cURL 8.0.1 was released on 20-March-2023. 130 + 1 bugfixes since v7.88.1: Home | Changelog | Downloads | Releaselogs

cURL 8.1.2 was released on 30-May-2023.

Bugfixes:
- configure: quote the assignments for run-compiler
- configure: without pkg-config and no custom path, use -lnghttp2
- curl: cache the --trace-time value for a second
- http2: fix EOF handling on uploads with auth negotiation
- http3: send EOF indicator early as possible
- lib1560: verify more scheme guessing
- lib: remove unused functions, make single-use static
- libcurl.m4: remove the trailing 'dnl' that causes this to break autoconf
- libssh: when keyboard-interactive auth fails, try password
- misc: fix spelling mistakes
- page-header: mention curl version and how to figure out the current release
- page-header: minor wording polish in the URL segment
- scripts/singleuse.pl: add more API calls
- urlapi: remove superfluous host name check

cURL 8.2.0 was released on 19-July-2023.

Fixed in 8.2.0 - July 19, 2023

Changes:
- curl: add --ca-native and --proxy-ca-native
- curl: add --trace-ids
- CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
- haproxy: add --haproxy-clientip flag to set client IPs
- lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID

Bugfixes:
- bufq: make write/pass methods more robust
- build: drop unused/redundant `HAVE_WINLDAP_H`
- cf-socket: don't bypass fclosesocket callback if cancelled before connect
- cf-socket: move ctx declaration under HAVE_GETPEERNAME
- cf-socket: skip getpeername()/getsockname for TFTP
- checksrc: modernise perl file open
- checksrc: quote the file name to work with "funny" letters
- CI: brew fix for openssl in default path
- CI: don't install impacket if tests are not run
- CI: enable parallel make in more builds
- circleci: install impacket & wolfssl 5.6.0
- cmake: add support for "unity" builds
- cmake: make use of snprintf
- cmake: stop CMake from quietly ignoring missing Brotli
- configure: add check for ldap_init_fd
- configure: fix run-compiler for old /bin/sh
- configure: the --without forms of the options are also gone
- connect-timeout.d: mention that the DNS lookup is included
- curl.h: include <sys/select.h> for vxworks
- curl: count uploaded data to stop at the originally given size
- curl: return error when asked to use an unsupported HTTP version
- curl_easy_nextheader.3: add missing open parenthesis examples
- curl_log: evaluate log statement only when transfer is verbose
- curl_mprintf.3: minor fix of the example
- curl_pushheader_byname/bynum.3: document in their own man pages
- curl_url_set: enforce the max string length check for all parts
- CURLOPT_AWS_SIGV4.3: remove unused variable from example
- CURLOPT_INFILESIZE.3: mention -1 triggers chunked
- CURLOPT_MIMEPOST.3: clarify what setting to NULL means
- CURLOPT_SSH_PRIVATE_KEYFILE.3: expand on the file search
- docs/libcurl/libcurl.3: cleanups and improvements
- docs: add more .IP after .RE to fix indentation of generate paragraphs
- docs: fix missing parameter names in examples
- docs: update CURLOPT_UPLOAD.3
- docs: update HTTP3.md for newer ngtcp2 and nghttp3
- docs: use a space after RFC when spelling out RFC numbers
- example/connect-to: show CURLOPT_CONNECT_TO
- example/crawler: also set CURLOPT_AUTOREFERER
- example/crawler: make it use a few more options
- example/default-scheme: set the default scheme for schemeless URLs
- example/hsts-preload: show one way to HSTS preload
- example/http2-download: set CURLOPT_BUFFERSIZE
- example/ipv6: feature CURLOPT_ADDRESS_SCOPE in use
- example/maxconnects: set maxconnect example
- example/opensslthreadlock: remove
- examples/ftpuploadresume.c: add use of CURLOPT_ACCEPTTIMEOUT_MS
- examples/http-options: show how to send "OPTIONS *"
- examples/https.c: use CURLOPT_CA_CACHE_TIMEOUT
- examples/multi-debugcallback.c: avoid the bool typedef
- examples/smtp-mime: use CURLOPT_MAIL_RCPT_ALLOWFAILS
- examples/unixsocket.c: example using CURLOPT_UNIX_SOCKET_PATH
- examples/websocket.c: websocket example using CONNECT_ONLY
- examples: make use of CURLOPT_(REDIR_|)PROTOCOLS_STR
- fopen: fix conversion warning on 32-bit Android
- fopen: optimize
- hostip.c: Move macOS-specific calls into global init call
- HTTP/2: upload handling fixes
- http2: better support for --limit-rate
- http2: error stream resets with code CURLE_HTTP2_STREAM
- http2: fix crash in handling stream weights
- http2: fix variable type
- http2: h2 and h2-PROXY connection alive check fixes
- http2: raise header limitations above and beyond
- http2: send HEADER & DATA together if possible
- http2: treat initial SETTINGS as a WINDOW_UPDATE
- HTTP3.md: update openssl version
- http3/ngtcp2: upload EAGAIN handling
- http: rectify the outgoing Cookie: header field size check
- hyper: fix EOF handling on input
- hyper: unslow
- imap-append.c: update to make it more likely to work
- imap: Provide method to disable SASL if it is advertised
- krb5: add typecast to please Coverity
- libcurl-url.3: also mention CURLUPART_ZONEID
- libcurl-ws.3. WebSocket API overview
- libssh2: provide error message when setting host key type fails
- libssh2: use custom memory functions
- ngtcp2: assigning timeout, but value is overwritten before used
- ngtcp2: build with 0.17.0 and nghttp3 0.13.0
- ngtcp2: use ever increasing timestamp in io
- quiche: avoid NULL deref in debug logging
- quiche: fix defects found in latest coverity report
- quote.d: fix indentation of generated paragraphs
- runtests: abort test run after failure without -a
- runtests: better handle ^C during slow tests
- runtests: consistently write the test check summary block
- runtests: create multiple test runners when requested
- runtests: include missing valgrind package
- runtests: make test file directories in log/N
- runtests: rename server command file
- runtests: use more consistent failure lines
- runtests: work around a perl without SIGUSR1
- runtests; give each server a unique log lock file
- scripts: Fix GHA matrix job detection in cijobs.pl
- sectransp: fix EOF handling
- system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
- test2600: fix the description
- test427: verify sending more cookies than fit in a 8190 bytes line
- tests/http: Add mod_h2 directive `H2ProxyRequests`
- tests/servers.pm: pick unused port number with a server socket
- tests/servers: generate temp names in /tmp for unix domain sockets
- tests: fix error messages & handling around sockets
- tests: improve reliability of TFTP tests
- testutil: allow multiple %-operators on the same line
- timeval: use CLOCK_MONOTONIC_RAW if available
- tls13-ciphers.d: include Schannel
- tool: remove exclamation marks from error/warning messages
- tool: remove newlines from all helpf/notef/warnf/errorf calls
- tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
- tool_getparam: fix comment
- tool_operate: allow cookie lines up to 8200 bytes
- tool_parsecfg: accept line lengths up to 10M
- tool_urlglob: use curl_off_t instead of longs
- tool_writeout_json: fix encoding of control characters
- transfer: clear credentials when redirecting to absolute URL
- urlapi: have *set(PATH) prepend a slash if one is missing
- urlapi: scheme must start with alpha
- vtls: avoid memory leak if sha256 call fails
- websocket-cb: example doing WebSocket download using callback
- wolfssl: detect when TLS 1.2 support is not built into wolfssl
- wolfssl: support setting CA certificates as blob
- ws: make the curl_ws_meta() return pointer a const

Version 8.2.1 was released on 26-July-2023.

Fixed in 8.2.1 - July 26, 2023

Changes:

Bugfixes:
- amigaos: fix sys/mbuf.h m_len macro clash
- amissl: add missing signal.h include
- amissl: fix AmiSSL v5 detection
- cfilters: rename close/connect functions to avoid clashes
- ciphers.d: put URL in first column
- cmake: add `libcurlu`/`libcurltool` for unit tests
- cmake: update ngtcp2 detection
- configure: check for nghttp2_session_get_stream_local_window_size
- CONTRIBUTE: drop mention of copyright year ranges
- CONTRIBUTE: fix syntax in commit message description
- curl_multi_wait.3: fix arg quoting to doc macro .BR
- docs: mark two TLS options for TLS, not SSL
- docs: provide more see also for cipher options
- hostip: return IPv6 first for localhost resolves
- http2: fix regression on upload EOF handling
- http: VLH, very large header test and fixes
- libcurl-errors.3: add CURLUE_OK
- os400: correct EXPECTED_STRING_LASTZEROTERMINATED
- quiche: fix lookup of transfer at multi
- quiche: fix segfault and other things
- rustls: update rustls-ffi 0.10.0
- socks: print ipv6 address within brackets
- src/mkhelp: strip off escape sequences
- tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
- transfer: do not clear the credentials on redirect to absolute URL
- unittest: remove unneeded *_LDADD
- websocket: rename arguments/variables to match docs

Version 8.3.0 has been released. (13-September-2023)
9 changes and 174 bug fixes…

Fixed in 8.3.0 - September 13, 2023

Changes:
- curl: make %output{} in -w specify a file to write to
- gskit: remove
- lib: --disable-bindlocal builds curl without local binding support
- nss: remove support for this TLS library
- tool: add “variable” support
- trace: make tracing available in non-debug builds
- url: change the default value for CURLOPT_MAXREDIRS to 30
- urlapi: CURLU_PUNY2IDN – convert from punycode to IDN name
- wolfssl: support loading system CA certificates

