @CURLVERSION@"
+        exit 1
         ;;
 
     --vernum)
@@ -153,6 +166,9 @@
           echo ${CURLLIBDIR}-lcurl
         fi
         ;;
+    --ssl-backends)
+        echo "@SSL_BACKENDS@"
+        ;;
 
     --static-libs)
         if test "X@ENABLE_STATIC@" != "Xno" ; then
diff --git a/docs/ALTSVC.md b/docs/ALTSVC.md
new file mode 100644
index 0000000..6a462bb
--- /dev/null
+++ b/docs/ALTSVC.md
@@ -0,0 +1,39 @@
+# Alt-Svc
+
+curl features **EXPERIMENTAL** support for the Alt-Svc: HTTP header.
+
+## Enable Alt-Svc in build
+
+`./configure --enable-alt-svc`
+
+## Standard
+
+[RFC 7838](https://tools.ietf.org/html/rfc7838)
+
+# Alt-Svc cache file format
+
+This a text based file with one line per entry and each line consists of nine
+space separated fields.
+
+## Example
+
+    h2 quic.tech 8443 h3-22 quic.tech 8443 "20190808 06:18:37" 0 0
+
+## Fields
+
+1. The ALPN id for the source origin
+2. The host name for the source origin
+3. The port number for the source origin
+4. The ALPN id for the destination host
+5. The host name for the destination host
+6. The host number for the destination host
+7. The expiration date and time of this entry within double quotes. The date format is "YYYYMMDD HH:MM:SS" and the time zone is GMT.
+8. Boolean (1 or 0) if "persist" was set for this entry
+9. Integer priority value (not currently used)
+
+# TODO
+
+- handle multiple response headers, when one of them says `clear` (should
+  override them all)
+- using `Age:` value for caching age as per spec
+- `CURLALTSVC_IMMEDIATELY` support
diff --git a/docs/BINDINGS.md b/docs/BINDINGS.md
index 8f41608..d0e80b8 100644
--- a/docs/BINDINGS.md
+++ b/docs/BINDINGS.md
@@ -10,7 +10,7 @@
  The bindings listed below are not part of the curl/libcurl distribution
  archives, but must be downloaded and installed separately.
 
-[Ada95](http://www.almroth.com/adacurl/index.html)  Written by Andreas Almroth
+[Ada95](https://web.archive.org/web/20070403105909/www.almroth.com/adacurl/index.html) Written by Andreas Almroth
 
 [Basic](http://scriptbasic.com/) ScriptBasic bindings written by Peter Verhas
 
@@ -23,6 +23,8 @@
 Cocoa: [BBHTTP](https://github.com/brunodecarvalho/BBHTTP) written by Bruno de Carvalho
 [curlhandle](https://github.com/karelia/curlhandle) Written by Dan Wood
 
+Clojure: [clj-curl](https://github.com/lsevero/clj-curl) by Lucas Severo
+
 [D](https://dlang.org/library/std/net/curl.html) Written by Kenneth Bogert
 
 [Delphi](https://github.com/Mercury13/curl4delphi) Written by Mikhail Merkuryev
@@ -31,15 +33,15 @@
 
 [Eiffel](https://room.eiffel.com/library/curl) Written by Eiffel Software
 
-[Euphoria](http://rays-web.com/eulibcurl.htm) Written by Ray Smith
+[Euphoria](https://web.archive.org/web/20050204080544/rays-web.com/eulibcurl.htm) Written by Ray Smith
 
 [Falcon](http://www.falconpl.org/index.ftd?page_id=prjs&prj_id=curl)
 
-[Ferite](http://www.ferite.org/) Written by Paul Querna
+[Ferite](https://web.archive.org/web/20150102192018/ferite.org/) Written by Paul Querna
 
 [Gambas](https://gambas.sourceforge.io/)
 
-[glib/GTK+](http://atterer.net/glibcurl/) Written by Richard Atterer
+[glib/GTK+](https://web.archive.org/web/20100526203452/atterer.net/glibcurl) Written by Richard Atterer
 
 Go: [go-curl](https://github.com/andelf/go-curl) by ShuYu Wang
 
@@ -53,6 +55,8 @@
 
 [Julia](https://github.com/forio/Curl.jl) Written by Paul Howe
 
+[Kapito](https://github.com/puzza007/katipo) is an Erlang HTTP library around libcurl.
+
 [Lisp](https://common-lisp.net/project/cl-curl/) Written by Liam Healy
 
 Lua: [luacurl](http://luacurl.luaforge.net/) by Alexander Marinov, [Lua-cURL](https://github.com/Lua-cURL) by Jürgen Hötzel
@@ -61,21 +65,26 @@
 
 [.NET](https://sourceforge.net/projects/libcurl-net/) libcurl-net by Jeffrey Phillips
 
+[Nim](https://nimble.directory/pkg/libcurl) wrapper for libcurl
+
 [node.js](https://github.com/JCMais/node-libcurl) node-libcurl by Jonathan Cardoso Machado
 
-[Object-Pascal](http://www.tekool.com/opcurl) Free Pascal, Delphi and Kylix binding written by Christophe Espern.
+[Object-Pascal](https://web.archive.org/web/20020610214926/www.tekool.com/opcurl) Free Pascal, Delphi and Kylix binding written by Christophe Espern.
 
-[O'Caml](https://sourceforge.net/projects/ocurl/) Written by Lars Nilsson
+[OCaml](https://opam.ocaml.org/packages/ocurl/) Written by Lars Nilsson and ygrek
 
-[Pascal](http://houston.quik.com/jkp/curlpas/) Free Pascal, Delphi and Kylix binding written by Jeffrey Pohlmeyer.
+[Pascal](https://web.archive.org/web/20030804091414/houston.quik.com/jkp/curlpas/) Free Pascal, Delphi and Kylix binding written by Jeffrey Pohlmeyer.
 
-Perl: [WWW--Curl](https://github.com/szbalint/WWW--Curl) Maintained by Cris
+Perl: [WWW::Curl](https://github.com/szbalint/WWW--Curl) Maintained by Cris
 Bailiff and Bálint Szilakszi,
 [perl6-net-curl](https://github.com/azawawi/perl6-net-curl) by Ahmad M. Zawawi
+[NET::Curl](https://metacpan.org/pod/Net::Curl) by Przemyslaw Iskra
 
 [PHP](https://php.net/curl) Originally written by Sterling Hughes
 
-[PostgreSQL](http://gborg.postgresql.org/project/pgcurl/projdisplay.php) Written by Gian Paolo Ciceri
+[PostgreSQL](https://github.com/pramsey/pgsql-http) - HTTP client for PostgreSQL
+
+[PureBasic](https://www.purebasic.com/documentation/http/index.html) uses libcurl in its "native" HTTP subsystem
 
 [Python](http://pycurl.io/) PycURL by Kjetil Jacobsen
 
@@ -83,9 +92,11 @@
 
 [Rexx](https://rexxcurl.sourceforge.io/) Written Mark Hessling
 
+[Ring](https://ring-lang.sourceforge.io/doc1.3/libcurl.html) RingLibCurl by Mahmoud Fayed
+
 RPG, support for ILE/RPG on OS/400 is included in source distribution
 
-Ruby: [curb](http://curb.rubyforge.org/) written by Ross Bamford, [ruby-curl-multi](http://curl-multi.rubyforge.org/) written by Kristjan Petursson and Keith Rarick
+Ruby: [curb](https://github.com/taf2/curb) written by Ross Bamford
 
 [Rust](https://github.com/carllerche/curl-rust) curl-rust - by Carl Lerche
 
@@ -93,24 +104,24 @@
 
 [Scilab](https://help.scilab.org/docs/current/fr_FR/getURL.html) binding by Sylvestre Ledru
 
-[S-Lang](http://www.jedsoft.org/slang/modules/curl.html) by John E Davis
+[S-Lang](https://www.jedsoft.org/slang/modules/curl.html) by John E Davis
 
 [Smalltalk](http://www.squeaksource.com/CurlPlugin/) Written by Danil Osipchuk
 
-[SP-Forth](http://www.forth.org.ru/~ac/lib/lin/curl/) Written by ygrek
+[SP-Forth](https://sourceforge.net/p/spf/spf/ci/master/tree/devel/~ac/lib/lin/curl/) Written by Andrey Cherezov
 
 [SPL](http://www.clifford.at/spl/) Written by Clifford Wolf
 
-[Tcl](http://mirror.yellow5.com/tclcurl/) Tclcurl by Andrés García
+[Tcl](https://web.archive.org/web/20160826011806/mirror.yellow5.com/tclcurl/) Tclcurl by Andrés García
 
 [Visual Basic](https://sourceforge.net/projects/libcurl-vb/) libcurl-vb by Jeffrey Phillips
 
-[Visual Foxpro](http://www.ctl32.com.ar/libcurl.asp) by Carlos Alloatti
+[Visual Foxpro](https://web.archive.org/web/20130730181523/www.ctl32.com.ar/libcurl.asp) by Carlos Alloatti
 
 [Q](https://q-lang.sourceforge.io/) The libcurl module is part of the default install
 
 [wxWidgets](https://wxcode.sourceforge.io/components/wxcurl/) Written by Casey O'Donnell
 
-[XBLite](http://perso.wanadoo.fr/xblite/libraries.html) Written by David Szafranski
+[XBLite](https://web.archive.org/web/20060426150418/perso.wanadoo.fr/xblite/libraries.html) Written by David Szafranski
 
 [Xojo](https://github.com/charonn0/RB-libcURL) Written by Andrew Lambert
diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md
new file mode 100644
index 0000000..8ee9ac6
--- /dev/null
+++ b/docs/BUG-BOUNTY.md
@@ -0,0 +1,106 @@
+# The curl bug bounty
+
+The curl project runs a bug bounty program in association with
+[HackerOne](https://www.hackerone.com) and the [Internet Bug
+Bounty](https://internetbugbounty.org).
+
+# How does it work?
+
+Start out by posting your suspected security vulnerability directly to [curl's
+HackerOne program](https://hackerone.com/curl).
+
+After you have reported a security issue, it has been deemed credible, and a
+patch and advisory has been made public, you may be eligible for a bounty from
+this program.
+
+See all details at [https://hackerone.com/curl](https://hackerone.com/curl)
+
+This bounty is relying on funds from sponsors. If you use curl professionally,
+consider help funding this! See
+[https://opencollective.com/curl](https://opencollective.com/curl) for
+details.
+
+# What are the reward amounts?
+
+The curl projects offer monetary compensation for reported and published
+security vulnerabilities. The amount of money that is rewarded depends on how
+serious the flaw is determined to be.
+
+We offer reward money *up to* a certain amount per severity. The curl security
+team determines the severity of each reported flaw on a case by case basis and
+the exact amount rewarded to the reporter is then decided.
+
+Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl)
+
+# Who is eligible for a reward?
+
+Everyone and anyone who reports a security problem in a released curl version
+that hasn't already been reported can ask for a bounty.
+
+Vulnerabilities in features that are off by default and documented as
+experimental are not eligible for a reward.
+
+The vulnerability has to be fixed and publicly announced (by the curl project)
+before a bug bounty will be considered.
+
+Bounties need to be requested within twelve months from the publication of the
+vulnerability.
+
+The vulnerabilities must not have been made public before February 1st, 2019.
+We do not retroactively pay for old, already known, or published security
+problems.
+
+# Product vulnerabilities only
+
+This bug bounty only concerns the curl and libcurl products and thus their
+respective source codes - when running on existing hardware. It does not
+include documentation, websites, or other infrastructure.
+
+The curl security team will be the sole arbiter if a reported flaw can be
+subject to a bounty or not.
+
+# How are vulnerabilities graded?
+
+The grading of each reported vulnerability that makes a reward claim will be
+performed by the curl security team. The grading will be based on the CVSS
+(Common Vulnerability Scoring System) 3.0.
+
+# How are reward amounts determined?
+
+The curl security team first gives the vulnerability a score, as mentioned
+above, and based on that level we set an amount depending on the specifics of
+the individual case. Other sponsors of the program might also get involved and
+can raise the amounts depending on the particular issue.
+
+# What happens if the bounty fund is drained?
+
+The bounty fund depends on sponsors. If we pay out more bounties than we add,
+the fund will eventually drain. If that end up happening, we will simply not
+be able to pay out as high bounties as we would like and hope that we can
+convince new sponsors to help us top up the fund again.
+
+# Regarding taxes, etc. on the bounties
+
+In the event that the individual receiving a curl bug bounty needs to pay
+taxes on the reward money, the responsibility lies with the receiver. The
+curl project or its security team never actually receive any of this money,
+hold the money, or pay out the money.
+
+## Bonus levels
+
+In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
+offer the highest levels of rewards if the issue covers one of the interest
+areas of theirs - and only if the bug is graded *high* or *critical*. A
+non-exhaustive list of vulnerabilities Dropbox is interested in are:
+
+ - RCE
+ - URL parsing vulnerabilities with demonstrable security impact
+
+Dropbox would generally hand out rewards for critical vulnerabilities ranging
+from 12k-32k USD where RCE is on the upper end of the spectrum.
+
+URL parsing vulnerabilities with demonstrable security impact might include
+incorrectly determining the authority of a URL when a special character is
+inserted into the path of the URL (as a hypothetical). This type of
+vulnerability would likely yield 6k-12k unless further impact could be
+demonstrated.
diff --git a/docs/BUGS b/docs/BUGS
index 2936c54..480e0ca 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -9,11 +9,13 @@
  1. Bugs
   1.1 There are still bugs
   1.2 Where to report
-  1.3 What to report
-  1.4 libcurl problems
-  1.5 Who will fix the problems
-  1.6 How to get a stack trace
-  1.7 Bugs in libcurl bindings
+  1.3 Security bugs
+  1.4 What to report
+  1.5 libcurl problems
+  1.6 Who will fix the problems
+  1.7 How to get a stack trace
+  1.8 Bugs in libcurl bindings
+  1.9 Bugs in old versions
 
  2. Bug fixing procedure
  2.1 What happens on first filing
@@ -29,9 +31,8 @@
 
 1.1 There are still bugs
 
-  Curl and libcurl have grown substantially since the beginning. At the time
-  of writing (January 2013), there are about 83,000 lines of source code, and
-  by the time you read this it has probably grown even more.
+  Curl and libcurl keep being developed. Adding features and changing code
+  means that bugs will sneak in, no matter how hard we try not to.
 
   Of course there are lots of bugs left. And lots of misfeatures.
 
@@ -52,7 +53,29 @@
   If you feel you need to ask around first, find a suitable mailing list and
   post there. The lists are available on https://curl.haxx.se/mail/
 
-1.3 What to report
+1.3 Security bugs
+
+  If you find a bug or problem in curl or libcurl that you think has a
+  security impact, for example a bug that can put users in danger or make them
+  vulnerable if the bug becomes public knowledge, then please report that bug
+  using our security development process.
+
+  Security related bugs or bugs that are suspected to have a security impact,
+  should be reported on the curl security tracker at HackerOne:
+
+        https://hackerone.com/curl
+
+  This ensures that the report reaches the curl security team so that they
+  first can be deal with the report away from the public to minimize the harm
+  and impact it will have on existing users out there who might be using the
+  vulnerable versions.
+
+  The curl project's process for handling security related issues is
+  documented here:
+
+        https://curl.haxx.se/dev/secprocess.html
+
+1.4 What to report
 
   When reporting a bug, you should include all information that will help us
   understand what's wrong, what you expected to happen and how to repeat the
@@ -84,7 +107,7 @@
   The address and how to subscribe to the mailing lists are detailed in the
   MANUAL file.
 
-1.4 libcurl problems
+1.5 libcurl problems
 
   When you've written your own application with libcurl to perform transfers,
   it is even more important to be specific and detailed when reporting bugs.
@@ -104,7 +127,7 @@
   valgrind or similar before you post memory-related or "crashing" problems to
   us.
 
-1.5 Who will fix the problems
+1.6 Who will fix the problems
 
   If the problems or bugs you describe are considered to be bugs, we want to
   have the problems fixed.
@@ -123,7 +146,7 @@
   We get reports from many people every month and each report can take a
   considerable amount of time to really go to the bottom with.
 
-1.6 How to get a stack trace
+1.7 How to get a stack trace
 
   First, you must make sure that you compile all sources with -g and that you
   don't 'strip' the final executable. Try to avoid optimizing the code as
@@ -143,7 +166,7 @@
   crashed. Include the stack trace with your detailed bug report. It'll help a
   lot.
 
-1.7 Bugs in libcurl bindings
+1.8 Bugs in libcurl bindings
 
   There will of course pop up bugs in libcurl bindings. You should then
   primarily approach the team that works on that particular binding and see
@@ -153,6 +176,38 @@
   please convert your program over to plain C and follow the steps outlined
   above.
 
+1.9 Bugs in old versions
+
+  The curl project typically releases new versions every other month, and we
+  fix several hundred bugs per year. For a huge table of releases, number of
+  bug fixes and more, see: https://curl.haxx.se/docs/releases.html
+
+  The developers in the curl project do not have bandwidth or energy enough to
+  maintain several branches or to spend much time on hunting down problems in
+  old versions when chances are we already fixed them or at least that they've
+  changed nature and appearance in later versions.
+
+  When you experience a problem and want to report it, you really SHOULD
+  include the version number of the curl you're using when you experience the
+  issue. If that version number shows us that you're using an out-of-date
+  curl, you should also try out a modern curl version to see if the problem
+  persists or how/if it has changed in appearance.
+
+  Even if you cannot immediately upgrade your application/system to run the
+  latest curl version, you can most often at least run a test version or
+  experimental build or similar, to get this confirmed or not.
+
+  At times people insist that they cannot upgrade to a modern curl version,
+  but instead they "just want the bug fixed". That's fine, just don't count on
+  us spending many cycles on trying to identify which single commit, if that's
+  even possible, that at some point in the past fixed the problem you're now
+  experiencing.
+
+  Security wise, it is almost always a bad idea to lag behind the current curl
+  versions by a lot. We keeping discovering and reporting security problems
+  over time see you can see in this table:
+  https://curl.haxx.se/docs/vulnerabilities.html
+
 2. Bug fixing procedure
 
 2.1 What happens on first filing
@@ -240,8 +295,8 @@
   The issue and pull request trackers on https://github.com/curl/curl will
   only hold "active" entries (using a non-precise definition of what active
   actually is, but they're at least not completely dead). Those that are
-  abandonded or in other ways dormant will be closed and sometimes added to
+  abandoned or in other ways dormant will be closed and sometimes added to
   TODO and KNOWN_BUGS instead.
 
   This way, we only have "active" issues open on github. Irrelevant issues and
-  pull requests will not distract developes or casual visitors.
+  pull requests will not distract developers or casual visitors.
diff --git a/docs/CHECKSRC.md b/docs/CHECKSRC.md
index b42de84..10e2f4d 100644
--- a/docs/CHECKSRC.md
+++ b/docs/CHECKSRC.md
@@ -30,6 +30,16 @@
 problems it detects. At the time of this writing, the existing checksrc
 warnings are:
 
+- `ASSIGNWITHINCONDITION`: Assignment within a conditional expression. The
+  code style mandates the assignment to be done outside of it.
+
+- `ASTERISKNOSPACE`: A pointer was declared like `char* name` instead of the more
+   appropriate `char *name` style. The asterisk should sit next to the name.
+
+- `ASTERISKSPACE`: A pointer was declared like `char * name` instead of the
+   more appropriate `char *name` style. The asterisk should sit right next to
+   the name without a space in between.
+
 - `BADCOMMAND`: There's a bad !checksrc! instruction in the code. See the
    **Ignore certain warnings** section below for details.
 
@@ -49,17 +59,32 @@
 
 - `FOPENMODE`: `fopen()` needs a macro for the mode string, use it
 
-- `INDENTATION`: detected a wrong start column for code. Note that this warning
-   only checks some specific places and will certainly miss many bad
+- `INDENTATION`: detected a wrong start column for code. Note that this
+   warning only checks some specific places and will certainly miss many bad
    indentations.
 
 - `LONGLINE`: A line is longer than 79 columns.
 
+- `MULTISPACE`: Multiple spaces were found where only one should be used.
+
+- `NOSPACEEQUALS`: An equals sign was found without preceding space. We prefer
+  `a = 2` and *not* `a=2`.
+
+- `OPENCOMMENT`: File ended with a comment (`/*`) still "open".
+
 - `PARENBRACE`: `){` was used without sufficient space in between.
 
