1 _ _ ____ _ 2 ___| | | | _ \| | 3 / __| | | | |_) | | 4 | (__| |_| | _ <| |___ 5 \___|\___/|_| \_\_____| 6 7 Known Bugs 8 9These are problems and bugs known to exist at the time of this release. Feel 10free to join in and help us correct one or more of these. Also be sure to 11check the changelog of the current development status, as one or more of these 12problems may have been fixed or changed somewhat since this was written. 13 14 1. HTTP 15 16 2. TLS 17 2.1 IMAPS connection fails with Rustls error 18 2.3 Unable to use PKCS12 certificate with Secure Transport 19 2.4 Secure Transport does not import PKCS#12 client certificates without a password 20 2.5 Client cert handling with Issuer DN differs between backends 21 2.7 Client cert (MTLS) issues with Schannel 22 2.11 Schannel TLS 1.2 handshake bug in old Windows versions 23 2.13 CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel 24 25 3. Email protocols 26 3.1 IMAP SEARCH ALL truncated response 27 3.2 No disconnect command 28 3.4 AUTH PLAIN for SMTP is not working on all servers 29 3.5 APOP authentication fails on POP3 30 3.6 POP3 issue when reading small chunks 31 32 4. Command line 33 4.1 -T /dev/stdin may upload with an incorrect content length 34 4.2 -T - always uploads chunked 35 36 5. Build and portability issues 37 5.1 OS400 port requires deprecated IBM library 38 5.2 curl-config --libs contains private details 39 5.6 Cygwin: make install installs curl-config.1 twice 40 5.11 configure --with-gssapi with Heimdal is ignored on macOS 41 5.12 flaky CI builds 42 5.13 long paths are not fully supported on Windows 43 5.15 Unicode on Windows 44 45 6. Authentication 46 6.2 MIT Kerberos for Windows build 47 6.3 NTLM in system context uses wrong name 48 6.5 NTLM does not support password with § character 49 6.6 libcurl can fail to try alternatives with --proxy-any 50 6.7 Do not clear digest for single realm 51 6.8 Heimdal memory leaks 52 6.9 SHA-256 digest not supported in Windows SSPI builds 53 6.10 curl never completes Negotiate over HTTP 54 6.11 Negotiate on Windows fails 55 6.12 cannot use Secure Transport with Crypto Token Kit 56 6.13 Negotiate against Hadoop HDFS 57 58 7. FTP 59 7.4 FTP with ACCT 60 7.12 FTPS directory listing hangs on Windows with Schannel 61 62 9. SFTP and SCP 63 9.1 SFTP does not do CURLOPT_POSTQUOTE correct 64 9.2 wolfssh: publickey auth does not work 65 9.3 Remote recursive folder creation with SFTP 66 9.4 libssh blocking and infinite loop problem 67 9.5 Cygwin: "WARNING: UNPROTECTED PRIVATE KEY FILE!" 68 69 10. SOCKS 70 71 11. Internals 72 11.1 gssapi library name + version is missing in curl_version_info() 73 11.2 error buffer not set if connection to multiple addresses fails 74 11.3 TFTP tests fail on OpenBSD 75 11.4 HTTP test server 'connection-monitor' problems 76 11.5 Connection information when using TCP Fast Open 77 11.6 test cases sometimes timeout 78 11.7 CURLOPT_CONNECT_TO does not work for HTTPS proxy 79 11.8 WinIDN test failures 80 81 12. LDAP 82 12.1 OpenLDAP hangs after returning results 83 12.2 LDAP on Windows does authentication wrong? 84 12.3 LDAP on Windows does not work 85 12.4 LDAPS requests to ActiveDirectory server hang 86 87 13. TCP/IP 88 13.2 Trying local ports fails on Windows 89 90 15. CMake 91 15.1 cmake outputs: no version information available 92 15.2 support build with GnuTLS 93 15.3 unusable tool_hugehelp.c with MinGW 94 15.6 uses -lpthread instead of Threads::Threads 95 15.7 generated .pc file contains strange entries 96 15.13 CMake build with MIT Kerberos does not work 97 98 16. aws-sigv4 99 16.2 aws-sigv4 does not handle multipart/form-data correctly 100 16.3 aws-sigv4 has problems with particular URLs 101 16.6 aws-sigv4 does not behave well with AWS VPC Lattice 102 103 17. HTTP/2 104 17.1 HTTP/2 prior knowledge over proxy 105 17.2 HTTP/2 frames while in the connection pool kill reuse 106 17.3 ENHANCE_YOUR_CALM causes infinite retries 107 17.4 HTTP/2 + TLS spends a lot of time in recv 108 109 18. HTTP/3 110 18.1 connection migration does not work 111 18.2 quiche: QUIC connection is draining 112 113 19. RTSP 114 19.1 Some methods do not support response bodies 115 116============================================================================== 117 1181. HTTP 119 1202. TLS 121 1222.1 IMAPS connection fails with Rustls error 123 124 https://github.com/curl/curl/issues/10457 125 1262.3 Unable to use PKCS12 certificate with Secure Transport 127 128 See https://github.com/curl/curl/issues/5403 129 1302.4 Secure Transport does not import PKCS#12 client certificates without a password 131 132 libcurl calls SecPKCS12Import with the PKCS#12 client certificate, but that 133 function rejects certificates that do not have a password. 134 https://github.com/curl/curl/issues/1308 135 1362.5 Client cert handling with Issuer DN differs between backends 137 138 When the specified client certificate does not match any of the 139 server-specified DNs, the OpenSSL and GnuTLS backends behave differently. 140 The github discussion may contain a solution. 141 142 See https://github.com/curl/curl/issues/1411 143 1442.7 Client cert (MTLS) issues with Schannel 145 146 See https://github.com/curl/curl/issues/3145 147 1482.11 Schannel TLS 1.2 handshake bug in old Windows versions 149 150 In old versions of Windows such as 7 and 8.1 the Schannel TLS 1.2 handshake 151 implementation likely has a bug that can rarely cause the key exchange to 152 fail, resulting in error SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED. 153 154 https://github.com/curl/curl/issues/5488 155 1562.13 CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel 157 158 https://github.com/curl/curl/issues/8741 159 1603. Email protocols 161 1623.1 IMAP SEARCH ALL truncated response 163 164 IMAP "SEARCH ALL" truncates output on large boxes. "A quick search of the 165 code reveals that pingpong.c contains some truncation code, at line 408, when 166 it deems the server response to be too large truncating it to 40 characters" 167 https://curl.se/bug/view.cgi?id=1366 168 1693.2 No disconnect command 170 171 The disconnect commands (LOGOUT and QUIT) may not be sent by IMAP, POP3 and 172 SMTP if a failure occurs during the authentication phase of a connection. 173 1743.4 AUTH PLAIN for SMTP is not working on all servers 175 176 Specifying "--login-options AUTH=PLAIN" on the command line does not seem to 177 work correctly. 178 179 See https://github.com/curl/curl/issues/4080 180 1813.5 APOP authentication fails on POP3 182 183 See https://github.com/curl/curl/issues/10073 184 1853.6 POP3 issue when reading small chunks 186 187 CURL_DBG_SOCK_RMAX=4 ./runtests.pl -v 982 188 189 See https://github.com/curl/curl/issues/12063 190 1914. Command line 192 1934.1 -T /dev/stdin may upload with an incorrect content length 194 195 -T stats the path to figure out its size in bytes to use it as Content-Length 196 if it is a regular file. 197 198 The problem with that is that, on BSDs and some other UNIXes (not Linux), 199 open(path) may not give you a file descriptor with a 0 offset from the start 200 of the file. 201 202 See https://github.com/curl/curl/issues/12177 203 2044.2 -T - always uploads chunked 205 206 When the `<` shell operator is used. curl should realise that stdin is a 207 regular file in this case, and that it can do a non-chunked upload, like it 208 would do if you used -T file. 209 210 See https://github.com/curl/curl/issues/12171 211 2125. Build and portability issues 213 2145.1 OS400 port requires deprecated IBM library 215 216 curl for OS400 requires QADRT to build, which provides ASCII wrappers for 217 libc/POSIX functions in the ILE, but IBM no longer supports or even offers 218 this library to download. 219 220 See https://github.com/curl/curl/issues/5176 221 2225.2 curl-config --libs contains private details 223 224 "curl-config --libs" include details set in LDFLAGS when configure is run 225 that might be needed only for building libcurl. Further, curl-config --cflags 226 suffers from the same effects with CFLAGS/CPPFLAGS. 227 2285.6 Cygwin: make install installs curl-config.1 twice 229 230 https://github.com/curl/curl/issues/8839 231 2325.11 configure --with-gssapi with Heimdal is ignored on macOS 233 234 ... unless you also pass --with-gssapi-libs 235 236 https://github.com/curl/curl/issues/3841 237 2385.12 flaky CI builds 239 240 We run many CI builds for each commit and PR on github, and especially a 241 number of the Windows builds are flaky. This means that we rarely get all CI 242 builds go green and complete without errors. This is unfortunate as it makes 243 us sometimes miss actual build problems and it is surprising to newcomers to 244 the project who (rightfully) do not expect this. 245 246 See https://github.com/curl/curl/issues/6972 247 2485.13 long paths are not fully supported on Windows 249 250 curl on Windows cannot access long paths (paths longer than 260 characters). 251 However, as a workaround, the Windows path prefix \\?\ which disables all 252 path interpretation may work to allow curl to access the path. For example: 253 \\?\c:\longpath. 254 255 See https://github.com/curl/curl/issues/8361 256 2575.15 Unicode on Windows 258 259 Passing in a Unicode filename with -o: 260 261 https://github.com/curl/curl/issues/11461 262 263 Passing in Unicode character with -d: 264 265 https://github.com/curl/curl/issues/12231 266 267 Windows Unicode builds use homedir in current locale 268 269 The Windows Unicode builds of curl use the current locale, but expect Unicode 270 UTF-8 encoded paths for internal use such as open, access and stat. The 271 user's home directory is retrieved via curl_getenv in the current locale and 272 not as UTF-8 encoded Unicode. 273 274 See https://github.com/curl/curl/pull/7252 and 275 https://github.com/curl/curl/pull/7281 276 277 Cannot handle Unicode arguments in non-Unicode builds on Windows 278 279 If a URL or filename cannot be encoded using the user's current codepage then 280 it can only be encoded properly in the Unicode character set. Windows uses 281 UTF-16 encoding for Unicode and stores it in wide characters, however curl 282 and libcurl are not equipped for that at the moment except when built with 283 _UNICODE and UNICODE defined. Except for Cygwin, Windows cannot use UTF-8 as 284 a locale. 285 286 https://curl.se/bug/?i=345 287 https://curl.se/bug/?i=731 288 https://curl.se/bug/?i=3747 289 290 NTLM authentication and Unicode 291 292 NTLM authentication involving Unicode username or password only works 293 properly if built with UNICODE defined together with the Schannel backend. 294 The original problem was mentioned in: 295 https://curl.se/mail/lib-2009-10/0024.html 296 https://curl.se/bug/view.cgi?id=896 297 298 The Schannel version verified to work as mentioned in 299 https://curl.se/mail/lib-2012-07/0073.html 300 3016. Authentication 302 3036.2 MIT Kerberos for Windows build 304 305 libcurl fails to build with MIT Kerberos for Windows (KfW) due to KfW's 306 library header files exporting symbols/macros that should be kept private to 307 the KfW library. See ticket #5601 at https://krbdev.mit.edu/rt/ 308 3096.3 NTLM in system context uses wrong name 310 311 NTLM authentication using SSPI (on Windows) when (lib)curl is running in 312 "system context" makes it use wrong(?) username - at least when compared to 313 what winhttp does. See https://curl.se/bug/view.cgi?id=535 314 3156.5 NTLM does not support password with § character 316 317 https://github.com/curl/curl/issues/2120 318 3196.6 libcurl can fail to try alternatives with --proxy-any 320 321 When connecting via a proxy using --proxy-any, a failure to establish an 322 authentication causes libcurl to abort trying other options if the failed 323 method has a higher preference than the alternatives. As an example, 324 --proxy-any against a proxy which advertise Negotiate and NTLM, but which 325 fails to set up Kerberos authentication does not proceed to try 326 authentication using NTLM. 327 328 https://github.com/curl/curl/issues/876 329 3306.7 Do not clear digest for single realm 331 332 https://github.com/curl/curl/issues/3267 333 3346.8 Heimdal memory leaks 335 336 Running test 2077 and 2078 with curl built to do GSS with Heimdal causes 337 valgrind errors (memory leak). 338 339 https://github.com/curl/curl/issues/14446 340 3416.9 SHA-256 digest not supported in Windows SSPI builds 342 343 Windows builds of curl that have SSPI enabled use the native Windows API calls 344 to create authentication strings. The call to InitializeSecurityContext fails 345 with SEC_E_QOP_NOT_SUPPORTED which causes curl to fail with CURLE_AUTH_ERROR. 346 347 Microsoft does not document supported digest algorithms and that SEC_E error 348 code is not a documented error for InitializeSecurityContext (digest). 349 350 https://github.com/curl/curl/issues/6302 351 3526.10 curl never completes Negotiate over HTTP 353 354 Apparently it is not working correctly...? 355 356 See https://github.com/curl/curl/issues/5235 357 3586.11 Negotiate on Windows fails 359 360 When using --negotiate (or NTLM) with curl on Windows, SSL/TLS handshake 361 fails despite having a valid kerberos ticket cached. Works without any issue 362 in Unix/Linux. 363 364 https://github.com/curl/curl/issues/5881 365 3666.12 cannot use Secure Transport with Crypto Token Kit 367 368 https://github.com/curl/curl/issues/7048 369 3706.13 Negotiate authentication against Hadoop HDFS 371 372 https://github.com/curl/curl/issues/8264 373 3747. FTP 375 3767.4 FTP with ACCT 377 378 When doing an operation over FTP that requires the ACCT command (but not when 379 logging in), the operation fails since libcurl does not detect this and thus 380 fails to issue the correct command: https://curl.se/bug/view.cgi?id=635 381 3827.12 FTPS server compatibility on Windows with Schannel 383 384 FTPS is not widely used with the Schannel TLS backend and so there may be 385 more bugs compared to other TLS backends such as OpenSSL. In the past users 386 have reported hanging and failed connections. It is likely some changes to 387 curl since then fixed the issues. None of the reported issues can be 388 reproduced any longer. 389 390 If you encounter an issue connecting to your server via FTPS with the latest 391 curl and Schannel then please search for open issues or file a new issue. 392 3939. SFTP and SCP 394 3959.1 SFTP does not do CURLOPT_POSTQUOTE correct 396 397 When libcurl sends CURLOPT_POSTQUOTE commands when connected to a SFTP server 398 using the multi interface, the commands are not being sent correctly and 399 instead the connection is "cancelled" (the operation is considered done) 400 prematurely. There is a half-baked (busy-looping) patch provided in the bug 401 report but it cannot be accepted as-is. See 402 https://curl.se/bug/view.cgi?id=748 403 4049.2 wolfssh: publickey auth does not work 405 406 When building curl to use the wolfSSH backend for SFTP, the publickey 407 authentication does not work. This is simply functionality not written for curl 408 yet, the necessary API for make this work is provided by wolfSSH. 409 410 See https://github.com/curl/curl/issues/4820 411 4129.3 Remote recursive folder creation with SFTP 413 414 On this servers, the curl fails to create directories on the remote server 415 even when the CURLOPT_FTP_CREATE_MISSING_DIRS option is set. 416 417 See https://github.com/curl/curl/issues/5204 418 4199.4 libssh blocking and infinite loop problem 420 421 In the SSH_SFTP_INIT state for libssh, the ssh session working mode is set to 422 blocking mode. If the network is suddenly disconnected during sftp 423 transmission, curl is stuck, even if curl is configured with a timeout. 424 425 https://github.com/curl/curl/issues/8632 426 4279.5 Cygwin: "WARNING: UNPROTECTED PRIVATE KEY FILE!" 428 429 Running SCP and SFTP tests on Cygwin makes this warning message appear. 430 431 https://github.com/curl/curl/issues/11244 432 43310. SOCKS 434 43511. Internals 436 43711.1 gssapi library name + version is missing in curl_version_info() 438 439 The struct needs to be expanded and code added to store this info. 440 441 See https://github.com/curl/curl/issues/13492 442 44311.2 error buffer not set if connection to multiple addresses fails 444 445 If you ask libcurl to resolve a hostname like example.com to IPv6 addresses 446 when you only have IPv4 connectivity. libcurl fails with 447 CURLE_COULDNT_CONNECT, but the error buffer set by CURLOPT_ERRORBUFFER 448 remains empty. Issue: https://github.com/curl/curl/issues/544 449 45011.3 TFTP tests fail on OpenBSD 451 452 When adding an OpenBSD job with tests to GHA, some tests consistently fail 453 to run. 454 455 See https://github.com/curl/curl/issues/13623 456 45711.4 HTTP test server 'connection-monitor' problems 458 459 The 'connection-monitor' feature of the sws HTTP test server does not work 460 properly if some tests are run in unexpected order. Like 1509 and then 1525. 461 462 See https://github.com/curl/curl/issues/868 463 46411.5 Connection information when using TCP Fast Open 465 466 CURLINFO_LOCAL_PORT (and possibly a few other) fails when TCP Fast Open is 467 enabled. 468 469 See https://github.com/curl/curl/issues/1332 and 470 https://github.com/curl/curl/issues/4296 471 47211.6 test cases sometimes timeout 473 474 Occasionally, one of the tests timeouts. Inexplicably. 475 476 See https://github.com/curl/curl/issues/13350 477 47811.7 CURLOPT_CONNECT_TO does not work for HTTPS proxy 479 480 It is unclear if the same option should even cover the proxy connection or if 481 if requires a separate option. 482 483 See https://github.com/curl/curl/issues/14481 484 48511.8 WinIDN test failures 486 487 Test 165 disabled when built with WinIDN. 488 48912. LDAP 490 49112.1 OpenLDAP hangs after returning results 492 493 By configuration defaults, OpenLDAP automatically chase referrals on 494 secondary socket descriptors. The OpenLDAP backend is asynchronous and thus 495 should monitor all socket descriptors involved. Currently, these secondary 496 descriptors are not monitored, causing OpenLDAP library to never receive 497 data from them. 498 499 As a temporary workaround, disable referrals chasing by configuration. 500 501 The fix is not easy: proper automatic referrals chasing requires a 502 synchronous bind callback and monitoring an arbitrary number of socket 503 descriptors for a single easy handle (currently limited to 5). 504 505 Generic LDAP is synchronous: OK. 506 507 See https://github.com/curl/curl/issues/622 and 508 https://curl.se/mail/lib-2016-01/0101.html 509 51012.2 LDAP on Windows does authentication wrong? 511 512 https://github.com/curl/curl/issues/3116 513 51412.3 LDAP on Windows does not work 515 516 A simple curl command line getting "ldap://ldap.forumsys.com" returns an 517 error that says "no memory" ! 518 519 https://github.com/curl/curl/issues/4261 520 52112.4 LDAPS requests to ActiveDirectory server hang 522 523 https://github.com/curl/curl/issues/9580 524 52513. TCP/IP 526 52713.2 Trying local ports fails on Windows 528 529 This makes '--local-port [range]' to not work since curl cannot properly 530 detect if a port is already in use, so it tries the first port, uses that and 531 then subsequently fails anyway if that was actually in use. 532 533 https://github.com/curl/curl/issues/8112 534 53515. CMake 536 53715.1 cmake outputs: no version information available 538 539 Something in the SONAME generation seems to be wrong in the cmake build. 540 541 https://github.com/curl/curl/issues/11158 542 54315.6 uses -lpthread instead of Threads::Threads 544 545 See https://github.com/curl/curl/issues/6166 546 54715.7 generated .pc file contains strange entries 548 549 The Libs.private field of the generated .pc file contains -lgcc -lgcc_s -lc 550 -lgcc -lgcc_s 551 552 See https://github.com/curl/curl/issues/6167 553 55415.13 CMake build with MIT Kerberos does not work 555 556 Minimum CMake version was bumped in curl 7.71.0 (#5358) Since CMake 3.2 557 try_compile started respecting the CMAKE_EXE_FLAGS. The code dealing with 558 MIT Kerberos detection sets few variables to potentially weird mix of space, 559 and ;-separated flags. It had to blow up at some point. All the CMake checks 560 that involve compilation are doomed from that point, the configured tree 561 cannot be built. 562 563 https://github.com/curl/curl/issues/6904 564 56516. aws-sigv4 566 56716.2 aws-sigv4 does not handle multipart/form-data correctly 568 569 https://github.com/curl/curl/issues/13351 570 57116.3 aws-sigv4 has problems with particular URLs 572 573 https://github.com/curl/curl/issues/13058 574 57516.6 aws-sigv4 does not behave well with AWS VPC Lattice 576 577 https://github.com/curl/curl/issues/11007 578 57917. HTTP/2 580 58117.1 HTTP/2 prior knowledge over proxy 582 583 https://github.com/curl/curl/issues/12641 584 58517.2 HTTP/2 frames while in the connection pool kill reuse 586 587 If the server sends HTTP/2 frames (like for example an HTTP/2 PING frame) to 588 curl while the connection is held in curl's connection pool, the socket is 589 found readable when considered for reuse and that makes curl think it is dead 590 and then it is closed and a new connection gets created instead. 591 592 This is *best* fixed by adding monitoring to connections while they are kept 593 in the pool so that pings can be responded to appropriately. 594 59517.3 ENHANCE_YOUR_CALM causes infinite retries 596 597 Infinite retries with 2 parallel requests on one connection receiving GOAWAY 598 with ENHANCE_YOUR_CALM error code. 599 600 See https://github.com/curl/curl/issues/5119 601 60217.4 HTTP/2 + TLS spends a lot of time in recv 603 604 It has been observered that by making the speed limit less accurate we could 605 improve this performance. (by reverting 606 https://github.com/curl/curl/commit/db5c9f4f9e0779b49624752b135281a0717b277b) 607 Can we find a golden middle ground? 608 609 See https://curl.se/mail/lib-2024-05/0026.html and 610 https://github.com/curl/curl/issues/13416 611 61218. HTTP/3 613 61418.1 connection migration does not work 615 616 https://github.com/curl/curl/issues/7695 617 61818.2 quiche: QUIC connection is draining 619 620 The transfer ends with error "QUIC connection is draining". 621 622 https://github.com/curl/curl/issues/12037 623 62419. RTSP 625 62619.1 Some methods do not support response bodies 627 628 The RTSP implementation is written to assume that a number of RTSP methods 629 always get responses without bodies, even though there seems to be no 630 indication in the RFC that this is always the case. 631 632 https://github.com/curl/curl/issues/12414 633