Bugfixes:
- altsvc: accept and parse IPv6 addresses in response headers
- asyn-ares: reduce timeout to, 2000ms
- aws-sigv4: canonicalize the query
- aws-sigv4: fix having date header twice in some cases
- aws-sigv4: handle no-value user header entries
- bearssl: don't load CA certs when peer verification is disabled
- bearssl: handshake fix, provide proper get_select_socks() implementation
- build: fix portability of mancheck and checksrc targets
- build: streamline non-UWP wincrypt detections
- c-hyper: adjust the hyper to curlcode conversion
- c-hyper: fix memory leaks in `Curl_http`
- cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
- cf-socket: log successful interface bind
- CI/cirrus: disable python install on FreeBSD
- CI: add a 32-bit i686 Linux build
- CI: add caching to many jobs
- CI: move on to ngtcp2 v0.19.1
- CI: move the Alpine build from Cirrus to GHA
- CI: ngtcp2-linux: use separate caches for tls libraries
- CI: remove Windows builds from Cirrus, without replacement
- CI: switch macOS ARM build from Cirrus to Circle CI
- CI: use master again for wolfssl
- cirrus: install everything with pkg, avoid pip
- CMake: add GnuTLS option
- CMake: add support for `CURL_DEFAULT_SSL_BACKEND`
- CMake: add support for single libcurl compilation pass
- CMake: allow `SHARE_LIB_OBJECT=ON` on all platforms
- CMake: assume `wldap32` availability on Windows
- CMake: cache more config and delete unused ones
- CMake: detect `SSL_set0_wbio` in OpenSSL
- CMake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
- CMake: fix to use variable for the curl namespace
- CMake: fixup the H2 duplicate symbols for unity builds
- CMake: set SIZEOF_LONG_LONG in curl_config.h
- CMake: support building static and shared libcurl in one go
- cmdline-docs: make sure to phrase it as “added in ….”
- cmdline-docs: use present tense, not future
- cmdline-opts/docs: mention the negative option part
- cmdline-opts/page-header: clarify stronger that !opt == URL
- cmdline-opts/page-header: reorder, clean up
- configure, CMake, lib: more form api deprecation
- configure: fix `HAVE_TIME_T_UNSIGNED` check
- configure: trust pkg-config when it's used for zlib
- configure: use the pkg-config --libs-only-l flag for libssh2
- connect: stop halving the remaining timeout when less than 600 ms left
- cookie-jar.d: emphasize that this option is ONLY writing cookies
- crypto: ensure crypto initialization works
- curl_url_get/set.3: add missing semicolon in SYNOPSIS
- CURLINFO_CERTINFO.3: better explain curl_certinfo struct
- CURLINFO_TLS_SSL_PTR.3: clarify a recommendation
- CURLOPT_*TIMEOUT*: extend and clarify
- CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled
- CURLOPT_URL.3: add two URL API calls in the see-also section
- CURLOPT_URL.3: explain curl_url_set() uses the same parser
- digest: Use hostname to generate spn instead of realm
- disable.d: explain --disable not implemented prior to 7.50.0
- docs/cmdline-opts/gen.pl: hide “added in” before 7.50.0
- docs/cmdline-opts: match the current output
- docs/cmdline-opts: spell fixes, typos and polish
- docs/cmdline: add small “warning” to verbose options
- docs/cmdline: remove repeated working for negotiate + NTLM
- docs/HYPER.md: document a workaround for a link error
- docs: add curl_global_trace to some SEE ALSO sections
- docs: link to the website versions instead of markdowns
- docs: mark --ssl-revoke-best-effort as Schannel specific
- docs: mention critical files in same directories as curl saves
- docs: removing “pausing transfers” from HYPER.md.
- docs: rewrite to present tense
- easy: remove #ifdefs to make code easier on the eye
- egd: delete feature detection and related source code
- ftp: fix temp write of ipv6 address
- gen.pl: escape all dashes (ASCII minus) to avoid unicode hyphens
- gen.pl: replace all single quotes with aq
- GHA: adding quiche workflow
- headers: accept leading white spaces on first response header
- http2: avoid too early connection re-use/multiplexing
- http2: cleanup trace messages
- http2: disable assertion blocking OSSfuzz testing
- http2: fix in h2 proxy tunnel: progress in ingress on sending
- http2: polish things around POST
- http2: upgrade tests and add fix for non-existing stream
- http3/ngtcp2: shorten handshake, trace cleanup
- http3: quiche, handshake optimization, trace cleanup
- http: close the connection after a late 417 is received
- http: do not require a user name when using CURLAUTH_NEGOTIATE
- http: fix sending of large requests
- http: remove the p_pragma struct field
- http: return error when receiving too large header set
- hyper: fix a progress upload counter bug
- hyper: fix ownership problems
- hyper: remove `hyptransfer->endtask`
- IMAP: add a check for failing strdup()
- IMAP: remove the only sscanf() call in the IMAP code
- include.d: explain headers not printed with --fail before 7.75.0
- include/curl/mprintf.h: add __attribute__ for the prototypes
- krb5: fix “implicit conversion loses integer precision” warnings
- lib: add the ability to disable auths individually
- lib: build fixups when built with most things disabled
- lib: fix a few *printf() flag mistakes
- lib: fix null ptr derefs and uninitialized vars (h2/h3)
- lib: move mimepost data from ->req.p.http to ->state
- libtest: use curl_free() to free libcurl allocated data
- list-only.d: mention SFTP as a supported protocol
- macOS: fix target detection more
- misc: fix various typos
- multi.h: the 'revents' field of curl_waitfd is supported
- multi: more efficient pollfd count for poll
- multi: remove 'processing: <url>' debug message
- ngtcp2: fix handling of large requests
- openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
- openssl: clear error queue after SSL_shutdown
- openssl: make aws-lc version support OCSP
- openssl: Support async cert verify callback
- openssl: switch to modern init for LibreSSL 2.7.0+
- openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1
- openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0
- openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
- os400: build test servers
- os400: do not check translatable options at build time
- os400: implement CLI tool
- page-footer: QLOGDIR works with ngtcp2 and quiche
- page-header: move up a URL paragraph from GLOBBING to URL
- pytest: fix check for slow_network skips to only apply when intended
- quic: don't set SNI if hostname is an IP address
- quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
- quiche: enable quiche to handle timeout events
- resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
- revert “schannel: reverse the order of certinfo insertions”
- schannel: fix ordering of cert chain info
- schannel: fix user-set legacy algorithms in Windows 10 & 11
- schannel: verify hostname independent of verify cert
- sectransp: fix compiler warnings
- sectransp: prevent CFRelease() of NULL
- secureserver.pl: fix stunnel path quoting
- secureserver.pl: fix stunnel version parsing
- SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline
- system.h: add CURL_OFF_T definitions on HP-UX with HP aCC
- test1304: build and skip without netrc support
- test1554: check translatable string options in OS400 wrapper
- test1608: make it build and get skipped without shuffle DNS support
- test687/688: two more basic --xattr tests
- tests/tftpd+mqttd: make variables static to silence picky warnings
- tests: add 'large-time' as a testable feature
- tests: add support for nested %if conditions
- tests: don't call HTTP errors OK in test cases
- tests: ensure `libcurl.def` contains all exports
- tests: fix h3 server check and parallel instances
- tests: TLS session sharing test
- tests: update cookie expiry dates to far in the future
- time-cond.d: mention what happens on a missing file
- tool: avoid including leading spaces in the Location hyperlink
- tool: change some fopen failures from warnings to errors
- tool: make the length argument an int for printf()-.* flags
- tool_cb_wrt: fix invalid unicode for windows console
- tool_filetime: make -z work with file dates before 1970
- tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR
- tool_operate: make aws-sigv4 not require TLS to be used
- tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()
- tool_urlglob: use the correct format specifier for curl_off_t in msnprintf
- transfer: also stop the sending on closed connection
- transfer: don't set TIMER_STARTTRANSFER on first send
- unit2600: fix build warning if built without verbose messages
- url: remove infof() output for “still name resolving”
- urlapi: fix heap buffer overflow
- urlapi: make sure zoneid is also duplicated in curl_url_dup
- urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails
- urlapi: setting a blank URL ("") is not an ok URL
- vquic: show stringified messages for errno
- vtls: clarify “ALPN: offers” message
- winbuild: improve check for static zlib
- wolfSSL: avoid the OpenSSL compat API when not needed
- workflows/macOS.yml: disable zstd and alt-svc in the http-only build
- write-out.d: clarify %{time_starttransfer}
- ws: fix spelling mistakes in examples and tests

cURL and libcurl 8.6.0 have been released. (31-January-2024)

Fixed in 8.6.0 - January 31 2024

Changes:
- add CURLE_TOO_LARGE
- add CURLINFO_QUEUE_TIME_T
- add CURLOPT_SERVER_RESPONSE_TIMEOUT_MS: add
- asyn-thread: use GetAddrInfoExW on >= Windows 8
- configure: make libpsl detection failure cause error
- docs/cmdline: change to .md for cmdline docs
- docs: introduce “curldown” for libcurl man page format
- runtests: support -gl. Like -g but for lldb.

Bugfixes:
- altsvc: free 'as' when returning error
- appveyor: replace PowerShell with bash + parallel autotools
- appveyor: switch to out-of-tree builds
- asyn-ares: with modern c-ares, use its default timeout
- build: delete unused `HAVE_{GSSHEIMDAL,GSSMIT,HEIMDAL}`
- build: delete/replace clang warning pragmas
- build: enable missing OpenSSF-recommended warnings, with fixes
- build: fix `-Wconversion`/`-Wsign-conversion` warnings
- build: fix Windows ADDRESS_FAMILY detection
- build: more `-Wformat` fixes
- build: remove redundant `CURL_PULL_*` settings
- cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper
- cf-socket: show errno in tcpkeepalive error messages
- CI/distcheck: run full tests
- cmake: add option to disable building docs
- cmake: fix generation for system name iOS
- cmake: fix typo
- cmake: freshen up docs/INSTALL.cmake
- cmake: prefill/cache `HAVE_STRUCT_SOCKADDR_STORAGE`
- cmake: rework options to enable curl and libcurl docs
- cmake: when USE_MANUAL=YES, build the curl.1 man page
- cmdline-opts/write-out.d: remove spurious double quotes
- cmdline-opts: update availability for the *-ca-native options
- cmdline/gen: fix the sorting of the man page options
- configure: add libngtcp2_crypto_boringssl detection
- configure: fix no default int compile error in ipv6 detection
- configure: when enabling QUIC, check that TLS supports QUIC
- connect: remove margin from eyeballer alloc
- content_encoding: change return code to typedef'ed enum
- cookie.d: document use of empty string to enable cookie engine
- cookie: avoid fopen with empty file name
- curl.h: CURLOPT_DNS_SERVERS is only available with c-ares
- curl: show ipfs and ipns as supported “protocols”
- curl_easy_getinfo.3: remove the wrong time value count
- curl_multi_fdset.3: remove mention of null pointer support
- CURLINFO_REFERER.3: clarify that it is the *request* header
- CURLOPT_AUTOREFERER.3: mention CURLINFO_REFERER
- CURLOPT_POSTFIELDS.3: fix incorrect C string escape in example
- CURLOPT_SSH_*_KEYFILE: clarify
- dist: add tests/errorcodes.pl to the tarball
- docs: clean up Protocols: for cmdline options
- docs: describe and highlight super cookies
- docs: do not start lines/sentences with So, But nor And
- docs: install curl.1 with cmake
- docs: mention env vars not used by schannel
- doh: remove unused local variable
- examples: add four new examples
- file+ftp: use stack buffers instead of data->state.buffer
- ftp: handle the PORT parsing without allocation
- ftp: use dynbuf to store entrypath
- ftp: use memdup0 to store the OS from a SYST 215 response
- ftpserver.pl: send 213 SIZE response without spurious newline
- gen.pl: support ## for doing .IP in table-like lists
- gen: do italics/bold for a range of letters, not just single word
- GHA: add a job scanning for “bad words” in markdown
- GHA: bump ngtcp2, gnutls, mod_h2, quiche
- gnutls: fix build with --disable-verbose
- haproxy-clientip.d: document the arg
- headers: make sure the trailing newline is not stored
- headers: remove assert from Curl_headers_push
- hostip: return error immediately when Curl_ip2addr() fails
- hsts: remove assert for zero length domain
- http2: improved on_stream_close/data_done handling
- http3/quiche: fix result code on a stream reset
- http3: initial support for OpenSSL 3.2 QUIC stack
- http: adjust_pollset fix
- http: check for “Host:” case insensitively
- http: fix off-by-one error in request method length check
- http: only act on 101 responses when they are HTTP/1.1
- http: remove comment reference to a removed solution
- http: use stack scratch buffer
- http_proxy: a blank CURLOPT_USERAGENT should not be used in CONNECT
- krb5: add prototype to silence clang warnings on mvsnprintf()
- lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
- lib: error out on multissl + http3
- lib: fix variable undeclared error caused by `infof` changes
- lib: reduce use of strncpy
- lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
- lib: replace readwrite with write_resp
- lib: strndup/memdup instead of malloc, memcpy and null-terminate
- libssh2: use `libssh2_session_callback_set2()` with v1.11.1
- libssh: improve the deprecation warning dismissal
- libssh: supress warnings without version check
- Makefile.am: fix the MSVC project generation
- Makefile.mk: drop Windows support
- mbedtls: fix `-Wnull-dereference` and `-Wredundant-decls`
- mbedtls: free the entropy when threaded
- mime: use memdup0 instead of malloc + memcpy
- mksymbolsmanpage.pl: provide references to where the symbol is used
- mprintf: overhaul and bugfixes
- mqtt: use stack scratch buffer for recv+publish
- multi: remove total timer reset in file_do() while fetching file://
- ngtcp2: put h3 at the front of alpn
- ntlm_wb: do not use data->state.buffer any longer
- openldap: fix an LDAP crash
- openldap: fix STARTTLS
- openssl: re-match LibreSSL deinit with init
- openssl: when verifystatus fails, remove session id from cache
- OS400: sync ILE/RPG binding
- pingpong: stop using the download buffer
- pop3: replace calloc + memcpy with memdup0
- pytest: scorecard tracking CPU and RSS
- quiche: return CURLE_HTTP3 on send to invalid stream
- readwrite_data: loop less
- Revert “urldata: move async resolver state from easy handle to connectdata”
- rtsp: deal with borked server responses
- runtests: for mode="text" on <stdout>, fix newlines on both parts
- sasl: make login option string override http auth
- schannel: fix `-Warith-conversion` gcc 13 warning
- sectransp: do verify_cert without memdup for blobs
- sectransp_ make TLSCipherNameForNumber() available in non-verbose config
- sendf: fix compiler warning with CURL_DISABLE_HEADERS_API
- setopt: clear mimepost when formp is freed
- setopt: use memdup0 when cloning COPYPOSTFIELDS
- socks: fix generic output string to say SOCKS instead of SOCKS4
- socks: use own buffer instead of data->state.buffer
- ssh: fix namespace of two local macros
- ssh: use stack scratch buffer for seeks
- strerror: repair get_winsock_error()
- system.h: sync mingw `CURL_TYPEOF_CURL_SOCKLEN_T` with other compilers
- system_win32: fix a function pointer assignment warning
- telnet: use dynbuf instad of malloc for escape buffer
- telnet: use stack scratch buffer for do
- tests/server: delete workaround for old-mingw
- tests: avoid int/size_t conversion size/sign warnings
- tests: respect $TMPDIR when creating unix domain sockets
- tool: make parser reject blank arguments if not supported
- tool: prepend output_dir in header callback
- tool_getparam: bsearch cmdline options
- tool_getparam: do not try to expand without an argument
- tool_getparam: stop supporting `@filename` style for --cookie
- tool_listhelp: regenerate after recent .d updates
- tool_operate: make --remove-on-error only remove “real” files
- tool_operate: stop setting the file comment on Amiga
- transfer: adjust_pollset improvements
- transfer: fix upload rate limiting, add test cases
- transfer: make the select_bits_paused condition check both directions
- transfer: remove warning: Value stored to 'blen' is never read
- url: don't set default CA paths for Secure Transport backend
- url: for disabled protocols, mention if found in redirect
- urlapi: remove assert
- verify-examples.pl: fail verification on unescaped backslash
- version: show only the libpsl version, not its dependencies
- vquic: extract TLS setup into own source
- vtls: fix missing multissl version info
- vtls: receive max buffer
- vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY
- websockets: check for negative payload lengths
- websockets: refactor decode chain
- windows: delete redundant headers
- windows: simplify detecting and using system headers
- wolfssl: load certificate *chain* for PEM client certs
- x509asn1: remove code for WANT_VERIFYHOST
- x509asn1: switch from malloc to dynbuf

cURL and libcurl 8.7.0 have been released. (27-March-2024)

Fixed in 8.7.0 - March 27, 2024

Changes:
- configure: add --disable-docs flag
- CURLINFO_USED_PROXY: return bool whether the proxy was used
- digest: support SHA-512/256
- DoH: add trace configuration
- write-out: add '%{proxy_used}'

Bugfixes:
- ALTSVC.md: correct a typo
- asyn-ares: fix data race warning
- asyn-thread: use wakeup_close to close the read descriptor
- badwords: use hostname, not host name
- BINDINGS: add mcurl, the python binding
- bufq: writing into a softlimit queue cannot be partial
- c-hyper: add header collection writer in hyper builds
- cd2nroff: gen: make `\>` in input to render as plain '>' in output
- cd2nroff: remove backticks from titles
- checksrc.pl: fix handling .checksrc with CRLF
- cmake: add USE_OPENSSL_QUIC support
- cmake: add warning for using TLS libraries without 1.3 support
- cmake: enable `ENABLE_CURL_MANUAL` by default
- cmake: fix `CURL_WINDOWS_SSPI=ON` with Schannel disabled
- cmake: fix function description in comment
- cmake: fix install for older CMake versions
- cmake: fix libcurl.pc and curl-config library specifications
- cmdline-docs/Makefile: avoid using a fixed temp file name
- cmdline-docs: quote and angle bracket cleanup
- cmdline-opts/_EXITCODES: sync with libcurl-errors
- cmdline-opts/_VARIABLES.md: improve the description
- cmdline-opts/_VERSION: provide %VERSION correctly
- cmdline-opts: shorter help texts
- configure: add pkg-config support to rustls detection
- configure: add warning for using TLS libraries without 1.3 support
- configure: build & install shell completions when enabled
- configure: do not link with nghttp3 unless necessary
- configure: Don't build shell completions when disabled
- configure: Don't make shell completions without perl
- configure: find libpsl with pkg-config
- connect.c: fix typo
- CONTRIBUTE: update the section on documentation format
- cookie.md: provide an example sending a fixed cookie
- cookie: if psl fails, reject the cookie
- curl: exit on config file parser errors
- curl: make --libcurl output better CURLOPT_*SSLVERSION
- curl: when allocating variables, add the name into the struct
- curl_setup.h: add curl_uint64_t internal type
- curldown: fix email address in Copyright
- CURLMOPT_MAX*: mention what happens if changed mid-transfer
- CURLOPT_INTERFACE.md: remove spurious amp, add see-also
- CURLOPT_POSTQUOTE.md: fix typo
- CURLOPT_SSL_CTX_FUNCTION.md: no promises of lifetime after return
- CURLOPT_WRITEFUNCTION.md: typo fix
- digest: add check for hashing error
- dist: make sure the http tests are in the tarball
- DISTROS: add document with distro pointers
- docs/libcurl: add TLS backend info for all TLS options
- docs/libcurl: generate PROTOCOLS from meta-data
- docs: add missing slashes to SChannel client certificate documentation
- docs: add necessary setup for nghttp3
- docs: ascii version of manpage without nroff
- docs: dist curl*.1 and install without perl
- docs: make curldown do angle brackets like markdown
- docs: make each libcurl man specify protocol(s)
- docs: make sure curl.1 is included in dist tarballs
- docs: update minimal binary size in INSTALL.md
- docs: use present tense
- examples: use present tense in comments
- file: use xfer buf for file:// transfers
- fopen: fix narrowing conversion warning on 32-bit Android
- form-string.md: correct the example
- ftp: do lineend conversions in client writer
- ftp: fix socket wait activity in ftp_domore_getsock
- ftp: tracing improvements
- ftp: treat a 226 arriving before data as a signal to read data
- gen.pl: make the "manpageification" faster
- gen: make `\>` in input to render as plain '>' in output
- getparam: make --ftp-ssl work again
- GHA/linux: add sysctl trick to work-around GitHub runner issue
- GIT-INFO: convert to markdown
- GOVERNANCE: document the core team
- header.md: remove backslash, make nicer markdown
- HTTP/2: write response directly
- http2, http3: return CURLE_PARTIAL_FILE when bytes were received
- http2: fix push discard
- http2: memory errors in the push callbacks are fatal
- http2: minor tweaks to optimize two struct sizes
- http2: push headers better cleanup
- http2: remove the third (unused) argument from http2_data_done()
- HTTP3.md: adjust the OpenSSL QUIC install instructions
- http: better error message for HTTP/1.x response without status line
- http: improve response header handling, save cpu cycles
- http: move headers collecting to writer
- http: remove stale comment about rewindbeforesend
- http: separate response parsing from response action
- http_chunks: fix the accounting of consumed bytes
- http_chunks: remove unused 'endptr' variable
- https-proxy: use IP address and cert with ip in alt names
- hyper: implement unpausing via client reader
- ipv6.md: mention IPv4 mapped addresses
- KNOWN_BUGS: POP3 issue when reading small chunks
- lib1598: fix `CURLOPT_POSTFIELDSIZE` usage
- lib582: remove code causing warning that is never run
- lib: add `void *ctx` to reader/writer instances
- lib: convert Curl_get_line to use dynbuf
- lib: Curl_read/Curl_write clarifications
- lib: enhance client reader resume + rewind
- lib: initialize output pointers to NULL before calling strto[ff,l,ul]
- lib: keep conn IP information together
- lib: move 'done' parameter to SingleRequests
- lib: remove curl_mimepart object when CURL_DISABLE_MIME
- libcurl-docs: cleanups
- libcurl-security.md: Active FTP passes on the local IP address
- libssh/libssh2: return error on too big range
- MANUAL.md: fix typo
- mbedtls: fix building when MBEDTLS_X509_REMOVE_INFO flag is defined
- mbedtls: fix pytest for newer versions
- mbedtls: properly cleanup the thread-shared entropy
- mbedtls: use mbedtls_ssl_conf_{min|max}_tls_version
- md4: include strdup.h for the memdup proto
- mime: add client reader
- misc: fix typos in docs and lib
- mkhelp: simplify the generated hugehelp program
- mprintf: fix format prefix I32/I64 for windows compilers
- multi: add xfer_buf to multi handle
- multi: fix multi_sock handling of select_bits
- multi: make add_handle free any multi_easy
- ngtcp2: no recvbuf for stream
- ntml_wb: fix buffer type typo
- OpenSSL QUIC: adapt to v3.3.x
- openssl-quic: check on Windows that socket conv to int is possible
- openssl-quic: fix BIO leak and Windows warning
- openssl-quic: fix unity build, casing, indentation
- OS400: avoid using awk in the build scripts
- paramhlp: fix CRLF-stripping files with "-d @file"
- proxy1.0.md: fix example
- pytest: adapt to API change
- request: clarify message when request has been sent off
- rustls: make curl compile with 0.12.0
- schannel: fix hang on unexpected server close
- scripts: fix cijobs.pl for Azure and GHA
- sendf: ignore response body to HEAD
- setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
- setopt: fix disabling all protocols
- sha512_256: add support for GnuTLS and OpenSSL
- smtp: fix STARTTLS
- SPONSORS: describe the basics
- strtoofft: fix the overflow check
- test 1541: verify getinfo values on first header callback
- test1165: improve pattern matching
- tests: support setting/using blank content env variables
- TIMER_STARTTRANSFER: set the same for everyone
- TLS: start shutdown only when peer did not already close
- TODO: update 13.11 with more information
- tool_cb_hdr: only parse etag + content-disposition for 2xx
- tool_getparam: accept a blank -w ""
- tool_getparam: handle non-existing (out of range) short-options
- tool_operate: change precedence of server Retry-After time
- tool_operate: do not set CURLOPT_QUICK_EXIT in debug builds
- trace-config.md: remove the mutexed options list
- transfer.c: break receive loop in speed limited transfers
- transfer: improve Windows SO_SNDBUF update limit
- urldata: move authneg bit from conn to Curl_easy
- version: allow building with ancient libpsl
- vquic-tls: fix the error code returned for bad CA file
- vtls: fix tls proxy peer verification
- vtls: revert "receive max buffer" + add test case
- VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
- websocket: fix curl_ws_recv()
- wolfSSL: do not call the stub function wolfSSL_BIO_set_init()
- write-out.md: clarify error handling details
cURL and libcurl 8.7.1 have been released. (27-March-2024)
Fixed in 8.7.1 - March 27, 2024
Bugfixes: Fixed empty tool_hugehelp.c file
cURL and libcurl 8.8.0 have been released. (22-May-2024)
Fixed in 8.8.0 - May 22, 2024
Changes: curl_version_info: provide librtmp version file: add support for directory listings idn: add native AppleIDN (icucore) support for macOS/iOS lib: add curl_multi_waitfds mbedTLS: implement CURLOPT_SSL_CIPHER_LIST option NTLM_WB: drop support TLS: add support for ECH (Encrypted Client Hello) urlapi: add CURLU_GET_EMPTY for empty queries and fragments
Bugfixes: appveyor: drop unnecessary `--clean-first` cmake option appveyor: guard against crash-build with VS2008 appveyor: make gcc 6 mingw64 job build-only asyn-thread: fix curl_global_cleanup crash in Windows asyn-thread: fix Curl_thread_create result check autotools: delete unused functions autotools: fix `HAVE_IOCTLSOCKET_FIONBIO` test for gcc 14 autotools: only probe for SGI MIPS compilers on IRIX bearssl: fix compiler warnings bearssl: use common code for cipher suite lookup bufq: remove duplicate word in comment BUG-BOUNTY.md: clarify the third party situation build: prefer `USE_IPV6` macro internally (was: `ENABLE_IPV6`) build: remove MacOSX-Framework script cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set cf-https-connect: use timeouts as unsigned ints cf-socket: don't try getting local IP without socket cf-socket: remove references to l_ip, l_port ci: add curl-for-win builds: Linux MUSL, macOS, Windows cmake: add `BUILD_EXAMPLES` option to build examples cmake: add librtmp/rtmpdump option and detection cmake: check fseeko after detecting HAVE_FILE_OFFSET_BITS cmake: do not pass linker flags to the static library tool cmake: enable `-pedantic-errors` for clang when `CURL_WERROR=ON` cmake: FindNGHTTP2 add static lib name to find_library call cmake: fix `CURL_WERROR=ON` for old CMake and use it in GHA/linux-old cmake: fix `HAVE_IOCTLSOCKET_FIONBIO` test with gcc 14 cmake: fixup `DEPENDS` filename cmake: forward
`USE_LIBRTMP` option to C cmake: generate misc manpages and install `mk-ca-bundle.pl` cmake: initialize `BUILD_TESTING` before first use cmake: speed up libcurl doc building again cmake: tidy-up to use `WORKING_DIRECTORY` cmake: use namespaced custom target names cmdline-docs: fix make install with configure --disable-docs configure: error on missing perl if docs or manual is enabled configure: make --disable-docs imply --disable-manual content_encoding: brotli and others, pass through 0-length writes content_encoding: ignore duplicate chunked encoding content_encoding: reject transfer-encoding after chunked contrithanks: honor `CURLWWW` variable curl-confopts.m4: define CARES_NO_DEPRECATED when c-ares is used curl.h: change CURL_SSLVERSION_* from enum to defines curl: make --help adapt to the terminal width curl: use curl_getenv instead of the curlx_ version Curl_creader_read: init two variables to avoid using them uninited curl_easy_pause.md: use correct defines in example curl_getdate.md: document two-digit year handling curl_global_trace.md: shorten the description curl_multibyte: remove access() function wrapper for Windows curl_path: make Curl_get_pathname use dynbuf curl_setup.h: add support for IAR compiler curl_setup.h: detect 'inline' support curl_sha512_256: do not use workaround for NetBSD when not needed curl_sha512_256: fix detection of OpenSSL 1.1.1 or later curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY CURLINFO_REQUEST_SIZE: fixed, add tests for transfer infos reported CURLOPT_WRITEFUNCTION.md: fix the callback proto in the example cw-out: improved error handling DEPRECATE.md: TLS libraries without 1.3 support digest: replace strcpy for empty string with simple assignment dist: `set -eu`, fix shellcheck, make reproducible and smaller tarballs dist: add files missing from release tarball dist: add reproducible dir entries to tarballs dist: do not require Perl in `maketgz` dist: remove the curl-config.1 from the tarball dist: 
verify tarball reproducibility in CI DISTROS: add patch and issues link for curl-for-win DISTROS: Cygwin updates dllmain: Call OpenSSL thread cleanup for Windows and Cygwin doc: pytest `--repeat` -> `--count` docs/cmdline-opts: invoke managen using a relative path docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd docs: add CURLOPT_NOPROGRESS to CURLOPT_XFERINFOFUNCTION example docs: clarify CURLOPT_MAXFILESIZE and CURLOPT_MAXFILESIZE_LARGE docs: fix some CURLINFO examples doh: fix typo in comment doh: remove unused function prototype dynbuf: fix returncode on memory error examples: fix/silence `-Wsign-conversion` EXPERIMENTAL: add graduation requirements for each feature file: remove useless assignment ftp: add tracing support ftp: fix build for CURL_DISABLE_VERBOSE_STRINGS ftp: fix socket leak on rare error GHA: add NetBSD, OpenBSD, FreeBSD/arm64 and OmniOS jobs GHA: add shellcheck job and fix warnings, shell tidy-ups GHA: add valgrind to a wolfSSL build GHA: on macOS remove $HOME/.curlrc GHA: pin dependencies gnutls: lazy init the trust settings h3/ngtcp2: improve error handling hash: change 'slots' to size_t from int hash: delete unused debug function hsts: explicitly skip blank lines hsts: remove single-use single-line function http tests: in CI skip test_02_23* for quiche http2 + ngtcp2: pass CURLcode errors from callbacks http2, http3: decouple stream state from easy handle http2: emit RST when client write fails http3: quiche+ngtcp2 improvements http: acknowledge a returned error code http: HEAD response body tolerance http: reject HTTP major version switch mid connection http: remove redundant check http: with chunked POST forced, disable length check on read callback http_aws_sigv4: remove useless assignment idn: make Curl_idnconvert_hostname() use Curl_idn_decode() if2ip: make the buf_size arg a size_t INSTALL-CMAKE.md: explain `cmake -G <generator-name>` krb5: use dynbuf ldap: fix unused variables (seen on OmniOS) lib/cf-h1-proxy: silence 
compiler warnings (gcc 14) lib: add trace support for client reads and writes lib: bump hash sizes to `size_t` lib: clear the easy handle's saved errno before transfer lib: fix compiler warnings (gcc) lib: make protocol handlers store scheme name lowercase lib: merge `ENABLE_QUIC` C macro into `USE_HTTP3` lib: remove two instances of "only only" messages lib: silence `-Wsign-conversion` in base64, strcase, mprintf lib: silence warnings on comma misuse lib: use `#error` instead of invalid syntax in `curl_setup_once.h` lib: use multi instead of multi_easy for the active multi libcurl-opts: mention pipelining less libssh2: delete redundant feature guard libssh2: replace `access()` with `stat()` libssh2: set length to 0 if strdup failed m4: fix rustls pkg-config codepath MAIL-ETIQUETTE: convert to markdown makefile: remove the sorting from the vc-ide action maketgz: put docs/RELEASE-TOOL.md into the tarball managen: fix the option sort order mbedtls: call mbedtls_ssl_setup() after RNG callback is set mbedtls: cut off trailing newlines from debug logs mbedtls: fix building with v3 in CMake Unity mode mbedtls: support TLS 1.3 mime: avoid using access() misc: fix typos misc: fix typos, quoting and spelling mprintf: check fputc error rather than matching returned character mqtt: when Curl_xfer_recv returns error, don't use nread multi: avoid memory-leak risk multi: introduce SETUP state for better timeouts multi: multi_wait improvements multi: remove the unused Curl_preconnect function multi: remove useless assignment multi: timeout handles even without connection openldap: create ldap URLs correctly for IPv6 addresses openssl: do not set SSL_MODE_RELEASE_BUFFERS openssl: revert keylog_callback support for LibreSSL OS400: fix shellcheck warnings in scripts projects: drop MSVC project files for recent versions pytest: add DELETE tests, check server version pytest: fixes for recent python, add FTP tests quic: fixup duplicate static function name (for cmake unity) quiche: 
expire all active transfers on connection close quiche: trust its timeout handling RELEASE-PROCEDURE: mention an initial working build request: make Curl_req_init return void request: paused upload on completed download, assess connection reuse: add copyright + license info to individual docs/*.md files ROADMAP: remove completed entries, mention websocket rustls: fix handshake done handling rustls: fix partial send handling rustls: remove incorrect SSLSUPP_TLS13_CIPHERSUITES flag rustsls: fix error code on receive sendf: fix two typos in comments sendf: useless assignment in cr_lc_read() setopt: acknowledge errors proper for CURLOPT_COOKIEJAR setopt: make the setstropt_userpwd args compulsory setopt: remove check for 'option' that is always true setopt: warn on Curl_set*opt() uses not using the return value smtp: result of Curl_bufq_cread was not used socket: remove redundant call to getsockname socketpair: fix compilation when USE_UNIX_SOCKETS is not defined src: tidy up types, add necessary casts telnet: check return code from fileno() tests/http: fix compiler warning tests: add -q as first option when invoking curl for tests tests: check caddy server version to match test expectations tests: enable test 1117 for hyper tests: fix feature case in test1481 tests: fix test 1167 to skip digit-only symbols tests: make the unit test result type `CURLcode` tests: Mark tftpd timer function as noreturn tests: tidy up types in server code tls: fix SecureTransport + BearSSL cmake unity builds tls: remove EXAMPLEs from deprecated options tls: use shared init code for TCP+QUIC tool: move tool_ftruncate64 to tool_util.c tool_cb_rea: limit rate unpause for -T . 
uploads tool_cfgable: free {proxy_}cipher13_list on exit tool_getparam: output warning for leading unicode quote character tool_getparam: remove two redundant conditions tool_operate: don't truncate the etag save file by default tool_operate: init vars unconditionally in post_per_transfer tool_paramhlp: remove duplicate assign tool_xattr: "guess" URL scheme if none is provided tool_xattr: in debug builds, act normally if CURL_FAKE_XATTR is not set transfer: remove useless assignment url: do not URL decode proxy crendentials url: fix use of an uninitialized variable url: make parse_login_details use memdup0 url: remove duplicate call to Curl_conncache_remove_conn when pruning urlapi: allow setting port number zero urlapi: fix relative redirects to fragment-only urldata: remove fields not used depending on used features vauth: make two functions void that always just returned OK version: use msnprintf instead of strncpy vquic-tls: use correct cert name check API for wolfSSL vquic: use CURL_FORMAT_CURL_OFF_T for 64 bit printf output vtls: TLS session storage overhaul wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC warnless: delete orphan declarations websocket: avoid memory leak in error path winbuild: add ENABLE_WEBSOCKETS option winbuild: use $(RC) correctly wolfssl: plug memory leak in wolfssl_connect_step2() x509asn1: return error on missing OID
cURL and libcurl 8.9.0 have been released. (24-July-2024)
Changes in 8.9.0 - July 24, 2024
Changes: curl: add --ip-tos (IP Type of Service / Traffic Class) curl: add --mptcp curl: add --vlan-priority curl: add -w '%{num_retries}' gnutls: support CA caching mbedtls: support CURLOPT_CERTINFO noproxy: patterns need to be comma separated socket: support binding to interface *AND* IP tcpkeepalive: add CURLOPT_TCP_KEEPCNT and --keepalive-cnt urlapi: add CURLU_NO_GUESS_SCHEME wolfssl: support CA caching
Bugfixes: (lib)curl.rc: set debug flag also for `CURLDEBUG` and `UNITTESTS` asyn-thread: avoid using GetAddrInfoExW with impersonation aws-sigv4: url encode the canonical path BINDINGS: update java link to one that exists build: add Debug, TrackMemory, ECH to feature list build: add more supported attributes to the IAR compiler build: fix llvm 16 or older + Xcode 15 or newer, and gcc build: fix llvm 17 and older + macOS SDK 14.4 and newer build: sync warning options between autotools, cmake & compilers build: tidy up `__builtin_available` feature checks (Apple) build: untangle `CURLDEBUG` and `DEBUGBUILD` macros build: use `#error` instead of invalid syntax cd2nroff: convert two warnings to errors cd2nroff: use an empty "##" to signal end of .IP sequence cf-socket: improve SO_SNDBUF update for Winsock cf-socket: optimize curlx_nonblock() and check its return error cf-socket: remove obsolete recvbuf cf-socket: remove two "useless" assignments cfilters: make Curl_conn_connect always assign 'done' cmake: add CURL_USE_GSASL option with detection + CI test cmake: allow `ENABLE_CURLDEBUG=OFF` with `ENABLE_DEBUG=ON` cmake: allow SOVERSION override with `CURL_LIBCURL_SOVERSION` cmake: alpha-sort feature list cmake: always build unit tests with the `testdeps` target cmake: bring `curl-config.cmake` closer to `FindCURL` cmake: create `configurehelp.pm` like autotools does
cmake: delete unused `HAVE_LIBSSH2`, `HAVE_LIBSOCKET` macros cmake: detect `libidn2` also via `pkg-config` cmake: enable SOVERSION for Cygwin and `CMAKE_DLL_NAME_WITH_SOVERSION` cmake: fix `-Wredundant-decls` in unity/mingw-w64 builds cmake: fix brotli lib order cmake: fix building `unit1600` due to missing `ssl/openssl.h` cmake: fix building in unity mode cmake: fix building with both md4 and md5 in unity mode cmake: fix builds with detected libidn2 lib but undetected header cmake: fix feature and protocol lists for SecureTransport cmake: fix quotes when appending multiple options (SecureTransport) cmake: fix test 1013 with websockets enabled and no TLS cmake: improve wolfSSL detection cmake: show protocols, then features cmake: stop setting SOVERSION for the static lib target cmake: sync CA bundle/path detection with autotools cmake: sync protocol/feature list with `curl -V` output cmake: use `APPLE` instead of `CMAKE_SYSTEM_NAME` string cmake: whitespace, formatting/tidy-up in comments cmdline-docs: "added in" cleanups cmdline-docs: fix `--proxy-ca-native` example + tidy-ups cmdline-opts/_PROTOCOLS.md: mention WS(S) cmdline-opts/ech.md: shorten the help text cmdline-opts/fail.md: expand and clarify cmdline-opts/interface.md: expand the documentation cmdline-opts: category cleanup cmdline-opts: expand the parallel explanations cmdline-opts: shorten six help texts cmdline: expand proxy option explanations code: language cleanup in comments configure: CA bundle/path detection fixes configure: fix `SystemConfiguration` detection configure: fix pkg-config library name 'libnghttp3' configure: fix pkg-config names (zstd, ngtcp2*) configure: limit `SystemConfiguration` test to non-c-ares, IPv6 builds configure: remove 'deeper' checks for `AC_CHECK_FUNCS` configure: require a QUIC library if nghttp3 is used configure: sort feature list, lowercase protocols, use backticks configure: use `$EGREP` in place of `grep -E` configure: use AC_MSG_WARN for TLS/experimental warning 
texts connect-to.md: expand with examples connection: shutdown TLS (for FTP) better cookie-jar.md: see also --junk-session-cookies curl-config: revert to backticks to support old target envs curl: allow etag and content-disposition for 3xx reply curl: bsearch the --write-out variable name curl: check for --disable case *sensitively* curl: list categories in --help curl: make warnings and other messages aware of terminal width curl: output "flying saucers" with leading carriage return curl_easy_escape: elaborate a little on encoding a URL curl_mprintf.md: add missing comma curl_multi_poll.md: expand the example with an custom file descriptor curl_str[n]equal.md: tidy up text to make them stand-alone curl_url_set.md: libcurl only parses :// URLs curl_url_set: elaborate on scheme guessing curldown: make 'added-in:' a mandatory header field CURLOPT_CONNECTTIMEOUT*: clarify, document the milliseond version CURLOPT_ECH.md: remove repeated 'if' CURLOPT_NETRC.md: clarify what it does on Windows CURLOPT_RESOLVE.md: mention hostname can be wildcard ('*') CURLOPT_SSL_VERIFYHOST.md: refresh CURLOPT_TLSAUTH_PASSWORD/USERNAME.md: language fixups DISTROS: add a link to the list archive DISTROS: add AlmaLinux package source link DISTROS: add MSYS2 (native) links docs/cmdline-opts: fix mail-auth example TLD typo docs/cmdline-opts: remove two superfluous "Added in" mentions docs/libcurl: polish the single-line descriptions docs/Makefile.am: make curl-config.1 install docs: reference non deprecated libcurl options docs: start markdown headers with capital letter where applicable doh-insecure.md: expand doh: fix cleanup doh: fix leak and zero-length HTTPS RR crash dump-header.md: mention minus for stdout examples/threaded-ssl: remove locking callback code examples: add missing binaries to .gitignore examples: delete unused includes examples: fix compiling with MSVC examples: suppress deprecation warnings locally FEATURES.md: refresh file: separate fake headers and body with a 
stand-alone CRLF ftp: remove redundant null pointer check in loop condition get.d: clarify the explanation GHA/windows: add MSVC wolfSSL job with test GHA/windows: ignore FTP test results for old-mingw-w64 GHA: add MSVC UWP job, expand jobs with more options GHA: detect and warn for more English contractions GHA: disable MQTT and WebSocket tests in Windows jobs GHA: disable TFTP tests in Windows jobs GHA: enable tests 1139, 1177, 1477 on Windows GHA: improve vcpkg cache, add BoringSSL ECH and LibreSSL MSVC jobs GHA: unify http3 workflows into one GHA: use vcpkg to install packages for MSVC jobs GIT-INFO.md: remove version requirements gnutls: improve TLS shutdown gnutls: pass in SNI name, not hostname when checking cert help: add flags to output and ssh categories hostip: skip error check for infallible function call http/3: add shutdown support http/3: resume upload on ack if we have more data to send http: remove "struct HTTP" http: write last header line late idn: fix ß with AppleIDN idn: make macidn fail before trying conversion if name too long idn: tweak buffer use when converting with macidn lib/v*: tidy up types and casts lib: add a few DEBUGASSERT(data) to aid code analyzers lib: add failure reason on bind errors lib: fix gcc warning in certain debug builds lib: fix thread entry point to return `DWORD` on WinCE lib: graceful connection shutdown lib: prefer `var = time(NULL)` over `time(&var)` lib: tidy up types and casts lib: xfer_setup and non-blocking shutdown libcurl-docs: make option lists alpha-sorted libcurl-easy.md: now *more* than 300 options libcurl.pc: add `Requires.private`, `Requires` for static linking libcurl.pc: add more `Requires.private`/`Requires` dependencies libssh: remove CURLOPT_SSL_VERIFYHOST check macos: add workaround for gcc, non-c-ares, IPv6, compile error macos: undo `availability` macro enabled by Homebrew gcc managen: "added in" fixes managen: cleanups to generate nicer-looking output managen: error on trailing blank lines in 
input files managen: fix removing backticks from subtitles managen: insert final .fi for files ending with a quote managen: introduce "Multi: per-URL" managen: only output .RE for manpage output managen: output tabs for each 8 leading spaces managen: warn on excessively long help texts MANUAL.md: wrap two example urls that overrun styling mbedtls: check version before getting tls version mbedtls: check version for cipher id mbedtls: correct the error message for cert blob parsing failure mbedtls: send close-notify on close mbedtls: v3.6.0 workarounds md4: fix compilation with OpenSSL 1.x with md4 disabled misc: fix typos mk-ca-bundle.pl: delay 'curl -V' execution until it is needed multi: add multi->proto_hash, a key-value store for protocol data multi: do a final progress update on connect failure multi: fix multi_wait() timeout handling multi: fix pollset during RESOLVING phase multi: multi_getsock(), check correct socket ngtcp2+quictls: fix cert-status use noproxy: test bad ipv6 net size first openssl/gnutls: rectify the TLS version checks for QUIC openssl: fix %-specifier in infof() call openssl: fix hostname handling when using ECH openssl: stop duplicate ssl key logging for legacy OpenSSL os400: make it compilable again pytest: add ftp upload tests pytest: include testenv/vsftpd.py in dist tarball quic: enable UDP GRO quic: openssl quic, cmake and doc version update to 3.3.0 quic: require at least OpenSSL 3.3 for QUIC quic: update to quiche 0.22.0 quiche: fix operand of ‘?:’ changes signedness request.md: language fix request: change the struct field bodywrites to a bool, only for hyper reuse: switch to REUSE 3.2 and REUSE.toml runtests: show name and keywords for failed tests in summary runtests: sort test IDs in summary lines runtests: support %DATE for YYYY-MM-DD of right now runtests: support %VERNUM runtests: support crlf="yes" for the <stderr> section sectransp: fix `HAVE_BUILTIN_AVAILABLE` checks to not emit warnings sectransp: fix clang compiler
warnings, stop silencing them sectransp: remove large cipher table sectransp: use common code for cipher suite lookup sendf: fix CRLF conversion of input smtp: for starttls, do full upgrade socket: change TCP keepalive from ms to seconds on DragonFly BSD socket: use SOCK_NONBLOCK to eliminate extra system call socketpair: add `eventfd` and use `SOCK_NONBLOCK` for `socketpair()` src/Makefile.am: remove SUBDIRS assignment system_win32: add missing curl.h include tcpkeepalive: support TCP keep-alive parameters on Solaris <11.4 test1119: adapt for `.md` input test1139: scan .md files instead of .3 ones test1175: scan libcurl-errors.md, not the generated .3 version test1486: verify that write-out.md and tool_writeout.c are in sync test2600: disable on win32 test: add test1484, for HEAD with content test: add test1546, chunked not last transfer encoding tests/scripts: call it 'manpage' (single word) tests: add pytest for --ciphers and --tls13-ciphers options tests: delete `CharConv` remains tests: delete redundant `!MSDOS` guard tests: extend user/password parsing test1620 tests: fix sshd IdentityFile path for MinGW/Cygwin tests: fix sshd UserKnownHostsFile path for MinGW/Cygwin tests: include current directory when running test Perl commands tests: log "Throwing away" messages before throwing away tests: run with "--trace-config all" to provide even more info tests: sync feature names with `curl -V` tests: test_17_ssl_use.py clarify mbedTLS TLSv1.3 support tests: use exec when spawning nghttpx tidy-up: use consistent casing for Windows directories TODO: remove some old, clarify, add something tool_cb_hdr: return error for failed header writes tool_operate: avoid explicitly setting verifypeer to 1 tool_operate: simplify return code handling from url_proto() tool_writeout: get certinfo only when needing it trace-ascii.md: mention "%" for stderr transfer: avoid polling socket every transfer loop transfer: conn close on paused upload transfer: do not use EXPIRE_NOW while 
blocked transfer: remove curl_upload_refill_watermark, no longer used transfer: set CSELECT_IN if there is data pending unit2604: use 'unitfail' instead of 'error' variable url: allow DoH transfers to override max connection limit urlapi: remove unused definition of HOST_BAD variable.md: make example use expand verify-synopsis.pl: work with .md files vms: fixed language in comment vtls: deprioritize Secure Transport vtls: replace addsessionid with set_sessionid winbuild: fix PE version info debug flag winbuild: MS-DOS batch tidy-ups winbuild: remove outdated WIN32 defines windows: fix UWP builds, add GHA job winsock: move SO_SNDBUF update into cf-socket wolfssl: assume key_file equal to clientcert if no key_file wolfssl: use larger error buffer when formatting errors x509asn1: add some common ECDSA OIDs x509asn1: ASN1tostr() should fail when 'constructed' is set x509asn1: fallback to dotted OID representation x509asn1: make Curl_extract_certinfo store error message x509asn1: prevent NULL dereference x509asn1: remove superfluous free() x509asn1: remove two static variables Further The previous release was 8.8.0.
cURL and libcurl 8.11.0 have been released. (06-November-2024)
Changes in 8.11.0 - November 6, 2024
Changes: curl: --create-dirs works for --dump-header as well gtls: Add P12 format support ipfs: add options to disable TLS: TLSv1.3 earlydata support for curl WebSockets: make support official (non-experimental)
Bugfixes: alt-svc: honor data->state.httpwant altsvc: avoid using local buffer and memcpy asyn-ares: remove typecast, fix expire autotools: add support for 'unity' builds, enable in CI bearssl: avoid strpcy() when generating TLS version log message bearssl: improved session handling, test exceptions bufq: unwrite fix build: add `ldap` to `libcurl.pc` `Requires:` build: add pytest targets build: clarify CA embed is for curl tool, mark default, improve summary build: detect and use `_setmode()` with Cygwin/MSYS, also use on Windows build: disable warning `-Wunreachable-code-break` build: fix clang-cl builds, add CI job build: fix cross-compile check for poll with bionic build: fix possible `-Wformat-overflow` in lib557 build: limit arc4random detection to no-SSL configs build: show if CA bundle to embed was found build: tidy up and improve versioned-symbols options build: tidy up deprecation suppression, enable warnings for clang certs: add missing `-CAcreateserial` option for LibreSSL checksrc: add check for spaces around logical AND operators checksrc: Added checks for colon operator in ternary expressions checksrc: check for spaces around '?', '>' and '<' ci: dump `curl_config.h` to log in all jobs CI: run with standard mod_http2 cmake, Makefile.mk: use -isystem for headers, silence BearSSL issues cmake/FindCares: fix version detection for c-ares 1.34.1 cmake/FindNGTCP2: use library path as hint for finding crypto module cmake: add missed variable to comment cmake: add native `pkg-config` detection for mbedTLS, MSH3, Quiche,
Rustls, wolfSSL cmake: allow building tests in unity mode cmake: apply `WIN32_LEAN_AND_MEAN` to all feature checks cmake: avoid setting `BUILD_TESTING` cmake: clear package version after `pkg-config` detection cmake: delete unused NEED_LBER_H, HAVE_LDAP_H cmake: detect `HAVE_NETINET_IN6_H`, `HAVE_CLOSESOCKET_CAMEL`, `HAVE_PROTO_BSDSOCKET_H` cmake: detect GNU GSS cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled cmake: do not propagate unused `HAVE_GSSAPI_GSSAPI_KRB5_H` to C cmake: document `-D` and env build options cmake: drop obsolete items from `TODO` and `INSTALL-CMAKE` cmake: drop redundant assignments cmake: drop redundant zlib var, rename function (internals) cmake: expand CURL_USE_PKGCONFIG to non-cross MINGW cmake: fix broken dependency chain for cmdline-opts, tidy-ups cmake: fix compile warnings for clang-cl cmake: fix missing spacing in log message cmake: limit `CURL_STATIC_CRT` to MSVC cmake: make `test-ci` target skip building dependencies cmake: mark as advanced some internal Find* variables cmake: readd `generate-curl.1` dependency for `src` just in case cmake: rename LDAP dependency config variables to match Find modules cmake: replace `check_include_file_concat()` for LDAP and GSS detection cmake: replace `CURL_*_DIR` with `{PROJECT,CMAKE_CURRENT}_*_DIR` cmake: require quictls (or fork) when using msh3 on non-Windows cmake: separate target for examples, optimize CI, fix fallouts cmake: set version for `project()` and add CPack support cmake: stop adding dependency headers to global `CMAKE_REQUIRED_INCLUDES` cmake: sync torture test parallelism with autotools cmake: tidy up `CURL_DISABLE_FORM_API` initialization cmake: tidy up and shorten symbol hiding initialization cmake: tidy up line order cmake: tidy up picky warning initialization cmake: tidy-ups and rebase fixups cmake: tweaks around debug mode and hidden symbols cmake: untangle feature detection interdependencies cmake: use `list(APPEND)` on `CURL_INCLUDES` cmake: use 
OpenSSL for LDAP detection only if available cmake: use the `BSD` variable config: rename the OS define to CURL_OS to reduce collision risk configure: add GSS to `libcurl.pc` `Depends:` configure: catch Apple in more target triplets configure: drop duplicate feature checks for `poll()`, `if_nametoindex()` configure: drop unused bare `socket.h` detection configure: improve help string for some options conncache: find bundle again in case it is removed conncache: more efficient implementation of cpool_remove_bundle cookie: overhaul and cleanup curl-rustls.m4: set linker flags to allow rustls build on macos curl.h: remove the struct pointer for CURL/CURLSH/CURLM typedefs curl: add build options for safe/no CA bundle search (Windows) curl: detect ECH support dynamically, not at build time curl_addrinfo: support operating systems with only getaddrinfo(3) curl_multi_perform.md: fix typo curl_trc: fix build with verbose messages disabled curl_url_set.md: document HOST handling when URL is parsed curl_ws_recv.md: the 'meta' pointer is only returned on success curl_ws_recv: return recv 0 and point meta to NULL on all errors CURLMOPT_PIPELINING.md: clarify that CURLPIPE_NOTHING is not default CURLOPT_APPEND.md: goes for SFTP as well CURLOPT_HEADERFUNCTION.md: do not modify the passed in buffer DISABLED: disable test 1060 with hyper DISTROS: avoid use of "very" Dockerfile: update Docker digest to d830561 docs/cmdline-opts: GnuTLS supports PKCS#11 URI in --cert option docs: clarify FTP over HTTP proxy functionality somewhat docs: fix a typo in some cipher options ech: spelling, whitespace, say `--ech` default config ftp: fix 0-length last write on upload from stdin ftp: move listen handling to socket filter GHA: optimize test prereq steps gnutls: use session cache for QUIC hsts: avoid the local buffer and memcpy on lookup hsts: improve subdomain handling hsts: support "implied LWS" properly around max-age http2: auto reset stream on server eos http_aws_sigv4: avoid local 
buffer and strcpy INSTALL-CMAKE.md: mention focus on shared libraries INSTALL-CMAKE: fix punctuation and a typo INSTALL.md: fix a typo that slipped in to RISC OS json.md: cli-option `--json` is an alias of `--data-binary` lib, src, tests: added space around ternary expressions lib/cw-out: initialize 'flush_all' directly lib/src: white space edits to comply better with code style lib: avoid assigning 'result' temporarily lib: fix disabled-verbose-strings + enable-debug build warnings lib: fix unity builds with BearSSL, MSH3, Quiche, OmniOS lib: move curl_path.[ch] into vssh/ lib: msnprintf tidy-ups lib: remove Curl_ prefix from static functions lib: remove function pointer typecasts for hmac/sha256/md5 lib: use bool/TRUE/FALSE properly libcurl/opts: improve phrasing for connection cap related options libssh.c: handle EGAINS during proto-connect correctly libssh2: delete duplicate `break` libssh2: put the readdir buffers into struct libssh2: use the Curl_* memory functions to avoid memdebug libssh2: use the filename buffer when getting the homedir libtests: generate the lib1521 atomically mbedTLS: fix handling of TLSv1.3 sessions mbedtls: handle session as blobs mbedtls: remove failf() use from mbedtls_random mk-lib1521: fix the long return code check mprintf: do not ignore length modifiers of `%o`, `%x`, `%X` mprintf: treat `%o` as unsigned, add tests for `%o`, `%x`, `%X` mqtt: fix mqtt.md wording and add clearer explanation multi.c: make stronger check for paused transfer before asserting multi.c: warn/assert on stall only without timer multi: avoid reading whole struct pointer from pointer multi: convert Curl_follow to static multi_follow multi: make curl_multi_cleanup invalidate magic latter multi: make multi_handle_timeout use the connect timeout multi: split multi_runsingle into sub functions negotiate: conditional check around GSS & SSL specific code netrc: cache the netrc file in memory ngtcp2: do not loop on recv ngtcp2: set max window size to 10x of initial 
(128KB) openssl quic: populate x509 store before handshake openssl: convert a memcpy to dynbuf use openssl: extend the OpenSSL error messages openssl: improve retries on shutdown openssl: remove two strcpy() calls OS400: don't delete source files when building with debug packages/OS400/curlmain: remove the strncpy calls processhelp.pm: improve taskkill calls (Windows) pytest: fix run against multissl curl pytest: improve pytest_07_42a reliability pytest: include `buildinfo.txt` in the output pytest: include curl version string and python platform in log pytest: show curl features and protocols quic: use send/recvmmsg when available quic: use the session cache with wolfSSL as well request: on shutdown send, proceed normally on timeout runtests.md: suggest a value for -j for torture tests runtests: add comment for handle64 pathsep requirement runtests: drop unused code for old/classic-mingw support runtests: pass single backslashes with Windows Perl runtests: use deterministic sort for `TESTINFO` lines schannel: fix TLS cert verification by IP SAN schannel: ignore error on recv beyond close notify schannel: reclassify extra-verbose schannel_recv messages select: use poll() if existing, avoid poll() with no sockets sendf: add condition to max-filesize check server/mqttd: fix two memory leaks setopt: avoid superfluous length checks before strcmp() setopt: return error for bad input to CURLOPT_RTSP_REQUEST setopt_cptr: make overflow check only done when needed singleuse: make `git grep` faster, add Apple `nm` support smb: do not redefine `getpid` on Windows smb: replace use of strcpy() with snprintf() socks_gssapi: switch to dynbuf from buffer with strcpy source: avoid use of 'very' in comments src/lib: remove redundant ternary operators src: guard for double declaration of `curl_ca_embed` in unity builds sws: fix unused static function with `TCP_NODELAY` undefined telnet: avoid two strcpy() by pointing to the strings instead test1035: convert host name back to utf8 as 
should be test1515: add tracing and more debug info test1540: add debug logging test190: replace %FTPTIME2 with a fixed value test1915: add tracing and connect timeout test1915: remove wrong comment test2502: add libtest debug tracing test504: fix handling on pending connect testrun: explicitly set proper IP address for stunnel listen/connect tests/http: fix ubuntu GnuTLS CI failures tests/scorecard: allow remote server test tests/server/util.c: remove use of strncpy tests/valgrind.pm: fix warnings with no valgrind report to show tests/valgrind.supp: remove a travis suppression, add a Debian tests: add and use `%PERL` variable to refer to the Perl binary tests: add codeset-utf8 as a feature tests: add file: tests with existing files tests: allow pytests to run in out-of-tree builds tests: capture stdin to get the vsftpd version number tests: change Python code style to pass ruff checks tests: check http/2 and http/3 server responsiveness tests: delete duplicate macro check tests: enable additional ruff Python lint options tests: fix `%POSIX_PWD` on native Windows Perl tests: fix callback signatures to please UndefinedBehaviorSanitizer tests: Fix FILEFORMAT <file name=""> directive tests: fix keyword for test1411 tests: fix shell quoting on native Windows Perl tests: fix some Python typing issues tests: fixup `checkcmd` `PATH` on non-unixy platforms tests: improve mqtt server handling tests: introduce %CLIENT6IP-NB tests: let openssl generate random cert serials tests: libtests and unit tests need explicit #include memdebug tests: make precheck for HTTP on 127.0.0.1 into a feature tests: Only log warnings or worse by default in smbserver tests: postcheck is now in verify tests: remove all valgrind disable instructions tests: remove debug requirement on 38 tests tests: remove the %FTPTIME3 variable tests: replace `%PWD` with `%FILE_PWD` for `file://` tests: replace `%PWD` with `%SSH_PWD` in SCP/SFTP tests tests: replace hard-coded `/dev/null` with variable tests: 
simplify `pathhelp.pm`, avoid using external tools tests: speed up builds with single-binary test bundles tests: testrunner fairness tests: testrunner reliability improvements tests: use '-4' where needed tests: use a set for several of the curl_props tftp: avoid two memcpy/strcpy tidy-up: rename CURL_WINDOWS_APP to CURL_WINDOWS_UWP tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED tool: support --show-headers AND --remote-header-name tool_doswin: simplify; remove unused options and strncpy calls tool_getparam: drop unused time() call tool_getparam: replace two uses of strncpy(), ban strncpy tool_operate: make --skip-existing work for --parallel tool_operate: reuse the schannel backend check tool_xattr: create the user.creator xattr attribute unit1307: tidy up Apple OS detection unit1660: fix unreachable code warning in no-SSL builds url: connection reuse on h3 connections url: use same credentials on redirect urlapi: drop unused header urlapi: normalize the IPv6 address version: minor cleanups version: say quictls in MSH3 builds vquic: fix compiler warning with gcc + MUSL vquic: recv_mmsg, use fewer, but larger buffers vtls: convert Curl_pin_peer_pubkey to use dynbuf vtls: convert pubkey_pem_to_der to use dynbuf warnless: remove curlx_sktosi and curlx_sitosk winbuild/README: consolidate command prompt section winbuild/README: document how to clean a build winbuild: add initial wolfSSL support winbuild: drop `gen_resp_file.bat` wolfssl: convert malloc + memcpys to dynbuf for cipher string wolfSSL: fix handling of TLSv1.3 sessions wolfssl: no more use of the OpenSSL API wolfssl: use old version API without openssl extra
cURL and libcurl 8.11.1 have been released. (11-December-2024) Changes in 8.11.1 - December 11, 2024 Bugfixes: build: fix ECH to always enable HTTPS RR build: fix MSVC UWP builds build: omit certain deps from `libcurl.pc` unless found via `pkg-config` build: use `_fseeki64()` on Windows, drop detections cmake: do not echo most inherited `LDFLAGS` to config files cmake: drop cmake args list from `buildinfo.txt` cmake: include `wolfssl/options.h` first cmake: remove legacy unused IMMEDIATE keyword cmake: restore cmake args list in `buildinfo.txt` cmake: set `CURL_STATICLIB` for static lib when `SHARE_LIB_OBJECT=OFF` cmake: sync GSS config code with other deps cmake: typo in comment cmake: work around `ios.toolchain.cmake` breaking feature-detections cmakelint: fix to check root `CMakeLists.txt` cmdline/ech.md: formatting cleanups configure: add FIXMEs for disabled pkg-config references configure: do not echo most inherited `LDFLAGS` to config files configure: replace `$#` shell syntax cookie: treat cookie name case sensitively curl-rustls.m4: keep existing `CPPFLAGS`/`LDFLAGS` when detected curl.h: mark two error codes as obsolete curl: --continue-at is mutually exclusive with --no-clobber curl: --continue-at is mutually exclusive with --range curl: --continue-at is mutually exclusive with --remove-on-error curl: --test-duphandle in debug builds runs "duphandled" curl: do more command line parsing in sub functions curl: rename struct var to fix AIX build curl: use realtime in trace timestamps curl_multi_socket_all.md: soften the deprecation warning CURLOPT_PREREQFUNCTION.md: add result code on failure digest: produce a shorter cnonce in Digest headers DISTROS: update Alt Linux links dmaketgz: use --no-cache when building docker image docs: bring back ALTSVC.md and HSTS.md docs: document default `User-Agent` docs: suggest --ssl-reqd 
instead of --ftp-ssl duphandle: also init netrc ECH: enable support for the AWS-LC backend hostip: don't use the resolver for FQDN localhost http_negotiate: allow for a one byte larger channel binding buffer http_proxy: move dynhds_add_custom here from http.c KNOWN_BUGS: setting a disabled option should return CURLE_NOT_BUILT_IN krb5: fix socket/sockindex confusion, MSVC compiler warnings lib: fixes for wolfSSL OPENSSL_COEXIST libssh: use libssh sftp_aio to upload file libssh: when using IPv6 numerical address, add brackets macos: disable gcc `availability` workaround as needed mbedtls: call psa_crypt_init() in global init mime: fix reader stall on small read lengths mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions mprintf: fix the integer overflow checks multi: add clarifying comment for wakeup_write() multi: fix callback for `CURLMOPT_TIMERFUNCTION` not being called again when... netrc: address several netrc parser flaws netrc: support large file, longer lines, longer tokens nghttp2: use custom memory functions OpenSSL: improve error message on expired certificate openssl: remove three "Useless Assignments" openssl: stop using SSL_CTX_ function prefix for our functions os400: Fix IBMi builds os400: Fix IBMi EBCDIC conversion of arguments pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS rtsp: check EOS in the RTSP receive and return an error code schannel: remove TLS 1.3 ciphersuite-list support setopt: fix CURLOPT_HTTP_CONTENT_DECODING setopt: fix missing options for builds without HTTP & MQTT show-headers.md: clarify the headers are saved with the data socket: handle binding to "host!<ip>" socketpair: fix enabling `USE_EVENTFD` strtok: use namespaced `strtok_r` macro instead of redefining it tests: add the ending time stamp in testcurl.pl tests: re-enable 2086, and 472, 1299, 1613 for Windows TODO: consider OCSP stapling by default tool_formparse: remove use of sscanf() tool_getparam: parse --localport without using sscanf tool_getpass: 
fix UWP `-Wnull-dereference` tool_getpass: replace `getch()` call with `_getch()` on Windows tool_urlglob: parse character globbing range without sscanf vtls: fix compile warning when ALPN is not available
cURL and libcurl 8.13.0 have been released. (02-December-2025) Changes in 8.13.0 - April 2, 2025 Changes: curl: add write-out variable 'tls_earlydata' curl: make --url support a file with URLs gnutls: set priority via --ciphers IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY OpenSSL/quictls: add support for TLSv1.3 early data rustls: add support for CERTINFO rustls: add support for SSLKEYLOGFILE rustls: support ECH w/ DoH lookup for config rustls: support native platform verifier var: add a '64dec' function that can base64 decode a string wolfssl: tls early data support Bugfixes: addrinfo: add curl macro to avoid redefining foreign symbols asyn-thread: avoid the separate 'struct resdata' alloc asyn-thread: avoid the separate curl_mutex_t alloc asyn-thread: do not allocate thread_data separately asyn-thread: remove 'status' from struct Curl_async autotools: fix `dllmain.c` in unity builds autotools: fix `libtest` bundle to depend on `FIRSTFILES` autotools: use `CURLDEBUG` to exclude TrackMemory code from unity aws_sigv4: cannot be used for proxy aws_sigv4: merge repeated headers in canonical request aws_sigv4: use strparse more for parsing base64: drop `BUILDING_CURL` macro, always include in tests/server build: add Windows CE / CeGCC support, with CI jobs build: cmake multi-pkg-config detection improvements (brotli, ldap, mbedtls) build: do not apply curl debug macros to `tests/server` by default build: drop unused `getpart` tool build: enable -Wjump-misses-init for GCC 4.5+ build: enable `-Wcast-qual`, fix or silence compiler warnings build: fix compiler warnings in feature detections build: replace Curl_ prefix with curlx_ for functions used in servers build: set `-O3` and tune WinCE in CI, fix `getpart`, `vtls_scache` fallouts build: set `HAVE_STDINT_H` if `stdint.h` is 
available build: set `HAVE_WRITABLE_ARGV` for Apple cross-builds build: silence bogus `-Wconversion` warnings with gcc 5.1-5.4 build: silence mingw32ce C99 format warnings, simplify CI build: tidy-ups around `inet_pton` c-ares httpsrr: fix ifdef c-ares: error out for unsupported versions, drop unused macros ca-native.md: sync with CURLSSLOPT_NATIVE_CA cf-socket: deduplicate Windows Vista detection cf-socket: remove empty switch client writer: handle pause before decoding cmake: `CURL_LIBDIRS` improvements (upstreamed from vcpkg) cmake: `SHARE_LIB_OBJECT=ON` requires CMake 3.12 or newer cmake: add custom command scripts as dependencies where missing cmake: add pre-fill for Unix, enable in GHA/macos, verify pre-fills cmake: add shell completion support cmake: allow `CURL_STATIC_CRT` with shared libcurl and no curl exe cmake: allow `CURL_STATIC_CRT` with UCRT VS2015+ builds cmake: allow empty `IMPORT_LIB_SUFFIX`, add suffix collision detection cmake: avoid `-Wnonnull` warning in `HAVE_FSETXATTR_5` detection cmake: disable HTTPS-proxy as a feature if proxy is disabled cmake: drop `CURL_DISABLE_TESTS` option cmake: drop `HAVE_C_FLAG_Wno_long_double` logic for ancient Apple gcc cmake: drop `HAVE_IN_ADDR_T` from pre-fill too cmake: drop two stray TLS feature checks for wolfSSL cmake: exclude `-MP` for `clang-cl` again cmake: fix `HAVE_ATOMIC`/`HAVE_STDATOMIC` pre-fill for clang-cl cmake: fix clang-tidy builds to verify tests, fix fallouts cmake: fix detection pre-fills for iOS cmake: fix ECH detection in custom-patched OpenSSL cmake: fix typo in ECH config error msg cmake: hide empty `MINGW64_VERSION` output for mingw32ce cmake: improve httpd detection for pytest cmake: mention 'insecure' in the debug build warning cmake: misc tidy-ups cmake: pre-fill known type sizes for Windows OSes cmake: replace CMAKE_COMPILER_IS_GNUCC with CMAKE_C_COMPILER_ID cmake: replace exec_program() with execute_process() cmake: restrict static CRT builds to static curl exe, test in CI cmake: 
sync cutoff version with autotools for picky option `-ftree-vrp` cmake: sync OpenSSL(-fork) feature checks with `./configure` cmake: unity mode optimization for non-`CURLDEBUG` `testdeps` targets CODE_STYLE: readability and banned functions config-win32: set `HAVE_STDINT_H` where available configure: call the blocking resolver "blocking", not "default" configure: fix ECH detection with MultiSSL configure: silence compiler warnings in feature checks, drop duplicates configure: tidy up shell completion rules configure: use `curl_cv_apple` variable conn: eliminate `conn->now` conn: fix connection reuse when SSL is optional conncache: eliminate `conn->destination_len` as premature optimization contributors.sh: lowercase 'github' for consistency contrithanks.sh: update docs/THANKS in place cookie: do prefix matching case-sensitively cookie: minor parser simplification cookie: simplify invalid_octets() core: stop redefining `E*` macros on Windows, map `EACCES`, related fixes curl.h: change some enums to defines with L suffix curl.h: convert CURLUSESSL* names to defines curl.h: stop defining non-curl `__has_declspec_attribute` curl.h: switch `CURL_HTTP_VERSION*` enums to long constants curl/system.h: drop leftover comment about 32 bit curl_off_t curl: add my_setopt_long() and _offt() curl_msh3: remove verify bypass from DEBUGBUILDs curl_setup: drop `ERANGE` (for WinCE), no longer used curl_setup_once: drop `E*` macro redefines unused (with winsock2) curl_setup_once: stop redefining `ENAMETOOLONG` to winsock2 error code curl_trc: fix build with CURL_DISABLE_VERBOSE_STRINGS curl_ws_recv.md: expand a little on the fragments the API delivers CURLMOPT_SOCKETFUNCTION.md: add advice for socket callback invocation CURLOPT_HTTPHEADER.md: add comments to the example CURLOPT_HTTPHEADER.md: rephrases curltime: use libcurl time functions in src and tests/server DISABLED: add 313 for sectransp (move from GHA/macos) docs/cmdline-opts: use imperative form docs: adapt to removed 
--with-random docs: add FD_ZERO to curl_multi_fdset example docs: bump `rustls` to 0.14.1 docs: correct argument names & URL redirection docs: minor edits to please the new spellchecker regime docs: rework RUSTLS install instructions docs: unify HTTP version style in --help output docs: vulnerabilities in debug code are not eligible for a bounty doh: improve HTTPS RR svcparams parsing doh: remove wrong but unreachable exit path from doh_decode_rdata_name dynbuf: assert init on free easy: drop `break` after `return` easy: fix warning about possible comma misuse eventfd: allow use on all CPUs examples: prefer `return` over `exit()` (cont.) ftp/sftp: strdup data info memory ftp: fix comment gnutls: fix connection state check on handshake gnutls: fix use of pkcs11 urls for keys/certs gtls: fix uninitialized variable hash: use single linked list for entries hostip: don't use alarm() for DoH resolves hostip: make CURLOPT_RESOLVE support replacing IPv6 addresses http2: add on_invalid_frame callback for error detection http2: detect session being closed on ingress handling http2: enhance error messages on Curl_dyn* upon receiving headers http2: fix stream assignment for pushes http2: reset stream on response header error HTTP3.md: only speak about minimal versions http: convert parsers to strparse http: fix NTLM info message typo http: fix the auth check http: make the RTSP version check stricter http: negotiation and room for alt-svc/https rr to navigate http: remove a HTTP method size restriction http: version negotiation http_chunks: replace a strofft call with curl_str_hex https-rr: implementation improvements httpsrr: fix port detection httpsrr: fix the HTTPS-RR threaded-resolver build combo INFRASTRUCTURE.md: add IRC and Matrix details INSTALL-CMAKE.md: CMake usage updates INSTALL-CMAKE.md: mention `ZLIB_USE_STATIC_LIBS` lib1156: pass longs to `curl_easy_setopt()` lib1560: test set path containing LR or CR lib2302: fix crash due to stack overflow on MSVC and clang 
Windows lib696: fix building on Windows in non-bundle mode lib: better optimized casecompare() and ncasecompare() lib: clear up CURLRES_ASYNCH vs USE_CURL_ASYNC use lib: fix two curlx_strtoofft invokes lib: rename curlx_strtoofft to Curl_str_numblanks() lib: replace while(ISBLANK()) loops with Curl_str_passblanks() lib: simplify more white space loops lib: strtoofft.h header cleanup lib: use Curl_str_* instead of strtok_r() lib: use Curl_str_number() for parsing decimal numbers libssh2: fix freeing of resources in disconnect libssh2: fix memory leak in `SSH_SFTP_REALPATH` state libssh2: fix to ignore `known_hosts` if SHA256 host public key is set libssh2: print user with verbose flag libssh2: show crypto backend in the verbose connect log libssh: fix freeing of resources in disconnect libssh: fix scp large file upload for 32-bit size_t systems libtest/first.c: remove the Test: stderr output for unity builds libtest/libprereq.c: set CURLOPT_FOLLOWLOCATION with a long managen: accept more markdown-quote-markers managen: correct the warning for un-escaped '<' and '>' mbedtls: re-enable an error check memdebug.h: avoid `-Wredundant-decls` with an extra guard memdebug: drop dynamic allocation from `curl_dbg_log()` mprintf: switch three number parsers to use strparse mqtt: convert sendleftovers to dynbuf msvc: drop support for VS2005 and older multi: call protocol handler done() if PROTOCONNECT or later multi: event based rework multi: kill off remaining internal handles in curl_multi_cleanup multi: start the loop over when handles are removed multi_ev: fixes regarding connection shutdowns ngtcp2: do not iterate over multi handles ntlm: merge ntlm.h into ntlm.c openssl-quic: do not iterate over multi handles openssl: check return value of X509_get0_pubkey openssl: drop support for old OpenSSL/LibreSSL versions openssl: fix crash on missing cert password openssl: fix pkcs11 URI checking for key files. 
openssl: remove bad `goto`s into other scope prox/preproxy.md: document argument within <brackets> pytest: test negotiate with http proxy quiche: do not iterate over multi handles RELEASE-PROCEDURE.md: explain release candidates request: clear sendbuf_hds_len when resetting request bufq resolve: fix building without Unix sockets and `CURLDEBUG` runtests: accept `CURL_DIRSUFFIX` without ending slash runtests: add feature-based filtering runtests: check and report if `diff` tool is missing runtests: drop logic calling the `handle` tool (Windows) runtests: drop recognizing 'winssl' as Schannel runtests: drop ref to unused external function runtests: fix bundled test invocation with `-g` option runtests: fix SSH server not starting in cases, re-ignore failing vcpkg CI jobs runtests: fix test key format for libssh2 WinCNG (and others) runtests: generate certs dynamically, bump to EC-256, tidy up runtests: recognize AWS-LC as OpenSSL runtests: rewrite `genserv.sh` in Perl runtests: support multi-target cmake, drop workarounds from CI runtests: support running tests under wine or qemu (cont.) 
runtests: support running tests under wine or qemu runtests: use `setfacl` on Cygwin/MSYS, if present rustls: add ECH support w/ string ECH config rustls: cap maximum allowed CRL file size to 8MB rustls: support ECH GREASE rustls: use client cert and key if available schannel: deduplicate Windows Vista detection schannel: enable ALPN support under WINE 6.0+ schannel: enable ALPN with MinGW, fix ALPN for UWP builds schannel: guard ALPN init code to ALPN builds scripts/managen: fix option 'single' scripts/managen: fix parsing of markdown code sections scripts: update completion.pl to parse options from docs sectransp: add support for HTTP/2 in gcc builds sendf: client reader line conversion: do not change data->state.infilesize setopt: illegal CURLOPT_SOCKS5_AUTH should return error setopt: remove unnecessary void pointer typecasts setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine shutdowns: split shutdown handling from connection pool socks: remove bad assert from do_SOCKS5() src: avoid strdup on platforms not doing UTF-8 conversions src: cleanup ISBLANK vs ISSPACE src: remove Curl_ prefix from tool-specific function src: remove final uses of Curl_ symbol prefixes in tool code src: replace strto[ld] with curlx_str_ parsers ssh: consider sftp quote commands case sensitive sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version sshserver.pl: use Perl `chmod` sshserver: fix excluding obsolete client config lines ssl session cache: add exportable flag SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR strparse: make Curl_str_number() return error for no digits strparse: switch the API to work on 'const char *' strparse: switch to curl_off_t as base data type test1022: add support for rc releases test1167: catch #defines with extra whitespace test313: disable CRL test for Schannel due to lack of support and flakiness test313: disable via `<features>` for backends without CRL support test489: set output 
dir test612: SCP `rm` the uploaded remote file (not the local source), unignore in CI test613: make it pass on Windows, fix postprocess, unignore in CI test615: fix for Cygwin, unignore in CI tests/certs: cleanup tests/server: drop unused `base64.pl` tests/server: fix to check against winsock2 error codes on Windows tests/server: give global `path` variable a more descriptive name tests/server: make the signal handler signal-safe tests/server: replace `errno` with `SOCKERRNO` in sockfilt, socksd, sws tests/server: replace `strerror` with `sstrerror` in socksd tests/server: support bundle binary tests/server: sync `wait_ms()` with the libcurl implementation tests/server: use `curlx_str_numblanks()` to avoid `errno` tests/servers.pm: remove unused variable 'portrange' tests: build non-debug unit tests with autotools, run them tests: fix comment in lib533 tests: fix enum/int confusion, fix autotools `CFLAGS` for `servers` tests: make sure 'commands.log' is generated in the correct logdir tests: mark tests 1631, 1632 flaky tests: reformat error messages to avoid tripping MSBuild tests: remove base64 encoded sections tests: Remove unused variables tests: replace remaining non-ASCII bytes with hex markup tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` tidy-up: align MSYS2/Cygwin codepaths, follow Cygwin `MAX_PID` bump tidy-up: delete, comment or scope C macros reported unused tidy-up: drop unused `CURL_INADDR_NONE` macro and `in_addr_t` type tidy-up: use `CURL_ARRAYSIZE()` timediff: fix comment for curlx_mstotv() timediff: remove unnecessary double typecast tool_dirhie: create dir hierarchy without strtok tool_getparam: clear sensitive arguments better tool_getparam: do parse_upload_flags without the alloc/free tool_getparam: parse --trace-config without strdup()/free() tool_getparam: parse_header() without strtok tool_operate: change "1 retries" to 
"1 retry" tool_operate: fail SSH transfers without server auth tool_operate: fix pluralization of seconds tool_operate: remove unnecessary (long) typecasts tool_paramhlp: do --proto parsing without strtok tool_parsecfg: make my_get_line skip comments and newlines tool_setopt: reduce use of "code hiding" macros url: call protocol handler's disconnect in Curl_conn_free urlapi: fix redirect from file:// with query, and simplify urlapi: remove percent encoded dot sequences from the URL path urlapi: simplify junkscan urldata: remove 'hostname' from struct Curl_async variable.md: clarify 'trim' example vquic: obey IOV_MAX vtls: fix compiler warnings seen with gcc 7.3.0 and mbedTLS winbuild: reduce command-line length by dropping whitespace windows: do not use winsock2 `inet_ntop()`/`inet_pton()` windows: drop code and curl manifest targeting W2K and older windows: fix issues detected by clang-tidy, and some more wolfssh: fix freeing of resources in disconnect wolfssh: retrieve the error using wolfSSH_get_error wolfssl: fix CA certificate multiple location import wolfssl: fix unused variable warning wolfssl: warn if CA native import option is ignored wolfssl: when using PQ KEM, use ML-KEM, not Kyber ws: corrected curlws_cont to reflect its documented purpose ws: fix and extend CURLWS_CONT handling zlib: bump minimum to 1.2.5.2 (was: 1.2.0.4)