Added Cyg-Win

This commit is contained in:
Frank Harris 2026-06-06 18:46:40 -04:00
parent 82cbc206eb
commit 413c315806
10586 changed files with 3806249 additions and 0 deletions

View file

@ -0,0 +1,278 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
## curl cipher options
A TLS handshake involves many parameters which take part in the negotiation
between client and server in order to agree on the TLS version and set of
algorithms to use for a connection.
What has become known as a "cipher" or better "cipher suite" in TLS
are names for specific combinations of
[key exchange](https://en.wikipedia.org/wiki/Key_exchange),
[bulk encryption](https://en.wikipedia.org/wiki/Link_encryption),
[message authentication code](https://en.wikipedia.org/wiki/Message_authentication_code)
and with TLSv1.3 the
[authenticated encryption](https://en.wikipedia.org/wiki/Authenticated_encryption).
In addition, there are other parameters that influence the TLS handshake, like
[DHE](https://en.wikipedia.org/wiki/Diffie%e2%80%93Hellman_key_exchange) "groups"
and [ECDHE](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%e2%80%93Hellman)
with its "curves".
### History
curl's way of letting users configure these settings closely followed OpenSSL
in its API. TLS learned new parameters, OpenSSL added new API functions and
curl added command line options.
Several other TLS backends followed the OpenSSL approach, more or less closely,
and curl maps the command line options to these TLS backends. Some TLS
backends do not support all of it and command line options are either
ignored or lead to an error.
Many examples below show the OpenSSL-like use of these options. GnuTLS
however chose a different approach. These are described in a separate
section further below.
## ciphers, the OpenSSL way
With curl's option
[`--tls13-ciphers`](https://curl.se/docs/manpage.html#--tls13-ciphers)
or
[`CURLOPT_TLS13_CIPHERS`](https://curl.se/libcurl/c/CURLOPT_TLS13_CIPHERS.html)
users can control which cipher suites to consider when negotiating TLS 1.3
connections. With option
[`--ciphers`](https://curl.se/docs/manpage.html#--ciphers)
or
[`CURLOPT_SSL_CIPHER_LIST`](https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html)
users can control which cipher suites to consider when negotiating
TLS 1.2 (1.1, 1.0) connections.
By default, curl may negotiate TLS 1.3 and TLS 1.2 connections, so the cipher
suites considered when negotiating a TLS connection are a union of the TLS 1.3
and TLS 1.2 cipher suites. If you want curl to consider only TLS 1.3 cipher
suites for the connection, you have to set the minimum TLS version to 1.3 by
using [`--tlsv1.3`](https://curl.se/docs/manpage.html#--tlsv13)
or [`CURLOPT_SSLVERSION`](https://curl.se/libcurl/c/CURLOPT_SSLVERSION.html)
with `CURL_SSLVERSION_TLSv1_3`.
Both the TLS 1.3 and TLS 1.2 cipher options expect a list of cipher suites
separated by colons (`:`). This list is parsed opportunistically, cipher suites
that are not recognized or implemented are ignored. As long as there is at
least one recognized cipher suite in the list, the list is considered valid.
For both the TLS 1.3 and TLS 1.2 cipher options, the order in which the
cipher suites are specified determine the preference of them. When negotiating
a TLS connection the server picks a cipher suite from the intersection of the
cipher suites supported by the server and the cipher suites sent by curl. If
the server is configured to honor the client's cipher preference, the first
common cipher suite in the list sent by curl is chosen.
### TLS 1.3 cipher suites
Setting TLS 1.3 cipher suites is supported by curl with
OpenSSL (1.1.1+, curl 7.61.0+), LibreSSL (3.4.1+, curl 8.3.0+),
wolfSSL (curl 8.10.0+) and mbedTLS (3.6.0+, curl 8.10.0+).
The list of cipher suites that can be used for the `--tls13-ciphers` option:
```
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
```
#### wolfSSL notes
In addition to above list the following cipher suites can be used:
`TLS_SM4_GCM_SM3` `TLS_SM4_CCM_SM3` `TLS_SHA256_SHA256` `TLS_SHA384_SHA384`.
Usage of these cipher suites is not recommended. (The last two cipher suites
are NULL ciphers, offering no encryption whatsoever.)
### TLS 1.2 (1.1, 1.0) cipher suites
Setting TLS 1.2 cipher suites is supported by curl with OpenSSL, LibreSSL,
BoringSSL, mbedTLS (curl 8.8.0+), wolfSSL (curl 7.53.0+). Schannel does not
support setting cipher suites directly, but does support setting algorithms
(curl 7.61.0+), see Schannel notes below.
For TLS 1.2 cipher suites there are multiple naming schemes, the two most used
are with OpenSSL names (e.g. `ECDHE-RSA-AES128-GCM-SHA256`) and IANA names
(e.g. `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`). IANA names of TLS 1.2 cipher
suites look similar to TLS 1.3 cipher suite names, to distinguish them note
that TLS 1.2 names contain `_WITH_`, while TLS 1.3 names do not. When setting
TLS 1.2 cipher suites with curl it is recommended that you use OpenSSL names
as these are most widely recognized by the supported SSL backends.
The complete list of cipher suites that may be considered for the `--ciphers`
option is extensive, it consists of more than 300 ciphers suites. Nowadays,
most of them are discouraged, and support for a lot of them has been removed
from the various SSL backends, if ever implemented at all.
A shortened list (based on [recommendations by
Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS)) of cipher suites,
which are (mostly) supported by all SSL backends, that can be used for the
`--ciphers` option:
```
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
```
See this [list](https://github.com/curl/curl/blob/master/docs/CIPHERS-TLS12.md)
for a complete list of TLS 1.2 cipher suites.
#### OpenSSL notes
In addition to specifying a list of cipher suites, OpenSSL also accepts a
format with specific cipher strings (like `TLSv1.2`, `AESGCM`, `CHACHA20`) and
`!`, `-` and `+` operators. Refer to the
[OpenSSL cipher documentation](https://docs.openssl.org/master/man1/openssl-ciphers/#cipher-list-format)
for further information on that format.
#### Schannel notes
Schannel does not support setting individual TLS 1.2 cipher suites directly.
It only allows the enabling and disabling of encryption algorithms. These are
in the form of `CALG_xxx`, see the [Schannel `ALG_ID`
documentation](https://learn.microsoft.com/windows/win32/seccrypto/alg-id)
for a list of these algorithms. Also, (since curl 7.77.0)
`SCH_USE_STRONG_CRYPTO` can be given to pass that flag to Schannel, lookup the
[documentation for the Windows version in
use](https://learn.microsoft.com/windows/win32/secauthn/cipher-suites-in-schannel)
to see how that affects the cipher suite selection. When not specifying the
`--ciphers` and `--tls13-ciphers` options curl passes this flag by default.
### Examples
```sh
curl \
--tls13-ciphers TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 \
--ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
https://example.com/
```
Restrict ciphers to `aes128-gcm` and `chacha20`. Works with OpenSSL, LibreSSL,
mbedTLS and wolfSSL.
```sh
curl \
--tlsv1.3 \
--tls13-ciphers TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 \
https://example.com/
```
Restrict to only TLS 1.3 with `aes128-gcm` and `chacha20` ciphers. Works with
OpenSSL, LibreSSL, mbedTLS, wolfSSL and Schannel.
```sh
curl \
--ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
https://example.com/
```
Restrict TLS 1.2 ciphers to `aes128-gcm` and `chacha20`, use default TLS 1.3
ciphers (if TLS 1.3 is available). Works with OpenSSL, LibreSSL, BoringSSL,
mbedTLS and wolfSSL.
## ciphers, the GnuTLS way
With GnuTLS, curl allows configuration of all TLS parameters via option
[`--ciphers`](https://curl.se/docs/manpage.html#--ciphers)
or
[`CURLOPT_SSL_CIPHER_LIST`](https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html)
only. The option
[`--tls13-ciphers`](https://curl.se/docs/manpage.html#--tls13-ciphers)
or
[`CURLOPT_TLS13_CIPHERS`](https://curl.se/libcurl/c/CURLOPT_TLS13_CIPHERS.html)
is being ignored.
`--ciphers` is used to set the GnuTLS **priority string** in
the following way:
* When the set string starts with '+', '-' or '!' it is *appended* to the
priority string libcurl itself generates (separated by ':'). This initial
priority depends other settings such as CURLOPT_SSLVERSION(3),
CURLOPT_TLSAUTH_USERNAME(3) (for SRP) or if HTTP/3 (QUIC)
is being negotiated.
* Otherwise, the set string fully *replaces* the libcurl generated one. While
giving full control to the application, the set priority needs to
provide for everything the transfer may need to negotiate. Example: if
the set priority only allows TLSv1.2, all HTTP/3 attempts fail.
Users may specify via `--ciphers` anything that GnuTLS supports: ciphers,
key exchange, MAC, compression, TLS versions, signature algorithms, groups,
elliptic curves, certificate types. In addition, GnuTLS has a variety of
other keywords that tweak its operations. Applications or a system
may define new alias names for priority strings that can then be used here.
Since the order of items in priority strings is significant, it makes no
sense for curl to puzzle other ssl options somehow together. `--ciphers`
is the single way to change priority.
### Examples
```sh
curl \
--ciphers '-CIPHER_ALL:+AES-128-GCM:+CHACHA20-POLY1305' \
https://example.com/
```
Restrict ciphers to `aes128-gcm` and `chacha20` in GnuTLS.
```sh
curl \
--ciphers 'NORMAL:-VERS-ALL:+TLS1.3:-AES-256-GCM' \
https://example.com/
```
Restrict to only TLS 1.3 without the `aes256-gcm` cipher.
```sh
curl \
--ciphers 'NORMAL:-VERS-ALL:+TLS1.2:-CIPHER_ALL:+CAMELLIA-128-GCM' \
https://example.com/
```
Restrict to only TLS 1.2 with the `CAMELLIA-128-GCM` cipher.
## Further reading
- [OpenSSL cipher suite names documentation](https://docs.openssl.org/master/man1/openssl-ciphers/#cipher-suite-names)
- [wolfSSL cipher support documentation](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter04.html#cipher-support)
- [mbedTLS cipher suites reference](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/ssl__ciphersuites_8h/)
- [Schannel cipher suites documentation](https://learn.microsoft.com/windows/win32/secauthn/cipher-suites-in-schannel)
- [IANA cipher suites list](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4)
- [Wikipedia cipher suite article](https://en.wikipedia.org/wiki/Cipher_suite)
- [GnuTLS Priority Strings](https://gnutls.org/manual/html_node/Priority-Strings.html)

View file

@ -0,0 +1,22 @@
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2026, Daniel Stenberg, <daniel@haxx.se>, and many
contributors, see the THANKS file.
All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not
be used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization of the copyright holder.

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,249 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Features -- what curl can do
## curl tool
- config file support
- multiple URLs in a single command line
- range "globbing" support: [0-13], {one,two,three}
- multiple file upload on a single command line
- redirect stderr
- parallel transfers
## libcurl
- URL RFC 3986 syntax
- custom maximum download time
- custom lowest download speed acceptable
- custom output result after completion
- guesses protocol from hostname unless specified
- supports .netrc
- progress bar with time statistics while downloading
- standard proxy environment variables support
- have run on 101 operating systems and 28 CPU architectures
- selectable network interface for outgoing traffic
- IPv6 support on Unix and Windows
- happy eyeballs dual-stack IPv4 + IPv6 connects
- persistent connections
- SOCKS 4 + 5 support, with or without local name resolving
- *pre-proxy* support, for *proxy chaining*
- supports username and password in proxy environment variables
- operations through HTTP proxy "tunnel" (using CONNECT)
- replaceable memory functions (malloc, free, realloc, etc)
- asynchronous name resolving
- both a push and a pull style interface
- international domain names (IDN)
- transfer rate limiting
- stable API and ABI
- TCP keep alive
- TCP Fast Open
- DNS cache (that can be shared between transfers)
- non-blocking single-threaded parallel transfers
- Unix domain sockets to server or proxy
- DNS-over-HTTPS
- uses non-blocking name resolves
- selectable name resolver backend
## URL API
- parses RFC 3986 URLs
- generates URLs from individual components
- manages "redirects"
## Header API
- easy access to HTTP response headers, from all contexts
- named headers
- iterate over headers
## TLS
- selectable TLS backend(s)
- TLS False Start
- TLS version control
- TLS session resumption
- key pinning
- mutual authentication
- Use dedicated CA cert bundle
- Use OS-provided CA store
- separate TLS options for HTTPS proxy
## HTTP
- HTTP/0.9 responses are optionally accepted
- HTTP/1.0
- HTTP/1.1
- HTTP/2, including multiplexing and server push
- GET
- PUT
- HEAD
- POST
- multipart formpost (RFC 1867-style)
- authentication: Basic, Digest, NTLM (9) and Negotiate (SPNEGO)
to server and proxy
- resume transfers
- follow redirects
- maximum amount of redirects to follow
- custom HTTP request
- cookie get/send fully parsed
- reads/writes the Netscape cookie file format
- custom headers (replace/remove internally generated headers)
- custom user-agent string
- custom referrer string
- range
- proxy authentication
- time conditions
- via HTTP proxy, HTTPS proxy or SOCKS proxy
- HTTP/2 or HTTP/1.1 to HTTPS proxy
- retrieve file modification date
- Content-Encoding support for deflate, gzip, brotli and zstd
- "Transfer-Encoding: chunked" support in uploads
- HSTS
- alt-svc
- ETags
- HTTP/1.1 trailers, both sending and getting
## HTTPS
- HTTP/3
- using client certificates
- verify server certificate
- via HTTP proxy, HTTPS proxy or SOCKS proxy
- select desired encryption
- select usage of a specific TLS version
- ECH
## FTP
- download
- authentication
- Kerberos 5
- active/passive using PORT, EPRT, PASV or EPSV
- single file size information (compare to HTTP HEAD)
- 'type=' URL support
- directory listing
- directory listing names-only
- upload
- upload append
- upload via http-proxy as HTTP PUT
- download resume
- upload resume
- custom ftp commands (before and/or after the transfer)
- simple "range" support
- via HTTP proxy, HTTPS proxy or SOCKS proxy
- all operations can be tunneled through proxy
- customizable to retrieve file modification date
- no directory depth limit
## FTPS
- implicit `ftps://` support that use SSL on both connections
- explicit "AUTH TLS" and "AUTH SSL" usage to "upgrade" plain `ftp://`
connection to use SSL for both or one of the connections
## SSH (both SCP and SFTP)
- selectable SSH backend
- known hosts support
- public key fingerprinting
- both password and public key auth
## SFTP
- both password and public key auth
- with custom commands sent before/after the transfer
- directory listing
## TFTP
- download
- upload
## TELNET
- connection negotiation
- custom telnet options
- stdin/stdout I/O
## LDAP
- full LDAP URL support
## DICT
- extended DICT URL support
## FILE
- URL support
- upload
- resume
## SMB
- SMBv1 over TCP and SSL
- download
- upload
- authentication with NTLMv1
## SMTP
- authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM, Kerberos 5 and
External
- send emails
- mail from support
- mail size support
- mail auth support for trusted server-to-server relaying
- multiple recipients
- via http-proxy
## SMTPS
- implicit `smtps://` support
- explicit "STARTTLS" usage to "upgrade" plain `smtp://` connections to use SSL
- via http-proxy
## POP3
- authentication: Clear Text, APOP and SASL
- SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM,
Kerberos 5 and External
- list emails
- retrieve emails
- enhanced command support for: CAPA, DELE, TOP, STAT, UIDL and NOOP via
custom requests
- via http-proxy
## POP3S
- implicit `pop3s://` support
- explicit `STLS` usage to "upgrade" plain `pop3://` connections to use SSL
- via http-proxy
## IMAP
- authentication: Clear Text and SASL
- SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM,
Kerberos 5 and External
- list the folders of a mailbox
- select a mailbox with support for verifying the `UIDVALIDITY`
- fetch emails with support for specifying the UID and SECTION
- upload emails via the append command
- enhanced command support for: EXAMINE, CREATE, DELETE, RENAME, STATUS,
STORE, COPY and UID via custom requests
- via http-proxy
## IMAPS
- implicit `imaps://` support
- explicit "STARTTLS" usage to "upgrade" plain `imap://` connections to use SSL
- via http-proxy
## MQTT
- Subscribe to and publish topics using URL scheme `mqtt://broker/topic`

View file

@ -0,0 +1,171 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# HTTP Cookies
## Cookie overview
Cookies are `name=contents` pairs that an HTTP server tells the client to
hold and then the client sends back those to the server on subsequent
requests to the same domains and paths for which the cookies were set.
Cookies are either "session cookies" which typically are forgotten when the
session is over which is often translated to equal when browser quits, or
the cookies are not session cookies they have expiration dates after which
the client throws them away.
Cookies are set to the client with the Set-Cookie: header and are sent to
servers with the Cookie: header.
For a long time, the only spec explaining how to use cookies was the
original [Netscape spec from 1994](https://curl.se/rfc/cookie_spec.html).
In 2011, [RFC 6265](https://datatracker.ietf.org/doc/html/rfc6265) was finally
published and details how cookies work within HTTP. In 2016, an update which
added support for prefixes was
[proposed](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00),
and in 2017, another update was
[drafted](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-alone-01)
to deprecate modification of 'secure' cookies from non-secure origins. Both
of these drafts have been incorporated into a proposal to
[replace](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11)
RFC 6265. Cookie prefixes and secure cookie modification protection has been
implemented by curl.
curl considers `http://localhost` to be a *secure context*, meaning that it
allows and uses cookies marked with the `secure` keyword even when done over
plain HTTP for this host. curl does this to match how popular browsers work
with secure cookies.
## Super cookies
A single cookie can be set for a domain that matches multiple hosts. Like if
set for `example.com` it gets sent to both `aa.example.com` as well as
`bb.example.com`.
A challenge with this concept is that there are certain domains for which
cookies should not be allowed at all, because they are *Public
Suffixes*. Similarly, a client never accepts cookies set directly for the
top-level domain like for example `.com`. Cookies set for *too broad*
domains are generally referred to as *super cookies*.
If curl is built with PSL (**Public Suffix List**) support, it detects and
discards cookies that are specified for such suffix domains that should not
be allowed to have cookies.
if curl is *not* built with PSL support, it has no ability to stop super
cookies.
## Cookies saved to disk
Netscape once created a file format for storing cookies on disk so that they
would survive browser restarts. curl adopted that file format to allow
sharing the cookies with browsers, only to see browsers move away from that
format. Modern browsers no longer use it, while curl still does.
The Netscape cookie file format stores one cookie per physical line in the
file with a bunch of associated meta data, each field separated with
TAB. That file is called the cookie jar in curl terminology.
When libcurl saves a cookie jar, it creates a file header of its own in
which there is a URL mention that links to the web version of this document.
## Cookie file format
The cookie file format is text based and stores one cookie per line. Lines
that start with `#` are treated as comments. An exception is lines that
start with `#HttpOnly_`, which is a prefix for cookies that have the
`HttpOnly` attribute set.
Each line that specifies a single cookie consists of seven text fields
separated with TAB characters. A valid line must end with a newline
character.
### Fields in the file
Field number, what type and example data and the meaning of it:
0. string `example.com` - the domain name
1. boolean `FALSE` - include subdomains
2. string `/foobar/` - path
3. boolean `TRUE` - send/receive over HTTPS only
4. number `1462299217` - expires at - seconds since Jan 1st 1970, or 0
5. string `person` - name of the cookie
6. string `daniel` - value of the cookie
## Cookies with curl the command line tool
curl has a full cookie "engine" built in. If you activate it, you can have
curl receive and send cookies exactly as mandated in the specs.
Command line options:
[`-b, --cookie`](https://curl.se/docs/manpage.html#-b)
tell curl a file to read cookies from and start the cookie engine, or if it
is not a file it passes on the given string. `-b name=var` works and so does
`-b cookiefile`.
[`-j, --junk-session-cookies`](https://curl.se/docs/manpage.html#-j)
when used in combination with -b, it skips all "session cookies" on load so
as to appear to start a new cookie session.
[`-c, --cookie-jar`](https://curl.se/docs/manpage.html#-c)
tell curl to start the cookie engine and write cookies to the given file
after the request(s)
## Cookies with libcurl
libcurl offers several ways to enable and interface the cookie engine. These
options are the ones provided by the native API. libcurl bindings may offer
access to them using other means.
[`CURLOPT_COOKIE`](https://curl.se/libcurl/c/CURLOPT_COOKIE.html)
Is used when you want to specify the exact contents of a cookie header to
send to the server.
[`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html)
Tell libcurl to activate the cookie engine, and to read the initial set of
cookies from the given file. Read-only.
[`CURLOPT_COOKIEJAR`](https://curl.se/libcurl/c/CURLOPT_COOKIEJAR.html)
Tell libcurl to activate the cookie engine, and when the easy handle is
closed save all known cookies to the given cookie jar file. Write-only.
[`CURLOPT_COOKIELIST`](https://curl.se/libcurl/c/CURLOPT_COOKIELIST.html)
Provide detailed information about a single cookie to add to the internal
storage of cookies. Pass in the cookie as an HTTP header with all the
details set, or pass in a line from a Netscape cookie file. This option can
also be used to flush the cookies etc.
[`CURLOPT_COOKIESESSION`](https://curl.se/libcurl/c/CURLOPT_COOKIESESSION.html)
Tell libcurl to ignore all cookies it is about to load that are session
cookies.
[`CURLINFO_COOKIELIST`](https://curl.se/libcurl/c/CURLINFO_COOKIELIST.html)
Extract cookie information from the internal cookie storage as a linked
list.
## Cookies with JavaScript
These days a lot of the web is built up by JavaScript. The web browser loads
complete programs that render the page you see. These JavaScript programs
can also set and access cookies.
Since curl and libcurl are plain HTTP clients without any knowledge of or
capability to handle JavaScript, such cookies are not detected or used.
Often, if you want to mimic what a browser does on such websites, you can
record web browser HTTP traffic when using such a site and then repeat the
cookie operations using curl or libcurl.

View file

@ -0,0 +1,582 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Known bugs intro
These are problems and bugs known to exist at the time of this release. Feel
free to join in and help us correct one or more of these. Also be sure to
check the changelog of the current development status, as one or more of these
problems may have been fixed or changed somewhat since this was written.
# TLS
## IMAPS connection fails with Rustls error
[curl issue 10457](https://github.com/curl/curl/issues/10457)
## Access violation sending client cert with Schannel
When using Schannel to do client certs, curl sets `PKCS12_NO_PERSIST_KEY` to
avoid leaking the private key into the filesystem. Unfortunately that flag
instead seems to trigger a crash.
See [curl issue 17626](https://github.com/curl/curl/issues/17626)
## Client cert handling with Issuer `DN` differs between backends
When the specified client certificate does not match any of the
server-specified `DN` fields, the OpenSSL and GnuTLS backends behave
differently. The GitHub discussion may contain a solution.
See [curl issue 1411](https://github.com/curl/curl/issues/1411)
## Client cert (MTLS) issues with Schannel
See [curl issue 3145](https://github.com/curl/curl/issues/3145)
## Schannel TLS 1.2 handshake bug in old Windows versions
In old versions of Windows such as 7 and 8.1 the Schannel TLS 1.2 handshake
implementation likely has a bug that can rarely cause the key exchange to
fail, resulting in error SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED.
[curl issue 5488](https://github.com/curl/curl/issues/5488)
## `CURLOPT_CERTINFO` results in `CURLE_OUT_OF_MEMORY` with Schannel
[curl issue 8741](https://github.com/curl/curl/issues/8741)
## mbedTLS and CURLE_AGAIN handling
[curl issue 15801](https://github.com/curl/curl/issues/15801)
## Native CA roots incomplete on Windows with OpenSSL (or fork)
Certain Windows installations may be missing CA roots.
[curl issue 20897](https://github.com/curl/curl/issues/20897)
[curl issue 12303](https://github.com/curl/curl/issues/12303)
# Email protocols
## IMAP `SEARCH ALL` truncated response
IMAP `SEARCH ALL` truncates output on large boxes. "A quick search of the code
reveals that `pingpong.c` contains some truncation code, at line 408, when it
deems the server response to be too large truncating it to 40 characters"
https://curl.se/bug/view.cgi?id=1366
## No disconnect command
The disconnect commands (`LOGOUT` and `QUIT`) may not be sent by IMAP, POP3
and SMTP if a failure occurs during the authentication phase of a connection.
## `AUTH PLAIN` for SMTP is not working on all servers
Specifying `--login-options AUTH=PLAIN` on the command line does not seem to
work correctly.
See [curl issue 4080](https://github.com/curl/curl/issues/4080)
## `APOP` authentication fails on POP3
See [curl issue 10073](https://github.com/curl/curl/issues/10073)
## POP3 issue when reading small chunks
CURL_DBG_SOCK_RMAX=4 ./runtests.pl -v 982
See [curl issue 12063](https://github.com/curl/curl/issues/12063)
# Command line
## `-T /dev/stdin` may upload with an incorrect content length
`-T` stats the path to figure out its size in bytes to use it as
`Content-Length` if it is a regular file.
The problem with that is that on BSD and some other UNIX systems (not Linux),
open(path) may not give you a file descriptor with a 0 offset from the start
of the file.
See [curl issue 12177](https://github.com/curl/curl/issues/12177)
## `-T -` always uploads chunked
When the `<` shell operator is used. curl should realize that stdin is a
regular file in this case, and that it can do a non-chunked upload, like it
would do if you used `-T` file.
See [curl issue 12171](https://github.com/curl/curl/issues/12171)
## Windows stdin relay accepts unauthenticated local connections
curl features a Windows-only stdin relay in `src/tool_doswin.c` that creates a
loopback TCP listener and spawns a thread to accept the first incoming
connection, then forwards stdin to it. There is no authentication or peer
validation on the accepted socket. A local attacker can race to connect to the
ephemeral loopback port (discoverable via local port enumeration/scan) before
curl connects, causing the thread to send stdin/upload data to the attacker or
to disrupt the transfer.
The function should verify the client-side with a random number similar to the
socketpair emulation function in libcurl. It cannot verify the source address
and port since there is this widespread habit on Windows to run tools that
MITM even local TCP connections for security.
# Build and portability issues
## OS400 port requires deprecated IBM library
curl for OS400 requires `QADRT` to build, which provides ASCII wrappers for
libc/POSIX functions in the ILE, but IBM no longer supports or even offers
this library to download.
See [curl issue 5176](https://github.com/curl/curl/issues/5176)
## `curl-config --libs` contains private details
`curl-config --libs` include details set in `LDFLAGS` when configure is run
that might be needed only for building libcurl. Further, `curl-config
--cflags` suffers from the same effects with `CFLAGS`/`CPPFLAGS`.
## `LDFLAGS` passed too late making libs linked incorrectly
Compiling latest curl on HP-UX and linking against a custom OpenSSL (which is
on the default loader/linker path), fails because the generated Makefile has
`LDFLAGS` passed on after `LIBS`.
See [curl issue 14893](https://github.com/curl/curl/issues/14893)
## Cygwin: make install installs curl-config.1 twice
[curl issue 8839](https://github.com/curl/curl/issues/8839)
## flaky CI builds
We run many CI builds for each commit and PR on GitHub, and especially a
number of the Windows builds are flaky. This means that we rarely get all CI
builds go green and complete without errors. This is unfortunate as it makes
us sometimes miss actual build problems and it is surprising to newcomers to
the project who (rightfully) do not expect this.
See [curl issue 6972](https://github.com/curl/curl/issues/6972)
## long paths are not fully supported on Windows
curl on Windows cannot access long paths (paths longer than 260 characters).
As a workaround, the Windows path prefix `\\?\` which disables all path
interpretation may work to allow curl to access the path. For example:
`\\?\c:\longpath`.
See [curl issue 8361](https://github.com/curl/curl/issues/8361)
## Unicode on Windows
Passing in a Unicode filename with -o:
[curl issue 11461](https://github.com/curl/curl/issues/11461)
Passing in Unicode character with -d:
[curl issue 12231](https://github.com/curl/curl/issues/12231)
Windows Unicode builds use the home directory in current locale.
The Windows Unicode builds of curl use the current locale, but expect Unicode
UTF-8 encoded paths for internal use such as open, access and stat. The user's
home directory is retrieved via curl_getenv in the current locale and not as
UTF-8 encoded Unicode.
See [curl pull request 7252](https://github.com/curl/curl/pull/7252) and [curl pull request 7281](https://github.com/curl/curl/pull/7281)
Cannot handle Unicode arguments in non-Unicode builds on Windows
If a URL or filename cannot be encoded using the user's current code page then
it can only be encoded properly in the Unicode character set. Windows uses
UTF-16 encoding for Unicode and stores it in wide characters, however curl and
libcurl are not equipped for that at the moment except when built with
_UNICODE and UNICODE defined. Except for Cygwin, Windows cannot use UTF-8 as a
locale.
https://curl.se/bug/?i=345
https://curl.se/bug/?i=731
https://curl.se/bug/?i=3747
NTLM authentication and Unicode
NTLM authentication involving Unicode username or password only works properly
if built with UNICODE defined together with the Schannel backend. The original
problem was mentioned in: https://curl.se/mail/lib-2009-10/0024.html and
https://curl.se/bug/view.cgi?id=896
The Schannel version verified to work as mentioned in
https://curl.se/mail/lib-2012-07/0073.html
# Authentication
## Digest `auth-int` for PUT/POST
We do not support auth-int for Digest using PUT or POST
## MIT Kerberos for Windows build
libcurl fails to build with MIT Kerberos for Windows (`KfW`) due to its
library header files exporting symbols/macros that should be kept private to
the library.
## NTLM in system context uses wrong name
NTLM authentication using SSPI (on Windows) when (lib)curl is running in
"system context" makes it use wrong(?) username - at least when compared to
what `winhttp` does. See https://curl.se/bug/view.cgi?id=535
## NTLM does not support password with Unicode 'SECTION SIGN' character
Code point: U+00A7
https://en.wikipedia.org/wiki/Section_sign
[curl issue 2120](https://github.com/curl/curl/issues/2120)
## libcurl can fail to try alternatives with `--proxy-any`
When connecting via a proxy using `--proxy-any`, a failure to establish an
authentication causes libcurl to abort trying other options if the failed
method has a higher preference than the alternatives. As an example,
`--proxy-any` against a proxy which advertise Negotiate and NTLM, but which
fails to set up Kerberos authentication does not proceed to try authentication
using NTLM.
[curl issue 876](https://github.com/curl/curl/issues/876)
## Do not clear digest for single realm
[curl issue 3267](https://github.com/curl/curl/issues/3267)
## SHA-256 digest not supported in Windows SSPI builds
Windows builds of curl that have SSPI enabled use the native Windows API calls
to create authentication strings. The call to `InitializeSecurityContext` fails
with `SEC_E_QOP_NOT_SUPPORTED` which causes curl to fail with
`CURLE_AUTH_ERROR`.
Microsoft does not document supported digest algorithms and that `SEC_E` error
code is not a documented error for `InitializeSecurityContext` (digest).
[curl issue 6302](https://github.com/curl/curl/issues/6302)
## curl never completes Negotiate over HTTP
Apparently it is not working correctly...?
See [curl issue 5235](https://github.com/curl/curl/issues/5235)
## Negotiate on Windows fails
When using `--negotiate` (or NTLM) with curl on Windows, SSL/TLS handshake
fails despite having a valid kerberos ticket cached. Works without any issue
in Unix/Linux.
[curl issue 5881](https://github.com/curl/curl/issues/5881)
## Negotiate authentication against Hadoop
[curl issue 8264](https://github.com/curl/curl/issues/8264)
# FTP
## FTP with ACCT
When doing an operation over FTP that requires the `ACCT` command (but not when
logging in), the operation fails since libcurl does not detect this and thus
fails to issue the correct command: https://curl.se/bug/view.cgi?id=635
## FTPS server compatibility on Windows with Schannel
FTPS is not widely used with the Schannel TLS backend and so there may be more
bugs compared to other TLS backends such as OpenSSL. In the past users have
reported hanging and failed connections. It is likely some changes to curl
since then fixed the issues. None of the reported issues can be reproduced any
longer.
If you encounter an issue connecting to your server via FTPS with the latest
curl and Schannel then please search for open issues or file a new issue.
# SFTP and SCP
## SFTP does not do `CURLOPT_POSTQUOTE` correct
When libcurl sends `CURLOPT_POSTQUOTE` commands when connected to an SFTP
server using the multi interface, the commands are not being sent correctly
and instead the connection is canceled (the operation is considered done)
prematurely. There is a half-baked (busy-looping) patch provided in the bug
report but it cannot be accepted as-is. See
https://curl.se/bug/view.cgi?id=748
## Remote recursive folder creation with SFTP
On this servers, the curl fails to create directories on the remote server
even when the `CURLOPT_FTP_CREATE_MISSING_DIRS` option is set.
See [curl issue 5204](https://github.com/curl/curl/issues/5204)
## libssh blocking and infinite loop problem
In the `SSH_SFTP_INIT` state for libssh, the ssh session working mode is set
to blocking mode. If the network is suddenly disconnected during sftp
transmission, curl is stuck, even if curl is configured with a timeout.
[curl issue 8632](https://github.com/curl/curl/issues/8632)
## Cygwin: "WARNING: UNPROTECTED PRIVATE KEY FILE!"
Running SCP and SFTP tests on Cygwin makes this warning message appear.
[curl issue 11244](https://github.com/curl/curl/issues/11244)
# Connection
## `--interface` with link-scoped IPv6 address
When you give the `--interface` option telling curl to use a specific
interface for its outgoing traffic in combination with an IPv6 address in the
URL that uses a link-local scope, curl might pick the wrong address from the
named interface and the subsequent transfer fails.
Example command line:
curl --interface eth0 'http://[fe80:928d:xxff:fexx:xxxx]/'
The fact that the given IP address is link-scoped should probably be used as
input to somehow make curl make a better choice for this.
[curl issue 14782](https://github.com/curl/curl/issues/14782)
## Does not acknowledge getaddrinfo sorting policy
Even if a user edits `/etc/gai.conf` to prefer IPv4, curl still prefers and
tries IPv6 addresses first.
[curl issue 16718](https://github.com/curl/curl/issues/16718)
## SOCKS-SSPI discards the security context
After a successful SSPI/GSS-API exchange, the function queries and logs the
authenticated username and reports the supported data-protection level, but
then immediately deletes the negotiated SSPI security context and frees the
credentials before returning. The negotiated context is not stored on the
connection and is therefore never used to protect later SOCKS5 traffic.
## cannot use absolute Unix domain filename for SOCKS on Windows
curl supports using a Unix domain socket path for speaking SOCKS to a proxy,
by providing a filename in the URL used for `-x` (`CURLOPT_PROXY`), but that
path cannot be a proper absolute Windows path with a drive letter etc.
A solution for this probably requires that we add and provide a
`--unix-socket` (`CURLOPT_UNIX_SOCKET_PATH`) option alternative for proxy
communication.
See [curl issue 19825](https://github.com/curl/curl/issues/19825)
# Internals
## GSSAPI library name + version is missing in `curl_version_info()`
The struct needs to be expanded and code added to store this info.
See [curl issue 13492](https://github.com/curl/curl/issues/13492)
## error buffer not set if connection to multiple addresses fails
If you ask libcurl to resolve a hostname like example.com to IPv6 addresses
when you only have IPv4 connectivity. libcurl fails with
`CURLE_COULDNT_CONNECT`, but the error buffer set by `CURLOPT_ERRORBUFFER`
remains empty. Issue: [curl issue 544](https://github.com/curl/curl/issues/544)
## HTTP test server 'connection-monitor' problems
The `connection-monitor` feature of the HTTP test server does not work
properly if some tests are run in unexpected order. Like 1509 and then 1525.
See [curl issue 868](https://github.com/curl/curl/issues/868)
## Connection information when using TCP Fast Open
`CURLINFO_LOCAL_PORT` (and possibly a few other) fails when TCP Fast Open is
enabled.
See [curl issue 1332](https://github.com/curl/curl/issues/1332) and
[curl issue 4296](https://github.com/curl/curl/issues/4296)
## test cases sometimes timeout
Occasionally, one of the tests timeouts. Inexplicably.
See [curl issue 13350](https://github.com/curl/curl/issues/13350)
## `CURLOPT_CONNECT_TO` does not work for HTTPS proxy
It is unclear if the same option should even cover the proxy connection or if
if requires a separate option.
See [curl issue 14481](https://github.com/curl/curl/issues/14481)
## WinIDN test failures
Test 165 disabled when built with WinIDN.
## setting a disabled option should return `CURLE_NOT_BUILT_IN`
When curl has been built with specific features or protocols disabled, setting
such options with `curl_easy_setopt()` should rather return
`CURLE_NOT_BUILT_IN` instead of `CURLE_UNKNOWN_OPTION` to signal the
difference to the application
See [curl issue 15472](https://github.com/curl/curl/issues/15472)
# LDAP
## OpenLDAP hangs after returning results
By configuration defaults, OpenLDAP automatically chase referrals on secondary
socket descriptors. The OpenLDAP backend is asynchronous and thus should
monitor all socket descriptors involved. Currently, these secondary
descriptors are not monitored, causing OpenLDAP library to never receive data
from them.
As a temporary workaround, disable referrals chasing by configuration.
The fix is not easy: proper automatic referrals chasing requires a synchronous
bind callback and monitoring an arbitrary number of socket descriptors for a
single easy handle (currently limited to 5).
Generic LDAP is synchronous: OK.
See [curl issue 622](https://github.com/curl/curl/issues/622) and
https://curl.se/mail/lib-2016-01/0101.html
## LDAP on Windows does authentication wrong?
[curl issue 3116](https://github.com/curl/curl/issues/3116)
## LDAP on Windows does not work
A simple curl command line getting `ldap://ldap.forumsys.com` returns an error
that says `no memory` !
[curl issue 4261](https://github.com/curl/curl/issues/4261)
## LDAPS requests to Active Directory server hang
[curl issue 9580](https://github.com/curl/curl/issues/9580)
# TCP/IP
## telnet code does not handle partial writes properly
It probably does not happen too easily because of how slow and infrequent
sends are normally performed.
## Trying local ports fails on Windows
This makes `--local-port [range]` to not work since curl cannot properly
detect if a port is already in use, so it tries the first port, uses that and
then subsequently fails anyway if that was actually in use.
[curl issue 8112](https://github.com/curl/curl/issues/8112)
# CMake
## cmake outputs: no version information available
Something in the SONAME generation seems to be wrong in the cmake build.
[curl issue 11158](https://github.com/curl/curl/issues/11158)
## uses `-lpthread` instead of `Threads::Threads`
See [curl issue 6166](https://github.com/curl/curl/issues/6166)
## generated `.pc` file contains strange entries
The `Libs.private` field of the generated `.pc` file contains `-lgcc -lgcc_s
-lc -lgcc -lgcc_s`.
See [curl issue 6167](https://github.com/curl/curl/issues/6167)
## CMake build with MIT Kerberos does not work
Minimum CMake version was bumped in curl 7.71.0 (#5358) Since CMake 3.2
try_compile started respecting the `CMAKE_EXE_FLAGS`. The code dealing with
MIT Kerberos detection sets few variables to potentially weird mix of space,
and ;-separated flags. It had to blow up at some point. All the CMake checks
that involve compilation are doomed from that point, the configured tree
cannot be built.
[curl issue 6904](https://github.com/curl/curl/issues/6904)
# Authentication
## `--aws-sigv4` does not handle multipart/form-data correctly
[curl issue 13351](https://github.com/curl/curl/issues/13351)
# HTTP/2
## HTTP/2 prior knowledge over proxy
[curl issue 12641](https://github.com/curl/curl/issues/12641)
## HTTP/2 frames while in the connection pool kill reuse
If the server sends HTTP/2 frames (like for example an HTTP/2 PING frame) to
curl while the connection is held in curl's connection pool, the socket is
found readable when considered for reuse and that makes curl think it is dead
and then it is closed and a new connection gets created instead.
This is *best* fixed by adding monitoring to connections while they are kept
in the pool so that pings can be responded to appropriately.
## `ENHANCE_YOUR_CALM` causes infinite retries
Infinite retries with 2 parallel requests on one connection receiving `GOAWAY`
with `ENHANCE_YOUR_CALM` error code.
See [curl issue 5119](https://github.com/curl/curl/issues/5119)
## HTTP/2 + TLS spends a lot of time in recv
It has been observed that by making the speed limit less accurate we could
improve this performance. (by reverting
[db5c9f4f9e0779](https://github.com/curl/curl/commit/db5c9f4f9e0779b49624752b135281a0717b277b))
Can we find a golden middle ground?
See https://curl.se/mail/lib-2024-05/0026.html and
[curl issue 13416](https://github.com/curl/curl/issues/13416)
# HTTP/3
## connection migration does not work
[curl issue 7695](https://github.com/curl/curl/issues/7695)
## quiche: QUIC connection is draining
The transfer ends with error "QUIC connection is draining".
[curl issue 12037](https://github.com/curl/curl/issues/12037)
# RTSP
## Some methods do not support response bodies
The RTSP implementation is written to assume that a number of RTSP methods
always get responses without bodies, even though there seems to be no
indication in the RFC that this is always the case.
[curl issue 12414](https://github.com/curl/curl/issues/12414)

View file

@ -0,0 +1,257 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Mail etiquette
## About the lists
### Mailing Lists
The mailing lists we have are all listed and described on the [curl
website](https://curl.se/mail/).
Each mailing list is targeted to a specific set of users and subjects, please
use the one or the ones that suit you the most.
Each mailing list has hundreds up to thousands of readers, meaning that each
mail sent is received and read by a large number of people. People from
various cultures, regions, religions and continents.
### Netiquette
Netiquette is a common term for how to behave on the Internet. Of course, in
each particular group and subculture there are differences in what is
acceptable and what is considered good manners.
This document outlines what we in the curl project consider to be good
etiquette, and primarily this focus on how to behave on and how to use our
mailing lists.
### Do Not Mail a Single Individual
Many people send one question to one person. One person gets many mails, and
there is only one person who can give you a reply. The question may be
something that other people would also like to ask. These other people have no
way to read the reply, but to ask the one person the question. The one person
consequently gets overloaded with mail.
If you really want to contact an individual and perhaps pay for his or her
services, by all means go ahead, but if it is another curl question, take it
to a suitable list instead.
### Subscription Required
All curl mailing lists require that you are subscribed to allow a mail to go
through to all the subscribers.
If you post without being subscribed (or from a different mail address than
the one you are subscribed with), your mail is silently discarded. You
have to subscribe first, then post.
The reason for this unfortunate and strict subscription policy is of course to
stop spam from pestering the lists.
### Moderation of new posters
Several of the curl mailing lists automatically make all posts from new
subscribers be moderated. After you have subscribed and sent your first mail
to a list, that mail is not let through to the list until a mailing list
administrator has verified that it is OK and permits it to get posted.
Once a first post has been made that proves the sender is actually talking
about curl-related subjects, the moderation "flag" is switched off and future
posts go through without being moderated.
The reason for this moderation policy is that we do suffer from spammers who
actually subscribe and send spam to our lists.
### Handling trolls and spam
Despite our good intentions and hard work to keep spam off the lists and to
maintain a friendly and positive atmosphere, there are times when spam and or
trolls get through.
Troll - "someone who posts inflammatory, extraneous, or off-topic messages in
an online community"
Spam - "use of electronic messaging systems to send unsolicited bulk messages"
No matter what, we NEVER EVER respond to trolls or spammers on the list. If
you believe the list admin should do something in particular, contact them
off-list. The subject is taken care of as much as possible to prevent repeated
offenses, but responding on the list to such messages never leads to anything
good and only puts the light even more on the offender: which was the entire
purpose of it getting sent to the list in the first place.
Do not feed the trolls.
### How to unsubscribe
You can unsubscribe the same way you subscribed in the first place. You go to
the page for the particular mailing list you are subscribed to and you enter
your email address and password and press the unsubscribe button.
Also, the instructions to unsubscribe are included in the headers of every
mail that is sent out to all curl related mailing lists and there is a footer
in each mail that links to the "admin" page on which you can unsubscribe and
change other options.
You NEVER EVER email the mailing list requesting someone else to take you off
the list.
### I posted, now what?
If you are not subscribed with the same email address that you used to send
the email, your post is silently discarded.
If you posted for the first time to the mailing list, you first need to wait
for an administrator to allow your email to go through (moderated). This
normally happens quickly but in case we are asleep, you may have to wait a few
hours.
Once your email goes through it is sent out to several hundred or even
thousands of recipients. Your email may cover an area that not that many
people know about or are interested in. Or possibly the person who knows about
it is on vacation or under a heavy work load right now. You may have to wait
for a response and you should not expect to get a response at all. Ideally,
you get an answer within a couple of days.
You do yourself and all of us a service when you include as many details as
possible already in your first email. Mention your operating system and
environment. Tell us which curl version you are using and tell us what you
did, what happened and what you expected would happen. Preferably, show us
what you did with details enough to allow others to help point out the problem
or repeat the steps in their locations.
Failing to include details only delays responses and make people respond and
ask for more details and you have to send follow-up emails that include them.
Expect the responses to primarily help YOU debug the issue, or ask YOU
questions that can lead you or others towards a solution or explanation to
whatever you experience.
If you are a repeat offender to the guidelines outlined in this document,
chances are that people ignore you and your chances to get responses in the
future greatly diminish.
### Your emails are public
Your email, its contents and all its headers and the details in those headers
are received by every subscriber of the mailing list that you send your email
to.
Your email as sent to a curl mailing list ends up in mail archives, on the
curl website and elsewhere, for others to see and read. Today and in the
future. In addition to the archives, the mail is sent out to thousands of
individuals. There is no way to undo a sent email.
When sending emails to a curl mailing list, do not include sensitive
information such as usernames and passwords; use fake ones, temporary ones or
remove them completely from the mail. Note that this includes base64 encoded
HTTP Basic auth headers.
This public nature of the curl mailing lists makes automatically inserted mail
footers about mails being "private" or "only meant for the recipient" or
similar even more silly than usual. Because they are absolutely not private
when sent to a public mailing list.
## Sending mail
### Reply or New Mail
Please do not reply to an existing message as a short-cut to post a message to
the lists.
Many mail programs and web archivers use information within mails to keep them
together as "threads", as collections of posts that discuss a certain subject.
If you do not intend to reply on the same or similar subject, do not hit reply
on an existing mail and change the subject, create a new mail.
### Reply to the List
When replying to a message from the list, make sure that you do "group reply"
or "reply to all", and not reply to the author of the single mail you reply
to.
We are actively discouraging replying to the single person by setting the
correct field in outgoing mails back asking for replies to get sent to the
mailing list address, making it harder for people to reply to the author only
by mistake.
### Use a Sensible Subject
Please use a subject of the mail that makes sense and that is related to the
contents of your mail. It makes it a lot easier to find your mail afterwards
and it makes it easier to track mail threads and topics.
### Do Not Top-Post
If you reply to a message, do not use top-posting. Top-posting is when you
write the new text at the top of a mail and you insert the previous quoted
mail conversation below. It forces users to read the mail in a backwards order
to properly understand it.
This is why top posting is so bad (in top posting order):
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in email?
Apart from the screwed up read order (especially when mixed together in a
thread when someone responds using the mandated bottom-posting style), it also
makes it impossible to quote only parts of the original mail.
When you reply to a mail. You let the mail client insert the previous mail
quoted. Then you put the cursor on the first line of the mail and you move
down through the mail, deleting all parts of the quotes that do not add
context for your comments. When you want to add a comment you do so, inline,
right after the quotes that relate to your comment. Then you continue
downwards again.
When most of the quotes have been removed and you have added your own words,
you are done.
### HTML is not for mails
Please switch off those HTML encoded messages. You can mail all those funny
mails to your friends. We speak plain text mails.
### Quoting
Quote as little as possible. Enough to provide the context you cannot leave
out.
### Digest
We allow subscribers to subscribe to the "digest" version of the mailing
lists. A digest is a collection of mails lumped together in one single mail.
Should you decide to reply to a mail sent out as a digest, there are two
things you MUST consider if you really, really cannot subscribe normally
instead:
Cut off all mails and chatter that is not related to the mail you want to
reply to.
Change the subject name to something sensible and related to the subject,
preferably even the actual subject of the single mail you wanted to reply to
### Please Tell Us How You Solved The Problem
Many people mail questions to the list, people spend some of their time and
make an effort in providing good answers to these questions.
If you are the one who asks, please consider responding once more in case one
of the hints was what solved your problems. The guys who write answers feel
good to know that they provided a good answer and that you fixed the problem.
Far too often, the person who asked the question is never heard from again,
and we never get to know if they are gone because the problem was solved or
perhaps because the problem was unsolvable.
Getting the solution posted also helps other users that experience the same
problem(s). They get to see (possibly in the web archives) that the suggested
fixes actually have helped at least one person.

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,50 @@
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
README
Curl is a command line tool for transferring data specified with URL
syntax. Find out how to use curl by reading the curl.1 man page or the
MANUAL document. Find out how to install Curl by reading the INSTALL
document.
libcurl is the library curl is using to do its job. It is readily
available to be used by your software. Read the libcurl.3 man page to
learn how.
You find answers to the most frequent questions we get in the FAQ.md
document.
Study the COPYING file for distribution terms.
Those documents and more can be found in the docs/ directory.
CONTACT
If you have problems, questions, ideas or suggestions, please contact us
by posting to a suitable mailing list. See https://curl.se/mail/
All contributors to the project are listed in the THANKS document.
WEBSITE
Visit the curl website for the latest news and downloads:
https://curl.se/
GIT
To download the latest source code off the GIT server, do this:
git clone https://github.com/curl/curl
(you will get a directory named curl created, filled with the source code)
SECURITY PROBLEMS
Report suspected security problems privately and not in public.
https://curl.se/dev/vuln-disclosure.html

View file

@ -0,0 +1,18 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
![curl logo](https://curl.se/logo/curl-logo.svg)
# Documentation
You find a mix of various documentation in this directory and subdirectories,
using several different formats. Some of them are not ideal for reading
directly in your browser.
If you would rather see the rendered version of the documentation, check out the
curl website's [documentation section](https://curl.se/docs/) for
general curl stuff or the [libcurl section](https://curl.se/libcurl/) for
libcurl related documentation.

View file

@ -0,0 +1,628 @@
curl and libcurl 8.20.0
Public curl releases: 274
Command line options: 273
curl_easy_setopt() options: 308
Public functions in libcurl: 100
Authors: 1463
Contributors: 3664
This release includes the following changes:
o async-thrdd: use thread queue for resolving [144]
o build: make NTLM disabled by default [90]
o cmake: drop support for CMake 3.17 and older [108]
o lib: add thread pool and queue [74]
o lib: drop support for < c-ares 1.16.0 [64]
o lib: make SMB support opt-in [18]
o multi.h: add CURLMNWC_CLEAR_ALL [127]
o rtmp: drop support [91]
This release includes the following bugfixes:
o altsvc: cap the list at 5,000 entries [183]
o altsvc: drop the prio field from the struct [185]
o altsvc: skip expired entries read from file [187]
o asyn-ares: connect async [220]
o asyn-ares: drop orphaned variable references [86]
o asyn-ares: fix HTTPS-lookup when not on port 443 [100]
o asyn-thrdd: drop redundant `result` check [291]
o asyn-thrdd: fix clang-tidy unused value warning [125]
o async-ares: fix query counter handling [195]
o autotools: limit checksrc target to ignore non-repo test sources [12]
o badwords-all: exit with correct code on errors [50]
o badwords: combine the whitelisting into a single regex [1]
o badwords: detect the the and with with [51]
o badwords: only check comments and strings in source code [61]
o badwords: rework exceptions, fix many of them [15]
o boringssl: fix more coexist cases with Schannel/WinCrypt [170]
o build: adjust/add casts to fix `-Wformat-signedness` [218]
o build: assume `snprintf()` in `mprintf`, drop feature check [107]
o build: compiler warning silencing tidy-ups [4]
o build: drop `openssl` module dependency for BoringSSL from `libcurl.pc` [33]
o build: drop duplicate `pthread.h` includes [158]
o build: drop redundant `USE_QUICHE` guards [159]
o build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues [84]
o build: fix `-Wformat-signedness` by adjusting printf masks [226]
o build: link `bcrypt.lib` via vcxproj files [239]
o build: skip detecting `pipe2()` for Apple targets [227]
o build: stop building and installing `runtests.1` and `testcurl.1` [235]
o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [132]
o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [63]
o cf-ip-happy: limit concurrent attempts [191]
o cf-socket: avoid low risk integer overflow on ancient Solaris [56]
o cfilters: fix Curl_pollset_poll() return code mixup [206]
o clang-tidy: avoid assignments in `if` expressions [175]
o clang-tidy: enable more checks, fix fallouts [254]
o cmake: add CMake Config-based dependency detection [87]
o cmake: add CMake Config-based dependency detection for c-ares, wolfSSL [134]
o cmake: do not install `wcurl` when `BUILD_CURL_EXE=OFF` [265]
o cmake: do not install shell completions when `BUILD_CURL_EXE=OFF` [263]
o cmake: document functions used from Windows system DLLs [103]
o cmake: enable pthreads for BoringSSL/AWS-LC [196]
o cmake: resolve targets recursively when generating `libcurl.pc` [45]
o cmake: rework binutils ld hack to not read `LOCATION` property [41]
o cmake: silence bad library `Threads::Threads` warning [131]
o cmake: use `AIX` built-in variable (with CMake 4.0+) [163]
o config2setopts: make --capath work in proxy disabled builds [113]
o configure: fix `--with-ngtcp2=<path>` option for crypto libs [26]
o configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic [3]
o configure: prefer dependency-specific variables over `$withval` [35]
o configure: remove superfluous experimental warning for HTTP/3 [169]
o configure: silence useless clang warnings in C89 builds [156]
o configure: tidy up comments [202]
o connect: fix typo on error message
o cookie: fix rejection when tabs in value [189]
o curl-wolfssl.m4: fix to use the correct value for pkg-config directory [36]
o curl.h: replace macros with C++-friendly method to enforce 3 args [110]
o curl_ctype.h: fix spelling in a couple of locally used macros [28]
o curl_get_line: error out on read errors [9]
o curl_get_line: fix potential infinite loop when filename is a directory [46]
o curl_ngtcp2: extend and update callbacks for 1.22.0+ [165]
o curl_ntlm_core: drop redundant PP condition [140]
o curl_ntlm_core: use wolfCrypt DES API with wolfSSL [200]
o curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard [210]
o curl_sha512_256: support delegating to wolfSSL API [149]
o curl_version_info.md: clarify age details [69]
o CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format [96]
o CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers" [270]
o CURLOPT_RTSP_SESSION_ID.md: expand the comment [267]
o CURLOPT_RTSP_SESSION_ID.md: minor language fix
o CURLOPT_SOCKS5_AUTH.md: an access property [212]
o CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse [105]
o CURLOPT_UPLOAD_FLAGS.md: expand [223]
o curlx_now(), prevent zero timestamp [93]
o DEPRECATE: fix minor release number typo
o digest: pass in the user name quoted (as well) [34]
o dns: https-eyeballing async [229]
o dnscache: own source file, improvements [116]
o docs/cmdline-opts/write-out.md: tls_earlydata was adeded in 8.13.0
o docs/cmdline-opts: tidy up retry-connrefused [190]
o docs/lib: fix typos [53]
o docs/libcurl: improve easy setopt examples [266]
o docs: clarify retry-max-time timing [294]
o docs: CURLOPT_LOGIN_OPTIONS is a login property [228]
o docs: enable more compiler warnings for C snippets, fix 3 finds [71]
o docs: list more dependencies for running Python HTTP tests [123]
o docs: mention more zip bomb precautions [166]
o docs: minor wording tweaks
o docs: noproxy wants the punycoded hostname version [214]
o docs: SSH host verification is done at connect time [197]
o docs: use the correct CURLOPT_WRITEFUNCTION signature [142]
o doh: fix memory-leak when doing a second DoH resolve [55]
o doh: remove superfluous doh_req check [222]
o examples/websocket: fix to sleep more on Windows [92]
o examples: drop warning silencers no longer hit [14]
o examples: fix typo in comment [75]
o file: init fd to -1 to prevent close fd 0 on early failure [40]
o fopen: for temp files, inherit permissions only for owner [146]
o ftp: do not strdup DATA hostname [29]
o ftp: make the MDTM date parser stricter (again) [115]
o ftp: reject PWD responses containing control characters [95]
o gcc: guard `#pragma diagnostic` in core code for <4.6 [94]
o generate.bat: remove extra % from VC11 and VC12 runs
o genserv.pl: make external calls safe [119]
o getinfo: initialize `PureInfo` field `used_proxy` [43]
o getinfo: repair CURLINFO_TLS_SESSION [193]
o gnutls: fix clang-tidy warning with !verbose [126]
o gtls: fail for large files in `load_file()` [174]
o h3: HTTPS-RR use in HTTP/3 [221]
o Happy Eyeballs: add resolution time delay [238]
o haproxy: use correct ip version on client supplied address [275]
o hostip: clear the sockaddr_in6 structure before use [20]
o hostip: init the curl_jmpenv_lock appropriately [278]
o hostip: resolve user supplied ip addresses [259]
o HSTS: cap the list [177]
o hsts: make the HSTS read callback handle name dupes [141]
o hsts: skip expired HSTS entries read from file [188]
o hsts: when a dupe host adds subdomains, use that [130]
o http2: clear the h2 session at delete [99]
o http2: prevent secure schemes pushed over insecure connections [181]
o http2: return error on OOM in push headers [65]
o HTTP3.md: drop outdated mentions of OpenSSL-QUIC [2]
o http: clear credentials better on redirect [204]
o http: clear digest nonce on cross-orgin redirect [269]
o http: clear the proxy credentials as well on port or scheme change [246]
o http: fix auth_used and auth_avail [154]
o http: fix Curl_compareheader for multi value headers [11]
o http: make Curl_compareheader handle multiple commas in header
o http: on 303, switch to GET [208]
o http: use header_has_value() instead of duplicate code [251]
o imap: reset the UIDVALIDITY state between transfers [7]
o include: drop 'will' from public headers [73]
o INSTALL.md: update Cygwin instructions [198]
o keylog.h: replace literal number with macro in declaration [171]
o keylog: drop unused/redundant includes and guards [172]
o ldap: drop duplicate `ldap_set_option()` on Windows [42]
o ldap: fix to initialize cleartext connection on Windows [49]
o lib1560: fix comment typo
o lib1960: fix test failure [255]
o lib: accept larger input to md5/hmac/sha256/sha512 functions [194]
o lib: always use Curl_1st_fatal instead of Curl_1st_err [89]
o lib: fix typos in comments [240]
o lib: make resolving HTTPS DNS records reliable: [176]
o lib: minor comment typos [237]
o lib: move request specific allocations to the request struct [256]
o lib: replace `PRI*32` printf masks with C89 ones [201]
o libssh2: allocate libssh2-friendly memory in kbd_callback [225]
o libssh2: fix error handling on quote errors [21]
o libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 [215]
o libssh: fix `-Wsign-compare` in 32-bit builds [217]
o libssh: path length precaution [164]
o libssh: propagate error back in SFTP function [178]
o libtest: drop duplicate include [111]
o location/follow: mention netrc [138]
o man: fix argument type for `CURLSHOPT_[UN]SHARE` options [211]
o mbedtls: cleanup more without care for 'initialized' [262]
o mbedtls: fix ECJPAKE matching [135]
o mbedtls: remove failf() call with first argument as NULL [249]
o md4, md5: switch to wolfCrypt API in wolfSSL builds [139]
o mime: only allow 40 levels of calls [241]
o misc: fix code quality findings [209]
o mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s [44]
o multi: enhance pending handles fairness [284]
o multi: fix connection retry for non-http [180]
o multi: improve wakeup and wait code [118]
o netrc: find login-less password when user is given in URL [6]
o netrc: remove unused parsenetrc() macro for netrc-disabled [121]
o netrc: skip malformed macdef lines [67]
o openssl channel_binding: lookup digest algorithm without NID [117]
o openssl: drop obsolete SSLv2 logic [27]
o openssl: fix build with 4.0.0-beta1 no-deprecated [184]
o openssl: fix memory leaks in ECH code (OpenSSL 3) [78]
o openssl: fix unused variable warnings in !verbose builds [252]
o openssl: trace count of found / imported Windows native CA roots [8]
o OS400: add new definitions to the ILE/RPG binding. [153]
o os400sys: fix typo in comment (symetry -> symmetry) [58]
o parsedate: bsearch the time zones [232]
o parsedate: fix wrong treatment of "military time zones" [182]
o parsedate: refactor [230]
o perl: harden external command invocations [133]
o progress: count amount of data "delivered" to application [66]
o protocol.h: fix the CURLPROTO_MASK [31]
o protocol: disable connection reuse for SMB(S) [199]
o protocol: use scheme names lowercase [38]
o proxy: chunked response, error code [143]
o pytest: add additional quiche check for flaky test_05_01 [22]
o pytest: check 429 handling [268]
o rand: use `BCryptGenRandom()` in UWP builds [88]
o ratelimit: reset on start [150]
o request: reset resp_trailer in new requests [186]
o runtests: skip setting ed25519 SSH key format [264]
o rustls: fix memory leak on repeated SSLKEYLOGFILE fails [280]
o rustls: handle EOF during initial handshake [203]
o schannel: increase renegotiation timeout to 60 seconds [261]
o scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl) [109]
o scripts: harden / tidy up more Perl `system()` calls [70]
o sectrust: fail on missing OCSP stapling [250]
o sendf: fix CR detection if no LF is in the chunk [219]
o setopt: clear proxy auth properties when switching [192]
o setopt: fix typos in comments [257]
o setopt: move CURLOPT_CURLU [260]
o setup connection filter: mark as setup [234]
o sha256, sha512_256: switch to wolfCrypt API [147]
o sha256: support delegating to wolfSSL API [148]
o share: concurrency handling, easy updates [104]
o share: do bitshifts after the type is checked to be valid [216]
o socks: reject zero-length GSSAPI/SSPI tokens from proxy [157]
o socks: use dns filter for resolving [244]
o spelling: fix typos [173]
o src: use ftruncate() unconditionally [128]
o sshserver.pl: harden more `system()` calls [81]
o sshserver.pl: pass command-line to `system()` safely [82]
o strerr: correct the strerror_s() return code condition [25]
o sws: fix potential OOB write [80]
o synctime: fix off-by-one read and write to a read-only buffer (Windows) [85]
o test 766: flag as timing-dependent [136]
o test1675: unit tests for URL API helper functions [248]
o test459: switch to mode="warn" for stderr check [5]
o testcurl.pl: replace shell commands with Perl `rmtree()` [76]
o tests/unit/README: describe how to unit test static functions [60]
o tests: avoid infinite recursion for `make check` [253]
o tests: use %b64[] instead of "raw" base64 [245]
o tool: check for curlinfo->age when determining if ssh backend [77]
o tool: fix memory mixups [106]
o tool: fix retries in parallel mode [137]
o tool: fix two more allocator mismatches [155]
o tool_cb_hdr: only truncate etags output when regular file [129]
o tool_cb_rea: make waitfd() return void [168]
o tool_cb_wrt: fix no-clobber error handling [39]
o tool_cfgable: free the SSL signature algorithms [62]
o tool_dirhie: fix to create drive-relative directory [276]
o tool_formparse: propagate my_get_line errors when reading headers [102]
o tool_getparam: use correct free function for libcurl memory [68]
o tool_ipfs: accept IPFS gateway URL without set port number [13]
o tool_msgs: avoid null pointer deref for early errors [98]
o tool_operate: actually apply the --parallel-max-host limit [167]
o tool_operate: drop the scheme-guessing in the -G handling [54]
o tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows) [79]
o tool_operate: fix memory-leak on failed uploads [124]
o tool_operate: fix minor memory-leak on early error [23]
o tool_operate: reset the upload glob counter for next URL [162]
o tool_operhlp: fix `add_file_name_to_url()` result on OOM [32]
o tool_operhlp: iterate through all slashes to find name [114]
o tool_operhlp: propagate low-level OOM in `add_file_name_to_url()` [112]
o tool_setopt: return error on OOM correctly [152]
o tool_urlglob: fix memory-leak on glob range overflow [19]
o top-complexity: prevent filename-based shell injection risk [101]
o transfer: clear the old autoreferer [236]
o transfer: clear the URL pointer in OOM to avoid UAF [179]
o transfer: enable custom methods again on next transfer [30]
o transfer: enhance secure check [10]
o unit1675: fix `-Wformat-signedness` [274]
o url: do not reuse a non-tls starttls connection if new requires TLS [145]
o url: improve connection reuse on negotiate [160]
o url: init req.no_body in DO so that it works for h2 push [161]
o url: set default upload flags to CURLULFLAG_SEEN [224]
o url: use the socks type for socks proxy [47]
o url: use URL for url even in comments [52]
o urlapi: fix handling of "file:///" [122]
o urlapi: make dedotdotify handle leading dots correctly [97]
o urlapi: same origin tests [213]
o urlapi: stop extracting hostname from file:// URLs on Windows [247]
o urlapi: verify the last letter of a scheme when set explicitly [16]
o urldata.h: fix typo and lingering backtick [279]
o urldata: connection bit ipv6_ip is wrong [59]
o urldata: import port types and conn destination format [57]
o urldata: make hstslist only present in HSTS builds [120]
o urldata: make speeder_c uint32 [37]
o urldata: move cookiehost to struct SingleRequest [242]
o urldata: remove trailers_state [17]
o vquic: fix variable name in fallback code [207]
o vtls: fix comment typos and tidy up a type [285]
o vtls: log when key logging is enabled. [288]
o vtls_scache: check reentrancy [243]
o vtls_scache: include cert_blob independently of verifypeer [231]
o wolfssl: document v5.0.0 (2021-11-01) as minimum required [151]
o wolfssl: fix `-Wmissing-prototypes` [233]
o wolfssl: fix handling of abrupt connection close [24]
o write-out.md: minor language fix [273]
o write-out.md: tls_earlydata was adeded in 8.13.0
o ws: fix a blocking curl_ws_send() to report written length correctly [258]
o x509asn1: fix to return error in an error case from `encodeOID()` [83]
o x509asn1: fixed and adapted for ASN1tostr unit testing [48]
o x509asn1: improve encodeOID [72]
This release includes the following known bugs:
See https://curl.se/docs/knownbugs.html
For all changes ever done in curl:
See https://curl.se/changes.html
Planned upcoming removals include:
o local crypto implementations
o NTLM
o SMB
o TLS-SRP support
See https://curl.se/dev/deprecate.html
This release would not have looked like this without help, code, reports and
advice from friends like these:
Alex Hamilton, am-perip on hackerone, Arkadi Vainbrand, bird on github,
BlackFuffey on github, Carlos Carrillo, Carlos Henrique Lima Melara,
crawfordxx, Cutiapreta on hackerone, Dag-Erling Smørgrav, Dan Arnfield,
Dan Fandrich, Daniel McCarney, Daniel Schulte, Daniel Stenberg,
dependabot[bot], Dexter Gerig, Dio Putra, Dwij Mehta, Ercan Ermis,
fds242 on github, finkjsc on github, Fiona Klute, Flavio Amieiro,
Geeknik Labs, Greg Kroah-Hartman, Harry Sintonen, Henrique Pereira,
herbenderbler on github, Ian Spence, Izan on hackerone, James Fuller,
Jason Stangroome, John Haugabook, Juan Belón, Kai Pastor, Kaixuan Li, kpcyrd,
lg_oled77c5pua on hackerone, M42kL33 on hackerone, m777m0 on hackerone,
Marcel Raad, Martin Dürrmeier, Mehtab Zafar, Michael Hendricks,
Michael Kaufmann, Muhamad Arga Reksapati, Ngoc Hieu, nitrogene on github,
Orgad Shaneh, Osama Hamad, Otis Cui Lei, Patrick Monnerat, Quac Tran,
Ray Satiro, renovate[bot], Richard Tollerton, Rob Crittenden,
Samuel Henrique, Scott Boudreaux, Sergey Fedorov, sergio-nsk on github,
Stefan Eissing, Ted Lyngmo, Terrance Wong, Tim Omta, Viktor Szakats,
Vladimír Marek, xkilua on hackerone, Yalguun Tumenkhuu, Yedaya Katsman,
Yiwei Hou, Yoshiro Yoneya
(73 contributors)
References to bug reports and discussions on issues:
[1] = https://curl.se/bug/?i=20880
[2] = https://curl.se/bug/?i=20914
[3] = https://curl.se/bug/?i=20889
[4] = https://curl.se/bug/?i=20908
[5] = https://curl.se/bug/?i=20910
[6] = https://curl.se/bug/?i=20950
[7] = https://curl.se/bug/?i=20962
[8] = https://curl.se/bug/?i=20899
[9] = https://curl.se/bug/?i=20958
[10] = https://curl.se/bug/?i=20951
[11] = https://curl.se/bug/?i=20894
[12] = https://curl.se/bug/?i=20898
[13] = https://curl.se/bug/?i=20957
[14] = https://curl.se/bug/?i=20896
[15] = https://curl.se/bug/?i=20886
[16] = https://curl.se/bug/?i=20893
[17] = https://curl.se/bug/?i=20960
[18] = https://curl.se/bug/?i=20846
[19] = https://curl.se/bug/?i=20956
[20] = https://curl.se/bug/?i=20885
[21] = https://curl.se/bug/?i=20883
[22] = https://curl.se/bug/?i=20952
[23] = https://curl.se/bug/?i=20954
[24] = https://curl.se/bug/?i=21002
[25] = https://curl.se/bug/?i=20955
[26] = https://curl.se/bug/?i=18022
[27] = https://curl.se/bug/?i=20945
[28] = https://curl.se/bug/?i=20810
[29] = https://curl.se/bug/?i=20953
[30] = https://curl.se/bug/?i=21037
[31] = https://curl.se/bug/?i=21031
[32] = https://curl.se/bug/?i=21011
[33] = https://curl.se/bug/?i=20926
[34] = https://curl.se/bug/?i=20940
[35] = https://curl.se/bug/?i=20944
[36] = https://curl.se/bug/?i=20943
[37] = https://curl.se/bug/?i=21036
[38] = https://curl.se/bug/?i=21033
[39] = https://curl.se/bug/?i=20939
[40] = https://curl.se/bug/?i=21029
[41] = https://curl.se/bug/?i=20839
[42] = https://curl.se/bug/?i=20930
[43] = https://curl.se/bug/?i=21020
[44] = https://curl.se/bug/?i=20528
[45] = https://curl.se/bug/?i=20840
[46] = https://curl.se/bug/?i=20823
[47] = https://curl.se/bug/?i=21025
[48] = https://curl.se/bug/?i=21013
[49] = https://curl.se/bug/?i=20927
[50] = https://curl.se/bug/?i=20934
[51] = https://curl.se/bug/?i=20934
[52] = https://curl.se/bug/?i=20935
[53] = https://curl.se/bug/?i=20933
[54] = https://curl.se/bug/?i=20992
[55] = https://curl.se/bug/?i=20929
[56] = https://curl.se/bug/?i=21111
[57] = https://curl.se/bug/?i=20918
[58] = https://curl.se/bug/?i=20923
[59] = https://curl.se/bug/?i=20919
[60] = https://curl.se/bug/?i=21018
[61] = https://curl.se/bug/?i=20909
[62] = https://curl.se/bug/?i=20915
[63] = https://curl.se/bug/?i=21057
[64] = https://curl.se/bug/?i=20911
[65] = https://hackerone.com/reports/3636044
[66] = https://curl.se/bug/?i=20787
[67] = https://curl.se/bug/?i=21049
[68] = https://curl.se/bug/?i=21075
[69] = https://curl.se/bug/?i=21052
[70] = https://curl.se/bug/?i=21007
[71] = https://curl.se/bug/?i=21006
[72] = https://curl.se/bug/?i=21003
[73] = https://curl.se/bug/?i=21005
[74] = https://curl.se/bug/?i=20916
[75] = https://curl.se/bug/?i=21001
[76] = https://curl.se/bug/?i=21053
[77] = https://curl.se/bug/?i=21050
[78] = https://curl.se/bug/?i=20993
[79] = https://curl.se/bug/?i=20989
[80] = https://curl.se/bug/?i=20988
[81] = https://curl.se/bug/?i=20997
[82] = https://curl.se/bug/?i=20996
[83] = https://curl.se/bug/?i=20991
[84] = https://curl.se/bug/?i=20990
[85] = https://curl.se/bug/?i=20987
[86] = https://curl.se/bug/?i=20999
[87] = https://curl.se/bug/?i=20814
[88] = https://curl.se/bug/?i=20983
[89] = https://curl.se/bug/?i=20980
[90] = https://curl.se/bug/?i=20698
[91] = https://curl.se/bug/?i=20673
[92] = https://curl.se/bug/?i=20978
[93] = https://curl.se/bug/?i=21034
[94] = https://curl.se/bug/?i=20892
[95] = https://curl.se/bug/?i=20949
[96] = https://curl.se/bug/?i=21042
[97] = https://curl.se/bug/?i=20974
[98] = https://curl.se/bug/?i=20967
[99] = https://curl.se/bug/?i=20975
[100] = https://curl.se/bug/?i=20966
[101] = https://curl.se/bug/?i=20969
[102] = https://curl.se/bug/?i=20963
[103] = https://curl.se/bug/?i=20965
[104] = https://curl.se/bug/?i=20870
[105] = https://curl.se/bug/?i=21164
[106] = https://curl.se/bug/?i=21099
[107] = https://curl.se/bug/?i=20763
[108] = https://curl.se/bug/?i=20407
[109] = https://curl.se/bug/?i=21009
[110] = https://curl.se/bug/?i=20709
[111] = https://curl.se/bug/?i=21046
[112] = https://curl.se/bug/?i=21011
[113] = https://curl.se/bug/?i=21063
[114] = https://curl.se/bug/?i=21165
[115] = https://curl.se/bug/?i=21041
[116] = https://curl.se/bug/?i=20864
[117] = https://curl.se/bug/?i=20590
[118] = https://curl.se/bug/?i=20832
[119] = https://curl.se/bug/?i=20971
[120] = https://curl.se/bug/?i=21068
[121] = https://curl.se/bug/?i=21067
[122] = https://curl.se/bug/?i=21070
[123] = https://curl.se/bug/?i=21110
[124] = https://curl.se/bug/?i=21062
[125] = https://curl.se/bug/?i=21061
[126] = https://curl.se/bug/?i=21060
[127] = https://curl.se/bug/?i=20968
[128] = https://curl.se/bug/?i=21109
[129] = https://curl.se/bug/?i=21103
[130] = https://curl.se/bug/?i=21108
[131] = https://curl.se/bug/?i=21170
[132] = https://curl.se/bug/?i=21167
[133] = https://curl.se/bug/?i=21097
[134] = https://curl.se/bug/?i=21098
[135] = https://curl.se/bug/?i=21264
[136] = https://curl.se/bug/?i=21155
[137] = https://curl.se/bug/?i=20669
[138] = https://curl.se/bug/?i=21091
[139] = https://curl.se/bug/?i=21093
[140] = https://curl.se/bug/?i=21096
[141] = https://curl.se/bug/?i=21201
[142] = https://curl.se/bug/?i=21265
[143] = https://curl.se/bug/?i=21084
[144] = https://curl.se/bug/?i=20936
[145] = https://curl.se/bug/?i=21082
[146] = https://curl.se/bug/?i=21092
[147] = https://curl.se/bug/?i=21090
[148] = https://curl.se/bug/?i=21078
[149] = https://curl.se/bug/?i=21077
[150] = https://curl.se/bug/?i=21086
[151] = https://curl.se/bug/?i=21080
[152] = https://curl.se/bug/?i=21083
[153] = https://curl.se/bug/?i=20672
[154] = https://curl.se/bug/?i=21274
[155] = https://curl.se/bug/?i=21150
[156] = https://curl.se/bug/?i=21263
[157] = https://curl.se/bug/?i=21159
[158] = https://curl.se/bug/?i=21144
[159] = https://curl.se/bug/?i=21135
[160] = https://curl.se/bug/?i=21203
[161] = https://curl.se/bug/?i=21194
[162] = https://curl.se/bug/?i=21402
[163] = https://curl.se/bug/?i=21134
[164] = https://curl.se/bug/?i=21193
[165] = https://curl.se/bug/?i=21152
[166] = https://curl.se/bug/?i=21143
[167] = https://curl.se/bug/?i=21147
[168] = https://curl.se/bug/?i=21127
[169] = https://curl.se/bug/?i=21139
[170] = https://curl.se/bug/?i=21136
[171] = https://curl.se/bug/?i=21141
[172] = https://curl.se/bug/?i=21137
[173] = https://curl.se/bug/?i=21198
[174] = https://curl.se/bug/?i=21256
[175] = https://curl.se/bug/?i=21256
[176] = https://curl.se/bug/?i=21175
[177] = https://curl.se/bug/?i=21190
[178] = https://curl.se/bug/?i=21122
[179] = https://curl.se/bug/?i=21123
[180] = https://curl.se/bug/?i=21121
[181] = https://curl.se/bug/?i=21113
[182] = https://curl.se/bug/?i=21251
[183] = https://curl.se/bug/?i=21183
[184] = https://curl.se/bug/?i=21119
[185] = https://curl.se/bug/?i=21188
[186] = https://curl.se/bug/?i=21112
[187] = https://curl.se/bug/?i=21187
[188] = https://curl.se/bug/?i=21186
[189] = https://curl.se/bug/?i=21185
[190] = https://curl.se/bug/?i=21182
[191] = https://curl.se/bug/?i=21252
[192] = https://curl.se/bug/?i=21453
[193] = https://curl.se/bug/?i=21290
[194] = https://curl.se/bug/?i=21174
[195] = https://curl.se/bug/?i=21399
[196] = https://curl.se/bug/?i=21168
[197] = https://curl.se/bug/?i=21173
[198] = https://curl.se/bug/?i=20995
[199] = https://curl.se/bug/?i=21238
[200] = https://curl.se/bug/?i=21247
[201] = https://curl.se/bug/?i=21234
[202] = https://curl.se/bug/?i=21246
[203] = https://curl.se/bug/?i=21242
[204] = https://curl.se/bug/?i=21345
[206] = https://curl.se/bug/?i=21231
[207] = https://curl.se/bug/?i=21281
[208] = https://curl.se/bug/?i=20715
[209] = https://curl.se/bug/?i=21393
[210] = https://curl.se/bug/?i=21235
[211] = https://curl.se/bug/?i=21232
[212] = https://curl.se/bug/?i=21230
[213] = https://curl.se/bug/?i=21328
[214] = https://curl.se/bug/?i=21228
[215] = https://curl.se/bug/?i=21229
[216] = https://curl.se/bug/?i=21224
[217] = https://curl.se/bug/?i=21225
[218] = https://curl.se/bug/?i=21339
[219] = https://curl.se/bug/?i=21221
[220] = https://curl.se/bug/?i=21205
[221] = https://curl.se/bug/?i=21253
[222] = https://curl.se/bug/?i=21216
[223] = https://curl.se/bug/?i=21218
[224] = https://curl.se/bug/?i=21217
[225] = https://curl.se/bug/?i=21336
[226] = https://curl.se/bug/?i=21335
[227] = https://curl.se/bug/?i=21236
[228] = https://curl.se/bug/?i=21215
[229] = https://curl.se/bug/?i=21267
[230] = https://curl.se/bug/?i=21394
[231] = https://curl.se/bug/?i=21222
[232] = https://curl.se/bug/?i=21266
[233] = https://curl.se/bug/?i=21392
[234] = https://curl.se/bug/?i=21437
[235] = https://curl.se/bug/?i=21461
[236] = https://curl.se/bug/?i=21322
[237] = https://curl.se/bug/?i=21388
[238] = https://curl.se/bug/?i=21354
[239] = https://curl.se/bug/?i=21386
[240] = https://curl.se/bug/?i=21385
[241] = https://curl.se/bug/?i=21384
[242] = https://curl.se/bug/?i=21312
[243] = https://curl.se/bug/?i=21383
[244] = https://curl.se/bug/?i=21297
[245] = https://curl.se/bug/?i=21313
[246] = https://curl.se/bug/?i=21304
[247] = https://curl.se/bug/?i=21296
[248] = https://curl.se/bug/?i=21296
[249] = https://curl.se/bug/?i=21441
[250] = https://curl.se/bug/?i=21444
[251] = https://curl.se/bug/?i=21302
[252] = https://curl.se/bug/?i=21380
[253] = https://curl.se/bug/?i=21378
[254] = https://curl.se/bug/?i=20794
[255] = https://curl.se/bug/?i=21377
[256] = https://curl.se/bug/?i=21301
[257] = https://curl.se/bug/?i=21303
[258] = https://curl.se/bug/?i=21372
[259] = https://curl.se/bug/?i=21146
[260] = https://curl.se/bug/?i=21298
[261] = https://curl.se/bug/?i=21270
[262] = https://curl.se/bug/?i=21440
[263] = https://curl.se/bug/?i=21460
[264] = https://curl.se/bug/?i=21360
[265] = https://curl.se/bug/?i=21458
[266] = https://curl.se/bug/?i=21364
[267] = https://curl.se/bug/?i=21363
[268] = https://curl.se/bug/?i=21357
[269] = https://curl.se/bug/?i=21359
[270] = https://curl.se/bug/?i=21358
[273] = https://curl.se/bug/?i=21455
[274] = https://curl.se/bug/?i=21351
[275] = https://curl.se/bug/?i=21340
[276] = https://curl.se/bug/?i=21449
[278] = https://curl.se/bug/?i=21432
[279] = https://curl.se/bug/?i=21430
[280] = https://curl.se/bug/?i=21427
[284] = https://curl.se/bug/?i=21396
[285] = https://curl.se/bug/?i=21421
[288] = https://curl.se/bug/?i=19814
[291] = https://curl.se/bug/?i=21415
[294] = https://curl.se/bug/?i=21411

View file

@ -0,0 +1,97 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# SSL problems
First, let's establish that we often refer to TLS and SSL interchangeably as
SSL here. The current protocol is called TLS, it was called SSL a long time
ago.
There are several known reasons why a connection that involves SSL might
fail. This is a document that attempts to detail the most common ones and
how to mitigate them.
## CA certs
CA certs are used to digitally verify the server's certificate. You need a
"ca bundle" for this. See lots of more details on this in the `SSLCERTS`
document.
## CA bundle missing intermediate certificates
When using said CA bundle to verify a server cert, you may experience
problems if your CA store does not contain the certificates for the
intermediates if the server does not provide them.
The TLS protocol mandates that the intermediate certificates are sent in the
handshake, but as browsers have ways to survive or work around such
omissions, missing intermediates in TLS handshakes still happen that browser
users do not notice.
Browsers work around this problem in two ways: they cache intermediate
certificates from previous transfers and some implement the TLS "AIA"
extension that lets the client explicitly download such certificates on
demand.
## Protocol version
Some broken servers fail to support the protocol negotiation properly that
SSL servers are supposed to handle. This may cause the connection to fail
completely. Sometimes you may need to explicitly select an SSL version to
use when connecting to make the connection succeed.
An additional complication can be that modern SSL libraries sometimes are
built with support for older SSL and TLS versions disabled.
All versions of SSL and the TLS versions before 1.2 are considered insecure
and should be avoided. Use TLS 1.2 or later.
## Ciphers
Clients give servers a list of ciphers to select from. If the list does not
include any ciphers the server wants/can use, the connection handshake
fails.
curl has recently disabled the user of a whole bunch of seriously insecure
ciphers from its default set (slightly depending on SSL backend in use).
You may have to explicitly provide an alternative list of ciphers for curl
to use to allow the server to use a weak cipher for you.
Note that these weak ciphers are identified as flawed. For example, this
includes symmetric ciphers with less than 128-bit keys and RC4.
Schannel in Windows XP is not able to connect to servers that no longer
support the legacy handshakes and algorithms used by those versions, so we
advise against building curl to use Schannel on really old Windows versions.
Reference: [Prohibiting RC4 Cipher
Suites](https://datatracker.ietf.org/doc/html/draft-popov-tls-prohibiting-rc4-01)
## Allow BEAST
BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
to mitigate this attack, it turned out that some broken servers out there in
the wild did not work properly with the BEAST mitigation in place.
To make such broken servers work, the --ssl-allow-beast option was
introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
but on the other hand it allows curl to connect to that kind of strange
servers.
## Disabling certificate revocation checks
Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
depending on the OS or build configuration. The --ssl-no-revoke option was
introduced in 7.44.0 to disable revocation checking but currently is only
supported for Schannel (the native Windows SSL library), with an exception
in the case of Windows' Untrusted Publishers block list which it seems cannot
be bypassed. This option may have broader support to accommodate other SSL
backends in the future.
References:
https://curl.se/docs/ssl-compared.html

View file

@ -0,0 +1,155 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# TLS Certificate Verification
## Native vs file based
If curl was built with Schannel support, then curl uses the Windows native CA
store for verification. On Apple operating systems, it is possible to use Apple's
"SecTrust" services for certain TLS backends, details below.
All other TLS libraries use a file based CA store by
default.
## Verification
Every trusted server certificate is digitally signed by a Certificate
Authority, a CA.
In your local CA store you have a collection of certificates from *trusted*
certificate authorities that TLS clients like curl use to verify servers.
curl does certificate verification by default. This is done by verifying the
signature and making sure the certificate was crafted for the server name
provided in the URL.
If you communicate with HTTPS, FTPS or other TLS-using servers using
certificates signed by a CA whose certificate is present in the store, you can
be sure that the remote server really is the one it claims to be.
If the remote server uses a self-signed certificate, if you do not install a
CA cert store, if the server uses a certificate signed by a CA that is not
included in the store you use or if the remote host is an impostor
impersonating your favorite site, the certificate check fails and reports an
error.
If you think it wrongly failed the verification, consider one of the following
sections.
### Skip verification
Tell curl to *not* verify the peer with `-k`/`--insecure`.
We **strongly** recommend this is avoided and that even if you end up doing
this for experimentation or development, **never** skip verification in
production.
### Use a custom CA store
Get a CA certificate that can verify the remote server and use the proper
option to point out this CA cert for verification when connecting - for this
specific transfer only.
With the curl command line tool: `--cacert [file]`
If you use the curl command line tool without a native CA store, then you can
specify your own CA cert file by setting the environment variable
`CURL_CA_BUNDLE` to the path of your choice. `SSL_CERT_FILE` and `SSL_CERT_DIR`
are also supported.
If you are using the curl command line tool on Windows, curl searches for a CA
cert file named `curl-ca-bundle.crt` in these directories and in this order:
1. application's directory
2. current working directory
3. Windows System directory (e.g. C:\Windows\System32)
4. Windows Directory (e.g. C:\Windows)
5. all directories along %PATH%
curl 8.11.0 added a build-time option to disable this search behavior, and
another option to restrict search to the application's directory.
### Use the native store
In several environments, in particular on Microsoft and Apple operating
systems, you can ask curl to use the system's native CA store when verifying
the certificate. Depending on how curl was built, this may already be the
default.
With the curl command line tool: `--ca-native`.
### Modify the CA store
Add the CA cert for your server to the existing default CA certificate store.
Usually you can figure out the path to the local CA store by looking at the
verbose output that `curl -v` shows when you connect to an HTTPS site.
### Change curl's default CA store
The default CA certificate store curl uses is set at build time. When you
build curl you can point out your preferred path.
### Extract CA cert from a server
curl -w %{certs} https://example.com > cacert.pem
The certificate has `BEGIN CERTIFICATE` and `END CERTIFICATE` markers.
### Get the Mozilla CA store
Download a version of the Firefox CA store converted to PEM format on the [CA
Extract](https://curl.se/docs/caextract.html) page. It always features the
latest Firefox bundle.
## Native CA store
### Windows + Schannel
If curl was built with Schannel, then curl uses the certificates that are
built into the OS. These are the same certificates that appear in the
Internet Options control panel (under Windows).
Any custom security rules for certificates are honored.
Schannel runs CRL checks on certificates unless peer verification is disabled.
### Apple + OpenSSL/GnuTLS
When curl is built with Apple SecTrust enabled and uses an OpenSSL compatible
TLS backend or GnuTLS, the default verification is handled by that Apple
service. As in:
curl https://example.com
You may still provide your own certificates on the command line, such as:
curl --cacert mycerts.pem https://example.com
In this situation, Apple SecTrust is **not** used and verification is done
**only** with the trust anchors found in `mycerts.pem`. If you want **both**
Apple SecTrust and your own file to be considered, use:
curl --ca-native --cacert mycerts.pem https://example.com
#### Other Combinations
How well the use of native CA stores work in all other combinations depends
on the TLS backend and the OS. Many TLS backends offer functionality to access
the native CA on a range of operating systems. Some provide this only on specific
configurations.
Specific support in curl exists for Windows and OpenSSL compatible TLS backends.
It tries to load the certificates from the Windows "CA" and "ROOT" stores for
transfers requesting the native CA. Due to Window's delayed population of those
stores, this might not always find all certificates.
## HTTPS proxy
curl can do HTTPS to the proxy separately from the connection to the server.
This TLS connection is handled and verified separately from the server
connection so instead of `--insecure` and `--cacert` to control the
certificate verification, you use `--proxy-insecure` and `--proxy-cacert`.
With these options, you make sure that the TLS connection and the trust of the
proxy can be kept totally separate from the TLS connection to the server.

View file

@ -0,0 +1,708 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# The Art Of Scripting HTTP Requests Using curl
## Background
This document assumes that you are familiar with HTML and general networking.
The increasing amount of applications moving to the web has made "HTTP
Scripting" more frequently requested and wanted. To be able to automatically
extract information from the web, to fake users, to post or upload data to
web servers are all important tasks today.
curl is a command line tool for doing all sorts of URL manipulations and
transfers, but this particular document focuses on how to use it when doing
HTTP requests for fun and profit. This documents assumes that you know how to
invoke `curl --help` or `curl --manual` to get basic information about it.
curl is not written to do everything for you. It makes the requests, it gets
the data, it sends data and it retrieves the information. You probably need
to glue everything together using some kind of script language or repeated
manual invokes.
## The HTTP Protocol
HTTP is the protocol used to fetch data from web servers. It is a simple
protocol that is built upon TCP/IP. The protocol also allows information to
get sent to the server from the client using a few different methods, as is
shown here.
HTTP is plain ASCII text lines being sent by the client to a server to
request a particular action, and then the server replies a few text lines
before the actual requested content is sent to the client.
The client, curl, sends an HTTP request. The request contains a method (like
GET, POST, HEAD etc), a number of request headers and sometimes a request
body. The HTTP server responds with a status line (indicating if things went
well), response headers and most often also a response body. The "body" part
is the plain data you requested, like the actual HTML or the image etc.
## See the Protocol
Using curl's option [`--verbose`](https://curl.se/docs/manpage.html#-v) (`-v`
as a short option) displays what kind of commands curl sends to the server,
as well as a few other informational texts.
`--verbose` is the single most useful option when it comes to debug or even
understand the curl<->server interaction.
Sometimes even `--verbose` is not enough. Then
[`--trace`](https://curl.se/docs/manpage.html#-trace) and
[`--trace-ascii`](https://curl.se/docs/manpage.html#--trace-ascii)
offer even more details as they show **everything** curl sends and
receives. Use it like this:
curl --trace-ascii debugdump.txt https://www.example.com/
## See the Timing
Many times you may wonder what exactly is taking all the time, or you want to
know the amount of milliseconds between two points in a transfer. For those,
and other similar situations, the
[`--trace-time`](https://curl.se/docs/manpage.html#--trace-time) option is
what you need. It prepends the time to each trace output line:
curl --trace-ascii d.txt --trace-time https://example.com/
## See which Transfer
When doing parallel transfers, it is relevant to see which transfer is doing
what. When response headers are received (and logged) you need to know which
transfer these are for.
[`--trace-ids`](https://curl.se/docs/manpage.html#--trace-ids) option is what
you need. It prepends the transfer and connection identifier to each trace
output line:
curl --trace-ascii d.txt --trace-ids https://example.com/
## See the Response
By default curl sends the response to stdout. You need to redirect it
somewhere to avoid that, most often that is done with `-o` or `-O`.
# URL
## Spec
The Uniform Resource Locator format is how you specify the address of a
particular resource on the Internet. You know these, you have seen URLs like
https://curl.se/ or https://example.com/ a million times. RFC 3986 is the
canonical spec. The formal name is not URL, it is **URI**.
## Host
The hostname is usually resolved using DNS or your /etc/hosts file to an IP
address and that is what curl communicates with. Alternatively you specify
the IP address directly in the URL instead of a name.
For development and other trying out situations, you can point to a different
IP address for a hostname than what would otherwise be used, by using curl's
[`--resolve`](https://curl.se/docs/manpage.html#--resolve) option:
curl --resolve www.example.org:80:127.0.0.1 https://www.example.org/
## Port number
Each protocol curl supports operates on a default port number, be it over TCP
or in some cases UDP. Normally you do not have to take that into
consideration, but at times you run test servers on other ports or
similar. Then you can specify the port number in the URL with a colon and a
number immediately following the hostname. Like when doing HTTP to port
1234:
curl https://www.example.org:1234/
The port number you specify in the URL is the number that the server uses to
offer its services. Sometimes you may use a proxy, and then you may
need to specify that proxy's port number separately from what curl needs to
connect to the server. Like when using an HTTP proxy on port 4321:
curl --proxy http://proxy.example.org:4321 https://remote.example.org/
## Username and password
Some services are setup to require HTTP authentication and then you need to
provide name and password which is then transferred to the remote site in
various ways depending on the exact authentication protocol used.
You can opt to either insert the user and password in the URL or you can
provide them separately:
curl https://user:password@example.org/
or
curl -u user:password https://example.org/
You need to pay attention that this kind of HTTP authentication is not what
is usually done and requested by user-oriented websites these days. They tend
to use forms and cookies instead.
## Path part
The path part is sent off to the server to request that it sends back the
associated response. The path is what is to the right side of the slash that
follows the hostname and possibly port number.
# Fetch a page
## GET
The simplest and most common request/operation made using HTTP is to GET a
URL. The URL could itself refer to a webpage, an image or a file. The client
issues a GET request to the server and receives the document it asked for.
If you issue the command line
curl https://curl.se/
you get a webpage returned in your terminal window. The entire HTML document
this URL identifies.
All HTTP replies contain a set of response headers that are normally hidden,
use curl's [`--include`](https://curl.se/docs/manpage.html#-i) (`-i`)
option to display them as well as the rest of the document.
## HEAD
You can ask the remote server for ONLY the headers by using the
[`--head`](https://curl.se/docs/manpage.html#-I) (`-I`) option which makes
curl issue a HEAD request. In some special cases servers deny the HEAD method
while others still work, which is a particular kind of annoyance.
The HEAD method is defined and made so that the server returns the headers
exactly the way it would do for a GET, but without a body. It means that you
may see a `Content-Length:` in the response headers, but there must not be an
actual body in the HEAD response.
## Multiple URLs in a single command line
A single curl command line may involve one or many URLs. The most common case
is probably to use one, but you can specify any amount of URLs. Yes any. No
limits. You then get requests repeated over and over for all the given URLs.
Example, send two GET requests:
curl https://url1.example.com https://url2.example.com
If you use [`--data`](https://curl.se/docs/manpage.html#-d) to POST to
the URL, using multiple URLs means that you send that same POST to all the
given URLs.
Example, send two POSTs:
curl --data name=curl https://url1.example.com https://url2.example.com
## Multiple HTTP methods in a single command line
Sometimes you need to operate on several URLs in a single command line and do
different HTTP methods on each. For this, you might enjoy the
[`--next`](https://curl.se/docs/manpage.html#-:) option. It is a separator
that separates a bunch of options from the next. All the URLs before `--next`
get the same method and get all the POST data merged into one.
When curl reaches the `--next` on the command line, it resets the method and
the POST data and allow a new set.
Perhaps this is best shown with a few examples. To send first a HEAD and then
a GET:
curl -I https://example.com --next https://example.com
To first send a POST and then a GET:
curl -d score=10 https://example.com/post.cgi --next https://example.com/results.html
# HTML forms
## Forms explained
Forms are the general way a website can present an HTML page with fields for
the user to enter data in, and then press some kind of 'OK' or 'Submit'
button to get that data sent to the server. The server then typically uses
the posted data to decide how to act. Like using the entered words to search
in a database, or to add the info in a bug tracking system, display the
entered address on a map or using the info as a login-prompt verifying that
the user is allowed to see what it is about to see.
Of course there has to be some kind of program on the server end to receive
the data you send. You cannot invent something out of the air.
## GET
A GET-form uses the method GET, as specified in HTML like:
```html
<form method="GET" action="junk.cgi">
<input type=text name="birthyear">
<input type=submit name=press value="OK">
</form>
```
In your favorite browser, this form appears with a text box to fill in and a
press-button labeled "OK". If you fill in '1905' and press the OK button,
your browser then creates a new URL to get for you. The URL gets
`junk.cgi?birthyear=1905&press=OK` appended to the path part of the previous
URL.
If the original form was seen on the page `www.example.com/when/birth.html`,
the second page you get becomes
`www.example.com/when/junk.cgi?birthyear=1905&press=OK`.
Most search engines work this way.
To make curl do the GET form post for you, enter the expected created URL:
curl "https://www.example.com/when/junk.cgi?birthyear=1905&press=OK"
## POST
The GET method makes all input field names get displayed in the URL field of
your browser. That is generally a good thing when you want to be able to
bookmark that page with your given data, but it is an obvious disadvantage if
you entered secret information in one of the fields or if there are a large
amount of fields creating a long and unreadable URL.
The HTTP protocol then offers the POST method. This way the client sends the
data separated from the URL and thus you do not see any of it in the URL
address field.
The form would look similar to the previous one:
```html
<form method="POST" action="junk.cgi">
<input type=text name="birthyear">
<input type=submit name=press value=" OK ">
</form>
```
To use curl to post this form with the same data filled in as before, we
could do it like:
curl --data "birthyear=1905&press=%20OK%20" https://www.example.com/when/junk.cgi
This kind of POST uses the Content-Type `application/x-www-form-urlencoded`
and is the most widely used POST kind.
The data you send to the server MUST already be properly encoded, curl does
not do that for you. For example, if you want the data to contain a space,
you need to replace that space with `%20`, etc. Failing to comply with this
most likely causes your data to be received wrongly and messed up.
Recent curl versions can in fact URL encode POST data for you, like this:
curl --data-urlencode "name=I am Daniel" https://www.example.com
If you repeat `--data` several times on the command line, curl concatenates
all the given data pieces - and put a `&` symbol between each data segment.
## File Upload POST
Back in late 1995 they defined an additional way to post data over HTTP. It
is documented in the RFC 1867, why this method sometimes is referred to as
RFC 1867-posting.
This method is mainly designed to better support file uploads. A form that
allows a user to upload a file could be written like this in HTML:
<form method="POST" enctype='multipart/form-data' action="upload.cgi">
<input name=upload type=file>
<input type=submit name=press value="OK">
</form>
This clearly shows that the Content-Type about to be sent is
`multipart/form-data`.
To post to a form like this with curl, you enter a command line like:
curl --form upload=@localfilename --form press=OK [URL]
## Hidden Fields
A common way for HTML based applications to pass state information between
pages is to add hidden fields to the forms. Hidden fields are already filled
in, they are not displayed to the user and they get passed along as all the
other fields.
A similar example form with one visible field, one hidden field and one
submit button could look like:
```html
<form method="POST" action="foobar.cgi">
<input type=text name="birthyear">
<input type=hidden name="person" value="daniel">
<input type=submit name="press" value="OK">
</form>
```
To POST this with curl, you do not have to think about if the fields are
hidden or not. To curl they are all the same:
curl --data "birthyear=1905&press=OK&person=daniel" [URL]
## Figure Out What A POST Looks Like
When you are about to fill in a form and send it to a server by using curl
instead of a browser, you are of course interested in sending a POST exactly
the way your browser does.
An easy way to get to see this, is to save the HTML page with the form on
your local disk, modify the 'method' to a GET, and press the submit button
(you could also change the action URL if you want to).
You then clearly see the data get appended to the URL, separated with a
`?`-letter as GET forms are supposed to.
# HTTP upload
## PUT
Perhaps the best way to upload data to an HTTP server is to use PUT. Then
again, this of course requires that someone put a program or script on the
server end that knows how to receive an HTTP PUT stream.
Put a file to an HTTP server with curl:
curl --upload-file uploadfile https://www.example.com/receive.cgi
# HTTP Authentication
## Basic Authentication
HTTP Authentication is the ability to tell the server your username and
password so that it can verify that you are allowed to do the request you are
doing. The Basic authentication used in HTTP (which is the type curl uses by
default) is **plain text** based, which means it sends username and password
only slightly obfuscated, but still fully readable by anyone that sniffs on
the network between you and the remote server.
To tell curl to use a user and password for authentication:
curl --user myname:password https://www.example.com
## Other Authentication
The site might require a different authentication method (check the headers
returned by the server), and then
[`--ntlm`](https://curl.se/docs/manpage.html#--ntlm),
[`--digest`](https://curl.se/docs/manpage.html#--digest),
[`--negotiate`](https://curl.se/docs/manpage.html#--negotiate) or even
[`--anyauth`](https://curl.se/docs/manpage.html#--anyauth) might be
options that suit you.
## Proxy Authentication
Sometimes your HTTP access is only available through the use of an HTTP
proxy. This seems to be especially common at various companies. An HTTP proxy
may require its own user and password to allow the client to get through to
the Internet. To specify those with curl, run something like:
curl --proxy-user proxyuser:proxypassword curl.se
If your proxy requires the authentication to be done using the NTLM method,
use [`--proxy-ntlm`](https://curl.se/docs/manpage.html#--proxy-ntlm), if
it requires Digest use
[`--proxy-digest`](https://curl.se/docs/manpage.html#--proxy-digest).
If you use any one of these user+password options but leave out the password
part, curl prompts for the password interactively.
## Hiding credentials
Do note that when a program is run, its parameters might be possible to see
when listing the running processes of the system. Thus, other users may be
able to watch your passwords if you pass them as plain command line
options. There are ways to circumvent this.
It is worth noting that while this is how HTTP Authentication works, many
websites do not use this concept when they provide logins etc. See the Web
Login chapter further below for more details on that.
# More HTTP Headers
## Referer
An HTTP request may include a 'referer' field (yes it is misspelled), which
can be used to tell from which URL the client got to this particular
resource. Some programs/scripts check the referer field of requests to verify
that this was not arriving from an external site or an unknown page. While
this is a stupid way to check something so easily forged, many scripts still
do it. Using curl, you can put anything you want in the referer-field and
thus more easily be able to fool the server into serving your request.
Use curl to set the referer field with:
curl --referer https://www.example.come https://www.example.com
## User Agent
Similar to the referer field, all HTTP requests may set the User-Agent
field. It names what user agent (client) that is being used. Many
applications use this information to decide how to display pages. Silly web
programmers try to make different pages for users of different browsers to
make them look the best possible for their particular browsers. They usually
also do different kinds of JavaScript etc.
At times, you may learn that getting a page with curl does not return the
same page that you see when getting the page with your browser. Then you know
it is time to set the User Agent field to fool the server into thinking you
are one of those browsers.
By default, curl uses curl/VERSION, such as User-Agent: curl/8.11.0.
To make curl look like Internet Explorer 5 on a Windows 2000 box:
curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL]
Or why not look like you are using Netscape 4.73 on an old Linux box:
curl --user-agent "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]
## Redirects
## Location header
When a resource is requested from a server, the reply from the server may
include a hint about where the browser should go next to find this page, or a
new page keeping newly generated output. The header that tells the browser to
redirect is `Location:`.
curl does not follow `Location:` headers by default, but displays such
pages in the same manner it displays all HTTP replies. It does however
feature an option that makes it attempt to follow the `Location:` pointers.
To tell curl to follow a Location:
curl --location https://www.example.com
If you use curl to POST to a site that immediately redirects you to another
page, you can safely use [`--location`](https://curl.se/docs/manpage.html#-L)
(`-L`) and `--data`/`--form` together. curl only uses POST in the first
request, and then revert to GET in the following operations.
## Other redirects
Browsers typically support at least two other ways of redirects that curl
does not: first the html may contain a meta refresh tag that asks the browser
to load a specific URL after a set number of seconds, or it may use
JavaScript to do it.
# Cookies
## Cookie Basics
The way the web browsers do "client side state control" is by using cookies.
Cookies are names with associated contents. The cookies are sent to the client
by the server. The server tells the client for what path and hostname it wants
the cookie sent back, and it also sends an expiration date and a few more
properties.
When a client communicates with a server with a name and path as previously
specified in a received cookie, the client sends back the cookies and their
contents to the server, unless of course they are expired.
Many applications and servers use this method to connect a series of requests
into a single logical session. To be able to use curl in such occasions, we
must be able to record and send back cookies the way the web application
expects them. The same way browsers deal with them.
## Cookie options
The simplest way to send a few cookies to the server when getting a page with
curl is to add them on the command line like:
curl --cookie "name=Daniel" https://www.example.com
Cookies are sent as common HTTP headers. This is practical as it allows curl
to record cookies by recording headers. Record cookies with curl by
using the [`--dump-header`](https://curl.se/docs/manpage.html#-D) (`-D`)
option like:
curl --dump-header headers_and_cookies https://www.example.com
(Take note that the
[`--cookie-jar`](https://curl.se/docs/manpage.html#-c) option described
below is a better way to store cookies.)
curl has a full blown cookie parsing engine built-in that comes in use if you
want to reconnect to a server and use cookies that were stored from a
previous connection (or hand-crafted manually to fool the server into
believing you had a previous connection). To use previously stored cookies,
you run curl like:
curl --cookie stored_cookies_in_file https://www.example.com
curl's "cookie engine" gets enabled when you use the
[`--cookie`](https://curl.se/docs/manpage.html#-b) option. If you only
want curl to understand received cookies, use `--cookie` with a file that
does not exist. Example, if you want to let curl understand cookies from a
page and follow a location (and thus possibly send back cookies it received),
you can invoke it like:
curl --cookie nada --location https://www.example.com
curl has the ability to read and write cookie files that use the same file
format that Netscape and Mozilla once used. It is a convenient way to share
cookies between scripts or invokes. The `--cookie` (`-b`) switch
automatically detects if a given file is such a cookie file and parses it,
and by using the `--cookie-jar` (`-c`) option you make curl write a new
cookie file at the end of an operation:
curl --cookie cookies.txt --cookie-jar newcookies.txt \
https://www.example.com
# HTTPS
## HTTPS is HTTP secure
There are a few ways to do secure HTTP transfers. By far the most common
protocol for doing this is what is generally known as HTTPS, HTTP over
SSL. SSL encrypts all the data that is sent and received over the network and
thus makes it harder for attackers to spy on sensitive information.
SSL (or TLS as the current version of the standard is called) offers a set of
advanced features to do secure transfers over HTTP.
curl supports encrypted fetches when built to use a TLS library and it can be
built to use one out of a fairly large set of libraries - `curl -V` shows
which one your curl was built to use (if any). To get a page from an HTTPS
server, run curl like:
curl https://secure.example.com
## Certificates
In the HTTPS world, you use certificates to validate that you are the one you
claim to be, as an addition to normal passwords. curl supports client- side
certificates. All certificates are locked with a passphrase, which you need
to enter before the certificate can be used by curl. The passphrase can be
specified on the command line or if not, entered interactively when curl
queries for it. Use a certificate with curl on an HTTPS server like:
curl --cert mycert.pem https://secure.example.com
curl also tries to verify that the server is who it claims to be, by
verifying the server's certificate against a locally stored CA cert bundle.
Failing the verification causes curl to deny the connection. You must then
use [`--insecure`](https://curl.se/docs/manpage.html#-k) (`-k`) in case you
want to tell curl to ignore that the server cannot be verified.
More about server certificate verification and ca cert bundles can be read in
the [`SSLCERTS` document](https://curl.se/docs/sslcerts.html).
At times you may end up with your own CA cert store and then you can tell
curl to use that to verify the server's certificate:
curl --cacert ca-bundle.pem https://example.com/
# Custom Request Elements
## Modify method and headers
Doing fancy stuff, you may need to add or change elements of a single curl
request.
For example, you can change the POST method to `PROPFIND` and send the data
as `Content-Type: text/xml` (instead of the default `Content-Type`) like
this:
curl --data "<xml>" --header "Content-Type: text/xml" \
--request PROPFIND example.com
You can delete a default header by providing one without content. Like you
can ruin the request by chopping off the `Host:` header:
curl --header "Host:" https://www.example.com
You can add headers the same way. Your server may want a `Destination:`
header, and you can add it:
curl --header "Destination: nowhere" https://example.com
## More on changed methods
It should be noted that curl selects which methods to use on its own
depending on what action to ask for. `-d` makes a POST, `-I` makes a HEAD and
so on. If you use the [`--request`](https://curl.se/docs/manpage.html#-X) /
`-X` option you can change the method keyword curl selects, but you do not
modify curl's behavior. This means that if you for example use -d "data" to
do a POST, you can modify the method to a `PROPFIND` with `-X` and curl still
thinks it sends a POST. You can change the normal GET to a POST method by
adding `-X POST` in a command line like:
curl -X POST https://example.org/
curl however still acts as if it sent a GET so it does not send any request
body etc.
# Web Login
## Some login tricks
While not strictly HTTP related, it still causes a lot of people problems so
here's the executive run-down of how the vast majority of all login forms work
and how to login to them using curl.
It can also be noted that to do this properly in an automated fashion, you
most certainly need to script things and do multiple curl invokes etc.
First, servers mostly use cookies to track the logged-in status of the
client, so you need to capture the cookies you receive in the responses.
Then, many sites also set a special cookie on the login page (to make sure
you got there through their login page) so you should make a habit of first
getting the login-form page to capture the cookies set there.
Some web-based login systems feature various amounts of JavaScript, and
sometimes they use such code to set or modify cookie contents. Possibly they
do that to prevent programmed logins, like this manual describes how to...
Anyway, if reading the code is not enough to let you repeat the behavior
manually, capturing the HTTP requests done by your browsers and analyzing the
sent cookies is usually a working method to work out how to shortcut the
JavaScript need.
In the actual `<form>` tag for the login, lots of sites fill-in
random/session or otherwise secretly generated hidden tags and you may need
to first capture the HTML code for the login form and extract all the hidden
fields to be able to do a proper login POST. Remember that the contents need
to be URL encoded when sent in a normal POST.
# Debug
## Some debug tricks
Many times when you run curl on a site, you notice that the site does not
seem to respond the same way to your curl requests as it does to your
browser's.
Then you need to start making your curl requests more similar to your
browser's requests:
- Use the `--trace-ascii` option to store fully detailed logs of the requests
for easier analyzing and better understanding
- Make sure you check for and use cookies when needed (both reading with
`--cookie` and writing with `--cookie-jar`)
- Set user-agent (with [`-A`](https://curl.se/docs/manpage.html#-A)) to
one like a recent popular browser does
- Set referer (with [`-E`](https://curl.se/docs/manpage.html#-E)) like
it is set by the browser
- If you use POST, make sure you send all the fields and in the same order as
the browser does it.
## Check what the browsers do
A good helper to make sure you do this right, is the web browsers' developers
tools that let you view all headers you send and receive (even when using
HTTPS).
A more raw approach is to capture the HTTP traffic on the network with tools
such as Wireshark or tcpdump and check what headers that were sent and
received by the browser. (HTTPS forces you to use `SSLKEYLOGFILE` to do
that.)

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,154 @@
---
c: Copyright (C) Samuel Henrique <samueloph@debian.org>, Sergio Durigan Junior <sergiodj@debian.org> and many contributors, see the AUTHORS file.
SPDX-License-Identifier: curl
Title: wcurl
Section: 1
Source: wcurl
See-also:
- curl (1)
- trurl (1)
Added-in: n/a
---
# NAME
**wcurl** - a simple wrapper around curl to easily download files.
# SYNOPSIS
**wcurl \<URL\>...**
**wcurl [--curl-options \<CURL_OPTIONS\>]... [--dry-run] [--no-decode-filename] [-o|-O|--output \<PATH\>] [--] \<URL\>...**
**wcurl [--curl-options=\<CURL_OPTIONS\>]... [--dry-run] [--no-decode-filename] [--output=\<PATH\>] [--] \<URL\>...**
**wcurl -V|--version**
**wcurl -h|--help**
# DESCRIPTION
**wcurl** is a simple curl wrapper which lets you use curl to download files
without having to remember any parameters.
Call **wcurl** with a list of URLs you want to download and **wcurl**
picks sane defaults.
If you need anything more complex, you can provide any of curl's supported
parameters via the **--curl-options** option. Beware that you likely should be
using curl directly if your use case is not covered.
By default, **wcurl** does:
## * Percent-encode whitespace in URLs;
## * Download multiple URLs in parallel
if the installed curl's version is \>= 7.66.0 (--parallel);
## * Use a total number of 5 parallel connections to the same protocol + hostname + port number target
if the installed curl's version is \>= 8.16.0 (--parallel-max-host);
## * Follow redirects;
## * Automatically choose a filename as output;
## * Avoid overwriting files
if the installed curl's version is \>= 7.83.0 (--no-clobber);
## * Perform retries;
## * Set the downloaded file timestamp
to the value provided by the server, if available;
## * Default to https
if the URL does not contain any scheme;
## * Disable curl's URL globbing parser
so {} and [] characters in URLs are not treated specially;
## * Percent-decode the resulting filename;
## * Use 'index.html' as the default filename
if there is none in the URL.
# OPTIONS
## --curl-options, --curl-options=\<CURL_OPTIONS\>...
Specify extra options to be passed when invoking curl. May be specified more
than once.
## -o, -O, --output, --output=\<PATH\>
Use the provided output path instead of getting it from the URL. If multiple
URLs are provided, resulting files share the same name with a number appended to
the end (curl \>= 7.83.0). If this option is provided multiple times, only the
last value is considered.
## --no-decode-filename
Do not percent-decode the output filename, even if the percent-encoding in the
URL was done by **wcurl**, e.g.: The URL contained whitespace.
## --dry-run
Do not actually execute curl, print what would be invoked.
## -V, \--version
Print version information.
## -h, \--help
Print help message.
# CURL_OPTIONS
Any option supported by curl can be set here. This is not used by **wcurl**; it
is instead forwarded to the curl invocation.
# URL
URL to be downloaded. Anything that is not a parameter is considered
an URL. Whitespace is percent-encoded and the URL is passed to curl, which
then performs the parsing. May be specified more than once.
# EXAMPLES
Download a single file:
**wcurl example.com/filename.txt**
Download two files in parallel:
**wcurl example.com/filename1.txt example.com/filename2.txt**
Download a file passing the **--progress-bar** and **--http2** flags to curl:
**wcurl --curl-options="--progress-bar --http2" example.com/filename.txt**
Resume from an interrupted download. The options necessary to resume the download
(`--clobber --continue-at -`) must be the **last** options specified in `--curl-options`.
Note that the only way to resume interrupted downloads is to allow wcurl to overwrite
the destination file:
**wcurl --curl-options="--clobber --continue-at -" example.com/filename.txt**
Download multiple files without a limit of concurrent connections per host (the default limit is 5):
**wcurl --curl-options="--parallel-max-host 0" example.com/filename1.txt example.com/filename2.txt**
# AUTHORS
Samuel Henrique \<samueloph@debian.org\>
Sergio Durigan Junior \<sergiodj@debian.org\>
and many contributors, see the AUTHORS file.
# REPORTING BUGS
If you experience any problems with **wcurl** that you do not experience with
curl, submit an issue on GitHub: https://github.com/curl/wcurl
# COPYRIGHT
**wcurl** is licensed under the curl license