 - `RETURNNOSPACE`: `return` was used without space between the keyword and the
    following value.
 
+- `SEMINOSPACE`: There was no space (or newline) following a semicolon.
+
+- `SIZEOFNOPAREN`: Found use of sizeof without parentheses. We prefer
+  `sizeof(int)` style.
+
+- `SNPRINTF` - Found use of `snprintf()`. Since we use an internal replacement
+   with a different return code etc, we prefer `msnprintf()`.
+
 - `SPACEAFTERPAREN`: there was a space after open parenthesis, `( text`.
 
 - `SPACEBEFORECLOSE`: there was a space before a close parenthesis, `text )`.
@@ -69,7 +94,7 @@
 - `SPACEBEFOREPAREN`: there was a space before an open parenthesis, `if (`,
    where one was not expected
 
-- `SPACESEMILCOLON`: there was a space before semicolon, ` ;`.
+- `SPACESEMICOLON`: there was a space before semicolon, ` ;`.
 
 - `TABS`: TAB characters are not allowed!
 
@@ -78,6 +103,19 @@
 - `UNUSEDIGNORE`: a checksrc inlined warning ignore was asked for but not used,
    that's an ignore that should be removed or changed to get used.
 
+### Extended warnings
+
+Some warnings are quite computationally expensive to perform, so they are
+turned off by default. To enable these warnings, place a `.checksrc` file in
+the directory where they should be activated with commands to enable the
+warnings you are interested in. The format of the file is to enable one
+warning per line like so: `enable <EXTENDEDWARNING>`
+
+Currently there is one extended warning which can be enabled:
+
+- `COPYRIGHTYEAR`: the current changeset hasn't updated the copyright year in
+   the source file
+
 ## Ignore certain warnings
 
 Due to the nature of the source code and the flaws of the checksrc tool, there
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md
index 99d261b..19aedf3 100644
--- a/docs/CIPHERS.md
+++ b/docs/CIPHERS.md
@@ -1,7 +1,17 @@
 # Ciphers
 
-With curl's options `CURLOPT_SSL_CIPHER_LIST` and `--ciphers` users can
-control which ciphers to consider when negotiating TLS connections.
+With curl's options
+[`CURLOPT_SSL_CIPHER_LIST`](https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html)
+and
+[`--ciphers`](https://curl.haxx.se/docs/manpage.html#--ciphers)
+users can control which ciphers to consider when negotiating TLS connections.
+
+TLS 1.3 ciphers are supported since curl 7.61 for OpenSSL 1.1.1+ with options
+[`CURLOPT_TLS13_CIPHERS`](https://curl.haxx.se/libcurl/c/CURLOPT_TLS13_CIPHERS.html)
+and
+[`--tls13-ciphers`](https://curl.haxx.se/docs/manpage.html#--tls13-ciphers)
+. If you are using a different SSL backend you can try setting TLS 1.3 cipher
+suites by using the respective regular cipher option.
 
 The names of the known ciphers differ depending on which TLS backend that
 libcurl was built to use. This is an attempt to list known cipher names.
@@ -10,6 +20,8 @@
 
 (based on [OpenSSL docs](https://www.openssl.org/docs/man1.1.0/apps/ciphers.html))
 
+When specifying multiple cipher names, separate them with colon (`:`).
+
 ### SSL3 cipher suites
 
 `NULL-MD5`
@@ -142,6 +154,16 @@
 `ECDHE-RSA-CAMELLIA128-SHA256`
 `ECDHE-RSA-CAMELLIA256-SHA384`
 
+### TLS 1.3 cipher suites
+
+(Note these ciphers are set with `CURLOPT_TLS13_CIPHERS` and `--tls13-ciphers`)
+
+`TLS_AES_256_GCM_SHA384`
+`TLS_CHACHA20_POLY1305_SHA256`
+`TLS_AES_128_GCM_SHA256`
+`TLS_AES_128_CCM_8_SHA256`
+`TLS_AES_128_CCM_SHA256`
+
 ## NSS
 
 ### Totally insecure
@@ -248,9 +270,16 @@
 `ecdhe_ecdsa_chacha20_poly1305_sha_256`
 `dhe_rsa_chacha20_poly1305_sha_256`
 
+### TLS 1.3 cipher suites
+
+`aes_128_gcm_sha_256`
+`aes_256_gcm_sha_384`
+`chacha20_poly1305_sha_256`
+
 ## GSKit
 
-Ciphers are internally defined as numeric codes (http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_set_buffer.htm),
+Ciphers are internally defined as
+[numeric codes](https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_set_buffer.htm),
 but libcurl maps them to the following case-insensitive names.
 
 ### SSL2 cipher suites (insecure: disabled by default)
@@ -424,3 +453,64 @@
 `ECDHE-PSK-CHACHA20-POLY1305`,
 `DHE-PSK-CHACHA20-POLY1305`,
 `EDH-RSA-DES-CBC3-SHA`,
+
+## Schannel
+
+Schannel allows the enabling and disabling of encryption algorithms, but not
+specific ciphersuites. They are
+[defined](https://docs.microsoft.com/windows/desktop/SecCrypto/alg-id) by
+Microsoft.
+
+There is also the case that the selected algorithm is not supported by the
+protocol or does not match the ciphers offered by the server during the SSL
+negotiation. In this case curl will return error
+`CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH`
+and the request will fail.
+
+`CALG_MD2`,
+`CALG_MD4`,
+`CALG_MD5`,
+`CALG_SHA`,
+`CALG_SHA1`,
+`CALG_MAC`,
+`CALG_RSA_SIGN`,
+`CALG_DSS_SIGN`,
+`CALG_NO_SIGN`,
+`CALG_RSA_KEYX`,
+`CALG_DES`,
+`CALG_3DES_112`,
+`CALG_3DES`,
+`CALG_DESX`,
+`CALG_RC2`,
+`CALG_RC4`,
+`CALG_SEAL`,
+`CALG_DH_SF`,
+`CALG_DH_EPHEM`,
+`CALG_AGREEDKEY_ANY`,
+`CALG_HUGHES_MD5`,
+`CALG_SKIPJACK`,
+`CALG_TEK`,
+`CALG_CYLINK_MEK`,
+`CALG_SSL3_SHAMD5`,
+`CALG_SSL3_MASTER`,
+`CALG_SCHANNEL_MASTER_HASH`,
+`CALG_SCHANNEL_MAC_KEY`,
+`CALG_SCHANNEL_ENC_KEY`,
+`CALG_PCT1_MASTER`,
+`CALG_SSL2_MASTER`,
+`CALG_TLS1_MASTER`,
+`CALG_RC5`,
+`CALG_HMAC`,
+`CALG_TLS1PRF`,
+`CALG_HASH_REPLACE_OWF`,
+`CALG_AES_128`,
+`CALG_AES_192`,
+`CALG_AES_256`,
+`CALG_AES`,
+`CALG_SHA_256`,
+`CALG_SHA_384`,
+`CALG_SHA_512`,
+`CALG_ECDH`,
+`CALG_ECMQV`,
+`CALG_ECDSA`,
+`CALG_ECDH_EPHEM`,
diff --git a/docs/CMakeLists.txt b/docs/CMakeLists.txt
new file mode 100644
index 0000000..22863bc
--- /dev/null
+++ b/docs/CMakeLists.txt
@@ -0,0 +1,24 @@
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+#add_subdirectory(examples)
+add_subdirectory(libcurl)
+add_subdirectory(cmdline-opts)
diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md
index 04ea66e..1f71c38 100644
--- a/docs/CODE_OF_CONDUCT.md
+++ b/docs/CODE_OF_CONDUCT.md
@@ -28,5 +28,5 @@
 maintainers.
 
 This Code of Conduct is adapted from the [Contributor
-Covenant](http://contributor-covenant.org), version 1.1.0, available at
-[http://contributor-covenant.org/version/1/1/0/](http://contributor-covenant.org/version/1/1/0/)
+Covenant](https://contributor-covenant.org/), version 1.1.0, available at
+[https://contributor-covenant.org/version/1/1/0/](https://contributor-covenant.org/version/1/1/0/)
diff --git a/docs/CODE_STYLE.md b/docs/CODE_STYLE.md
index ba5f710..0ceb5b9 100644
--- a/docs/CODE_STYLE.md
+++ b/docs/CODE_STYLE.md
@@ -44,8 +44,8 @@
 
 ## Comments
 
-Since we write C89 code, `//` comments are not allowed. They weren't
-introduced in the C standard until C99. We use only `/*` and `*/` comments:
+Since we write C89 code, **//** comments are not allowed. They weren't
+introduced in the C standard until C99. We use only **/* comments */**.
 
     /* this is a comment */
 
@@ -87,8 +87,8 @@
 
 ## 'else' on the following line
 
-When adding an `else` clause to a conditional expression using braces, we add
-it on a new line after the closing brace. Like this:
+When adding an **else** clause to a conditional expression using braces, we
+add it on a new line after the closing brace. Like this:
 
     if(age < 40) {
       /* clearly a youngster */
@@ -149,8 +149,8 @@
 
 ## Space around operators
 
-Please use spaces on both sides of operators in C expressions.  Postfix `(),
-[], ->, ., ++, --` and Unary `+, - !, ~, &` operators excluded they should
+Please use spaces on both sides of operators in C expressions.  Postfix **(),
+[], ->, ., ++, --** and Unary **+, - !, ~, &** operators excluded they should
 have no space.
 
 Examples:
@@ -167,63 +167,71 @@
     complement = ~bits;
     empty = (!*string) ? TRUE : FALSE;
 
+## No parentheses for return values
+
+We use the 'return' statement without extra parentheses around the value:
+
+    int works(void)
+    {
+      return TRUE;
+    }
+
+## Parentheses for sizeof arguments
+
+When using the sizeof operator in code, we prefer it to be written with
+parentheses around its argument:
+
+    int size = sizeof(int);
+
 ## Column alignment
 
-Some statements cannot be completed on a single line because the line would
-be too long, the statement too hard to read, or due to other style guidelines
+Some statements cannot be completed on a single line because the line would be
+too long, the statement too hard to read, or due to other style guidelines
 above. In such a case the statement will span multiple lines.
 
 If a continuation line is part of an expression or sub-expression then you
 should align on the appropriate column so that it's easy to tell what part of
 the statement it is. Operators should not start continuation lines. In other
-cases follow the 2-space indent guideline. Here are some examples from libcurl:
+cases follow the 2-space indent guideline. Here are some examples from
+libcurl:
 
-~~~c
     if(Curl_pipeline_wanted(handle->multi, CURLPIPE_HTTP1) &&
        (handle->set.httpversion != CURL_HTTP_VERSION_1_0) &&
        (handle->set.httpreq == HTTPREQ_GET ||
         handle->set.httpreq == HTTPREQ_HEAD))
       /* didn't ask for HTTP/1.0 and a GET or HEAD */
       return TRUE;
-~~~
 
-~~~c
-  case CURLOPT_KEEP_SENDING_ON_ERROR:
-    data->set.http_keep_sending_on_error = (0 != va_arg(param, long)) ?
-                                           TRUE : FALSE;
-    break;
-~~~
+If no parenthesis, use the default indent:
 
-~~~c
     data->set.http_disable_hostname_check_before_authentication =
       (0 != va_arg(param, long)) ? TRUE : FALSE;
-~~~
 
-~~~c
-  if(option) {
-    result = parse_login_details(option, strlen(option),
-                                 (userp ? &user : NULL),
-                                 (passwdp ? &passwd : NULL),
-                                 NULL);
-  }
-~~~
+Function invoke with an open parenthesis:
 
-~~~c
-        DEBUGF(infof(data, "Curl_pp_readresp_ %d bytes of trailing "
-                     "server response left\n",
-                     (int)clipamount));
-~~~
+    if(option) {
+      result = parse_login_details(option, strlen(option),
+                                   (userp ? &user : NULL),
+                                   (passwdp ? &passwd : NULL),
+                                   NULL);
+    }
+
+Align with the "current open" parenthesis:
+
+    DEBUGF(infof(data, "Curl_pp_readresp_ %d bytes of trailing "
+                 "server response left\n",
+                 (int)clipamount));
 
 ## Platform dependent code
 
-Use `#ifdef HAVE_FEATURE` to do conditional code. We avoid checking for
+Use **#ifdef HAVE_FEATURE** to do conditional code. We avoid checking for
 particular operating systems or hardware in the #ifdef lines. The HAVE_FEATURE
 shall be generated by the configure script for unix-like systems and they are
-hard-coded in the config-[system].h files for the others.
+hard-coded in the `config-[system].h` files for the others.
 
 We also encourage use of macros/functions that possibly are empty or defined
 to constants when libcurl is built without that feature, to make the code
-seamless. Like this style where the `magic()` function works differently
+seamless. Like this example where the **magic()** function works differently
 depending on a build-time conditional:
 
     #ifdef HAVE_MAGIC
diff --git a/docs/CONTRIBUTE.md b/docs/CONTRIBUTE.md
index e77c365..978b87d 100644
--- a/docs/CONTRIBUTE.md
+++ b/docs/CONTRIBUTE.md
@@ -20,8 +20,8 @@
 We also hang out on IRC in #curl on irc.freenode.net
 
 If you're at all interested in the code side of things, consider clicking
-'watch' on the [curl repo on github](https://github.com/curl/curl) to get
-notified on pull requests and new issues posted there.
+'watch' on the [curl repo on github](https://github.com/curl/curl) to be
+notified of pull requests and new issues posted there.
 
 ### License and copyright
 
@@ -103,7 +103,7 @@
 ### Documentation
 
 Writing docs is dead boring and one of the big problems with many open source
-projects. But someone's gotta do it! It makes things a lot easier if you 
+projects. But someone's gotta do it! It makes things a lot easier if you
 submit a small description of your fix or your new features with every
 contribution so that it can be swiftly added to the package documentation.
 
@@ -134,7 +134,7 @@
 list](https://curl.haxx.se/mail/list.cgi?list=curl-library).
 
 Either way, your change will be reviewed and discussed there and you will be
-expected to correct flaws pointed out and update accordingly, or the change 
+expected to correct flaws pointed out and update accordingly, or the change
 risks stalling and eventually just getting deleted without action. As a
 submitter of a change, you are the owner of that change until it has been merged.
 
@@ -149,9 +149,28 @@
 request](https://github.com/curl/curl/pulls) to the curl project to have
 changes merged.
 
-We prefer pull requests to mailed patches, as it makes it a proper git commit
-that is easy to merge and they are easy to track and not that easy to loose
-in the flood of many emails, like they sometimes do on the mailing lists.
+We strongly prefer pull requests to mailed patches, as it makes it a proper
+git commit that is easy to merge and they are easy to track and not that easy
+to loose in the flood of many emails, like they sometimes do on the mailing
+lists.
+
+Every pull request submitted will automatically be tested in several different
+ways. Every pull request is verified for each of the following:
+
+ - ... it still builds, warning-free, on Linux and macOS, with both
+   clang and gcc
+ - ... it still builds fine on Windows with several MSVC versions
+ - ... it still builds with cmake on Linux, with gcc and clang
+ - ... it follows rudimentary code style rules
+ - ... the test suite still runs 100% fine
+ - ... the release tarball (the "dist") still works
+ - ... it builds fine in-tree as well as out-of-tree
+ - ... code coverage doesn't shrink drastically
+
+If the pull-request fails one of these tests, it will show up as a red X and
+you are expected to fix the problem. If you don't understand when the issue is
+or have other problems to fix the complaint, just ask and other project
+members will likely be able to help out.
 
 When you adjust your pull requests after review, consider squashing the
 commits so that we can review the full updated version more easily.
@@ -161,8 +180,8 @@
 Make the patch against as recent source versions as possible.
 
 If you've followed the tips in this document and your patch still hasn't been
-incorporated or responded to after some weeks, consider resubmitting it to
-the list or better yet: change it to a pull request.
+incorporated or responded to after some weeks, consider resubmitting it to the
+list or better yet: change it to a pull request.
 
 ### Write good commit messages
 
@@ -175,14 +194,15 @@
     possible as to why this change is made, and possibly what things
     it fixes and everything else that is related]
            -- empty line --
+    [Closes/Fixes #1234 - if this closes or fixes a github issue]
     [Bug: URL to source of the report or more related discussion]
     [Reported-by: John Doe - credit the reporter]
     [whatever-else-by: credit all helpers, finders, doers]
     ---- stop ----
 
-Don't forget to use commit --author="" if you commit someone else's work,
-and make sure that you have your own user and email setup correctly in git
-before you commit
+Don't forget to use commit --author="" if you commit someone else's work, and
+make sure that you have your own user and email setup correctly in git before
+you commit
 
