1 _ _ ____ _ 2 ___| | | | _ \| | 3 / __| | | | |_) | | 4 | (__| |_| | _ <| |___ 5 \___|\___/|_| \_\_____| 6 7 Things that could be nice to do in the future 8 9 Things to do in project curl. Please tell us what you think, contribute and 10 send us patches that improve things! 11 12 Be aware that these are things that we could do, or have once been considered 13 things we could do. If you want to work on any of these areas, please 14 consider bringing it up for discussions first on the mailing list so that we 15 all agree it is still a good idea for the project! 16 17 All bugs documented in the KNOWN_BUGS document are subject for fixing! 18 19 1. libcurl 20 1.1 TFO support on Windows 21 1.3 struct lifreq 22 1.5 get rid of PATH_MAX 23 1.7 Support HTTP/2 for HTTP(S) proxies 24 1.8 CURLOPT_RESOLVE for any port number 25 1.9 Cache negative name resolves 26 1.10 auto-detect proxy 27 1.11 minimize dependencies with dynamically loaded modules 28 1.12 updated DNS server while running 29 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION 30 1.14 Typesafe curl_easy_setopt() 31 1.15 Monitor connections in the connection pool 32 1.16 Try to URL encode given URL 33 1.17 Add support for IRIs 34 1.18 try next proxy if one doesn't work 35 1.20 SRV and URI DNS records 36 1.22 CURLINFO_PAUSE_STATE 37 1.23 Offer API to flush the connection pool 38 1.24 TCP Fast Open for windows 39 1.25 Expose tried IP addresses that failed 40 1.27 hardcode the "localhost" addresses 41 1.28 FD_CLOEXEC 42 1.29 Upgrade to websockets 43 1.30 config file parsing 44 45 2. libcurl - multi interface 46 2.1 More non-blocking 47 2.2 Better support for same name resolves 48 2.3 Non-blocking curl_multi_remove_handle() 49 2.4 Split connect and authentication process 50 2.5 Edge-triggered sockets should work 51 2.6 multi upkeep 52 53 3. Documentation 54 3.2 Provide cmake config-file 55 56 4. FTP 57 4.1 HOST 58 4.2 Alter passive/active on failure and retry 59 4.3 Earlier bad letter detection 60 4.5 ASCII support 61 4.6 GSSAPI via Windows SSPI 62 4.7 STAT for LIST without data connection 63 4.8 Option to ignore private IP addresses in PASV response 64 65 5. HTTP 66 5.1 Better persistency for HTTP 1.0 67 5.3 Rearrange request header order 68 5.4 Allow SAN names in HTTP/2 server push 69 5.5 auth= in URLs 70 71 6. TELNET 72 6.1 ditch stdin 73 6.2 ditch telnet-specific select 74 6.3 feature negotiation debug data 75 76 7. SMTP 77 7.2 Enhanced capability support 78 7.3 Add CURLOPT_MAIL_CLIENT option 79 80 8. POP3 81 8.2 Enhanced capability support 82 83 9. IMAP 84 9.1 Enhanced capability support 85 86 10. LDAP 87 10.1 SASL based authentication mechanisms 88 89 11. SMB 90 11.1 File listing support 91 11.2 Honor file timestamps 92 11.3 Use NTLMv2 93 11.4 Create remote directories 94 95 12. New protocols 96 97 13. SSL 98 13.2 Provide mutex locking API 99 13.3 Support in-memory certs/ca certs/keys 100 13.4 Cache/share OpenSSL contexts 101 13.5 Export session ids 102 13.6 Provide callback for cert verification 103 13.7 improve configure --with-ssl 104 13.8 Support DANE 105 13.10 Support Authority Information Access certificate extension (AIA) 106 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY 107 13.12 Support HSTS 108 13.14 Support the clienthello extension 109 110 14. GnuTLS 111 14.2 check connection 112 113 15. WinSSL/SChannel 114 15.1 Add support for client certificate authentication 115 15.3 Add support for the --ciphers option 116 15.4 Add option to disable client certificate auto-send 117 118 16. SASL 119 16.1 Other authentication mechanisms 120 16.2 Add QOP support to GSSAPI authentication 121 16.3 Support binary messages (i.e.: non-base64) 122 123 17. SSH protocols 124 17.1 Multiplexing 125 17.3 Support better than MD5 hostkey hash 126 17.4 Support CURLOPT_PREQUOTE 127 128 18. Command line tool 129 18.1 sync 130 18.2 glob posts 131 18.3 prevent file overwriting 132 18.5 UTF-8 filenames in Content-Disposition 133 18.7 at least N milliseconds between requests 134 18.9 Choose the name of file in braces for complex URLs 135 18.10 improve how curl works in a windows console window 136 18.11 Windows: set attribute 'archive' for completed downloads 137 18.12 keep running, read instructions from pipe/socket 138 18.15 --retry should resume 139 18.16 send only part of --data 140 18.17 consider file name from the redirected URL with -O ? 141 18.18 retry on network is unreachable 142 18.19 expand ~/ in config files 143 18.20 host name sections in config files 144 145 19. