1 _ _ ____ _ 2 ___| | | | _ \| | 3 / __| | | | |_) | | 4 | (__| |_| | _ <| |___ 5 \___|\___/|_| \_\_____| 6 7 Things that could be nice to do in the future 8 9 Things to do in project curl. Please tell us what you think, contribute and 10 send us patches that improve things. 11 12 Be aware that these are things that we could do, or have once been considered 13 things we could do. If you want to work on any of these areas, please 14 consider bringing it up for discussions first on the mailing list so that we 15 all agree it is still a good idea for the project. 16 17 All bugs documented in the KNOWN_BUGS document are subject for fixing. 18 19 1. libcurl 20 1.1 TFO support on Windows 21 1.2 Consult %APPDATA% also for .netrc 22 1.3 struct lifreq 23 1.4 Better and more sharing 24 1.5 get rid of PATH_MAX 25 1.8 CURLOPT_RESOLVE for any port number 26 1.9 Cache negative name resolves 27 1.10 auto-detect proxy 28 1.11 minimize dependencies with dynamically loaded modules 29 1.12 updated DNS server while running 30 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION 31 1.15 Monitor connections in the connection pool 32 1.16 Try to URL encode given URL 33 1.17 Add support for IRIs 34 1.18 try next proxy if one does not work 35 1.19 provide timing info for each redirect 36 1.20 SRV and URI DNS records 37 1.21 netrc caching and sharing 38 1.22 CURLINFO_PAUSE_STATE 39 1.23 Offer API to flush the connection pool 40 1.25 Expose tried IP addresses that failed 41 1.28 FD_CLOEXEC 42 1.29 WebSocket read callback 43 1.30 config file parsing 44 1.31 erase secrets from heap/stack after use 45 1.32 add asynch getaddrinfo support 46 1.33 make DoH inherit more transfer properties 47 48 2. libcurl - multi interface 49 2.1 More non-blocking 50 2.2 Better support for same name resolves 51 2.3 Non-blocking curl_multi_remove_handle() 52 2.4 Split connect and authentication process 53 2.5 Edge-triggered sockets should work 54 2.6 multi upkeep 55 2.7 Virtual external sockets 56 2.8 dynamically decide to use socketpair 57 58 3. Documentation 59 3.1 Improve documentation about fork safety 60 3.2 Provide cmake config-file 61 62 4. FTP 63 4.1 HOST 64 4.2 Alter passive/active on failure and retry 65 4.3 Earlier bad letter detection 66 4.4 Support CURLOPT_PREQUOTE for dir listings too 67 4.5 ASCII support 68 4.6 GSSAPI via Windows SSPI 69 4.7 STAT for LIST without data connection 70 4.8 Passive transfer could try other IP addresses 71 72 5. HTTP 73 5.1 Provide the error body from a CONNECT response 74 5.2 Obey Retry-After in redirects 75 5.3 Rearrange request header order 76 5.4 Allow SAN names in HTTP/2 server push 77 5.5 auth= in URLs 78 5.6 alt-svc should fallback if alt-svc does not work 79 5.7 Require HTTP version X or higher 80 81 6. TELNET 82 6.1 ditch stdin 83 6.2 ditch telnet-specific select 84 6.3 feature negotiation debug data 85 6.4 exit immediately upon connection if stdin is /dev/null 86 87 7. SMTP 88 7.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT 89 7.2 Enhanced capability support 90 7.3 Add CURLOPT_MAIL_CLIENT option 91 92 8. POP3 93 8.2 Enhanced capability support 94 95 9. IMAP 96 9.1 Enhanced capability support 97 98 10. LDAP 99 10.1 SASL based authentication mechanisms 100 10.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS 101 10.3 Paged searches on LDAP server 102 10.4 Certificate-Based Authentication 103 104 11. SMB 105 11.1 File listing support 106 11.2 Honor file timestamps 107 11.3 Use NTLMv2 108 11.4 Create remote directories 109 110 12. FILE 111 12.1 Directory listing for FILE: 112 113 13. TLS 114 13.1 TLS-PSK with OpenSSL 115 13.2 Provide mutex locking API 116 13.3 Defeat TLS fingerprinting 117 13.4 Cache/share OpenSSL contexts 118 13.5 Export session ids 119 13.6 Provide callback for cert verification 120 13.7 Less memory massaging with Schannel 121 13.8 Support DANE 122 13.9 TLS record padding 123 13.10 Support Authority Information Access certificate extension (AIA) 124 13.11 Some TLS options are not offered for HTTPS proxies 125 13.12 Reduce CA certificate bundle reparsing 126 13.13 Make sure we forbid TLS 1.3 post-handshake authentication 127 13.14 Support the clienthello extension 128 13.15 Select signature algorithms 129 13.16 QUIC peer verification with wolfSSL 130 131 14. GnuTLS 132 14.2 check connection 133 134 15. Schannel 135 15.1 Extend support for client certificate authentication 136 15.2 Extend support for the --ciphers option 137 15.4 Add option to allow abrupt server closure 138 139 16. SASL 140 16.1 Other authentication mechanisms 141 16.2 Add QOP support to GSSAPI authentication 142 143 17. SSH protocols 144 17.1 Multiplexing 145 17.2 Handle growing SFTP files 146 17.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519 147 17.4 Support CURLOPT_PREQUOTE 148 17.5 SSH over HTTPS proxy with more backends 149 17.6 SFTP with SCP:// 150 151 18. Command line tool 152 18.1 sync 153 18.2 glob posts 154 18.4 --proxycommand 155 18.5 UTF-8 filenames in Content-Disposition 156 18.6 Option to make -Z merge lined based outputs on stdout 157 18.8 Consider convenience options for JSON and XML? 158 18.9 Choose the name of file in braces for complex URLs 159 18.10 improve how curl works in a windows console window 160 18.11 Windows: set attribute 'archive' for completed downloads 161 18.12 keep running, read instructions from pipe/socket 162 18.13 Ratelimit or wait between serial requests 163 18.14 --dry-run 164 18.15 --retry should resume 165 18.16 send only part of --data 166 18.17 consider file name from the redirected URL with -O ? 167 18.18 retry on network is unreachable 168 18.19 expand ~/ in config files 169 18.20 host name sections in config files 170 18.21 retry on the redirected-to URL 171 18.23 Set the modification date on an uploaded file 172 18.24 Use multiple parallel transfers for a single download 173 18.25 Prevent terminal injection when writing to terminal 174 18.26 Custom progress meter update interval 175 18.27 -J and -O with %-encoded file names 176 18.28 -J with -C - 177 18.29 --retry and transfer timeouts 178 179 19. Build 180 19.2 Enable PIE and RELRO by default 181 19.3 Do not use GNU libtool on OpenBSD 182 19.4 Package curl for Windows in a signed installer 183 19.5 make configure use --cache-file more and better 184 19.6 build curl with Windows Unicode support 185 186 20. Test suite 187 20.1 SSL tunnel 188 20.2 nicer lacking perl message 189 20.3 more protocols supported 190 20.4 more platforms supported 191 20.5 Add support for concurrent connections 192 20.6 Use the RFC 6265 test suite 193 20.7 Support LD_PRELOAD on macOS 194 20.8 Run web-platform-tests URL tests 195 196 21. MQTT 197 21.1 Support rate-limiting 198 199 22. TFTP 200 22.1 TFTP doesn't convert LF to CRLF for mode=netascii 201 202============================================================================== 203 2041. libcurl 205 2061.1 TFO support on Windows 207 208 libcurl supports the CURLOPT_TCP_FASTOPEN option since 7.49.0 for Linux and 209 Mac OS. Windows supports TCP Fast Open starting with Windows 10, version 1607 210 and we should add support for it. 211 212 TCP Fast Open is supported on several platforms but not on Windows. Work on 213 this was once started but never finished. 214 215 See https://github.com/curl/curl/pull/3378 216 2171.2 Consult %APPDATA% also for .netrc 218 219 %APPDATA%\.netrc is not considered when running on Windows. should not it? 220 221 See https://github.com/curl/curl/issues/4016 222 2231.3 struct lifreq 224 225 Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and 226 SIOCGIFADDR on newer Solaris versions as they claim the latter is obsolete. 227 To support IPv6 interface addresses for network interfaces properly. 228 2291.4 Better and more sharing 230 231 The share interface could benefit from allowing the alt-svc cache to be 232 possible to share between easy handles. 233 234 See https://github.com/curl/curl/issues/4476 235 236 The share interface offers CURL_LOCK_DATA_CONNECT to have multiple easy 237 handle share a connection cache, but due to how connections are used they are 238 still not thread-safe when used shared. 239 240 See https://github.com/curl/curl/issues/4915 and lib1541.c 241 242 The share interface offers CURL_LOCK_DATA_HSTS to have multiple easy handle 243 share a HSTS cache, but this is not thread-safe. 244 2451.5 get rid of PATH_MAX 246 247 Having code use and rely on PATH_MAX is not nice: 248 https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html 249 250 Currently the libssh2 SSH based code uses it, but to remove PATH_MAX from 251 there we need libssh2 to properly tell us when we pass in a too small buffer 252 and its current API (as of libssh2 1.2.7) does not. 253 2541.8 CURLOPT_RESOLVE for any port number 255 256 This option allows applications to set a replacement IP address for a given 257 host + port pair. Consider making support for providing a replacement address 258 for the host name on all port numbers. 259 260 See https://github.com/curl/curl/issues/1264 261 2621.9 Cache negative name resolves 263 264 A name resolve that has failed is likely to fail when made again within a 265 short period of time. Currently we only cache positive responses. 266 2671.10 auto-detect proxy 268 269 libcurl could be made to detect the system proxy setup automatically and use 270 that. On Windows, macOS and Linux desktops for example. 271 272 The pull-request to use libproxy for this was deferred due to doubts on the 273 reliability of the dependency and how to use it: 274 https://github.com/curl/curl/pull/977 275 276 libdetectproxy is a (C++) library for detecting the proxy on Windows 277 https://github.com/paulharris/libdetectproxy 278 2791.11 minimize dependencies with dynamically loaded modules 280 281 We can create a system with loadable modules/plug-ins, where these modules 282 would be the ones that link to 3rd party libs. That would allow us to avoid 283 having to load ALL dependencies since only the necessary ones for this 284 app/invoke/used protocols would be necessary to load. See 285 https://github.com/curl/curl/issues/349 286 2871.12 updated DNS server while running 288 289 If /etc/resolv.conf gets updated while a program using libcurl is running, it 290 is may cause name resolves to fail unless res_init() is called. We should 291 consider calling res_init() + retry once unconditionally on all name resolve 292 failures to mitigate against this. Firefox works like that. Note that Windows 293 does not have res_init() or an alternative. 294 295 https://github.com/curl/curl/issues/2251 296 2971.13 c-ares and CURLOPT_OPENSOCKETFUNCTION 298 299 curl will create most sockets via the CURLOPT_OPENSOCKETFUNCTION callback and 300 close them with the CURLOPT_CLOSESOCKETFUNCTION callback. However, c-ares 301 does not use those functions and instead opens and closes the sockets 302 itself. This means that when curl passes the c-ares socket to the 303 CURLMOPT_SOCKETFUNCTION it is not owned by the application like other sockets. 304 305 See https://github.com/curl/curl/issues/2734 306 3071.15 Monitor connections in the connection pool 308 309 libcurl's connection cache or pool holds a number of open connections for the 310 purpose of possible subsequent connection reuse. It may contain a few up to a 311 significant amount of connections. Currently, libcurl leaves all connections 312 as they are and first when a connection is iterated over for matching or 313 reuse purpose it is verified that it is still alive. 314 315 Those connections may get closed by the server side for idleness or they may 316 get an HTTP/2 ping from the peer to verify that they are still alive. By 317 adding monitoring of the connections while in the pool, libcurl can detect 318 dead connections (and close them) better and earlier, and it can handle 319 HTTP/2 pings to keep such ones alive even when not actively doing transfers 320 on them. 321 3221.16 Try to URL encode given URL 323 324 Given a URL that for example contains spaces, libcurl could have an option 325 that would try somewhat harder than it does now and convert spaces to %20 and 326 perhaps URL encoded byte values over 128 etc (basically do what the redirect 327 following code already does). 328 329 https://github.com/curl/curl/issues/514 330 3311.17 Add support for IRIs 332 333 IRIs (RFC 3987) allow localized, non-ascii, names in the URL. To properly 334 support this, curl/libcurl would need to translate/encode the given input 335 from the input string encoding into percent encoded output "over the wire". 336 337 To make that work smoothly for curl users even on Windows, curl would 338 probably need to be able to convert from several input encodings. 339 3401.18 try next proxy if one does not work 341 342 Allow an application to specify a list of proxies to try, and failing to 343 connect to the first go on and try the next instead until the list is 344 exhausted. Browsers support this feature at least when they specify proxies 345 using PACs. 346 347 https://github.com/curl/curl/issues/896 348 3491.19 provide timing info for each redirect 350 351 curl and libcurl provide timing information via a set of different 352 time-stamps (CURLINFO_*_TIME). When curl is following redirects, those 353 returned time value are the accumulated sums. An improvement could be to 354 offer separate timings for each redirect. 355 356 https://github.com/curl/curl/issues/6743 357 3581.20 SRV and URI DNS records 359 360 Offer support for resolving SRV and URI DNS records for libcurl to know which 361 server to connect to for various protocols (including HTTP). 362 3631.21 netrc caching and sharing 364 365 The netrc file is read and parsed each time a connection is setup, which 366 means that if a transfer needs multiple connections for authentication or 367 redirects, the file might be reread (and parsed) multiple times. This makes 368 it impossible to provide the file as a pipe. 369 3701.22 CURLINFO_PAUSE_STATE 371 372 Return information about the transfer's current pause state, in both 373 directions. https://github.com/curl/curl/issues/2588 374 3751.23 Offer API to flush the connection pool 376 377 Sometimes applications want to flush all the existing connections kept alive. 378 An API could allow a forced flush or just a forced loop that would properly 379 close all connections that have been closed by the server already. 380 3811.25 Expose tried IP addresses that failed 382 383 When libcurl fails to connect to a host, it could offer the application the 384 addresses that were used in the attempt. Source + dest IP, source + dest port 385 and protocol (UDP or TCP) for each failure. Possibly as a callback. Perhaps 386 also provide "reason". 387 388 https://github.com/curl/curl/issues/2126 389 3901.28 FD_CLOEXEC 391 392 It sets the close-on-exec flag for the file descriptor, which causes the file 393 descriptor to be automatically (and atomically) closed when any of the 394 exec-family functions succeed. Should probably be set by default? 395 396 https://github.com/curl/curl/issues/2252 397 3981.29 WebSocket read callback 399 400 Call the read callback once the connection is established to allow sending 401 the first message in the connection. 402 403 https://github.com/curl/curl/issues/11402 404 4051.30 config file parsing 406 407 Consider providing an API, possibly in a separate companion library, for 408 parsing a config file like curl's -K/--config option to allow applications to 409 get the same ability to read curl options from files. 410 411 See https://github.com/curl/curl/issues/3698 412 4131.31 erase secrets from heap/stack after use 414 415 Introducing a concept and system to erase secrets from memory after use, it 416 could help mitigate and lessen the impact of (future) security problems etc. 417 However: most secrets are passed to libcurl as clear text from the 418 application and then clearing them within the library adds nothing... 419 420 https://github.com/curl/curl/issues/7268 421 4221.32 add asynch getaddrinfo support 423 424 Use getaddrinfo_a() to provide an asynch name resolver backend to libcurl 425 that does not use threads and does not depend on c-ares. The getaddrinfo_a 426 function is (probably?) glibc specific but that is a widely used libc among 427 our users. 428 429 https://github.com/curl/curl/pull/6746 430 4311.33 make DoH inherit more transfer properties 432 433 Some options are not inherited because they are not relevant for the DoH SSL 434 connections, or inheriting the option may result in unexpected behavior. For 435 example the user's debug function callback is not inherited because it would 436 be unexpected for internal handles (ie DoH handles) to be passed to that 437 callback. 438 439 If an option is not inherited then it is not possible to set it separately 440 for DoH without a DoH-specific option. For example: 441 CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and 442 CURLOPT_DOH_SSL_VERIFYSTATUS. 443 444 See https://github.com/curl/curl/issues/6605 445 4462. libcurl - multi interface 447 4482.1 More non-blocking 449 450 Make sure we do not ever loop because of non-blocking sockets returning 451 EWOULDBLOCK or similar. Blocking cases include: 452 453 - Name resolves on non-windows unless c-ares or the threaded resolver is used. 454 455 - The threaded resolver may block on cleanup: 456 https://github.com/curl/curl/issues/4852 457 458 - file:// transfers 459 460 - TELNET transfers 461 462 - GSSAPI authentication for FTP transfers 463 464 - The "DONE" operation (post transfer protocol-specific actions) for the 465 protocols SFTP, SMTP, FTP. Fixing multi_done() for this is a worthy task. 466 467 - curl_multi_remove_handle for any of the above. See section 2.3. 468 4692.2 Better support for same name resolves 470 471 If a name resolve has been initiated for name NN and a second easy handle 472 wants to resolve that name as well, make it wait for the first resolve to end 473 up in the cache instead of doing a second separate resolve. This is 474 especially needed when adding many simultaneous handles using the same host 475 name when the DNS resolver can get flooded. 476 4772.3 Non-blocking curl_multi_remove_handle() 478 479 The multi interface has a few API calls that assume a blocking behavior, like 480 add_handle() and remove_handle() which limits what we can do internally. The 481 multi API need to be moved even more into a single function that "drives" 482 everything in a non-blocking manner and signals when something is done. A 483 remove or add would then only ask for the action to get started and then 484 multi_perform() etc still be called until the add/remove is completed. 485 4862.4 Split connect and authentication process 487 488 The multi interface treats the authentication process as part of the connect 489 phase. As such any failures during authentication will not trigger the relevant 490 QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP. 491 4922.5 Edge-triggered sockets should work 493 494 The multi_socket API should work with edge-triggered socket events. One of 495 the internal actions that need to be improved for this to work perfectly is 496 the 'maxloops' handling in transfer.c:readwrite_data(). 497 4982.6 multi upkeep 499 500 In libcurl 7.62.0 we introduced curl_easy_upkeep. It unfortunately only works 501 on easy handles. We should introduces a version of that for the multi handle, 502 and also consider doing "upkeep" automatically on connections in the 503 connection pool when the multi handle is in used. 504 505 See https://github.com/curl/curl/issues/3199 506 5072.7 Virtual external sockets 508 509 libcurl performs operations on the given file descriptor that presumes it is 510 a socket and an application cannot replace them at the moment. Allowing an 511 application to fully replace those would allow a larger degree of freedom and 512 flexibility. 513 514 See https://github.com/curl/curl/issues/5835 515 5162.8 dynamically decide to use socketpair 517 518 For users who do not use curl_multi_wait() or do not care for 519 curl_multi_wakeup(), we could introduce a way to make libcurl NOT 520 create a socketpair in the multi handle. 521 522 See https://github.com/curl/curl/issues/4829 523 5243. Documentation 525 5263.1 Improve documentation about fork safety 527 528 See https://github.com/curl/curl/issues/6968 529 5303.2 Provide cmake config-file 531 532 A config-file package is a set of files provided by us to allow applications 533 to write cmake scripts to find and use libcurl easier. See 534 https://github.com/curl/curl/issues/885 535 5364. FTP 537 5384.1 HOST 539 540 HOST is a command for a client to tell which host name to use, to offer FTP 541 servers named-based virtual hosting: 542 543 https://datatracker.ietf.org/doc/html/rfc7151 544 5454.2 Alter passive/active on failure and retry 546 547 When trying to connect passively to a server which only supports active 548 connections, libcurl returns CURLE_FTP_WEIRD_PASV_REPLY and closes the 549 connection. There could be a way to fallback to an active connection (and 550 vice versa). https://curl.se/bug/feature.cgi?id=1754793 551 5524.3 Earlier bad letter detection 553 554 Make the detection of (bad) %0d and %0a codes in FTP URL parts earlier in the 555 process to avoid doing a resolve and connect in vain. 556 5574.4 Support CURLOPT_PREQUOTE for dir listings too 558 559 The lack of support is mostly an oversight and requires the FTP state machine 560 to get updated to get fixed. 561 562 https://github.com/curl/curl/issues/8602 563 5644.5 ASCII support 565 566 FTP ASCII transfers do not follow RFC 959. They do not convert the data 567 accordingly. 568 5694.6 GSSAPI via Windows SSPI 570 571 In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5) 572 via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add 573 support for GSSAPI authentication via Windows SSPI. 574 5754.7 STAT for LIST without data connection 576 577 Some FTP servers allow STAT for listing directories instead of using LIST, 578 and the response is then sent over the control connection instead of as the 579 otherwise usedw data connection: https://www.nsftools.com/tips/RawFTP.htm#STAT 580 581 This is not detailed in any FTP specification. 582 5834.8 Passive transfer could try other IP addresses 584 585 When doing FTP operations through a proxy at localhost, the reported spotted 586 that curl only tried to connect once to the proxy, while it had multiple 587 addresses and a failed connect on one address should make it try the next. 588 589 After switching to passive mode (EPSV), curl could try all IP addresses for 590 "localhost". Currently it tries ::1, but it should also try 127.0.0.1. 591 592 See https://github.com/curl/curl/issues/1508 593 5945. HTTP 595 5965.1 Provide the error body from a CONNECT response 597 598 When curl receives a body response from a CONNECT request to a proxy, it will 599 always just read and ignore it. It would make some users happy if curl 600 instead optionally would be able to make that responsible available. Via a new 601 callback? Through some other means? 602 603 See https://github.com/curl/curl/issues/9513 604 6055.2 Obey Retry-After in redirects 606 607 The Retry-After is said to dicate "the minimum time that the user agent is 608 asked to wait before issuing the redirected request" and libcurl does not 609 obey this. 610 611 See https://github.com/curl/curl/issues/11447 612 6135.3 Rearrange request header order 614 615 Server implementers often make an effort to detect browser and to reject 616 clients it can detect to not match. One of the last details we cannot yet 617 control in libcurl's HTTP requests, which also can be exploited to detect 618 that libcurl is in fact used even when it tries to impersonate a browser, is 619 the order of the request headers. I propose that we introduce a new option in 620 which you give headers a value, and then when the HTTP request is built it 621 sorts the headers based on that number. We could then have internally created 622 headers use a default value so only headers that need to be moved have to be 623 specified. 624 6255.4 Allow SAN names in HTTP/2 server push 626 627 curl only allows HTTP/2 push promise if the provided :authority header value 628 exactly matches the host name given in the URL. It could be extended to allow 629 any name that would match the Subject Alternative Names in the server's TLS 630 certificate. 631 632 See https://github.com/curl/curl/pull/3581 633 6345.5 auth= in URLs 635 636 Add the ability to specify the preferred authentication mechanism to use by 637 using ;auth=<mech> in the login part of the URL. 638 639 For example: 640 641 http://test:pass;auth=NTLM@example.com would be equivalent to specifying 642 --user test:pass;auth=NTLM or --user test:pass --ntlm from the command line. 643 644 Additionally this should be implemented for proxy base URLs as well. 645 6465.6 alt-svc should fallback if alt-svc does not work 647 648 The alt-svc: header provides a set of alternative services for curl to use 649 instead of the original. If the first attempted one fails, it should try the 650 next etc and if all alternatives fail go back to the original. 651 652 See https://github.com/curl/curl/issues/4908 653 6545.7 Require HTTP version X or higher 655 656 curl and libcurl provide options for trying higher HTTP versions (for example 657 HTTP/2) but then still allows the server to pick version 1.1. We could 658 consider adding a way to require a minimum version. 659 660 See https://github.com/curl/curl/issues/7980 661 6626. TELNET 663 6646.1 ditch stdin 665 666 Reading input (to send to the remote server) on stdin is a crappy solution 667 for library purposes. We need to invent a good way for the application to be 668 able to provide the data to send. 669 6706.2 ditch telnet-specific select 671 672 Move the telnet support's network select() loop go away and merge the code 673 into the main transfer loop. Until this is done, the multi interface will not 674 work for telnet. 675 6766.3 feature negotiation debug data 677 678 Add telnet feature negotiation data to the debug callback as header data. 679 6806.4 exit immediately upon connection if stdin is /dev/null 681 682 If it did, curl could be used to probe if there is an server there listening 683 on a specific port. That is, the following command would exit immediately 684 after the connection is established with exit code 0: 685 686 curl -s --connect-timeout 2 telnet://example.com:80 </dev/null 687 6887. SMTP 689 6907.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT 691 692 Is there a way to pass the NOTIFY option to the CURLOPT_MAIL_RCPT option ? I 693 set a string that already contains a bracket. For instance something like 694 that: curl_slist_append( recipients, "<foo@bar> NOTIFY=SUCCESS,FAILURE" ); 695 696 https://github.com/curl/curl/issues/8232 697 6987.2 Enhanced capability support 699 700 Add the ability, for an application that uses libcurl, to obtain the list of 701 capabilities returned from the EHLO command. 702 7037.3 Add CURLOPT_MAIL_CLIENT option 704 705 Rather than use the URL to specify the mail client string to present in the 706 HELO and EHLO commands, libcurl should support a new CURLOPT specifically for 707 specifying this data as the URL is non-standard and to be honest a bit of a 708 hack ;-) 709 710 Please see the following thread for more information: 711 https://curl.se/mail/lib-2012-05/0178.html 712 713 7148. POP3 715 7168.2 Enhanced capability support 717 718 Add the ability, for an application that uses libcurl, to obtain the list of 719 capabilities returned from the CAPA command. 720 7219. IMAP 722 7239.1 Enhanced capability support 724 725 Add the ability, for an application that uses libcurl, to obtain the list of 726 capabilities returned from the CAPABILITY command. 727 72810. LDAP 729 73010.1 SASL based authentication mechanisms 731 732 Currently the LDAP module only supports ldap_simple_bind_s() in order to bind 733 to an LDAP server. However, this function sends username and password details 734 using the simple authentication mechanism (as clear text). However, it should 735 be possible to use ldap_bind_s() instead specifying the security context 736 information ourselves. 737 73810.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS 739 740 CURLOPT_SSL_CTX_FUNCTION works perfectly for HTTPS and email protocols, but 741 it has no effect for LDAPS connections. 742 743 https://github.com/curl/curl/issues/4108 744 74510.3 Paged searches on LDAP server 746 747 https://github.com/curl/curl/issues/4452 748 74910.4 Certificate-Based Authentication 750 751 LDAPS not possible with MAC and Windows with Certificate-Based Authentication 752 753 https://github.com/curl/curl/issues/9641 754 75511. SMB 756 75711.1 File listing support 758 759 Add support for listing the contents of a SMB share. The output should 760 probably be the same as/similar to FTP. 761 76211.2 Honor file timestamps 763 764 The timestamp of the transferred file should reflect that of the original 765 file. 766 76711.3 Use NTLMv2 768 769 Currently the SMB authentication uses NTLMv1. 770 77111.4 Create remote directories 772 773 Support for creating remote directories when uploading a file to a directory 774 that does not exist on the server, just like --ftp-create-dirs. 775 776 77712. FILE 778 77912.1 Directory listing for FILE: 780 781 Add support for listing the contents of a directory accessed with FILE. The 782 output should probably be the same as/similar to FTP. 783 784 78513. TLS 786 78713.1 TLS-PSK with OpenSSL 788 789 Transport Layer Security pre-shared key ciphersuites (TLS-PSK) is a set of 790 cryptographic protocols that provide secure communication based on pre-shared 791 keys (PSKs). These pre-shared keys are symmetric keys shared in advance among 792 the communicating parties. 793 794 https://github.com/curl/curl/issues/5081 795 79613.2 Provide mutex locking API 797 798 Provide a libcurl API for setting mutex callbacks in the underlying SSL 799 library, so that the same application code can use mutex-locking 800 independently of OpenSSL or GnutTLS being used. 801 80213.3 Defeat TLS fingerprinting 803 804 By changing the order of TLS extensions provided in the TLS handshake, it is 805 sometimes possible to circumvent TLS fingerprinting by servers. The TLS 806 extension order is of course not the only way to fingerprint a client. 807 808 See https://github.com/curl/curl/issues/8119 809 81013.4 Cache/share OpenSSL contexts 811 812 "Look at SSL cafile - quick traces look to me like these are done on every 813 request as well, when they should only be necessary once per SSL context (or 814 once per handle)". The major improvement we can rather easily do is to make 815 sure we do not create and kill a new SSL "context" for every request, but 816 instead make one for every connection and reuse that SSL context in the same 817 style connections are reused. It will make us use slightly more memory but it 818 will libcurl do less creations and deletions of SSL contexts. 819 820 Technically, the "caching" is probably best implemented by getting added to 821 the share interface so that easy handles who want to and can reuse the 822 context specify that by sharing with the right properties set. 823 824 https://github.com/curl/curl/issues/1110 825 82613.5 Export session ids 827 828 Add an interface to libcurl that enables "session IDs" to get 829 exported/imported. Cris Bailiff said: "OpenSSL has functions which can 830 serialise the current SSL state to a buffer of your choice, and recover/reset 831 the state from such a buffer at a later date - this is used by mod_ssl for 832 apache to implement and SSL session ID cache". 833 83413.6 Provide callback for cert verification 835 836 OpenSSL supports a callback for customised verification of the peer 837 certificate, but this does not seem to be exposed in the libcurl APIs. Could 838 it be? There is so much that could be done if it were. 839 84013.7 Less memory massaging with Schannel 841 842 The Schannel backend does a lot of custom memory management we would rather 843 avoid: the repeated alloc + free in sends and the custom memory + realloc 844 system for encrypted and decrypted data. That should be avoided and reduced 845 for 1) efficiency and 2) safety. 846 84713.8 Support DANE 848 849 DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL 850 keys and certs over DNS using DNSSEC as an alternative to the CA model. 851 https://www.rfc-editor.org/rfc/rfc6698.txt 852 853 An initial patch was posted by Suresh Krishnaswamy on March 7th 2013 854 (https://curl.se/mail/lib-2013-03/0075.html) but it was a too simple 855 approach. See Daniel's comments: 856 https://curl.se/mail/lib-2013-03/0103.html . libunbound may be the 857 correct library to base this development on. 858 859 Björn Stenberg wrote a separate initial take on DANE that was never 860 completed. 861 86213.9 TLS record padding 863 864 TLS (1.3) offers optional record padding and OpenSSL provides an API for it. 865 I could make sense for libcurl to offer this ability to applications to make 866 traffic patterns harder to figure out by network traffic observers. 867 868 See https://github.com/curl/curl/issues/5398 869 87013.10 Support Authority Information Access certificate extension (AIA) 871 872 AIA can provide various things like CRLs but more importantly information 873 about intermediate CA certificates that can allow validation path to be 874 fulfilled when the HTTPS server does not itself provide them. 875 876 Since AIA is about downloading certs on demand to complete a TLS handshake, 877 it is probably a bit tricky to get done right. 878 879 See https://github.com/curl/curl/issues/2793 880 88113.11 Some TLS options are not offered for HTTPS proxies 882 883 Some TLS related options to the command line tool and libcurl are only 884 provided for the server and not for HTTPS proxies. --proxy-tls-max, 885 --proxy-tlsv1.3, --proxy-curves and a few more. 886 For more Documentation on this see: 887 https://curl.se/libcurl/c/tls-options.html 888 889 https://github.com/curl/curl/issues/12286 890 89113.12 Reduce CA certificate bundle reparsing 892 893 When using the OpenSSL backend, curl will load and reparse the CA bundle at 894 the creation of the "SSL context" when it sets up a connection to do a TLS 895 handshake. A more effective way would be to somehow cache the CA bundle to 896 avoid it having to be repeatedly reloaded and reparsed. 897 898 See https://github.com/curl/curl/issues/9379 899 90013.13 Make sure we forbid TLS 1.3 post-handshake authentication 901 902 RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3 903 post-handshake authentication. We should make sure to live up to that. 904 905 See https://github.com/curl/curl/issues/5396 906 90713.14 Support the clienthello extension 908 909 Certain stupid networks and middle boxes have a problem with SSL handshake 910 packets that are within a certain size range because how that sets some bits 911 that previously (in older TLS version) were not set. The clienthello 912 extension adds padding to avoid that size range. 913 914 https://datatracker.ietf.org/doc/html/rfc7685 915 https://github.com/curl/curl/issues/2299 916 91713.15 Select signature algorithms 918 919 Consider adding an option or a way for users to select TLS signature 920 algorithm. The signature algorithms set by a client are used directly in the 921 supported signature algorithm in the client hello message. 922 923 https://github.com/curl/curl/issues/12982 924 92513.16 QUIC peer verification with wolfSSL 926 927 Peer certificate verification is missing in the QUIC (ngtcp2) implementation 928 using wolfSSL. 929 93014. GnuTLS 931 93214.2 check connection 933 934 Add a way to check if the connection seems to be alive, to correspond to the 935 SSL_peak() way we use with OpenSSL. 936 93715. Schannel 938 93915.1 Extend support for client certificate authentication 940 941 The existing support for the -E/--cert and --key options could be 942 extended by supplying a custom certificate and key in PEM format, see: 943 - Getting a Certificate for Schannel 944 https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx 945 94615.2 Extend support for the --ciphers option 947 948 The existing support for the --ciphers option could be extended 949 by mapping the OpenSSL/GnuTLS cipher suites to the Schannel APIs, see 950 - Specifying Schannel Ciphers and Cipher Strengths 951 https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx 952 95315.4 Add option to allow abrupt server closure 954 955 libcurl w/schannel will error without a known termination point from the 956 server (such as length of transfer, or SSL "close notify" alert) to prevent 957 against a truncation attack. Really old servers may neglect to send any 958 termination point. An option could be added to ignore such abrupt closures. 959 960 https://github.com/curl/curl/issues/4427 961 96216. SASL 963 96416.1 Other authentication mechanisms 965 966 Add support for other authentication mechanisms such as OLP, 967 GSS-SPNEGO and others. 968 96916.2 Add QOP support to GSSAPI authentication 970 971 Currently the GSSAPI authentication only supports the default QOP of auth 972 (Authentication), whilst Kerberos V5 supports both auth-int (Authentication 973 with integrity protection) and auth-conf (Authentication with integrity and 974 privacy protection). 975 976 97717. SSH protocols 978 97917.1 Multiplexing 980 981 SSH is a perfectly fine multiplexed protocols which would allow libcurl to do 982 multiple parallel transfers from the same host using the same connection, 983 much in the same spirit as HTTP/2 does. libcurl however does not take 984 advantage of that ability but will instead always create a new connection for 985 new transfers even if an existing connection already exists to the host. 986 987 To fix this, libcurl would have to detect an existing connection and "attach" 988 the new transfer to the existing one. 989 99017.2 Handle growing SFTP files 991 992 The SFTP code in libcurl checks the file size *before* a transfer starts and 993 then proceeds to transfer exactly that amount of data. If the remote file 994 grows while the transfer is in progress libcurl will not notice and will not 995 adapt. The OpenSSH SFTP command line tool does and libcurl could also just 996 attempt to download more to see if there is more to get... 997 998 https://github.com/curl/curl/issues/4344 999 100017.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519 1001 1002 The libssh2 backend in curl is limited to only reading keys from id_rsa and 1003 id_dsa, which makes it fail connecting to servers that use more modern key 1004 types. 1005 1006 https://github.com/curl/curl/issues/8586 1007 100817.4 Support CURLOPT_PREQUOTE 1009 1010 The two other QUOTE options are supported for SFTP, but this was left out for 1011 unknown reasons. 1012 101317.5 SSH over HTTPS proxy with more backends 1014 1015 The SSH based protocols SFTP and SCP did not work over HTTPS proxy at 1016 all until PR https://github.com/curl/curl/pull/6021 brought the 1017 functionality with the libssh2 backend. Presumably, this support 1018 can/could be added for the other backends as well. 1019 102017.6 SFTP with SCP:// 1021 1022 OpenSSH 9 switched their 'scp' tool to speak SFTP under the hood. Going 1023 forward it might be worth having curl or libcurl attempt SFTP if SCP fails to 1024 follow suite. 1025 102618. Command line tool 1027 102818.1 sync 1029 1030 "curl --sync http://example.com/feed[1-100].rss" or 1031 "curl --sync http://example.net/{index,calendar,history}.html" 1032 1033 Downloads a range or set of URLs using the remote name, but only if the 1034 remote file is newer than the local file. A Last-Modified HTTP date header 1035 should also be used to set the mod date on the downloaded file. 1036 103718.2 glob posts 1038 1039 Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'. 1040 This is easily scripted though. 1041 104218.4 --proxycommand 1043 1044 Allow the user to make curl run a command and use its stdio to make requests 1045 and not do any network connection by itself. Example: 1046 1047 curl --proxycommand 'ssh pi@raspberrypi.local -W 10.1.1.75 80' \ 1048 http://some/otherwise/unavailable/service.php 1049 1050 See https://github.com/curl/curl/issues/4941 1051 105218.5 UTF-8 filenames in Content-Disposition 1053 1054 RFC 6266 documents how UTF-8 names can be passed to a client in the 1055 Content-Disposition header, and curl does not support this. 1056 1057 https://github.com/curl/curl/issues/1888 1058 105918.6 Option to make -Z merge lined based outputs on stdout 1060 1061 When a user requests multiple lined based files using -Z and sends them to 1062 stdout, curl will not "merge" and send complete lines fine but may send 1063 partial lines from several sources. 1064 1065 https://github.com/curl/curl/issues/5175 1066 106718.8 Consider convenience options for JSON and XML? 1068 1069 Could we add `--xml` or `--json` to add headers needed to call rest API: 1070 1071 `--xml` adds -H 'Content-Type: application/xml' -H "Accept: application/xml" and 1072 `--json` adds -H 'Content-Type: application/json' -H "Accept: application/json" 1073 1074 Setting Content-Type when doing a GET or any other method without a body 1075 would be a bit strange I think - so maybe only add CT for requests with body? 1076 Maybe plain `--xml` and ` --json` are a bit too brief and generic. Maybe 1077 `--http-json` etc? 1078 1079 See https://github.com/curl/curl/issues/5203 1080 108118.9 Choose the name of file in braces for complex URLs 1082 1083 When using braces to download a list of URLs and you use complicated names 1084 in the list of alternatives, it could be handy to allow curl to use other 1085 names when saving. 1086 1087 Consider a way to offer that. Possibly like 1088 {partURL1:name1,partURL2:name2,partURL3:name3} where the name following the 1089 colon is the output name. 1090 1091 See https://github.com/curl/curl/issues/221 1092 109318.10 improve how curl works in a windows console window 1094 1095 If you pull the scrollbar when transferring with curl in a Windows console 1096 window, the transfer is interrupted and can get disconnected. This can 1097 probably be improved. See https://github.com/curl/curl/issues/322 1098 109918.11 Windows: set attribute 'archive' for completed downloads 1100 1101 The archive bit (FILE_ATTRIBUTE_ARCHIVE, 0x20) separates files that shall be 1102 backed up from those that are either not ready or have not changed. 1103 1104 Downloads in progress are neither ready to be backed up, nor should they be 1105 opened by a different process. Only after a download has been completed it's 1106 sensible to include it in any integer snapshot or backup of the system. 1107 1108 See https://github.com/curl/curl/issues/3354 1109 111018.12 keep running, read instructions from pipe/socket 1111 1112 Provide an option that makes curl not exit after the last URL (or even work 1113 without a given URL), and then make it read instructions passed on a pipe or 1114 over a socket to make further instructions so that a second subsequent curl 1115 invoke can talk to the still running instance and ask for transfers to get 1116 done, and thus maintain its connection pool, DNS cache and more. 1117 111818.13 Ratelimit or wait between serial requests 1119 1120 Consider a command line option that can make curl do multiple serial requests 1121 slow, potentially with a (random) wait between transfers. There is also a 1122 proposed set of standard HTTP headers to let servers let the client adapt to 1123 its rate limits: 1124 https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/ 1125 1126 See https://github.com/curl/curl/issues/5406 1127 112818.14 --dry-run 1129 1130 A command line option that makes curl show exactly what it would do and send 1131 if it would run for real. 1132 1133 See https://github.com/curl/curl/issues/5426 1134 113518.15 --retry should resume 1136 1137 When --retry is used and curl actually retries transfer, it should use the 1138 already transferred data and do a resumed transfer for the rest (when 1139 possible) so that it does not have to transfer the same data again that was 1140 already transferred before the retry. 1141 1142 See https://github.com/curl/curl/issues/1084 1143 114418.16 send only part of --data 1145 1146 When the user only wants to send a small piece of the data provided with 1147 --data or --data-binary, like when that data is a huge file, consider a way 1148 to specify that curl should only send a piece of that. One suggested syntax 1149 would be: "--data-binary @largefile.zip!1073741823-2147483647". 1150 1151 See https://github.com/curl/curl/issues/1200 1152 115318.17 consider file name from the redirected URL with -O ? 1154 1155 When a user gives a URL and uses -O, and curl follows a redirect to a new 1156 URL, the file name is not extracted and used from the newly redirected-to URL 1157 even if the new URL may have a much more sensible file name. 1158 1159 This is clearly documented and helps for security since there is no surprise 1160 to users which file name that might get overwritten. But maybe a new option 1161 could allow for this or maybe -J should imply such a treatment as well as -J 1162 already allows for the server to decide what file name to use so it already 1163 provides the "may overwrite any file" risk. 1164 1165 This is extra tricky if the original URL has no file name part at all since 1166 then the current code path will error out with an error message, and we cannot 1167 *know* already at that point if curl will be redirected to a URL that has a 1168 file name... 1169 1170 See https://github.com/curl/curl/issues/1241 1171 117218.18 retry on network is unreachable 1173 1174 The --retry option retries transfers on "transient failures". We later added 1175 --retry-connrefused to also retry for "connection refused" errors. 1176 1177 Suggestions have been brought to also allow retry on "network is unreachable" 1178 errors and while totally reasonable, maybe we should consider a way to make 1179 this more configurable than to add a new option for every new error people 1180 want to retry for? 1181 1182 https://github.com/curl/curl/issues/1603 1183 118418.19 expand ~/ in config files 1185 1186 For example .curlrc could benefit from being able to do this. 1187 1188 See https://github.com/curl/curl/issues/2317 1189 119018.20 host name sections in config files 1191 1192 config files would be more powerful if they could set different 1193 configurations depending on used URLs, host name or possibly origin. Then a 1194 default .curlrc could a specific user-agent only when doing requests against 1195 a certain site. 1196 119718.21 retry on the redirected-to URL 1198 1199 When curl is told to --retry a failed transfer and follows redirects, it 1200 might get an HTTP 429 response from the redirected-to URL and not the 1201 original one, which then could make curl decide to rather retry the transfer 1202 on that URL only instead of the original operation to the original URL. 1203 1204 Perhaps extra emphasized if the original transfer is a large POST that 1205 redirects to a separate GET, and that GET is what gets the 529 1206 1207 See https://github.com/curl/curl/issues/5462 1208 120918.23 Set the modification date on an uploaded file 1210 1211 For SFTP and possibly FTP, curl could offer an option to set the 1212 modification time for the uploaded file. 1213 1214 See https://github.com/curl/curl/issues/5768 1215 121618.24 Use multiple parallel transfers for a single download 1217 1218 To enhance transfer speed, downloading a single URL can be split up into 1219 multiple separate range downloads that get combined into a single final 1220 result. 1221 1222 An ideal implementation would not use a specified number of parallel 1223 transfers, but curl could: 1224 - First start getting the full file as transfer A 1225 - If after N seconds have passed and the transfer is expected to continue for 1226 M seconds or more, add a new transfer (B) that asks for the second half of 1227 A's content (and stop A at the middle). 1228 - If splitting up the work improves the transfer rate, it could then be done 1229 again. Then again, etc up to a limit. 1230 1231 This way, if transfer B fails (because Range: is not supported) it will let 1232 transfer A remain the single one. N and M could be set to some sensible 1233 defaults. 1234 1235 See https://github.com/curl/curl/issues/5774 1236 123718.25 Prevent terminal injection when writing to terminal 1238 1239 curl could offer an option to make escape sequence either non-functional or 1240 avoid cursor moves or similar to reduce the risk of a user getting tricked by 1241 clever tricks. 1242 1243 See https://github.com/curl/curl/issues/6150 1244 124518.26 Custom progress meter update interval 1246 1247 Users who are for example doing large downloads in CI or remote setups might 1248 want the occasional progress meter update to see that the transfer is 1249 progressing and has not stuck, but they may not appreciate the 1250 many-times-a-second frequency curl can end up doing it with now. 1251 125218.27 -J and -O with %-encoded file names 1253 1254 -J/--remote-header-name does not decode %-encoded file names. RFC 6266 details 1255 how it should be done. The can of worm is basically that we have no charset 1256 handling in curl and ascii >=128 is a challenge for us. Not to mention that 1257 decoding also means that we need to check for nastiness that is attempted, 1258 like "../" sequences and the like. Probably everything to the left of any 1259 embedded slashes should be cut off. 1260 https://curl.se/bug/view.cgi?id=1294 1261 1262 -O also does not decode %-encoded names, and while it has even less 1263 information about the charset involved the process is similar to the -J case. 1264 1265 Note that we will not add decoding to -O without the user asking for it with 1266 some other means as well, since -O has always been documented to use the name 1267 exactly as specified in the URL. 1268 126918.28 -J with -C - 1270 1271 When using -J (with -O), automatically resumed downloading together with "-C 1272 -" fails. Without -J the same command line works. This happens because the 1273 resume logic is worked out before the target file name (and thus its 1274 pre-transfer size) has been figured out. This can be improved. 1275 1276 https://curl.se/bug/view.cgi?id=1169 1277 127818.29 --retry and transfer timeouts 1279 1280 If using --retry and the transfer timeouts (possibly due to using -m or 1281 -y/-Y) the next attempt does not resume the transfer properly from what was 1282 downloaded in the previous attempt but will truncate and restart at the 1283 original position where it was at before the previous failed attempt. See 1284 https://curl.se/mail/lib-2008-01/0080.html and Mandriva bug report 1285 https://qa.mandriva.com/show_bug.cgi?id=22565 1286 1287 128819. Build 1289 129019.2 Enable PIE and RELRO by default 1291 1292 Especially when having programs that execute curl via the command line, PIE 1293 renders the exploitation of memory corruption vulnerabilities a lot more 1294 difficult. This can be attributed to the additional information leaks being 1295 required to conduct a successful attack. RELRO, on the other hand, masks 1296 different binary sections like the GOT as read-only and thus kills a handful 1297 of techniques that come in handy when attackers are able to arbitrarily 1298 overwrite memory. A few tests showed that enabling these features had close 1299 to no impact, neither on the performance nor on the general functionality of 1300 curl. 1301 130219.3 Do not use GNU libtool on OpenBSD 1303 When compiling curl on OpenBSD with "--enable-debug" it will give linking 1304 errors when you use GNU libtool. This can be fixed by using the libtool 1305 provided by OpenBSD itself. However for this the user always needs to invoke 1306 make with "LIBTOOL=/usr/bin/libtool". It would be nice if the script could 1307 have some magic to detect if this system is an OpenBSD host and then use the 1308 OpenBSD libtool instead. 1309 1310 See https://github.com/curl/curl/issues/5862 1311 131219.4 Package curl for Windows in a signed installer 1313 1314 See https://github.com/curl/curl/issues/5424 1315 131619.5 make configure use --cache-file more and better 1317 1318 The configure script can be improved to cache more values so that repeated 1319 invokes run much faster. 1320 1321 See https://github.com/curl/curl/issues/7753 1322 132319.6 build curl with Windows Unicode support 1324 1325 The user wants an easier way to tell autotools to build curl with Windows 1326 Unicode support, like ./configure --enable-windows-unicode 1327 1328 See https://github.com/curl/curl/issues/7229 1329 133020. Test suite 1331 133220.1 SSL tunnel 1333 1334 Make our own version of stunnel for simple port forwarding to enable HTTPS 1335 and FTP-SSL tests without the stunnel dependency, and it could allow us to 1336 provide test tools built with either OpenSSL or GnuTLS 1337 133820.2 nicer lacking perl message 1339 1340 If perl was not found by the configure script, do not attempt to run the tests 1341 but explain something nice why it does not. 1342 134320.3 more protocols supported 1344 1345 Extend the test suite to include more protocols. The telnet could just do FTP 1346 or http operations (for which we have test servers). 1347 134820.4 more platforms supported 1349 1350 Make the test suite work on more platforms. OpenBSD and Mac OS. Remove 1351 fork()s and it should become even more portable. 1352 135320.5 Add support for concurrent connections 1354 1355 Tests 836, 882 and 938 were designed to verify that separate connections are 1356 not used when using different login credentials in protocols that should not 1357 reuse a connection under such circumstances. 1358 1359 Unfortunately, ftpserver.pl does not appear to support multiple concurrent 1360 connections. The read while() loop seems to loop until it receives a 1361 disconnect from the client, where it then enters the waiting for connections 1362 loop. When the client opens a second connection to the server, the first 1363 connection has not been dropped (unless it has been forced - which we 1364 should not do in these tests) and thus the wait for connections loop is never 1365 entered to receive the second connection. 1366 136720.6 Use the RFC 6265 test suite 1368 1369 A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at 1370 https://github.com/abarth/http-state/tree/master/tests 1371 1372 It'd be really awesome if someone would write a script/setup that would run 1373 curl with that test suite and detect deviances. Ideally, that would even be 1374 incorporated into our regular test suite. 1375 137620.7 Support LD_PRELOAD on macOS 1377 1378 LD_RELOAD does not work on macOS, but there are tests which require it to run 1379 properly. Look into making the preload support in runtests.pl portable such 1380 that it uses DYLD_INSERT_LIBRARIES on macOS. 1381 138220.8 Run web-platform-tests URL tests 1383 1384 Run web-platform-tests URL tests and compare results with browsers on wpt.fyi 1385 1386 It would help us find issues to fix and help us document where our parser 1387 differs from the WHATWG URL spec parsers. 1388 1389 See https://github.com/curl/curl/issues/4477 1390 139121. MQTT 1392 139321.1 Support rate-limiting 1394 1395 The rate-limiting logic is done in the PERFORMING state in multi.c but MQTT 1396 is not (yet) implemented to use that. 1397 139822. TFTP 1399 140022.1 TFTP doesn't convert LF to CRLF for mode=netascii 1401 1402 RFC 3617 defines that an TFTP transfer can be done using "netascii" 1403 mode. curl does not support extracting that mode from the URL nor does it treat 1404 such transfers specifically. It should probably do LF to CRLF translations 1405 for them. 1406 1407 See https://github.com/curl/curl/issues/12655 1408