 ### Write Access to git Repository
 
diff --git a/docs/CURL-DISABLE.md b/docs/CURL-DISABLE.md
new file mode 100644
index 0000000..83436b4
--- /dev/null
+++ b/docs/CURL-DISABLE.md
@@ -0,0 +1,110 @@
+# Code defines to disable features and protocols
+
+## CURL_DISABLE_COOKIES
+
+Disable support for HTTP cookies.
+
+## CURL_DISABLE_CRYPTO_AUTH
+
+Disable support for authentication methods using crypto.
+
+## CURL_DISABLE_DICT
+
+Disable the DICT protocol
+
+## CURL_DISABLE_DOH
+
+Disable DNS-over-HTTPS
+
+## CURL_DISABLE_FILE
+
+Disable the FILE protocol
+
+## CURL_DISABLE_FTP
+
+Disable the FTP (and FTPS) protocol
+
+## CURL_DISABLE_GOPHER
+
+Disable the GOPHER protocol.
+
+## CURL_DISABLE_HTTP
+
+Disable the HTTP(S) protocols. Note that this then also disable HTTP proxy
+support.
+
+## CURL_DISABLE_HTTP_AUTH
+
+Disable support for all HTTP authentication methods.
+
+## CURL_DISABLE_IMAP
+
+Disable the IMAP(S) protocols.
+
+## CURL_DISABLE_LDAP
+
+Disable the LDAP(S) protocols.
+
+## CURL_DISABLE_LDAPS
+
+Disable the LDAPS protocol.
+
+## CURL_DISABLE_LIBCURL_OPTION
+
+Disable the --libcurl option from the curl tool.
+
+## CURL_DISABLE_MIME
+
+Disable MIME support.
+
+## CURL_DISABLE_NETRC
+
+Disable the netrc parser.
+
+## CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
+
+Disable the auto load config support in the OpenSSL backend.
+
+## CURL_DISABLE_PARSEDATE
+
+Disable date parsing
+
+## CURL_DISABLE_POP
+
+Disable the POP(S) protocols
+
+## CURL_DISABLE_PROGRESS_METER
+
+Disable the built-in progress meter
+
+## CURL_DISABLE_PROXY
+
+Disable support for proxies
+
+## CURL_DISABLE_RTSP
+
+Disable the RTSP protocol.
+
+## CURL_DISABLE_SHUFFLE_DNS
+
+Disable the shuffle DNS feature
+
+## CURL_DISABLE_SMB
+
+Disable the SMB(S) protocols
+
+## CURL_DISABLE_SMTP
+
+Disable the SMTP(S) protocols
+
+## CURL_DISABLE_TELNET
+
+Disable the TELNET protocol
+
+## CURL_DISABLE_TFTP
+
+Disable the TFTP protocol
+
+## CURL_DISABLE_VERBOSE_STRINGS
+
+Disable verbose strings and error messages.
diff --git a/docs/DEPRECATE.md b/docs/DEPRECATE.md
new file mode 100644
index 0000000..26877c4
--- /dev/null
+++ b/docs/DEPRECATE.md
@@ -0,0 +1,12 @@
+# Items to be removed from future curl releases
+
+If any of these deprecated features is a cause for concern for you, please
+email the curl-library mailing list as soon as possible and explain to us why
+this is a problem for you and how your use case can't be satisfied properly
+using a work around.
+
+## Past removals
+
+ - Pipelining
+ - axTLS
+ - PolarSSL
diff --git a/docs/ESNI.md b/docs/ESNI.md
new file mode 100644
index 0000000..7feaa75
--- /dev/null
+++ b/docs/ESNI.md
@@ -0,0 +1,139 @@
+# TLS: ESNI support in curl and libcurl
+
+## Summary
+
+**ESNI** means **Encrypted Server Name Indication**, a TLS 1.3
+extension which is currently the subject of an
+[IETF Draft][tlsesni].
+
+This file is intended to show the latest current state of ESNI support
+in **curl** and **libcurl**.
+
+At end of August 2019, an [experimental fork of curl][niallorcurl],
+built using an [experimental fork of OpenSSL][sftcdopenssl], which in
+turn provided an implementation of ESNI, was demonstrated
+interoperating with a server belonging to the [DEfO
+Project][defoproj].
+
+Further sections here describe
+
+-   resources needed for building and demonstrating **curl** support
+    for ESNI,
+
+-   progress to date,
+
+-   TODO items, and
+
+-   additional details of specific stages of the progress.
+
+## Resources needed
+
+To build and demonstrate ESNI support in **curl** and/or **libcurl**,
+you will need
+
+-   a TLS library, supported by **libcurl**, which implements ESNI;
+
+-   an edition of **curl** and/or **libcurl** which supports the ESNI
+    implementation of the chosen TLS library;
+
+-   an environment for building and running **curl**, and at least
+    building **OpenSSL**;
+
+-   a server, supporting ESNI, against which to run a demonstration
+    and perhaps a specific target URL;
+
+-   some instructions.
+
+The following set of resources is currently known to be available.
+
+| Set  | Component    | Location                      | Remarks                                    |
+|:-----|:-------------|:------------------------------|:-------------------------------------------|
+| DEfO | TLS library  | [sftcd/openssl][sftcdopenssl] | Tag *esni-2019-08-30* avoids bleeding edge |
+|      | curl fork    | [niallor/curl][niallorcurl]   | Tag *esni-2019-08-30* likewise             |
+|      | instructions | [ESNI-README][niallorreadme]  |                                            |
+
+## Progress
+
+### PR 4011 (Jun 2019) expected in curl release 7.67.0 (Oct 2019)
+
+-   Details [below](#pr4011);
+
+-   New **curl** feature: `CURL_VERSION_ESNI`;
+
+-   New configuration option: `--enable-esni`;
+
+-   Build-time check for availability of resources needed for ESNI
+    support;
+
+-   Pre-processor symbol `USE_ESNI` for conditional compilation of
+    ESNI support code, subject to configuration option and
+    availability of needed resources.
+
+## TODO
+
+-   (next PR) Add libcurl options to set ESNI parameters.
+
+-   (next PR) Add curl tool command line options to set ESNI parameters.
+
+-   (WIP) Extend DoH functions so that published ESNI parameters can be
+    retrieved from DNS instead of being required as options.
+
+-   (WIP) Work with OpenSSL community to finalize ESNI API.
+
+-   Track OpenSSL ESNI API in libcurl
+
+-   Identify and implement any changes needed for CMake.
+
+-   Optimize build-time checking of available resources.
+
+-   Encourage ESNI support work on other TLS/SSL backends.
+
+## Additional detail
+
+### PR 4011
+
+**TLS: Provide ESNI support framework for curl and libcurl**
+
+The proposed change provides a framework to facilitate work to
+implement ESNI support in curl and libcurl. It is not intended
+either to provide ESNI functionality or to favour any particular
+TLS-providing backend. Specifically, the change reserves a
+feature bit for ESNI support (symbol `CURL_VERSION_ESNI`),
+implements setting and reporting of this bit, includes dummy
+book-keeping for the symbol, adds a build-time configuration
+option (`--enable-esni`), provides an extensible check for
+resources available to provide ESNI support, and defines a
+compiler pre-processor symbol (`USE_ESNI`) accordingly.
+
+Proposed-by: @niallor (Niall O'Reilly)\
+Encouraged-by: @sftcd (Stephen Farrell)\
+See-also: [this message](https://curl.haxx.se/mail/lib-2019-05/0108.html)
+
+Limitations:
+-   Book-keeping (symbols-in-versions) needs real release number, not 'DUMMY'.
+
+-   Framework is incomplete, as it covers autoconf, but not CMake.
+
+-   Check for available resources, although extensible, refers only to
+    specific work in progress ([described
+    here](https://github.com/sftcd/openssl/tree/master/esnistuff)) to
+    implement ESNI for OpenSSL, as this is the immediate motivation
+    for the proposed change.
+
+## References
+
+Cloudflare blog: [Encrypting SNI: Fixing One of the Core Internet Bugs][corebug]
+
+Cloudflare blog: [Encrypt it or lose it: how encrypted SNI works][esniworks]
+
+IETF Draft: [Encrypted Server Name Indication for TLS 1.3][tlsesni]
+
+---
+
+[tlsesni]:		https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
+[esniworks]:	https://blog.cloudflare.com/encrypted-sni/
+[corebug]:		https://blog.cloudflare.com/esni/
+[defoproj]:		https://defo.ie/
+[sftcdopenssl]: https://github.com/sftcd/openssl/
+[niallorcurl]:	https://github.com/niallor/curl/
+[niallorreadme]: https://github.com/niallor/curl/blob/master/ESNI-README.md
diff --git a/docs/EXPERIMENTAL.md b/docs/EXPERIMENTAL.md
new file mode 100644
index 0000000..34974fb
--- /dev/null
+++ b/docs/EXPERIMENTAL.md
@@ -0,0 +1,23 @@
+# Experimental
+
+Some features and functionality in curl and libcurl are considered
+**EXPERIMENTAL**.
+
+Experimental support in curl means:
+
+1. Experimental features are provided to allow users to try them out and
+   provide feedback on functionality and API etc before they ship and get
+   "carved in stone".
+2. You must enable the feature when invoking configure as otherwise curl will
+   not be built with the feature present.
+3. We strongly advice against using this feature in production.
+4. **We reserve the right to change behavior** of the feature without sticking
+   to our API/ABI rules as we do for regular features, as long as it is marked
+   experimental.
+5. Experimental features are clearly marked so in documentation. Beware.
+
+## Experimental features right now
+
+ - HTTP/3 support and options
+ - alt-svc support and options
+ - MQTT
diff --git a/docs/FAQ b/docs/FAQ
index d1a8a1f..53f1c9e 100644
--- a/docs/FAQ
+++ b/docs/FAQ
@@ -30,7 +30,6 @@
   2.2 Does curl work/build with other SSL libraries?
   2.3 Where can I find a copy of LIBEAY32.DLL?
   2.4 Does curl support SOCKS (RFC 1928) ?
-  2.5 Install libcurl for both 32bit and 64bit?
 
  3. Usage Problems
   3.1 curl: (1) SSL is disabled, https: not supported
@@ -44,8 +43,8 @@
   3.9 How do I use curl in my favorite programming language?
   3.10 What about SOAP, WebDAV, XML-RPC or similar protocols over HTTP?
   3.11 How do I POST with a different Content-Type?
-  3.12 Why do FTP specific features over HTTP proxy fail?
-  3.13 Why does my single/double quotes fail?
+  3.12 Why do FTP-specific features over HTTP proxy fail?
+  3.13 Why do my single/double quotes fail?
   3.14 Does curl support Javascript or PAC (automated proxy config)?
   3.15 Can I do recursive fetches with curl?
   3.16 What certificates do I need when I use SSL?
@@ -73,7 +72,7 @@
   4.8 I found a bug!
   4.9 Curl can't authenticate to the server that requires NTLM?
   4.10 My HTTP request using HEAD, PUT or DELETE doesn't work!
-  4.11 Why does my HTTP range requests return the full document?
+  4.11 Why do my HTTP range requests return the full document?
   4.12 Why do I get "certificate verify failed" ?
   4.13 Why is curl -R on Windows one hour off?
   4.14 Redirects work in browser but not with curl!
@@ -118,6 +117,7 @@
   7.1 What is PHP/CURL?
   7.2 Who wrote PHP/CURL?
   7.3 Can I perform multiple requests using the same handle?
+  7.4 Does PHP/CURL have dependencies?
 
 ==============================================================================
 
@@ -162,7 +162,7 @@
   We pronounce curl with an initial k sound. It rhymes with words like girl
   and earl. This is a short WAV file to help you:
 
-     http://media.merriam-webster.com/soundc11/c/curl0001.wav
+     https://media.merriam-webster.com/soundc11/c/curl0001.wav
 
   There are numerous sub-projects and related projects that also use the word
   curl in the project names in various combinations, but you should take
@@ -218,9 +218,9 @@
   very well at the side. Curl's output can be piped into another program or
   redirected to another file for the next program to interpret.
 
-  We focus on protocol related issues and improvements. If you wanna do more
+  We focus on protocol related issues and improvements. If you want to do more
   magic with the supported protocols than curl currently does, chances are good
-  we will agree. If you wanna add more protocols, we may very well agree.
+  we will agree. If you want to add more protocols, we may very well agree.
 
   If you want someone else to do all the work while you wait for us to
   implement it for you, that is not a very friendly attitude. We spend a
@@ -253,11 +253,10 @@
   any way by the project.
 
   We still get help from companies. Haxx provides web site, bandwidth, mailing
-  lists etc, sourceforge.net hosts project services we take advantage from,
-  like the bug tracker, and GitHub hosts the primary git repository at
-  https://github.com/curl/curl. Also again, some companies have sponsored
-  certain parts of the development in the past and I hope some will continue to
-  do so in the future.
+  lists etc, GitHub hosts the primary git repository and other services like
+  the bug tracker at https://github.com/curl/curl. Also again, some companies
+  have sponsored certain parts of the development in the past and I hope some
+  will continue to do so in the future.
 
   If you want to support our project, consider a donation or a banner-program
   or even better: by helping us with coding, documenting or testing etc.
@@ -324,7 +323,7 @@
 
   1.11 Why don't you update ca-bundle.crt
 
-  The ca cert bundle that used to be shipped with curl was very outdated and 
+  The ca cert bundle that used to be shipped with curl was very outdated and
   must be replaced with an up-to-date version by anyone who wants to verify
   peers. It is no longer provided by curl. The last curl release that ever
   shipped a ca cert bundle was curl 7.18.0.
@@ -366,11 +365,11 @@
   Comprehensible explanations of the meaning of such numbers and how to obtain
   them (resp.) are here
 
-  http://www.bis.doc.gov/licensing/exportingbasics.htm
-  http://www.bis.doc.gov/licensing/do_i_needaneccn.html
+  https://www.bis.doc.gov/licensing/exportingbasics.htm
+  https://www.bis.doc.gov/licensing/do_i_needaneccn.html
 
   An incomprehensible description of the two numbers above is here
-  http://www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf
+  https://www.bis.doc.gov/index.php/documents/new-encryption/1653-ccl5-pt2-3
 
   1.14 How do I submit my patch?
 
@@ -447,10 +446,10 @@
   backends.
 
   curl can be built to use one of the following SSL alternatives: OpenSSL,
-  GnuTLS, yassl, NSS, PolarSSL, axTLS, Secure Transport (native iOS/OS X),
-  WinSSL (native Windows) or GSKit (native IBM i). They all have their pros
-  and cons, and we try to maintain a comparison of them here:
-  https://curl.haxx.se/docs/ssl-compared.html
+  libressl, BoringSSL, GnuTLS, wolfSSL, NSS, mbedTLS, MesaLink, Secure
+  Transport (native iOS/OS X), Schannel (native Windows), GSKit (native IBM
+  i), or BearSSL. They all have their pros and cons, and we try to maintain a
+  comparison of them here: https://curl.haxx.se/docs/ssl-compared.html
 
   2.3 Where can I find a copy of LIBEAY32.DLL?
 
@@ -465,32 +464,6 @@
 
   Yes, SOCKS 4 and 5 are supported.
 
-  2.5 Install libcurl for both 32bit and 64bit?
-
-  In curl's configure procedure one of the regular include files gets created
-  with platform specific information. The file 'curl/curlbuild.h' in the
-  installed libcurl file tree is therefore somewhat tied to that particular
-  platform.
-
-  To allow applications to get built for either 32bit or 64bit you need to
-  install libcurl headers for both setups and unfortunately curl doesn't do
-  this automatically.
-
-  A commonly used procedure is this:
-
-     $ ./configure [32bit platform]
-     $ mv curl/curlbuild.h curl/curlbuild-32bit.h
-     $ ./configure [64bit platform]
-     $ mv curl/curlbuild.h curl/curlbuild-64bit.h
-
-  Then you make a toplevel curl/curlbuild.h replacement that only does this:
-
-     #ifdef IS_32BIT
-     #include "curlbuild-32bit.h"
-     else
-     #include "curlbuild-64bit.h"
-     #endif
-
 
 3. Usage problems
 
@@ -510,7 +483,7 @@
   and logs and check out why the configure script doesn't find the SSL libs
   and/or include files.
 
-  Also, check out the other paragraph in this FAQ labelled "configure doesn't
+  Also, check out the other paragraph in this FAQ labeled "configure doesn't
   find OpenSSL even when it is installed".
 
   3.2 How do I tell curl to resume a transfer?
@@ -520,13 +493,13 @@
 
   3.3 Why doesn't my posting using -F work?
 
-  You can't arbitrarily use -F or -d, the choice between -F or -d depends on the 
-  HTTP operation you need curl to do and what the web server that will receive 
-  your post expects. 
+  You can't arbitrarily use -F or -d, the choice between -F or -d depends on the
+  HTTP operation you need curl to do and what the web server that will receive
+  your post expects.
 
-  If the form you're trying to submit uses the type 'multipart/form-data', then 
-  and only then you must use the -F type. In all the most common cases, you 
-  should use -d which then causes a posting with the type 
+  If the form you're trying to submit uses the type 'multipart/form-data', then
+  and only then you must use the -F type. In all the most common cases, you
+  should use -d which then causes a posting with the type
   'application/x-www-form-urlencoded'.
 
   This is described in some detail in the MANUAL and TheArtOfHttpScripting
@@ -584,10 +557,9 @@
 
   3.9 How do I use curl in my favorite programming language?
 
-  There exist many language interfaces/bindings for curl that integrates it
-  better with various languages. If you are fluid in a script language, you
-  may very well opt to use such an interface instead of using the command line
-  tool.
+  Many programming languages have interfaces/bindings that allow you to use
+  curl without having to use the command line tool. If you are fluent in such
+  a language, you may prefer to use one of these interfaces instead.
 
   Find out more about which languages that support curl directly, and how to
   install and use them, in the libcurl section of the curl web site:
@@ -599,13 +571,14 @@
   about bindings on the curl-library list too, but be prepared that people on
   that list may not know anything about bindings.
 
-  In October 2009, there were interfaces available for the following
-  languages: Ada95, Basic, C, C++, Ch, Cocoa, D, Dylan, Eiffel, Euphoria,
-  Ferite, Gambas, glib/GTK+, Haskell, ILE/RPG, Java, Lisp, Lua, Mono, .NET,
-  Object-Pascal, OCaml, Pascal, Perl, PHP, PostgreSQL, Python, R, Rexx, Ruby,
-  Scheme, S-Lang, Smalltalk, SP-Forth, SPL, Tcl, Visual Basic, Visual FoxPro,
-  Q, wxwidgets and XBLite. By the time you read this, additional ones may have
-  appeared!
+  In February 2019, there were interfaces available for the following
+  languages: Ada95, Basic, C, C++, Ch, Cocoa, D, Delphi, Dylan, Eiffel,
+  Euphoria, Falcon, Ferite, Gambas, glib/GTK+, Go, Guile, Harbour, Haskell,
+  Java, Julia, Lisp, Lua, Mono, .NET, node.js, Object-Pascal, OCaml, Pascal,
+  Perl, PHP, PostgreSQL, Python, R, Rexx, Ring, RPG, Ruby, Rust, Scheme,
+  Scilab, S-Lang, Smalltalk, SP-Forth, SPL, Tcl, Visual Basic, Visual FoxPro,
+  Q, wxwidgets, XBLite and Xoho. By the time you read this, additional ones
+  may have appeared!
 
   3.10 What about SOAP, WebDAV, XML-RPC or similar protocols over HTTP?
 
@@ -624,11 +597,11 @@
 
         curl -d "datatopost" -H "Content-Type: text/xml" [URL]
 
-  3.12 Why do FTP specific features over HTTP proxy fail?
+  3.12 Why do FTP-specific features over HTTP proxy fail?
 
   Because when you use a HTTP proxy, the protocol spoken on the network will
   be HTTP, even if you specify a FTP URL. This effectively means that you
-  normally can't use FTP specific features such as FTP upload and FTP quote
+  normally can't use FTP-specific features such as FTP upload and FTP quote
   etc.
 
   There is one exception to this rule, and that is if you can "tunnel through"
@@ -636,7 +609,7 @@
   and is generally not available as proxy admins usually disable tunneling to
   ports other than 443 (which is used for HTTPS access through proxies).
 
-  3.13 Why does my single/double quotes fail?
+  3.13 Why do my single/double quotes fail?
 
   To specify a command line option that includes spaces, you might need to
   put the entire option within quotes. Like in:
@@ -699,8 +672,8 @@
 
   CLIENT CERTIFICATE
 
-  The server you communicate with may require that you can provide this in 
-  order to prove that you actually are who you claim to be.  If the server 
+  The server you communicate with may require that you can provide this in
+  order to prove that you actually are who you claim to be.  If the server
   doesn't require this, you don't need a client certificate.
 
   A client certificate is always used together with a private key, and the
@@ -772,7 +745,7 @@
   directory, you get the actual root directory.
 
   To specify a file in your user's home directory, you need to use the correct
-  URL syntax which for sftp might look similar to:
+  URL syntax which for SFTP might look similar to:
 
     curl -O -u user:password sftp://example.com/~/file.txt
 
@@ -900,7 +873,7 @@
 
     4.5.3 "403 Forbidden"
 
-    The server understood the request, but is refusing to fulfil it.
+    The server understood the request, but is refusing to fulfill it.
     Authorization will not help and the request SHOULD NOT be repeated.
 
     4.5.4 "404 Not Found"
@@ -921,7 +894,7 @@
        <H1>Moved Permanently</H1> The document has moved <A
        HREF="http://same_url_now_with_a_trailing_slash/">here</A>.
 
-    it might be because you request a directory URL but without the trailing
+    it might be because you requested a directory URL but without the trailing
     slash. Try the same operation again _with_ the trailing URL, or use the
     -L/--location option to follow the redirection.
 
@@ -952,8 +925,8 @@
   anyone would call security.
 
   Also note that regular HTTP (using Basic authentication) and FTP passwords
-  are sent in clear across the network. All it takes for anyone to fetch them
-  is to listen on the network.  Eavesdropping is very easy. Use more secure
+  are sent as cleartext across the network. All it takes for anyone to fetch
+  them is to listen on the network. Eavesdropping is very easy. Use more secure
   authentication methods (like Digest, Negotiate or even NTLM) or consider the
   SSL-based alternatives HTTPS and FTPS.
 
@@ -988,7 +961,7 @@
   software you're trying to interact with. This is not anything curl can do
   anything about.
 
-  4.11 Why does my HTTP range requests return the full document?
+  4.11 Why do my HTTP range requests return the full document?
 
   Because the range may not be supported by the server, or the server may
   choose to ignore it and return the full document anyway.
@@ -1024,7 +997,7 @@
   compilers or prior curl versions it may set a time that appears one hour off.
   This happens due to a flaw in how Windows stores and uses file modification
   times and it is not easily worked around. For more details read this:
-  http://www.codeproject.com/datetime/dstbugs.asp
+  https://www.codeproject.com/Articles/1144/Beating-the-Daylight-Savings-Time-bug-and-getting
 
   4.14 Redirects work in browser but not with curl!
 
@@ -1038,8 +1011,8 @@
   redirects the browser to another given URL.
 
   There is no way to make curl follow these redirects. You must either
-  manually figure out what the page is set to do, or you write a script that
-  parses the results and fetches the new URL.
+  manually figure out what the page is set to do, or write a script that parses
+  the results and fetches the new URL.
 
   4.15 FTPS doesn't work
 
@@ -1051,7 +1024,7 @@
   speak SSL. FTPS:// connections default to port 990.
 
   To use explicit FTPS, you use a FTP:// URL and the --ftp-ssl option (or one
-  of its related flavours). This is the most common method, and the one
+  of its related flavors). This is the most common method, and the one
   mandated by RFC4217. This kind of connection will then of course use the
   standard FTP port 21 by default.
 
@@ -1142,7 +1115,7 @@
   an embedded device with only a single network connection) may want to act
   immediately if its lone network connection goes down.  That can be achieved
   by having the application monitor the network connection on its own using an
-  OS-specific mechanism, then signalling libcurl to abort (see also item 5.13).
+  OS-specific mechanism, then signaling libcurl to abort (see also item 5.13).
 
   4.20 curl doesn't return error for HTTP non-200 responses!
 
@@ -1176,7 +1149,7 @@
   The reason for this is that we first generate the request to send using the
   old 1.1 style and show that request in the verbose output, and then we
   convert it over to the binary header-compressed HTTP/2 style. The actual
-  "1.1" part from that request is then not actually used in the transfer. 
+  "1.1" part from that request is then not actually used in the transfer.
   The binary HTTP/2 headers are not human readable.
 
 5. libcurl Issues
@@ -1259,9 +1232,9 @@
   libcurl will reuse connections for all transfers that are made using the
   same libcurl handle.
 
-  When you use the easy interface the connection cache is kept within the easy 
-  handle. If you instead use the multi interface, the connection cache will be 
-  kept within the multi handle and will be shared among all the easy handles 
+  When you use the easy interface the connection cache is kept within the easy
+  handle. If you instead use the multi interface, the connection cache will be
+  kept within the multi handle and will be shared among all the easy handles
   that are used within the same multi handle.
 
   5.7 Link errors when building libcurl on Windows!
@@ -1321,7 +1294,7 @@
   you want to change name resolver function you must rebuild libcurl and tell
   it to use a different function.
 
-  - The non-IPv6 resolver that can use one of four different host name resolve 
+  - The non-IPv6 resolver that can use one of four different host name resolve
   calls (depending on what your system supports):
 
       A - gethostbyname()
@@ -1444,7 +1417,7 @@
   timed out.
 
   The most flexible way is by writing your own time-out logic and using
-  CURLOPT_PROGRESSFUNCTION (perhaps in combination with other callbacks) and
+  CURLOPT_XFERINFOFUNCTION (perhaps in combination with other callbacks) and
   use that to figure out exactly when the right condition is met when the
   transfer should get stopped.
 
diff --git a/docs/FEATURES b/docs/FEATURES
index 24fa56d..1d23fcc 100644
--- a/docs/FEATURES
+++ b/docs/FEATURES
@@ -180,12 +180,14 @@
  - explicit "STARTTLS" usage to "upgrade" plain imap:// connections to use SSL
  - via http-proxy
 
+MQTT
+ - Subscribe to and publish topics using url scheme mqtt://broker/topic
+
 FOOTNOTES
 =========
 
-  *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native
-       Windows), Secure Transport (native iOS/OS X) or GSKit (native IBM i)
-  *2 = requires OpenLDAP
+  *1 = requires a TLS library
+  *2 = requires OpenLDAP or WinLDAP
   *3 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) or
        SSPI (native Windows)
   *4 = requires a GSS-API implementation, however, only Windows SSPI is
@@ -197,8 +199,7 @@
   *8 = requires libssh2
   *9 = requires OpenSSL, GnuTLS, mbedTLS, NSS, yassl, Secure Transport or SSPI
        (native Windows)
-  *10 = requires any of the SSL libraries in (*1) above other than axTLS, which
-        does not support SSLv3
+  *10 = requires an SSL library that supports SSLv3
   *11 = requires libidn or Windows
   *12 = requires libz
   *13 = requires libmetalink, and either an Apple or Microsoft operating
diff --git a/docs/GOVERNANCE.md b/docs/GOVERNANCE.md
new file mode 100644
index 0000000..8174717
--- /dev/null
+++ b/docs/GOVERNANCE.md
@@ -0,0 +1,167 @@
+# Decision making in the curl project
+
+A rough guide to how we make decisions and who does what.
+
+## BDFL
+
+This project was started by and has to some extent been pushed forward over
+the years with Daniel Stenberg as the driving force. It matches a standard
+BDFL (Benevolent Dictator For Life) style project.
+
+This setup has been used due to convenience and the fact that is has worked
+fine this far. It is not because someone thinks of it as a superior project
+leadership model. It will also only continue working as long as Daniel manages
+to listen in to what the project and the general user population wants and
+expects from us.
+
+## Legal entity
+
+There is no legal entity. The curl project is just a bunch of people scattered
+around the globe with the common goal to produce source code that creates
+great products. We are not part of any umbrella organization and we are not
+located in any specific country. We are totally independent.
+
+The copyrights in the project are owned by the individuals and organizations
+that wrote those parts of the code.
+
+## Decisions
+
+The curl project is not a democracy, but everyone is entitled to state their
+opinion and may argue for their sake within the community.
+
+All and any changes that have been done or will be done are eligible to bring
+up for discussion, to object to or to praise. Ideally, we find consensus for
+the appropriate way forward in any given situation or challenge.
+
+If there is no obvious consensus, a maintainer who's knowledgeable in the
+specific area will take an "executive" decision that they think is the right
+for the project.
+
+## Donations
+
+Donating plain money to curl is best done to curl's [Open Collective
+fund](https://opencollective.com/curl). Open Collective is a US based
+non-profit organization that holds on to funds for us. This fund is then used
+for paying the curl security bug bounties, to reimburse project related
+expenses etc.
+
+Donations to the project can also come in form of server hosting, providing
+services and paying for people to work on curl related code etc. Usually, such
+donations are services paid for directly by the sponsors.
+
+We grade sponsors in a few different levels and if they meet the criterias,
+they can be mentioned on the Sponsors page on the curl web site.
+
+## Commercial Support
+
+The curl project does not do or offer commercial support. It only hosts
+mailing lists, runs bug trackers etc to facilitate communication and work.
+
+However, Daniel works for wolfSSL and we offer commercial curl support there.
+
+## Key roles
+
+### Maintainers
+
+A maintainer in the curl project is an individual who has been given
+permissions to push commits to one of the git repositories.
+
+Maintainers are free to push commits to the repositories at their own will.
+Maintainers are however expected to listen to feedback from users and any
+change that is non-trivial in size or nature *should* be brought to the
+project as a PR to allow others to comment/object before merge.
+
+### Former maintainers
+
+A maintainer who stops being active in the project will at some point get
+their push permissions removed. We do this for security reasons but also to
+make sure that we always have the list of maintainers as "the team that push
+stuff to curl".
+
+Getting push permissions removed is not a punishment. Everyone who ever worked
+on maintaining curl is considered a hero, for all time hereafter.
+
+### Security team members
+
+We have a security team. That's the team of people who are subscribed to the
+curl-security mailing list; the receivers of security reports from users and
+developers. This list of people will vary over time but should be skilled
+developers familiar with the curl project.
+
+The security team works best when it consists of a small set of active
+persons. We invite new members when the team seems to need it, and we also
+expect to retire security team members as they "drift off" from the project or
+just find themselves unable to perform their duties there.
+
+### Server admins
+
+We run a web server, a mailing list and more on the curl project's primary
+server. That physical machine is owned and run by Haxx. Daniel is the primary
+admin of all things curl related server stuff, but Björn Stenberg and Linus
+Feltzing serve as backup admins for when Daniel is gone or unable.
+
+The primary server is paid for by Haxx. The machine is physically located in a
+server bunker in Stockholm Sweden, operated by the company Portlane.
+
+The web site contents are served to the web via Fastly and Daniel is the
+primary curl contact with Fastly.
+
+### BDFL
+
+That's Daniel.
+
+# Maintainers
+
+A curl maintainer is a project volunteer who has the authority and rights to
+merge changes into a git repository in the curl project.
+
+Anyone can aspire to become a curl maintainer.
+
+### Duties
+
+There are no mandatory duties. We hope and wish that maintainers consider
+reviewing patches and help merging them, especially when the changes are
+within the area of personal expertise and experience.
+
+### Requirements
+
+- only merge code that meets our quality and style guide requirements.
+- *never* merge code without doing a PR first, unless the change is "trivial"
+- if in doubt, ask for input/feedback from others
+
+### Recommendations
+
+- we require two-factor authentication enabled on your github account to
+  reduce risk of malicious source code tampering
+- consider enabling signed git commits for additional verification of changes
+
+### Merge advice
+
+When you're merging patches/PRs...
+
+- make sure the commit messages follow our template
+- squash patch sets into a few logical commits even if the PR didn't, if
+  necessary
+- avoid the "merge" button on github, do it "manually" instead to get full
+  control and full audit trail (github leaves out you as "Committer:")
+- remember to credit the reporter and the helpers!
+
+## Who are maintainers?
+
+The [list of maintainers](https://github.com/orgs/curl/people). Be aware that
+the level of presence and activity in the project vary greatly between
+different individuals and over time.
+
+### Become a maintainer?
+
+If you think you can help making the project better by shouldering some
+maintaining responsibilities, then please get in touch.
+
+You will be expected to be familiar with the curl project and its ways of
+working. You need to have gotten a few quality patches merged as a proof of
+this.
+
+### Stop being a maintainer
+
+If you (appear to) not be active in the project anymore, you may be removed as
+a maintainer. Thank you for your service!
diff --git a/docs/HELP-US.md b/docs/HELP-US.md
new file mode 100644
index 0000000..aae2b9f
--- /dev/null
+++ b/docs/HELP-US.md
@@ -0,0 +1,70 @@
+# How to get started helping out in the curl project
+
+We are always in need of more help. If you are new to the project and are
+looking for ways to contribute and help out, this document aims to give a few
+good starting points.
+
+A good idea is to start by subscribing to the [curl-library mailing
+list](https://cool.haxx.se/mailman/listinfo/curl-library) to keep track of the
+current discussion topics.
+
+## Scratch your own itch
+
+One of the best ways is to start working on any problems or issues you have
+found yourself or perhaps got annoyed at in the past. It can be a spelling
+error in an error text or a weirdly phrased section in a man page. Hunt it
+down and report the bug. Or make your first pull request with a fix for that.
+
+## Help wanted
+
+In the issue tracker we occasionally mark bugs with [help
+wanted](https://github.com/curl/curl/labels/help%20wanted), as a sign that the
+bug is acknowledged to exist and that there's nobody known to work on this
+issue for the moment. Those are bugs that are fine to "grab" and provide a
+pull request for. The complexity level of these will of course vary, so pick
+one that piques your interest.
+
+## Work on known bugs
+
+Some bugs are known and haven't yet received attention and work enough to get
+fixed. We collect such known existing flaws in the
+[KNOWN_BUGS](https://curl.haxx.se/docs/knownbugs.html) page. Many of them link
+to the original bug report with some additional details, but some may also
+have aged a bit and may require some verification that the bug still exists in
+the same way and that what was said about it in the past is still valid.
+
+## Fix autobuild problems
+
+On the [autobuilds page](https://curl.haxx.se/dev/builds.html) we show a
+collection of test results from the automatic curl build and tests that are
+performed by volunteers. Fixing compiler warnings and errors shown there is
+something we value greatly. Also, if you own or run systems or architectures
+that aren't already tested in the autobuilds, we also appreciate more
+volunteers running builds automatically to help us keep curl portable.
+
+## TODO items
+
+Ideas for features and functions that we have considered worthwhile to
+implement and provide are kept in the
+[TODO](https://curl.haxx.se/docs/todo.html) file. Some of the ideas are
+rough. Some are well thought out. Some probably aren't really suitable
+anymore.
+
+Before you invest a lot of time on a TODO item, do bring it up for discussion
+on the mailing list. For discussion on applicability but also for ideas and
+brainstorming on specific ways to do the implementation etc.
+
+## You decide
+
+You can also come up with a completely new thing you think we should do. Or
+not do. Or fix. Or add to the project. You then either bring it to the mailing
+list first to see if people will shoot down the idea at once, or you bring a
+first draft of the idea as a pull request and take the discussion there around
+the specific implementation. Either way is fine.
+
+## CONTRIBUTE
+
+We offer [guidelines](https://curl.haxx.se/dev/contribute.html) that are
+suitable to be familiar with before you decide to contribute to curl. If
+you're used to open source development, you'll probably not find many
+surprises in there.
diff --git a/docs/HISTORY.md b/docs/HISTORY.md
index 551e7d2..a628d05 100644
--- a/docs/HISTORY.md
+++ b/docs/HISTORY.md
@@ -218,6 +218,8 @@
 
 March: security vulnerability: libcurl Arbitrary File Access
 
+April: added CMake support
+
 August: security vulnerability: libcurl embedded zero in cert name
 
 December: Added support for IMAP, POP3 and SMTP
@@ -247,6 +249,13 @@
 
  Gopher support added (re-added actually, see January 2006)
 
+2011
+----
+
+February: added support for the axTLS backend
+
+April: added the cyassl backend (later renamed to WolfSSL)
+
 2012
 ----
 
@@ -275,3 +284,76 @@
  March: first real release supporting HTTP/2
 
  September: Web site had 245,000 unique visitors and served 236GB data
+
+ SMB and SMBS support
+
+2015
+----
+
+ June: support for multiplexing with HTTP/2
+
+ August: support for HTTP/2 server push
+
+ December: Public Suffix List
+
+2016
+----
+
+ January: the curl tool defaults to HTTP/2 for HTTPS URLs
+
+ December: curl 7.52.0 introduced support for HTTPS-proxy!
+
+ First TLS 1.3 support
+
+2017
+----
+
+ July: OSS-Fuzz started fuzzing libcurl
+
+ September: Added Multi-SSL support
+
+ The web site serves 3100 GB/month
+
+    Public curl releases:         169
+    Command line options:         211
+    curl_easy_setopt() options:   249
+    Public functions in libcurl:  74
+    Contributors:                 1609
+
+ October: SSLKEYLOGFILE support, new MIME API
+
+ November: brotli
+
+2018
+----
+
+ January: new SSH backend powered by libssh
+
+ March: starting with the 1803 release of Windows 10, curl is shipped bundled
+ with Microsoft's operating system.
+
+ July: curl shows headers using bold type face
+
+ October: added DNS-over-HTTPS (DoH) and the URL API
+
+ MesaLink is a new supported TLS backend
+
+ libcurl now does HTTP/2 (and multiplexing) by default on HTTPS URLs
+
+ curl and libcurl are installed in an estimated 5 *billion* instances
+ world-wide.
+
+ October 31: Curl and libcurl 7.62.0
+
+    Public curl releases:         177
+    Command line options:         219
+    curl_easy_setopt() options:   261
+    Public functions in libcurl:  80
+    Contributors:                 1808
+
+2019
+----
+
+ August: the first HTTP/3 requests with curl.
+
+ September: 7.66.0 is released and the tool offers parallel downloads
diff --git a/docs/HTTP-COOKIES.md b/docs/HTTP-COOKIES.md
index a1b2834..31af9f6 100644
--- a/docs/HTTP-COOKIES.md
+++ b/docs/HTTP-COOKIES.md
@@ -18,7 +18,16 @@
   original [Netscape spec from 1994](https://curl.haxx.se/rfc/cookie_spec.html).
 
   In 2011, [RFC6265](https://www.ietf.org/rfc/rfc6265.txt) was finally
-  published and details how cookies work within HTTP.
+  published and details how cookies work within HTTP. In 2016, an update which
+  added support for prefixes was
+  [proposed](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00),
+  and in 2017, another update was
+  [drafted](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01)
+  to deprecate modification of 'secure' cookies from non-secure origins. Both
+  of these drafts have been incorporated into a proposal to
+  [replace](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02)
+  RFC6265. Cookie prefixes and secure cookie modification protection has been
+  implemented by curl.
 
 ## Cookies saved to disk
 
@@ -34,6 +43,27 @@
   When libcurl saves a cookiejar, it creates a file header of its own in which
   there is a URL mention that will link to the web version of this document.
 
+## Cookie file format
+
+  The cookie file format is text based and stores one cookie per line. Lines
+  that start with `#` are treated as comments.
+
+  Each line that each specifies a single cookie consists of seven text fields
+  separated with TAB characters. A valid line must end with a newline
+  character.
+
+### Fields in the file
+
+  Field number, what type and example data and the meaning of it:
+
+  0. string `example.com` - the domain name
+  1. boolean `FALSE` - include subdomains
+  2. string `/foobar/` - path
+  3. boolean `TRUE` - send/receive over HTTPS only
+  4. number `1462299217` - expires at - seconds since Jan 1st 1970, or 0
+  5. string `person` - name of the cookie
+  6. string `daniel` - value of the cookie
+
 ## Cookies with curl the command line tool
 
   curl has a full cookie "engine" built in. If you just activate it, you can
diff --git a/docs/HTTP2.md b/docs/HTTP2.md
index efbe699..4c72a29 100644
--- a/docs/HTTP2.md
+++ b/docs/HTTP2.md
@@ -7,7 +7,7 @@
 Build prerequisites
 -------------------
   - nghttp2
-  - OpenSSL, libressl, BoringSSL, NSS, GnutTLS, mbedTLS, wolfSSL or SChannel
+  - OpenSSL, libressl, BoringSSL, NSS, GnutTLS, mbedTLS, wolfSSL or Schannel
     with a new enough version.
 
 [nghttp2](https://nghttp2.org/)
@@ -18,7 +18,7 @@
 than HTTP/1.1 (which we implement on our own) and that nghttp2 is an already
 existing and well functional library.
 
-We require at least version 1.0.0.
+We require at least version 1.12.0.
 
 Over an http:// URL
 -------------------
@@ -55,14 +55,15 @@
 backends. You may need a fairly updated SSL library version for it to provide
 the necessary TLS features. Right now we support:
 
-  - OpenSSL:   ALPN and NPN
-  - libressl:  ALPN and NPN
-  - BoringSSL: ALPN and NPN
-  - NSS:       ALPN and NPN
-  - GnuTLS:    ALPN
-  - mbedTLS:   ALPN
-  - SChannel:  ALPN
-  - wolfSSL:   ALPN
+  - OpenSSL:          ALPN and NPN
+  - libressl:         ALPN and NPN
+  - BoringSSL:        ALPN and NPN
+  - NSS:              ALPN and NPN
+  - GnuTLS:           ALPN
+  - mbedTLS:          ALPN
+  - Schannel:         ALPN
+  - wolfSSL:          ALPN
+  - Secure Transport: ALPN
 
 Multiplexing
 ------------
diff --git a/docs/HTTP3.md b/docs/HTTP3.md
new file mode 100644
index 0000000..2769439
--- /dev/null
+++ b/docs/HTTP3.md
@@ -0,0 +1,155 @@
+# HTTP3 (and QUIC)
+
+## Resources
+
+[HTTP/3 Explained](https://daniel.haxx.se/http3-explained/) - the online free
+book describing the protocols involved.
+
+[QUIC implementation](https://github.com/curl/curl/wiki/QUIC-implementation) -
+the wiki page describing the plan for how to support QUIC and HTTP/3 in curl
+and libcurl.
+
+[quicwg.org](https://quicwg.org/) - home of the official protocol drafts
+
+## QUIC libraries
+
+QUIC libraries we're experimenting with:
+
+[ngtcp2](https://github.com/ngtcp2/ngtcp2)
+
+[quiche](https://github.com/cloudflare/quiche)
+
+## Experimental!
+
+HTTP/3 and QUIC support in curl is considered **EXPERIMENTAL** until further
+notice. It needs to be enabled at build-time.
+
+Further development and tweaking of the HTTP/3 support in curl will happen in
+in the master branch using pull-requests, just like ordinary changes.
+
+# ngtcp2 version
+
+## Build with OpenSSL
+
+Build (patched) OpenSSL
+
+     % git clone --depth 1 -b OpenSSL_1_1_1d-quic-draft-27 https://github.com/tatsuhiro-t/openssl
+     % cd openssl
+     % ./config enable-tls1_3 --prefix=<somewhere1>
+     % make
+     % make install_sw
+
+Build nghttp3
+
+     % cd ..
+     % git clone https://github.com/ngtcp2/nghttp3
+     % cd nghttp3
+     % autoreconf -i
+     % ./configure --prefix=<somewhere2> --enable-lib-only
+     % make
+     % make install
+
+Build ngtcp2
+
+     % cd ..
+     % git clone https://github.com/ngtcp2/ngtcp2
+     % cd ngtcp2
+     % autoreconf -i
+     % ./configure PKG_CONFIG_PATH=<somewhere1>/lib/pkgconfig:<somewhere2>/lib/pkgconfig LDFLAGS="-Wl,-rpath,<somewhere1>/lib" --prefix=<somewhere3>
+     % make
+     % make install
+
+Build curl
+
+     % cd ..
+     % git clone https://github.com/curl/curl
+     % cd curl
+     % ./buildconf
+     % LDFLAGS="-Wl,-rpath,<somewhere1>/lib" ./configure --with-ssl=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3> --enable-alt-svc
+     % make
+
+## Build with GnuTLS
+
+Build (patched) GnuTLS
+
+     % git clone --depth 1 -b tmp-quic https://gitlab.com/gnutls/gnutls.git
+     % cd gnutls
+     % ./bootstrap
+     % ./configure --disable-doc --prefix=<somewhere1>
+     % make
+     % make install
+
+Build nghttp3
+
+     % cd ..
+     % git clone https://github.com/ngtcp2/nghttp3
+     % cd nghttp3
+     % autoreconf -i
+     % ./configure --prefix=<somewhere2> --enable-lib-only
+     % make
+     % make install
+
+Build ngtcp2
+
+     % cd ..
+     % git clone https://github.com/ngtcp2/ngtcp2
+     % cd ngtcp2
+     % autoreconf -i
+     % ./configure PKG_CONFIG_PATH=<somewhere1>/lib/pkgconfig:<somewhere2>/lib/pkgconfig LDFLAGS="-Wl,-rpath,<somewhere1>/lib" --prefix=<somewhere3>
+     % make
+     % make install
+
+Build curl
+
+     % cd ..
+     % git clone https://github.com/curl/curl
+     % cd curl
+     % ./buildconf
+     % ./configure --without-ssl --with-gnutls=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3> --enable-alt-svc
+     % make
+
+# quiche version
+
+## build
+
+Clone quiche and BoringSSL:
+
+     % git clone --recursive https://github.com/cloudflare/quiche
+
+Build BoringSSL (it needs to be built manually so it can be reused with curl):
+
+     % cd quiche/deps/boringssl
+     % mkdir build
+     % cd build
+     % cmake -DCMAKE_POSITION_INDEPENDENT_CODE=on ..
+     % make
+     % cd ..
+     % mkdir -p .openssl/lib
+     % cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib
+     % ln -s $PWD/include .openssl
+
+Build quiche:
+
+     % cd ../..
+     % QUICHE_BSSL_PATH=$PWD/deps/boringssl cargo build --release --features pkg-config-meta
+
+Build curl:
+
+     % cd ..
+     % git clone https://github.com/curl/curl
+     % cd curl
+     % ./buildconf
+     % ./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-ssl=$PWD/../quiche/deps/boringssl/.openssl --with-quiche=$PWD/../quiche/target/release --enable-alt-svc
+     % make
+
+## Run
+
+Use HTTP/3 directly:
+
+    curl --http3 https://nghttp2.org:8443/
+
+Upgrade via Alt-Svc:
+
+    curl --alt-svc altsvc.cache https://quic.aiortc.org/
+
+See this [list of public HTTP/3 servers](https://bagder.github.io/HTTP3-test/)
diff --git a/docs/INSTALL.cmake b/docs/INSTALL.cmake
index 9c5c2d9..03328cb 100644
--- a/docs/INSTALL.cmake
+++ b/docs/INSTALL.cmake
@@ -26,7 +26,7 @@
    - Builds libcurl without large file support
    - Does not support all SSL libraries (only OpenSSL, WinSSL, DarwinSSL, and
      mbed TLS)
-   - Doesn't build with SCP and SFTP support (libssh2)
+   - Doesn't build with SCP and SFTP support (libssh2) (see issue #1155)
    - Doesn't allow different resolver backends (no c-ares build support)
    - No RTMP support built
    - Doesn't allow build curl and libcurl debug enabled
@@ -34,19 +34,9 @@
    - Doesn't allow you to disable specific protocols from the build
    - Doesn't find or use krb4 or GSS
    - Rebuilds test files too eagerly, but still can't run the tests
+   - Doesn't detect the correct strerror_r flavor when cross-compiling (issue #1123)
 
 
-Important notice
-==================
-   If you got your curl sources from a distribution tarball, make sure to
-   delete the generic 'include/curl/curlbuild.h' file that comes with it:
-       rm -f curl/include/curl/curlbuild.h
-
-   The purpose of this file is to provide reasonable definitions for systems
-   where autoconfiguration is not available. CMake will create its own
-   version of this file in its build directory. If the "generic" version
-   is not deleted, weird build errors may occur on some systems.
-
 Command Line CMake
 ==================
    A CMake build of curl is similar to the autotools build of curl. It
@@ -98,4 +88,3 @@
         GUI.  Once you have selected all the options you want, click the
         "Generate" button.
         6. Run the native build tool that you used CMake to generate.
-
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index ff56600..63d4142 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -7,6 +7,18 @@
 package. This document describes how to compile, build and install curl and
 libcurl from source code.
 
+## Building using vcpkg
+
+You can download and install curl and libcurl using the [vcpkg](https://github.com/Microsoft/vcpkg/) dependency manager:
+
+    git clone https://github.com/Microsoft/vcpkg.git
+    cd vcpkg
+    ./bootstrap-vcpkg.sh
+    ./vcpkg integrate install
+    vcpkg install curl[tool]
+
+The curl port in vcpkg is kept up to date by Microsoft team members and community contributors. If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
+
 ## Building from git
 
 If you get your code off a git repository instead of a release tarball, see
@@ -45,26 +57,26 @@
 The configure script always tries to find a working SSL library unless
 explicitly told not to. If you have OpenSSL installed in the default search
 path for your compiler/linker, you don't need to do anything special. If you
-have OpenSSL installed in /usr/local/ssl, you can run configure like:
+have OpenSSL installed in `/usr/local/ssl`, you can run configure like:
 
     ./configure --with-ssl
 
-If you have OpenSSL installed somewhere else (for example, /opt/OpenSSL) and
+If you have OpenSSL installed somewhere else (for example, `/opt/OpenSSL`) and
 you have pkg-config installed, set the pkg-config path first, like this:
 
     env PKG_CONFIG_PATH=/opt/OpenSSL/lib/pkgconfig ./configure --with-ssl
 
 Without pkg-config installed, use this:
 
-   ./configure --with-ssl=/opt/OpenSSL
+    ./configure --with-ssl=/opt/OpenSSL
 
 If you insist on forcing a build without SSL support, even though you may
 have OpenSSL installed in your system, you can run configure like this:
 
-   ./configure --without-ssl
+    ./configure --without-ssl
 
 If you have OpenSSL installed, but with the libraries in one place and the
-header files somewhere else, you have to set the LDFLAGS and CPPFLAGS
+header files somewhere else, you have to set the `LDFLAGS` and `CPPFLAGS`
 environment variables prior to running configure.  Something like this should
 work:
 
@@ -72,10 +84,9 @@
 
 If you have shared SSL libs installed in a directory where your run-time
 linker doesn't find them (which usually causes configure failures), you can
-provide the -R option to ld on some operating systems to set a hard-coded
-path to the run-time linker:
+provide this option to gcc to set a hard-coded path to the run-time linker:
 
-    LDFLAGS=-R/usr/local/ssl/lib ./configure --with-ssl
+    LDFLAGS=-Wl,-R/usr/local/ssl/lib ./configure --with-ssl
 
 ## More Options
 
@@ -102,13 +113,13 @@
 libressl.
 
  - GnuTLS: `--without-ssl --with-gnutls`.
- - Cyassl: `--without-ssl --with-cyassl`
+ - wolfSSL: `--without-ssl --with-wolfssl`
  - NSS: `--without-ssl --with-nss`
- - PolarSSL: `--without-ssl --with-polarssl`
  - mbedTLS: `--without-ssl --with-mbedtls`
- - axTLS: `--without-ssl --with-axtls`
- - schannel: `--without-ssl --with-winssl`
- - secure transport: `--with-winssl --with-darwinssl`
+ - schannel: `--without-ssl --with-schannel`
+ - secure transport: `--without-ssl --with-secure-transport`
+ - MesaLink: `--without-ssl --with-mesalink`
+ - BearSSL: `--without-ssl --with-bearssl`
 
 # Windows
 
@@ -122,9 +133,9 @@
  KB140584 is a must for any Windows developer. Especially important is full
  understanding if you are not going to follow the advice given above.
 
- - [How To Use the C Run-Time](https://support.microsoft.com/kb/94248/en-us)
- - [How to link with the correct C Run-Time CRT library](https://support.microsoft.com/kb/140584/en-us)
- - [Potential Errors Passing CRT Objects Across DLL Boundaries](https://msdn.microsoft.com/en-us/library/ms235460)
+ - [How To Use the C Run-Time](https://support.microsoft.com/help/94248/how-to-use-the-c-run-time)
+ - [Run-Time Library Compiler Options](https://docs.microsoft.com/cpp/build/reference/md-mt-ld-use-run-time-library)
+ - [Potential Errors Passing CRT Objects Across DLL Boundaries](https://docs.microsoft.com/cpp/c-runtime-library/potential-errors-passing-crt-objects-across-dll-boundaries)
 
 If your app is misbehaving in some strange way, or it is suffering from
 memory corruption, before asking for further help, please try first to
@@ -149,7 +160,7 @@
    and SSPI support.
 
 If you have any problems linking libraries or finding header files, be sure
-to verify that the provided "Makefile.m32" files use the proper paths, and
+to verify that the provided `Makefile.m32` files use the proper paths, and
 adjust as necessary. It is also possible to override these paths with
 environment variables, for example:
 
@@ -173,81 +184,25 @@
 ## Cygwin
 
 Almost identical to the unix installation. Run the configure script in the
-curl source tree root with `sh configure`. Make sure you have the sh
-executable in /bin/ or you'll see the configure fail toward the end.
+curl source tree root with `sh configure`. Make sure you have the `sh`
+executable in `/bin/` or you'll see the configure fail toward the end.
 
 Run `make`
 
-## Borland C++ compiler
-
-Ensure that your build environment is properly set up to use the compiler and
-associated tools. PATH environment variable must include the path to bin
-subdirectory of your compiler installation, eg: `c:\Borland\BCC55\bin`
-
-It is advisable to set environment variable BCCDIR to the base path of the
-compiler installation.
-
-    set BCCDIR=c:\Borland\BCC55
-
-In order to build a plain vanilla version of curl and libcurl run the
-following command from curl's root directory:
-
-    make borland
-
-To build curl and libcurl with zlib and OpenSSL support set environment
-variables `ZLIB_PATH` and `OPENSSL_PATH` to the base subdirectories of the
-already built zlib and OpenSSL libraries and from curl's root directory run
-command:
-
-    make borland-ssl-zlib
-
-libcurl library will be built in 'lib' subdirectory while curl tool is built
-in 'src' subdirectory. In order to use libcurl library it is advisable to
-modify compiler's configuration file bcc32.cfg located in
-`c:\Borland\BCC55\bin` to reflect the location of libraries include paths for
-example the '-I' line could result in something like:
-
-    -I"c:\Borland\BCC55\include;c:\curl\include;c:\openssl\inc32"
-
-bcc3.cfg `-L` line could also be modified to reflect the location of of
-libcurl library resulting for example:
-
-    -L"c:\Borland\BCC55\lib;c:\curl\lib;c:\openssl\out32"
-
-In order to build sample program `simple.c` from the docs\examples
-subdirectory run following command from mentioned subdirectory:
-
-    bcc32 simple.c libcurl.lib cw32mt.lib
-
-In order to build sample program simplessl.c an SSL enabled libcurl is
-required, as well as the OpenSSL libeay32.lib and ssleay32.lib libraries.
-
 ## Disabling Specific Protocols in Windows builds
 
 The configure utility, unfortunately, is not available for the Windows
 environment, therefore, you cannot use the various disable-protocol options of
 the configure utility on this platform.
 
-However, you can use the following defines to disable specific
-protocols:
-
- - `HTTP_ONLY`             disables all protocols except HTTP
- - `CURL_DISABLE_FTP`      disables FTP
- - `CURL_DISABLE_LDAP`     disables LDAP
- - `CURL_DISABLE_TELNET`   disables TELNET
- - `CURL_DISABLE_DICT`     disables DICT
- - `CURL_DISABLE_FILE`     disables FILE
- - `CURL_DISABLE_TFTP`     disables TFTP
- - `CURL_DISABLE_HTTP`     disables HTTP
- - `CURL_DISABLE_IMAP`     disables IMAP
- - `CURL_DISABLE_POP3`     disables POP3
- - `CURL_DISABLE_SMTP`     disables SMTP
+You can use specific defines to disable specific protocols and features. See
+[CURL-DISABLE.md](CURL-DISABLE-md) for the full list.
 
 If you want to set any of these defines you have the following options:
 
- - Modify lib/config-win32.h
- - Modify lib/curl_setup.h
- - Modify winbuild/Makefile.vc
+ - Modify `lib/config-win32.h`
+ - Modify `lib/curl_setup.h`
+ - Modify `winbuild/Makefile.vc`
  - Modify the "Preprocessor Definitions" in the libcurl project
 
 Note: The pre-processor settings can be found using the Visual Studio IDE
@@ -258,12 +213,12 @@
 ## Using BSD-style lwIP instead of Winsock TCP/IP stack in Win32 builds
 
 In order to compile libcurl and curl using BSD-style lwIP TCP/IP stack it is
-necessary to make definition of preprocessor symbol USE_LWIPSOCK visible to
+necessary to make definition of preprocessor symbol `USE_LWIPSOCK` visible to
 libcurl and curl compilation processes. To set this definition you have the
 following alternatives:
 
- - Modify lib/config-win32.h and src/config-win32.h
- - Modify winbuild/Makefile.vc
+ - Modify `lib/config-win32.h` and `src/config-win32.h`
+ - Modify `winbuild/Makefile.vc`
  - Modify the "Preprocessor Definitions" in the libcurl project
 
 Note: The pre-processor settings can be found using the Visual Studio IDE
@@ -278,8 +233,8 @@
 `USE_LWIPSOCK` preprocessor definition which is for libcurl internals only.
 
 Compilation has been verified with [lwIP
-1.4.0](http://download.savannah.gnu.org/releases/lwip/lwip-1.4.0.zip) and
-[contrib-1.4.0](http://download.savannah.gnu.org/releases/lwip/contrib-1.4.0.zip).
+1.4.0](https://download.savannah.gnu.org/releases/lwip/lwip-1.4.0.zip) and
+[contrib-1.4.0](https://download.savannah.gnu.org/releases/lwip/contrib-1.4.0.zip).
 
 This BSD-style lwIP TCP/IP stack support must be considered experimental given
 that it has been verified that lwIP 1.4.0 still needs some polish, and libcurl
@@ -293,13 +248,13 @@
 
 ## Legacy Windows and SSL
 
-WinSSL (specifically SChannel from Windows SSPI), is the native SSL library in
-Windows. However, WinSSL in Windows <= XP is unable to connect to servers that
+Schannel (from Windows SSPI), is the native SSL library in Windows. However,
+Schannel in Windows <= XP is unable to connect to servers that
 no longer support the legacy handshakes and algorithms used by those
 versions. If you will be using curl in one of those earlier versions of
 Windows you should choose another SSL backend such as OpenSSL.
 
-# Apple iOS and Mac OS X
+# Apple iOS and macOS
 
 On modern Apple operating systems, curl can be built to use Apple's SSL/TLS
 implementation, Secure Transport, instead of OpenSSL. To build with Secure
@@ -314,12 +269,12 @@
 OS. The `--cert` and `--engine` options, and their libcurl equivalents, are
 currently unimplemented in curl with Secure Transport.
 
-For OS X users: In OS X 10.8 ("Mountain Lion"), Apple made a major overhaul to
-the Secure Transport API that, among other things, added support for the newer
-TLS 1.1 and 1.2 protocols. To get curl to support TLS 1.1 and 1.2, you must
-build curl on Mountain Lion or later, or by using the equivalent SDK. If you
-set the `MACOSX_DEPLOYMENT_TARGET` environmental variable to an earlier
-version of OS X prior to building curl, then curl will use the new Secure
+For macOS users: In OS X 10.8 ("Mountain Lion"), Apple made a major overhaul
+to the Secure Transport API that, among other things, added support for the
+newer TLS 1.1 and 1.2 protocols. To get curl to support TLS 1.1 and 1.2, you
+must build curl on Mountain Lion or later, or by using the equivalent SDK. If
+you set the `MACOSX_DEPLOYMENT_TARGET` environmental variable to an earlier
+version of macOS prior to building curl, then curl will use the new Secure
 Transport API on Mountain Lion and later, and fall back on the older API when
 the same curl binary is executed on older cats. For example, running these
 commands in curl's directory in the shell will build the code such that it
@@ -329,11 +284,52 @@
     ./configure --with-darwinssl
     make
 
+# Android
+
+When building curl for Android it's recommended to use a Linux environment
+since using curl's `configure` script is the easiest way to build curl
+for Android. Before you can build curl for Android, you need to install the
+Android NDK first. This can be done using the SDK Manager that is part of
+Android Studio. Once you have installed the Android NDK, you need to figure out
+where it has been installed and then set up some environment variables before
+launching `configure`. On macOS, those variables could look like this to compile
+for `aarch64` and API level 29:
+
+    export NDK=~/Library/Android/sdk/ndk/20.1.5948944
+    export HOST_TAG=darwin-x86_64
+    export TOOLCHAIN=$NDK/toolchains/llvm/prebuilt/$HOST_TAG
+    export AR=$TOOLCHAIN/bin/aarch64-linux-android-ar
+    export AS=$TOOLCHAIN/bin/aarch64-linux-android-as
+    export CC=$TOOLCHAIN/bin/aarch64-linux-android29-clang
+    export CXX=$TOOLCHAIN/bin/aarch64-linux-android29-clang++
+    export LD=$TOOLCHAIN/bin/aarch64-linux-android-ld
+    export RANLIB=$TOOLCHAIN/bin/aarch64-linux-android-ranlib
+    export STRIP=$TOOLCHAIN/bin/aarch64-linux-android-strip
+
+When building on Linux or targeting other API levels or architectures, you need
+to adjust those variables accordingly. After that you can build curl like this:
+
+    ./configure --host aarch64-linux-android --with-pic --disable-shared
+
+Note that this won't give you SSL/TLS support. If you need SSL/TLS, you have
+to build curl against a SSL/TLS layer, e.g. OpenSSL, because it's impossible for
+curl to access Android's native SSL/TLS layer. To build curl for Android using
+OpenSSL, follow the OpenSSL build instructions and then install `libssl.a` and
+`libcrypto.a` to `$TOOLCHAIN/sysroot/usr/lib` and copy `include/openssl` to
+`$TOOLCHAIN/sysroot/usr/include`. Now you can build curl for Android using
+OpenSSL like this:
+    
+    ./configure --host aarch64-linux-android --with-pic --disable-shared --with-ssl="$TOOLCHAIN/sysroot/usr"
+
+Note, however, that you must target at least Android M (API level 23) or `configure`
+won't be able to detect OpenSSL since `stderr` (and the like) weren't defined
+before Android M.
+
 # Cross compile
 
 Download and unpack the curl package.
 
-'cd' to the new directory. (e.g. `cd curl-7.12.3`)
+`cd` to the new directory. (e.g. `cd curl-7.12.3`)
 
 Set environment variables to point to the cross-compile toolchain and call
 configure with any options you need.  Be sure and specify the `--host` and
@@ -372,7 +368,7 @@
 
 There are a number of configure options that can be used to reduce the size of
 libcurl for embedded applications where binary size is an important factor.
-First, be sure to set the CFLAGS variable when configuring with any relevant
+First, be sure to set the `CFLAGS` variable when configuring with any relevant
 compiler optimization flags to reduce the size of the binary.  For gcc, this
 would mean at minimum the -Os option, and potentially the `-march=X`,
 `-mdynamic-no-pic` and `-flto` options as well, e.g.
@@ -405,8 +401,8 @@
 
 The GNU compiler and linker have a number of options that can reduce the
 size of the libcurl dynamic libraries on some platforms even further.
-Specify them by providing appropriate CFLAGS and LDFLAGS variables on the
-configure command-line, e.g.
+Specify them by providing appropriate `CFLAGS` and `LDFLAGS` variables on
+the configure command-line, e.g.
 
     CFLAGS="-Os -ffunction-sections -fdata-sections
             -fno-unwind-tables -fno-asynchronous-unwind-tables -flto"
@@ -428,7 +424,7 @@
 Note that the curl test harness can detect the use of some, but not all, of
 the `--disable` statements suggested above. Use will cause tests relying on
 those features to fail.  The test harness can be manually forced to skip the
-relevant tests by specifying certain key words on the runtests.pl command
+relevant tests by specifying certain key words on the `runtests.pl` command
 line.  Following is a list of appropriate key words:
 
  - `--disable-cookies`          !cookies
diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
index a733e1f..635e7b2 100644
--- a/docs/INTERNALS.md
+++ b/docs/INTERNALS.md
@@ -7,13 +7,13 @@
  - [Windows vs Unix](#winvsunix)
  - [Library](#Library)
    - [`Curl_connect`](#Curl_connect)
-   - [`Curl_do`](#Curl_do)
+   - [`multi_do`](#multi_do)
    - [`Curl_readwrite`](#Curl_readwrite)
-   - [`Curl_done`](#Curl_done)
+   - [`multi_done`](#multi_done)
    - [`Curl_disconnect`](#Curl_disconnect)
  - [HTTP(S)](#http)
  - [FTP](#ftp)
-   - [Kerberos](#kerberos)
+ - [Kerberos](#kerberos)
  - [TELNET](#telnet)
  - [FILE](#file)
  - [SMB](#smb)
@@ -34,10 +34,17 @@
  - [`curl_off_t`](#curl_off_t)
  - [curlx](#curlx)
  - [Content Encoding](#contentencoding)
- - [hostip.c explained](#hostip)
+ - [`hostip.c` explained](#hostip)
  - [Track Down Memory Leaks](#memoryleak)
  - [`multi_socket`](#multi_socket)
  - [Structs in libcurl](#structs)
+   - [Curl_easy](#Curl_easy)
+   - [connectdata](#connectdata)
+   - [Curl_multi](#Curl_multi)
+   - [Curl_handler](#Curl_handler)
+   - [conncache](#conncache)
+   - [Curl_share](#Curl_share)
+   - [CookieInfo](#CookieInfo)
 
 <a name="intro"></a>
 Intro
@@ -66,7 +73,7 @@
 Portability
 ===========
 
- We write curl and libcurl to compile with C89 compilers.  On 32bit and up
+ We write curl and libcurl to compile with C89 compilers.  On 32-bit and up
  machines. Most of libcurl assumes more or less POSIX compliance but that's
  not a requirement.
 
@@ -78,20 +85,18 @@
 ------------
 
  - OpenSSL      0.9.7
- - GnuTLS       1.2
+ - GnuTLS       3.1.10
  - zlib         1.1.4
  - libssh2      0.16
  - c-ares       1.6.0
- - libidn       0.4.1
- - cyassl       2.0.0
+ - libidn2      2.0.0
+ - wolfSSL      2.0.0
  - openldap     2.0
  - MIT Kerberos 1.2.4
  - GSKit        V5R3M0
  - NSS          3.14.x
- - axTLS        2.1.0
- - PolarSSL     1.3.0
  - Heimdal      ?
- - nghttp2      1.0.0
+ - nghttp2      1.12.0
 
 Operating Systems
 -----------------
@@ -119,7 +124,7 @@
  - GNU M4       1.4
  - perl         5.004
  - roffit       0.5
- - groff        ? (any version that supports "groff -Tps -man [in] [out]")
+ - groff        ? (any version that supports `groff -Tps -man [in] [out]`)
  - ps2pdf (gs)  ?
 
 <a name="winvsunix"></a>
@@ -133,7 +138,7 @@
 
    In curl, this is solved with defines and macros, so that the source looks
    the same in all places except for the header file that defines them. The
-   macros in use are sclose(), sread() and swrite().
+   macros in use are `sclose()`, `sread()` and `swrite()`.
 
  2. Windows requires a couple of init calls for the socket stuff.
 
@@ -172,14 +177,14 @@
  There are plenty of entry points to the library, namely each publicly defined
  function that libcurl offers to applications. All of those functions are
  rather small and easy-to-follow. All the ones prefixed with `curl_easy` are
- put in the lib/easy.c file.
+ put in the `lib/easy.c` file.
 
  `curl_global_init()` and `curl_global_cleanup()` should be called by the
  application to initialize and clean up global stuff in the library. As of
  today, it can handle the global SSL initing if SSL is enabled and it can init
  the socket layer on windows machines. libcurl itself has no "global" scope.
 
- All printf()-style functions use the supplied clones in lib/mprintf.c. This
+ All printf()-style functions use the supplied clones in `lib/mprintf.c`. This
  makes sure we stay absolutely platform independent.
 
  [ `curl_easy_init()`][2] allocates an internal struct and makes some
@@ -198,8 +203,8 @@
  `curl_multi_wait()`, and `curl_multi_perform()` until the transfer is done
  and then returns.
 
- Some of the most important key functions in url.c are called from multi.c
- when certain key steps are to be made in the transfer operation.
+ Some of the most important key functions in `url.c` are called from
+ `multi.c` when certain key steps are to be made in the transfer operation.
 
 <a name="Curl_connect"></a>
 Curl_connect()
@@ -207,32 +212,32 @@
 
    Analyzes the URL, it separates the different components and connects to the
    remote host. This may involve using a proxy and/or using SSL. The
-   `Curl_resolv()` function in lib/hostip.c is used for looking up host names
-   (it does then use the proper underlying method, which may vary between
-   platforms and builds).
+   `Curl_resolv()` function in `lib/hostip.c` is used for looking up host
+   names (it does then use the proper underlying method, which may vary
+   between platforms and builds).
 
    When `Curl_connect` is done, we are connected to the remote site. Then it
    is time to tell the server to get a document/file. `Curl_do()` arranges
    this.
 
-   This function makes sure there's an allocated and initiated 'connectdata'
+   This function makes sure there's an allocated and initiated `connectdata`
    struct that is used for this particular connection only (although there may
    be several requests performed on the same connect). A bunch of things are
    inited/inherited from the `Curl_easy` struct.
 
-<a name="Curl_do"></a>
-Curl_do()
+<a name="multi_do"></a>
+multi_do()
 ---------
 
-   `Curl_do()` makes sure the proper protocol-specific function is called. The
-   functions are named after the protocols they handle.
+   `multi_do()` makes sure the proper protocol-specific function is called.
+   The functions are named after the protocols they handle.
 
    The protocol-specific functions of course deal with protocol-specific
    negotiations and setup. They have access to the `Curl_sendf()` (from
-   lib/sendf.c) function to send printf-style formatted data to the remote
+   `lib/sendf.c`) function to send printf-style formatted data to the remote
    host and when they're ready to make the actual file transfer they call the
-   `Curl_Transfer()` function (in lib/transfer.c) to setup the transfer and
-   returns.
+   `Curl_setup_transfer()` function (in `lib/transfer.c`) to setup the
+   transfer and returns.
 
    If this DO function fails and the connection is being re-used, libcurl will
    then close this connection, setup a new connection and re-issue the DO
@@ -240,28 +245,24 @@
    we have discovered a dead connection before the DO function and thus we
    might wrongly be re-using a connection that was closed by the remote peer.
 
-   Some time during the DO function, the `Curl_setup_transfer()` function must
-   be called with some basic info about the upcoming transfer: what socket(s)
-   to read/write and the expected file transfer sizes (if known).
-
 <a name="Curl_readwrite"></a>
 Curl_readwrite()
 ----------------
 
    Called during the transfer of the actual protocol payload.
 
-   During transfer, the progress functions in lib/progress.c are called at
+   During transfer, the progress functions in `lib/progress.c` are called at
    frequent intervals (or at the user's choice, a specified callback might get
-   called). The speedcheck functions in lib/speedcheck.c are also used to
+   called). The speedcheck functions in `lib/speedcheck.c` are also used to
    verify that the transfer is as fast as required.
 
-<a name="Curl_done"></a>
-Curl_done()
+<a name="multi_done"></a>
+multi_done()
 -----------
 
    Called after a transfer is done. This function takes care of everything
    that has to be done after a transfer. This function attempts to leave
-   matters in a state so that `Curl_do()` should be possible to call again on
+   matters in a state so that `multi_do()` should be possible to call again on
    the same connection (in a persistent connection case). It might also soon
    be closed with `Curl_disconnect()`.
 
@@ -284,11 +285,12 @@
 =======
 
  HTTP offers a lot and is the protocol in curl that uses the most lines of
- code. There is a special file (lib/formdata.c) that offers all the multipart
- post functions.
+ code. There is a special file `lib/formdata.c` that offers all the
+ multipart post functions.
 
- base64-functions for user+password stuff (and more) is in (lib/base64.c) and
- all functions for parsing and sending cookies are found in (lib/cookie.c).
+ base64-functions for user+password stuff (and more) is in `lib/base64.c`
+ and all functions for parsing and sending cookies are found in
+ `lib/cookie.c`.
 
  HTTPS uses in almost every case the same procedure as HTTP, with only two
  exceptions: the connect procedure is different and the function used to read
@@ -301,25 +303,27 @@
 
  An interesting detail with the HTTP(S) request, is the `Curl_add_buffer()`
  series of functions we use. They append data to one single buffer, and when
- the building is finished the entire request is sent off in one single write. This is done this way to overcome problems with flawed firewalls and lame servers.
+ the building is finished the entire request is sent off in one single write.
+ This is done this way to overcome problems with flawed firewalls and lame
+ servers.
 
 <a name="ftp"></a>
 FTP
 ===
 
  The `Curl_if2ip()` function can be used for getting the IP number of a
- specified network interface, and it resides in lib/if2ip.c.
+ specified network interface, and it resides in `lib/if2ip.c`.
 
  `Curl_ftpsendf()` is used for sending FTP commands to the remote server. It
  was made a separate function to prevent us programmers from forgetting that
- they must be CRLF terminated. They must also be sent in one single write() to
- make firewalls and similar happy.
+ they must be CRLF terminated. They must also be sent in one single `write()`
+ to make firewalls and similar happy.
 
 <a name="kerberos"></a>
 Kerberos
---------
+========
 
- Kerberos support is mainly in lib/krb5.c and lib/security.c but also
+ Kerberos support is mainly in `lib/krb5.c` and `lib/security.c` but also
  `curl_sasl_sspi.c` and `curl_sasl_gssapi.c` for the email protocols and
  `socks_gssapi.c` and `socks_sspi.c` for SOCKS5 proxy specifics.
 
@@ -327,55 +331,57 @@
 TELNET
 ======
 
- Telnet is implemented in lib/telnet.c.
+ Telnet is implemented in `lib/telnet.c`.
 
 <a name="file"></a>
 FILE
 ====
 
- The file:// protocol is dealt with in lib/file.c.
+ The `file://` protocol is dealt with in `lib/file.c`.
 
 <a name="smb"></a>
 SMB
 ===
 
- The smb:// protocol is dealt with in lib/smb.c.
+ The `smb://` protocol is dealt with in `lib/smb.c`.
 
 <a name="ldap"></a>
 LDAP
 ====
 
- Everything LDAP is in lib/ldap.c and lib/openldap.c
+ Everything LDAP is in `lib/ldap.c` and `lib/openldap.c`.
 
 <a name="email"></a>
 E-mail
 ======
 
- The e-mail related source code is in lib/imap.c, lib/pop3.c and lib/smtp.c.
+ The e-mail related source code is in `lib/imap.c`, `lib/pop3.c` and
+ `lib/smtp.c`.
 
 <a name="general"></a>
 General
 =======
 
  URL encoding and decoding, called escaping and unescaping in the source code,
- is found in lib/escape.c.
+ is found in `lib/escape.c`.
 
- While transferring data in Transfer() a few functions might get used.
- `curl_getdate()` in lib/parsedate.c is for HTTP date comparisons (and more).
+ While transferring data in `Transfer()` a few functions might get used.
+ `curl_getdate()` in `lib/parsedate.c` is for HTTP date comparisons (and
+ more).
 
- lib/getenv.c offers `curl_getenv()` which is for reading environment
+ `lib/getenv.c` offers `curl_getenv()` which is for reading environment
  variables in a neat platform independent way. That's used in the client, but
- also in lib/url.c when checking the proxy environment variables. Note that
- contrary to the normal unix getenv(), this returns an allocated buffer that
- must be free()ed after use.
+ also in `lib/url.c` when checking the proxy environment variables. Note that
+ contrary to the normal unix `getenv()`, this returns an allocated buffer that
+ must be `free()`ed after use.
 
- lib/netrc.c holds the .netrc parser
+ `lib/netrc.c` holds the `.netrc` parser.
 
- lib/timeval.c features replacement functions for systems that don't have
- gettimeofday() and a few support functions for timeval conversions.
+ `lib/timeval.c` features replacement functions for systems that don't have
+ `gettimeofday()` and a few support functions for timeval conversions.
 
  A function named `curl_version()` that returns the full curl version string
- is found in lib/version.c.
+ is found in `lib/version.c`.
 
 <a name="persistent"></a>
 Persistent Connections
@@ -389,7 +395,7 @@
    as well as all the options etc that the library-user may choose.
 
  - The `Curl_easy` struct holds the "connection cache" (an array of
-   pointers to 'connectdata' structs).
+   pointers to `connectdata` structs).
 
  - This enables the 'curl handle' to be reused on subsequent transfers.
 
@@ -437,10 +443,10 @@
  in future libcurl versions.
 
  To deal with this internally in the best way possible, we have a generic SSL
- function API as provided by the vtls/vtls.[ch] system, and they are the only
+ function API as provided by the `vtls/vtls.[ch]` system, and they are the only
  SSL functions we must use from within libcurl. vtls is then crafted to use
  the appropriate lower-level function calls to whatever SSL library that is in
- use. For example vtls/openssl.[ch] for the OpenSSL library.
+ use. For example `vtls/openssl.[ch]` for the OpenSSL library.
 
 <a name="symbols"></a>
 Library Symbols
@@ -459,7 +465,7 @@
 
  I've made things simple. Almost every function in libcurl returns a CURLcode,
  that must be `CURLE_OK` if everything is OK or otherwise a suitable error
- code as the curl/curl.h include file defines. The very spot that detects an
+ code as the `curl/curl.h` include file defines. The very spot that detects an
  error must use the `Curl_failf()` function to set the human-readable error
  description.
 
@@ -481,20 +487,20 @@
 Client
 ======
 
- main() resides in `src/tool_main.c`.
+ `main()` resides in `src/tool_main.c`.
 
- `src/tool_hugehelp.c` is automatically generated by the mkhelp.pl perl script
- to display the complete "manual" and the `src/tool_urlglob.c` file holds the
- functions used for the URL-"globbing" support. Globbing in the sense that the
- {} and [] expansion stuff is there.
+ `src/tool_hugehelp.c` is automatically generated by the `mkhelp.pl` perl
+ script to display the complete "manual" and the `src/tool_urlglob.c` file
+ holds the functions used for the URL-"globbing" support. Globbing in the
+ sense that the `{}` and `[]` expansion stuff is there.
 
- The client mostly sets up its 'config' struct properly, then
+ The client mostly sets up its `config` struct properly, then
  it calls the `curl_easy_*()` functions of the library and when it gets back
  control after the `curl_easy_perform()` it cleans up the library, checks
  status and exits.
 
- When the operation is done, the ourWriteOut() function in src/writeout.c may
- be called to report about the operation. That function is using the
+ When the operation is done, the `ourWriteOut()` function in `src/writeout.c`
+ may be called to report about the operation. That function is using the
  `curl_easy_getinfo()` function to extract useful information from the curl
  session.
 
@@ -505,30 +511,32 @@
 Memory Debugging
 ================
 
- The file lib/memdebug.c contains debug-versions of a few functions. Functions
- such as malloc, free, fopen, fclose, etc that somehow deal with resources
- that might give us problems if we "leak" them. The functions in the memdebug
- system do nothing fancy, they do their normal function and then log
- information about what they just did. The logged data can then be analyzed
- after a complete session,
+ The file `lib/memdebug.c` contains debug-versions of a few functions.
+ Functions such as `malloc()`, `free()`, `fopen()`, `fclose()`, etc that
+ somehow deal with resources that might give us problems if we "leak" them.
+ The functions in the memdebug system do nothing fancy, they do their normal
+ function and then log information about what they just did. The logged data
+ can then be analyzed after a complete session,
 
- memanalyze.pl is the perl script present in tests/ that analyzes a log file
- generated by the memory tracking system. It detects if resources are
+ `memanalyze.pl` is the perl script present in `tests/` that analyzes a log
+ file generated by the memory tracking system. It detects if resources are
  allocated but never freed and other kinds of errors related to resource
  management.
 
- Internally, definition of preprocessor symbol DEBUGBUILD restricts code which
- is only compiled for debug enabled builds. And symbol CURLDEBUG is used to
- differentiate code which is _only_ used for memory tracking/debugging.
+ Internally, definition of preprocessor symbol `DEBUGBUILD` restricts code
+ which is only compiled for debug enabled builds. And symbol `CURLDEBUG` is
+ used to differentiate code which is _only_ used for memory
+ tracking/debugging.
 
- Use -DCURLDEBUG when compiling to enable memory debugging, this is also
- switched on by running configure with --enable-curldebug. Use -DDEBUGBUILD
- when compiling to enable a debug build or run configure with --enable-debug.
+ Use `-DCURLDEBUG` when compiling to enable memory debugging, this is also
+ switched on by running configure with `--enable-curldebug`. Use
+ `-DDEBUGBUILD` when compiling to enable a debug build or run configure with
+ `--enable-debug`.
 
- curl --version will list 'Debug' feature for debug enabled builds, and
+ `curl --version` will list 'Debug' feature for debug enabled builds, and
  will list 'TrackMemory' feature for curl debug memory tracking capable
  builds. These features are independent and can be controlled when running
- the configure script. When --enable-debug is given both features will be
+ the configure script. When `--enable-debug` is given both features will be
  enabled, unless some restriction prevents memory tracking from being used.
 
 <a name="test"></a>
@@ -539,12 +547,12 @@
  curl archive tree, and it contains a bunch of scripts and a lot of test case
  data.
 
- The main test script is runtests.pl that will invoke test servers like
- httpserver.pl and ftpserver.pl before all the test cases are performed. The
- test suite currently only runs on Unix-like platforms.
+ The main test script is `runtests.pl` that will invoke test servers like
+ `httpserver.pl` and `ftpserver.pl` before all the test cases are performed.
+ The test suite currently only runs on Unix-like platforms.
 
- You'll find a description of the test suite in the tests/README file, and the
- test case data files in the tests/FILEFORMAT file.
+ You'll find a description of the test suite in the `tests/README` file, and
+ the test case data files in the `tests/FILEFORMAT` file.
 
  The test suite automatically detects if curl was built with the memory
  debugging enabled, and if it was, it will detect memory leaks, too.
@@ -572,7 +580,7 @@
  prevent linking errors later on). Then I simply build the areslib project
  (the other projects adig/ahost seem to fail under MSVC).
 
- Next was libcurl. I opened lib/config-win32.h and I added a:
+ Next was libcurl. I opened `lib/config-win32.h` and I added a:
  `#define USE_ARES 1`
 
  Next thing I did was I added the path for the ares includes to the include
@@ -581,8 +589,8 @@
  Lastly, I also changed libcurl to be single-threaded rather than
  multi-threaded, again this was to prevent some duplicate symbol errors. I'm
  not sure why I needed to change everything to single-threaded, but when I
- didn't I got redefinition errors for several CRT functions (malloc, stricmp,
- etc.)
+ didn't I got redefinition errors for several CRT functions (`malloc()`,
+ `stricmp()`, etc.)
 
 <a name="curl_off_t"></a>
 `curl_off_t`
@@ -590,9 +598,10 @@
 
  `curl_off_t` is a data type provided by the external libcurl include
  headers. It is the type meant to be used for the [`curl_easy_setopt()`][1]
- options that end with LARGE. The type is 64bit large on most modern
+ options that end with LARGE. The type is 64-bit large on most modern
  platforms.
 
+<a name="curlx"></a>
 curlx
 =====
 
@@ -602,29 +611,15 @@
  additional functions.
 
  We provide them through a single header file for easy access for apps:
- "curlx.h"
+ `curlx.h`
 
 `curlx_strtoofft()`
 -------------------
    A macro that converts a string containing a number to a `curl_off_t` number.
    This might use the `curlx_strtoll()` function which is provided as source
    code in strtoofft.c. Note that the function is only provided if no
-   strtoll() (or equivalent) function exist on your platform. If `curl_off_t`
-   is only a 32 bit number on your platform, this macro uses strtol().
-
-`curlx_tvnow()`
----------------
-   returns a struct timeval for the current time.
-
-`curlx_tvdiff()`
---------------
-   returns the difference between two timeval structs, in number of
-   milliseconds.
-
-`curlx_tvdiff_secs()`
----------------------
-   returns the same as `curlx_tvdiff` but with full usec resolution (as a
-   double)
+   `strtoll()` (or equivalent) function exist on your platform. If `curl_off_t`
+   is only a 32-bit number on your platform, this macro uses `strtol()`.
 
 Future
 ------
@@ -656,29 +651,30 @@
 ## About content encodings
 
  [HTTP/1.1][4] specifies that a client may request that a server encode its
- response. This is usually used to compress a response using one of a set of
- commonly available compression techniques. These schemes are 'deflate' (the
- zlib algorithm), 'gzip' and 'compress'. A client requests that the server
- perform an encoding by including an Accept-Encoding header in the request
- document. The value of the header should be one of the recognized tokens
- 'deflate', ... (there's a way to register new schemes/tokens, see sec 3.5 of
- the spec). A server MAY honor the client's encoding request. When a response
- is encoded, the server includes a Content-Encoding header in the
- response. The value of the Content-Encoding header indicates which scheme was
- used to encode the data.
+ response. This is usually used to compress a response using one (or more)
+ encodings from a set of commonly available compression techniques. These
+ schemes include `deflate` (the zlib algorithm), `gzip`, `br` (brotli) and
+ `compress`. A client requests that the server perform an encoding by including
+ an `Accept-Encoding` header in the request document. The value of the header
+ should be one of the recognized tokens `deflate`, ... (there's a way to
+ register new schemes/tokens, see sec 3.5 of the spec). A server MAY honor
+ the client's encoding request. When a response is encoded, the server
+ includes a `Content-Encoding` header in the response. The value of the
+ `Content-Encoding` header indicates which encodings were used to encode the
+ data, in the order in which they were applied.
 
- A client may tell a server that it can understand several different encoding
- schemes. In this case the server may choose any one of those and use it to
- encode the response (indicating which one using the Content-Encoding header).
  It's also possible for a client to attach priorities to different schemes so
  that the server knows which it prefers. See sec 14.3 of RFC 2616 for more
- information on the Accept-Encoding header.
+ information on the `Accept-Encoding` header. See sec
+ [3.1.2.2 of RFC 7231][15] for more information on the `Content-Encoding`
+ header.
 
 ## Supported content encodings
 
- The 'deflate' and 'gzip' content encoding are supported by libcurl. Both
- regular and chunked transfers work fine.  The zlib library is required for
- this feature.
+ The `deflate`, `gzip` and `br` content encodings are supported by libcurl.
+ Both regular and chunked transfers work fine.  The zlib library is required
+ for the `deflate` and `gzip` encodings, while the brotli decoding library is
+ for the `br` encoding.
 
 ## The libcurl interface
 
@@ -686,44 +682,45 @@
 
   [`curl_easy_setopt`][1](curl, [`CURLOPT_ACCEPT_ENCODING`][5], string)
 
- where string is the intended value of the Accept-Encoding header.
+ where string is the intended value of the `Accept-Encoding` header.
 
- Currently, libcurl only understands how to process responses that use the
- "deflate" or "gzip" Content-Encoding, so the only values for
- [`CURLOPT_ACCEPT_ENCODING`][5] that will work (besides "identity," which does
- nothing) are "deflate" and "gzip" If a response is encoded using the
- "compress" or methods, libcurl will return an error indicating that the
- response could not be decoded.  If <string> is NULL no Accept-Encoding header
- is generated.  If <string> is a zero-length string, then an Accept-Encoding
+ Currently, libcurl does support multiple encodings but only
+ understands how to process responses that use the `deflate`, `gzip` and/or
+ `br` content encodings, so the only values for [`CURLOPT_ACCEPT_ENCODING`][5]
+ that will work (besides `identity`, which does nothing) are `deflate`,
+ `gzip` and `br`. If a response is encoded using the `compress` or methods,
+ libcurl will return an error indicating that the response could
+ not be decoded.  If `<string>` is NULL no `Accept-Encoding` header is
+ generated. If `<string>` is a zero-length string, then an `Accept-Encoding`
  header containing all supported encodings will be generated.
 
  The [`CURLOPT_ACCEPT_ENCODING`][5] must be set to any non-NULL value for
  content to be automatically decoded.  If it is not set and the server still
  sends encoded content (despite not having been asked), the data is returned
- in its raw form and the Content-Encoding type is not checked.
+ in its raw form and the `Content-Encoding` type is not checked.
 
 ## The curl interface
 
- Use the [--compressed][6] option with curl to cause it to ask servers to
+ Use the [`--compressed`][6] option with curl to cause it to ask servers to
  compress responses using any format supported by curl.
 
 <a name="hostip"></a>
-hostip.c explained
-==================
+`hostip.c` explained
+====================
 
- The main compile-time defines to keep in mind when reading the host*.c source
- file are these:
+ The main compile-time defines to keep in mind when reading the `host*.c`
+ source file are these:
 
 ## `CURLRES_IPV6`
 
- this host has getaddrinfo() and family, and thus we use that. The host may
+ this host has `getaddrinfo()` and family, and thus we use that. The host may
  not be able to resolve IPv6, but we don't really have to take that into
  account. Hosts that aren't IPv6-enabled have `CURLRES_IPV4` defined.
 
 ## `CURLRES_ARES`
 
  is defined if libcurl is built to use c-ares for asynchronous name
- resolves. This can be Windows or *nix.
+ resolves. This can be Windows or \*nix.
 
 ## `CURLRES_THREADED`
 
@@ -736,20 +733,20 @@
  libcurl is not built to use an asynchronous resolver, `CURLRES_SYNCH` is
  defined.
 
-## host*.c sources
+## `host*.c` sources
 
- The host*.c sources files are split up like this:
+ The `host*.c` sources files are split up like this:
 
- - hostip.c      - method-independent resolver functions and utility functions
- - hostasyn.c    - functions for asynchronous name resolves
- - hostsyn.c     - functions for synchronous name resolves
- - asyn-ares.c   - functions for asynchronous name resolves using c-ares
- - asyn-thread.c - functions for asynchronous name resolves using threads
- - hostip4.c     - IPv4 specific functions
- - hostip6.c     - IPv6 specific functions
+ - `hostip.c`      - method-independent resolver functions and utility functions
+ - `hostasyn.c`    - functions for asynchronous name resolves
+ - `hostsyn.c`     - functions for synchronous name resolves
+ - `asyn-ares.c`   - functions for asynchronous name resolves using c-ares
+ - `asyn-thread.c` - functions for asynchronous name resolves using threads
+ - `hostip4.c`     - IPv4 specific functions
+ - `hostip6.c`     - IPv6 specific functions
 
- The hostip.h is the single united header file for all this. It defines the
- `CURLRES_*` defines based on the config*.h and `curl_setup.h` defines.
+ The `hostip.h` is the single united header file for all this. It defines the
+ `CURLRES_*` defines based on the `config*.h` and `curl_setup.h` defines.
 
 <a name="memoryleak"></a>
 Track Down Memory Leaks
@@ -761,14 +758,13 @@
   than one thread. If you want/need to use it in a multi-threaded app. Please
   adjust accordingly.
 
-
 ## Build
 
-  Rebuild libcurl with -DCURLDEBUG (usually, rerunning configure with
-  --enable-debug fixes this). 'make clean' first, then 'make' so that all
+  Rebuild libcurl with `-DCURLDEBUG` (usually, rerunning configure with
+  `--enable-debug` fixes this). `make clean` first, then `make` so that all
   files are actually rebuilt properly. It will also make sense to build
-  libcurl with the debug option (usually -g to the compiler) so that debugging
-  it will be easier if you actually do find a leak in the library.
+  libcurl with the debug option (usually `-g` to the compiler) so that
+  debugging it will be easier if you actually do find a leak in the library.
 
   This will create a library that has memory debugging enabled.
 
@@ -776,7 +772,7 @@
 
   Add a line in your application code:
 
-       `curl_memdebug("dump");`
+       `curl_dbg_memdebug("dump");`
 
   This will make the malloc debug system output a full trace of all resource
   using functions to the given file name. Make sure you rebuild your program
@@ -792,7 +788,7 @@
 
 ## Analyze the Flow
 
-  Use the tests/memanalyze.pl perl script to analyze the dump file:
+  Use the `tests/memanalyze.pl` perl script to analyze the dump file:
 
     tests/memanalyze.pl dump
 
@@ -808,45 +804,46 @@
 
  Implementation of the `curl_multi_socket` API
 
-  The main ideas of this API are simply:
+ The main ideas of this API are simply:
 
-   1 - The application can use whatever event system it likes as it gets info
-       from libcurl about what file descriptors libcurl waits for what action
-       on. (The previous API returns `fd_sets` which is very select()-centric).
+ 1. The application can use whatever event system it likes as it gets info
+    from libcurl about what file descriptors libcurl waits for what action
+    on. (The previous API returns `fd_sets` which is very
+    `select()`-centric).
 
-   2 - When the application discovers action on a single socket, it calls
-       libcurl and informs that there was action on this particular socket and
-       libcurl can then act on that socket/transfer only and not care about
-       any other transfers. (The previous API always had to scan through all
-       the existing transfers.)
+ 2. When the application discovers action on a single socket, it calls
+    libcurl and informs that there was action on this particular socket and
+    libcurl can then act on that socket/transfer only and not care about
+    any other transfers. (The previous API always had to scan through all
+    the existing transfers.)
 
-  The idea is that [`curl_multi_socket_action()`][7] calls a given callback
-  with information about what socket to wait for what action on, and the
-  callback only gets called if the status of that socket has changed.
+ The idea is that [`curl_multi_socket_action()`][7] calls a given callback
+ with information about what socket to wait for what action on, and the
+ callback only gets called if the status of that socket has changed.
 
-  We also added a timer callback that makes libcurl call the application when
-  the timeout value changes, and you set that with [`curl_multi_setopt()`][9]
-  and the [`CURLMOPT_TIMERFUNCTION`][10] option. To get this to work,
-  Internally, there's an added struct to each easy handle in which we store
-  an "expire time" (if any). The structs are then "splay sorted" so that we
-  can add and remove times from the linked list and yet somewhat swiftly
-  figure out both how long there is until the next nearest timer expires
-  and which timer (handle) we should take care of now. Of course, the upside
-  of all this is that we get a [`curl_multi_timeout()`][8] that should also
-  work with old-style applications that use [`curl_multi_perform()`][11].
+ We also added a timer callback that makes libcurl call the application when
+ the timeout value changes, and you set that with [`curl_multi_setopt()`][9]
+ and the [`CURLMOPT_TIMERFUNCTION`][10] option. To get this to work,
+ Internally, there's an added struct to each easy handle in which we store
+ an "expire time" (if any). The structs are then "splay sorted" so that we
+ can add and remove times from the linked list and yet somewhat swiftly
+ figure out both how long there is until the next nearest timer expires
+ and which timer (handle) we should take care of now. Of course, the upside
+ of all this is that we get a [`curl_multi_timeout()`][8] that should also
+ work with old-style applications that use [`curl_multi_perform()`][11].
 
-  We created an internal "socket to easy handles" hash table that given
-  a socket (file descriptor) returns the easy handle that waits for action on
-  that socket.  This hash is made using the already existing hash code
-  (previously only used for the DNS cache).
+ We created an internal "socket to easy handles" hash table that given
+ a socket (file descriptor) returns the easy handle that waits for action on
+ that socket.  This hash is made using the already existing hash code
+ (previously only used for the DNS cache).
 
-  To make libcurl able to report plain sockets in the socket callback, we had
-  to re-organize the internals of the [`curl_multi_fdset()`][12] etc so that
-  the conversion from sockets to `fd_sets` for that function is only done in
-  the last step before the data is returned. I also had to extend c-ares to
-  get a function that can return plain sockets, as that library too returned
-  only `fd_sets` and that is no longer good enough. The changes done to c-ares
-  are available in c-ares 1.3.1 and later.
+ To make libcurl able to report plain sockets in the socket callback, we had
+ to re-organize the internals of the [`curl_multi_fdset()`][12] etc so that
+ the conversion from sockets to `fd_sets` for that function is only done in
+ the last step before the data is returned. I also had to extend c-ares to
+ get a function that can return plain sockets, as that library too returned
+ only `fd_sets` and that is no longer good enough. The changes done to c-ares
+ are available in c-ares 1.3.1 and later.
 
 <a name="structs"></a>
 Structs in libcurl
@@ -855,40 +852,42 @@
 This section should cover 7.32.0 pretty accurately, but will make sense even
 for older and later versions as things don't change drastically that often.
 
+<a name="Curl_easy"></a>
 ## Curl_easy
 
   The `Curl_easy` struct is the one returned to the outside in the external API
-  as a "CURL *". This is usually known as an easy handle in API documentations
+  as a `CURL *`. This is usually known as an easy handle in API documentations
   and examples.
 
   Information and state that is related to the actual connection is in the
-  'connectdata' struct. When a transfer is about to be made, libcurl will
+  `connectdata` struct. When a transfer is about to be made, libcurl will
   either create a new connection or re-use an existing one. The particular
   connectdata that is used by this handle is pointed out by
   `Curl_easy->easy_conn`.
 
   Data and information that regard this particular single transfer is put in
-  the SingleRequest sub-struct.
+  the `SingleRequest` sub-struct.
 
   When the `Curl_easy` struct is added to a multi handle, as it must be in
-  order to do any transfer, the ->multi member will point to the `Curl_multi`
-  struct it belongs to. The ->prev and ->next members will then be used by the
-  multi code to keep a linked list of `Curl_easy` structs that are added to
-  that same multi handle. libcurl always uses multi so ->multi *will* point to
-  a `Curl_multi` when a transfer is in progress.
+  order to do any transfer, the `->multi` member will point to the `Curl_multi`
+  struct it belongs to. The `->prev` and `->next` members will then be used by
+  the multi code to keep a linked list of `Curl_easy` structs that are added to
+  that same multi handle. libcurl always uses multi so `->multi` *will* point
+  to a `Curl_multi` when a transfer is in progress.
 
-  ->mstate is the multi state of this particular `Curl_easy`. When
+  `->mstate` is the multi state of this particular `Curl_easy`. When
   `multi_runsingle()` is called, it will act on this handle according to which
   state it is in. The mstate is also what tells which sockets to return for a
   specific `Curl_easy` when [`curl_multi_fdset()`][12] is called etc.
 
-  The libcurl source code generally use the name 'data' for the variable that
+  The libcurl source code generally use the name `data` for the variable that
   points to the `Curl_easy`.
 
   When doing multiplexed HTTP/2 transfers, each `Curl_easy` is associated with
   an individual stream, sharing the same connectdata struct. Multiplexing
   makes it even more important to keep things associated with the right thing!
 
+<a name="connectdata"></a>
 ## connectdata
 
   A general idea in libcurl is to keep connections around in a connection
@@ -896,16 +895,16 @@
   re-use an existing one instead of creating a new as it creates a significant
   performance boost.
 
-  Each 'connectdata' identifies a single physical connection to a server. If
+  Each `connectdata` identifies a single physical connection to a server. If
   the connection can't be kept alive, the connection will be closed after use
   and then this struct can be removed from the cache and freed.
 
   Thus, the same `Curl_easy` can be used multiple times and each time select
-  another connectdata struct to use for the connection. Keep this in mind, as
-  it is then important to consider if options or choices are based on the
+  another `connectdata` struct to use for the connection. Keep this in mind,
+  as it is then important to consider if options or choices are based on the
   connection or the `Curl_easy`.
 
-  Functions in libcurl will assume that connectdata->data points to the
+  Functions in libcurl will assume that `connectdata->data` points to the
   `Curl_easy` that uses this connection (for the moment).
 
   As a special complexity, some protocols supported by libcurl require a
@@ -920,15 +919,16 @@
   this single struct and thus can be considered a single connection for most
   internal concerns.
 
-  The libcurl source code generally use the name 'conn' for the variable that
+  The libcurl source code generally use the name `conn` for the variable that
   points to the connectdata.
 
+<a name="Curl_multi"></a>
 ## Curl_multi
 
   Internally, the easy interface is implemented as a wrapper around multi
   interface functions. This makes everything multi interface.
 
-  `Curl_multi` is the multi handle struct exposed as "CURLM *" in external
+  `Curl_multi` is the multi handle struct exposed as `CURLM *` in external
   APIs.
 
   This struct holds a list of `Curl_easy` structs that have been added to this
@@ -955,31 +955,33 @@
   `->conn_cache` points to the connection cache. It keeps track of all
   connections that are kept after use. The cache has a maximum size.
 
-  `->closure_handle` is described in the 'connectdata' section.
+  `->closure_handle` is described in the `connectdata` section.
 
-  The libcurl source code generally use the name 'multi' for the variable that
+  The libcurl source code generally use the name `multi` for the variable that
   points to the `Curl_multi` struct.
 
+<a name="Curl_handler"></a>
 ## Curl_handler
 
   Each unique protocol that is supported by libcurl needs to provide at least
   one `Curl_handler` struct. It defines what the protocol is called and what
   functions the main code should call to deal with protocol specific issues.
-  In general, there's a source file named [protocol].c in which there's a
-  "struct `Curl_handler` `Curl_handler_[protocol]`" declared. In url.c there's
+  In general, there's a source file named `[protocol].c` in which there's a
+  `struct Curl_handler Curl_handler_[protocol]` declared. In `url.c` there's
   then the main array with all individual `Curl_handler` structs pointed to
   from a single array which is scanned through when a URL is given to libcurl
   to work with.
 
   `->scheme` is the URL scheme name, usually spelled out in uppercase. That's
-  "HTTP" or "FTP" etc. SSL versions of the protocol need their own `Curl_handler` setup so HTTPS separate from HTTP.
+  "HTTP" or "FTP" etc. SSL versions of the protocol need their own
+  `Curl_handler` setup so HTTPS separate from HTTP.
 
   `->setup_connection` is called to allow the protocol code to allocate
   protocol specific data that then gets associated with that `Curl_easy` for
   the rest of this transfer. It gets freed again at the end of the transfer.
-  It will be called before the 'connectdata' for the transfer has been
+  It will be called before the `connectdata` for the transfer has been
   selected/created. Most protocols will allocate its private
-  'struct [PROTOCOL]' here and assign `Curl_easy->req.protop` to point to it.
+  `struct [PROTOCOL]` here and assign `Curl_easy->req.protop` to point to it.
 
   `->connect_it` allows a protocol to do some specific actions after the TCP
   connect is done, that can still be considered part of the connection phase.
@@ -1006,25 +1008,25 @@
   `->do_more` gets called during the `DO_MORE` state. The FTP protocol uses
   this state when setting up the second connection.
 
-  ->`proto_getsock`
-  ->`doing_getsock`
-  ->`domore_getsock`
-  ->`perform_getsock`
+  `->proto_getsock`
+  `->doing_getsock`
+  `->domore_getsock`
+  `->perform_getsock`
   Functions that return socket information. Which socket(s) to wait for which
   action(s) during the particular multi state.
 
-  ->disconnect is called immediately before the TCP connection is shutdown.
+  `->disconnect` is called immediately before the TCP connection is shutdown.
 
-  ->readwrite gets called during transfer to allow the protocol to do extra
+  `->readwrite` gets called during transfer to allow the protocol to do extra
   reads/writes
 
-  ->defport is the default report TCP or UDP port this protocol uses
+  `->defport` is the default report TCP or UDP port this protocol uses
 
-  ->protocol is one or more bits in the `CURLPROTO_*` set. The SSL versions
+  `->protocol` is one or more bits in the `CURLPROTO_*` set. The SSL versions
   have their "base" protocol set and then the SSL variation. Like
   "HTTP|HTTPS".
 
-  ->flags is a bitmask with additional information about the protocol that will
+  `->flags` is a bitmask with additional information about the protocol that will
   make it get treated differently by the generic engine:
 
   - `PROTOPT_SSL` - will make it connect and negotiate SSL
@@ -1039,7 +1041,7 @@
     limit which "direction" of socket actions that the main engine will
     concern itself with.
 
-  - `PROTOPT_NONETWORK` - a protocol that doesn't use network (read file:)
+  - `PROTOPT_NONETWORK` - a protocol that doesn't use network (read `file:`)
 
   - `PROTOPT_NEEDSPWD` - this protocol needs a password and will use a default
     one unless one is provided
@@ -1047,16 +1049,18 @@
   - `PROTOPT_NOURLQUERY` - this protocol can't handle a query part on the URL
     (?foo=bar)
 
+<a name="conncache"></a>
 ## conncache
 
   Is a hash table with connections for later re-use. Each `Curl_easy` has a
   pointer to its connection cache. Each multi handle sets up a connection
   cache that all added `Curl_easy`s share by default.
 
+<a name="Curl_share"></a>
 ## Curl_share
 
   The libcurl share API allocates a `Curl_share` struct, exposed to the
-  external API as "CURLSH *".
+  external API as `CURLSH *`.
 
   The idea is that the struct can have a set of its own versions of caches and
   pools and then by providing this struct in the `CURLOPT_SHARE` option, those
@@ -1069,17 +1073,18 @@
   The `Curl_share` struct can currently hold cookies, DNS cache and the SSL
   session cache.
 
+<a name="CookieInfo"></a>
 ## CookieInfo
 
   This is the main cookie struct. It holds all known cookies and related
-  information. Each `Curl_easy` has its own private CookieInfo even when
+  information. Each `Curl_easy` has its own private `CookieInfo` even when
   they are added to a multi handle. They can be made to share cookies by using
   the share API.
 
 
 [1]: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
 [2]: https://curl.haxx.se/libcurl/c/curl_easy_init.html
-[3]: http://c-ares.haxx.se/
+[3]: https://c-ares.haxx.se/
 [4]: https://tools.ietf.org/html/rfc7230 "RFC 7230"
 [5]: https://curl.haxx.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html
 [6]: https://curl.haxx.se/docs/manpage.html#--compressed
@@ -1091,3 +1096,4 @@
 [12]: https://curl.haxx.se/libcurl/c/curl_multi_fdset.html
 [13]: https://curl.haxx.se/libcurl/c/curl_multi_add_handle.html
 [14]: https://curl.haxx.se/libcurl/c/curl_multi_info_read.html
+[15]: https://tools.ietf.org/html/rfc7231#section-3.1.2.2
diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
index 2405ee9..93cb369 100644
--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@@ -12,50 +12,60 @@
 problems may have been fixed or changed somewhat since this was written!
 
  1. HTTP
- 1.1 CURLFORM_CONTENTLEN in an array
- 1.2 Disabling HTTP Pipelining
+ 1.2 Multiple methods in a single WWW-Authenticate: header
  1.3 STARTTRANSFER time is wrong for HTTP POSTs
  1.4 multipart formposts file name encoding
  1.5 Expect-100 meets 417
  1.6 Unnecessary close when 401 received waiting for 100
- 1.8 DNS timing is wrong for HTTP redirects
+ 1.7 Deflate error after all content was received
+ 1.8 DoH isn't used for all name resolves when enabled
  1.9 HTTP/2 frames while in the connection pool kill reuse
- 1.10 Strips trailing dot from host name
  1.11 CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
 
  2. TLS
  2.1 CURLINFO_SSL_VERIFYRESULT has limited support
  2.2 DER in keychain
- 2.3 GnuTLS backend skips really long certificate fields
  2.4 DarwinSSL won't import PKCS#12 client certificates without a password
+ 2.5 Client cert handling with Issuer DN differs between backends
+ 2.6 CURL_GLOBAL_SSL
+ 2.7 Client cert (MTLS) issues with Schannel
+ 2.8 Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname
+ 2.9 TLS session cache doesn't work with TFO
+ 2.10 Store TLS context per transfer instead of per connection
 
  3. Email protocols
  3.1 IMAP SEARCH ALL truncated response
  3.2 No disconnect command
- 3.3 SMTP to multiple recipients
- 3.4 POP3 expects "CRLF.CRLF" eob for some single-line responses
+ 3.3 POP3 expects "CRLF.CRLF" eob for some single-line responses
+ 3.4 AUTH PLAIN for SMTP is not working on all servers
 
  4. Command line
- 4.1 -J with %-encoded file nameas
+ 4.1 -J and -O with %-encoded file names
  4.2 -J with -C - fails
  4.3 --retry and transfer timeouts
+ 4.4 --upload-file . hang if delay in STDIN
+ 4.5 Improve --data-urlencode space encoding
 
  5. Build and portability issues
- 5.1 Windows Borland compiler
  5.2 curl-config --libs contains private details
- 5.4 AIX shared build with c-ares fails
+ 5.3 curl compiled on OSX 10.13 failed to run on OSX 10.10
+ 5.4 Cannot compile against a static build of OpenLDAP
  5.5 can't handle Unicode arguments in Windows
  5.6 cmake support gaps
  5.7 Visual Studio project gaps
  5.8 configure finding libs in wrong directory
  5.9 Utilize Requires.private directives in libcurl.pc
- 5.10 Fix the gcc typechecks
+ 5.10 IDN tests failing on Windows / MSYS2
+ 5.11 configure --with-gssapi with Heimdal is ignored on macOS
 
  6. Authentication
  6.1 NTLM authentication and unicode
  6.2 MIT Kerberos for Windows build
  6.3 NTLM in system context uses wrong name
  6.4 Negotiate and Kerberos V5 need a fake user name
+ 6.5 NTLM doesn't support password with § character
+ 6.6 libcurl can fail to try alternatives with --proxy-any
+ 6.7 Don't clear digest for single realm
 
  7. FTP
  7.1 FTP without or slow 220 response
@@ -66,17 +76,17 @@
  7.6 FTP with NULs in URL parts
  7.7 FTP and empty path parts in the URL
  7.8 Premature transfer end but healthy control channel
+ 7.9 Passive transfer tries only one IP address
+ 7.10 FTPS needs session reuse
 
  8. TELNET
- 8.1 TELNET and time limtiations don't work
+ 8.1 TELNET and time limitations don't work
  8.2 Microsoft telnet server
 
  9. SFTP and SCP
  9.1 SFTP doesn't do CURLOPT_POSTQUOTE correct
 
  10. SOCKS
- 10.1 SOCKS proxy connections are done blocking
- 10.2 SOCKS don't support timeouts
  10.3 FTPS over SOCKS
  10.4 active FTP over a SOCKS
 
@@ -84,31 +94,35 @@
  11.1 Curl leaks .onion hostnames in DNS
  11.2 error buffer not set if connection to multiple addresses fails
  11.3 c-ares deviates from stock resolver on http://1346569778
+ 11.4 HTTP test server 'connection-monitor' problems
+ 11.5 Connection information when using TCP Fast Open
+ 11.6 slow connect to localhost on Windows
+ 11.7 signal-based resolver timeouts
+ 11.8 DoH leaks memory after followlocation
+ 11.9 DoH doesn't inherit all transfer options
+ 11.10 Blocking socket operations in non-blocking API
 
  12. LDAP and OpenLDAP
  12.1 OpenLDAP hangs after returning results
+ 12.2 LDAP on Windows does authentication wrong?
+ 12.3 LDAP on Windows doesn't work
 
  13. TCP/IP
  13.1 --interface for ipv6 binds to unusable IP address
 
+ 14 DICT
+ 14.1 DICT responses show the underlying protocol
 
 ==============================================================================
 
 1. HTTP
 
-1.1 CURLFORM_CONTENTLEN in an array
+1.2 Multiple methods in a single WWW-Authenticate: header
 
- It is not possible to pass a 64-bit value using CURLFORM_CONTENTLEN with
- CURLFORM_ARRAY, when compiled on 32-bit platforms that support 64-bit
- integers. This is because the underlying structure 'curl_forms' uses a dual
- purpose char* for storing these values in via casting. For more information
- see the now closed related issue:
- https://github.com/curl/curl/issues/608
-
-1.2 Disabling HTTP Pipelining
-
- Disabling HTTP Pipelining when there are ongoing transfers can lead to
- heap corruption and crash. https://curl.haxx.se/bug/view.cgi?id=1411
+ The HTTP responses headers WWW-Authenticate: can provide information about
+ multiple authentication methods as multiple headers or as several methods
+ within a single header. The latter way, several methods in the same physical
+ line, is not supported by libcurl's parser. (For no good reason.)
 
 1.3 STARTTRANSFER time is wrong for HTTP POSTs
 
@@ -138,14 +152,27 @@
 1.6 Unnecessary close when 401 received waiting for 100
 
  libcurl closes the connection if an HTTP 401 reply is received while it is
- waiting for the the 100-continue response.
+ waiting for the 100-continue response.
  https://curl.haxx.se/mail/lib-2008-08/0462.html
 
-1.8 DNS timing is wrong for HTTP redirects
+1.7 Deflate error after all content was received
 
- When extracting timing information after HTTP redirects, only the last
- transfer's results are returned and not the totals:
- https://github.com/curl/curl/issues/522
+ There's a situation where we can get an error in a HTTP response that is
+ compressed, when that error is detected after all the actual body contents
+ have been received and delivered to the application. This is tricky, but is
+ ultimately a broken server.
+
+ See https://github.com/curl/curl/issues/2719
+
+1.8 DoH isn't used for all name resolves when enabled
+
+ Even if DoH is specified to be used, there are some name resolves that are
+ done without it. This should be fixed. When the internal function
+ `Curl_resolver_wait_resolv()` is called, it doesn't use DoH to complete the
+ resolve as it otherwise should.
+
+ See https://github.com/curl/curl/pull/3857 and
+ https://github.com/curl/curl/pull/3850
 
 1.9 HTTP/2 frames while in the connection pool kill reuse
 
@@ -157,41 +184,6 @@
  This is *best* fixed by adding monitoring to connections while they are kept
  in the pool so that pings can be responded to appropriately.
 
-1.10 Strips trailing dot from host name
-
- When given a URL wit a trailing dot for the host name part:
- "https://example.com./", libcurl will strip off the dot and use the name
- without a dot internally and send it dot-less in HTTP Host: headers and in
- the TLS SNI field.
-
- The HTTP part violates RFC 7230 section 5.4 but the SNI part is accordance
- with RFC 6066 section 3.
-
- URLs using these trailing dots are very rare in the wild and we have not seen
- or gotten any real-world problems with such URLs reported. The popular
- browsers seem to have stayed with not stripping the dot for both uses (thus
- they violate RFC 6066 instead of RFC 7230).
-
- Daniel took the discussion to the HTTPbis mailing list in March 2016:
- https://lists.w3.org/Archives/Public/ietf-http-wg/2016JanMar/0430.html but
- there was not major rush or interest to fix this. The impression I get is
- that most HTTP people rather not rock the boat now and instead prioritize web
- compatibility rather than to strictly adhere to these RFCs.
-
- Our current approach allows a knowing client to send a custom HTTP header
- with the dot added.
-
- It can also be noted that while adding a trailing dot to the host name in
- most (all?) cases will make the name resolve to the same set of IP addresses,
- many HTTP servers will not happily accept the trailing dot there unless that
- has been specifically configured to be a fine virtual host.
-
- If URLs with trailing dots for host names become more popular or even just
- used more than for just plain fun experiments, I'm sure we will have reason
- to go back and reconsider.
-
- See https://github.com/curl/curl/issues/716 for the discussion.
-
 1.11 CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
 
  I'm using libcurl to POST form data using a FILE* with the CURLFORM_STREAM
@@ -216,18 +208,71 @@
  Curl doesn't recognize certificates in DER format in keychain, but it works
  with PEM.  https://curl.haxx.se/bug/view.cgi?id=1065
 
-2.3 GnuTLS backend skips really long certificate fields
-
- libcurl calls gnutls_x509_crt_get_dn() with a fixed buffer size and if the
- field is too long in the cert, it'll just return an error and the field will
- be displayed blank.
-
 2.4 DarwinSSL won't import PKCS#12 client certificates without a password
 
  libcurl calls SecPKCS12Import with the PKCS#12 client certificate, but that
  function rejects certificates that do not have a password.
  https://github.com/curl/curl/issues/1308
 
+2.5 Client cert handling with Issuer DN differs between backends
+
+ When the specified client certificate doesn't match any of the
+ server-specified DNs, the OpenSSL and GnuTLS backends behave differently.
+ The github discussion may contain a solution.
+
+ See https://github.com/curl/curl/issues/1411
+
+2.6 CURL_GLOBAL_SSL
+
+ Since libcurl 7.57.0, the flag CURL_GLOBAL_SSL is a no-op. The change was
+ merged in https://github.com/curl/curl/commit/d661b0afb571a
+
+ It was removed since it was
+
+ A) never clear for applications on how to deal with init in the light of
+    different SSL backends (the option was added back in the days when life
+    was simpler)
+
+ B) multissl introduced dynamic switching between SSL backends which
+    emphasized (A) even more
+
+ C) libcurl uses some TLS backend functionality even for non-TLS functions (to
+    get "good" random) so applications trying to avoid the init for
+    performance reasons would do wrong anyway
+
+ D) never very carefully documented so all this mostly just happened to work
+    for some users
+
+ However, in spite of the problems with the feature, there were some users who
+ apparently depended on this feature and who now claim libcurl is broken for
+ them. The fix for this situation is not obvious as a downright revert of the
+ patch is totally ruled out due to those reasons above.
+
+ https://github.com/curl/curl/issues/2276
+
+2.7 Client cert (MTLS) issues with Schannel
+
+ See https://github.com/curl/curl/issues/3145
+
+2.8 Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname
+
+ This seems to be a limitation in the underlying Schannel API.
+
+ https://github.com/curl/curl/issues/3284
+
+2.9 TLS session cache doesn't work with TFO
+
+ See https://github.com/curl/curl/issues/4301
+
+2.10 Store TLS context per transfer instead of per connection
+
+ The GnuTLS `backend->cred` and the OpenSSL `backend->ctx` data and their
+ proxy versions (and possibly other TLS backends), could be better moved to be
+ stored in the Curl_easy handle instead of in per connection so that a single
+ transfer that makes multiple connections can reuse the context and reduce
+ memory consumption.
+
+ https://github.com/curl/curl/issues/5102
 
 3. Email protocols
 
@@ -243,24 +288,22 @@
  The disconnect commands (LOGOUT and QUIT) may not be sent by IMAP, POP3 and
  SMTP if a failure occurs during the authentication phase of a connection.
 
-3.3 SMTP to multiple recipients
-
- When sending data to multiple recipients, curl will abort and return failure
- if one of the recipients indicate failure (on the "RCPT TO"
- command). Ordinary mail programs would proceed and still send to the ones
- that can receive data. This is subject for change in the future.
- https://curl.haxx.se/bug/view.cgi?id=1116
-
-3.4 POP3 expects "CRLF.CRLF" eob for some single-line responses
+3.3 POP3 expects "CRLF.CRLF" eob for some single-line responses
 
  You have to tell libcurl not to expect a body, when dealing with one line
  response commands. Please see the POP3 examples and test cases which show
  this for the NOOP and DELE commands. https://curl.haxx.se/bug/?i=740
 
+3.4 AUTH PLAIN for SMTP is not working on all servers
+
+ Specifying "--login-options AUTH=PLAIN" on the command line doesn't seem to
+ work correctly.
+
+ See https://github.com/curl/curl/issues/4080
 
 4. Command line
 
-4.1 -J with %-encoded file nameas
+4.1 -J and -O with %-encoded file names
 
  -J/--remote-header-name doesn't decode %-encoded file names. RFC6266 details
  how it should be done. The can of worm is basically that we have no charset
@@ -270,6 +313,13 @@
  embedded slashes should be cut off.
  https://curl.haxx.se/bug/view.cgi?id=1294
 
+ -O also doesn't decode %-encoded names, and while it has even less
+ information about the charset involved the process is similar to the -J case.
+
+ Note that we won't add decoding to -O without the user asking for it with
+ some other means as well, since -O has always been documented to use the name
+ exactly as specified in the URL.
+
 4.2 -J with -C - fails
 
  When using -J (with -O), automatically resumed downloading together with "-C
@@ -287,25 +337,36 @@
  https://curl.haxx.se/mail/lib-2008-01/0080.html and Mandriva bug report
  https://qa.mandriva.com/show_bug.cgi?id=22565
 
+4.4 --upload-file . hangs if delay in STDIN
+
+ "(echo start; sleep 1; echo end) | curl --upload-file . http://mywebsite -vv"
+
+ ... causes a hang when it shouldn't.
+
+ See https://github.com/curl/curl/issues/2051
+
+4.5 Improve --data-urlencode space encoding
+
+ ASCII space characters in --data-urlencode are currently encoded as %20
+ rather than +, which RFC 1866 says should be used.
+
+ See https://github.com/curl/curl/issues/3229
 
 5. Build and portability issues
 
-5.1 Windows Borland compiler
-
- When building with the Windows Borland compiler, it fails because the "tlib"
- tool doesn't support hyphens (minus signs) in file names and we have such in
- the build.  https://curl.haxx.se/bug/view.cgi?id=1222
-
 5.2 curl-config --libs contains private details
 
  "curl-config --libs" will include details set in LDFLAGS when configure is
  run that might be needed only for building libcurl. Further, curl-config
  --cflags suffers from the same effects with CFLAGS/CPPFLAGS.
 
-5.4 AIX shared build with c-ares fails
+5.3 curl compiled on OSX 10.13 failed to run on OSX 10.10
 
- curl version 7.12.2 fails on AIX if compiled with --enable-ares.  The
- workaround is to combine --enable-ares with --disable-shared
+ See https://github.com/curl/curl/issues/2905
+
+5.4 Cannot compile against a static build of OpenLDAP
+
+ See https://github.com/curl/curl/issues/2367
 
 5.5 can't handle Unicode arguments in Windows
 
@@ -323,12 +384,17 @@
  The cmake build setup lacks several features that the autoconf build
  offers. This includes:
 
-  - symbol hiding when the shared library is built
   - use of correct soname for the shared library build
+
   - support for several TLS backends are missing
+
   - the unit tests cause link failures in regular non-static builds
+
   - no nghttp2 check
 
+  - unusable tool_hugehelp.c with MinGW, see
+    https://github.com/curl/curl/issues/3125
+
 5.7 Visual Studio project gaps
 
  The Visual Studio projects lack some features that the autoconf and nmake
@@ -364,32 +430,37 @@
 
  https://github.com/curl/curl/issues/864
 
-5.10 Fix the gcc typechecks
+5.10 IDN tests failing on Windows / MSYS2
 
- Issue #846 identifies a problem with the gcc-typechecks and how the types are
- documented and checked for CURLINFO_CERTINFO but our attempts to fix the
- issue were futile and needs more attention.
+ It seems like MSYS2 does some UTF-8-to-something-else conversion for Windows
+ compatibility.
 
- https://github.com/curl/curl/issues/846
+ https://github.com/curl/curl/issues/3747
+
+5.11 configure --with-gssapi with Heimdal is ignored on macOS
+
+ ... unless you also pass --with-gssapi-libs
+
+ https://github.com/curl/curl/issues/3841
 
 6. Authentication
 
 6.1 NTLM authentication and unicode
 
  NTLM authentication involving unicode user name or password only works
- properly if built with UNICODE defined together with the WinSSL/schannel
+ properly if built with UNICODE defined together with the WinSSL/Schannel
  backend. The original problem was mentioned in:
  https://curl.haxx.se/mail/lib-2009-10/0024.html
  https://curl.haxx.se/bug/view.cgi?id=896
 
- The WinSSL/schannel version verified to work as mentioned in
+ The WinSSL/Schannel version verified to work as mentioned in
  https://curl.haxx.se/mail/lib-2012-07/0073.html
 
 6.2 MIT Kerberos for Windows build
 
  libcurl fails to build with MIT Kerberos for Windows (KfW) due to KfW's
  library header files exporting symbols/macros that should be kept private to
- the KfW library. See ticket #5601 at http://krbdev.mit.edu/rt/
+ the KfW library. See ticket #5601 at https://krbdev.mit.edu/rt/
 
 6.3 NTLM in system context uses wrong name
 
@@ -409,6 +480,24 @@
  new conn->bits.want_authentication whi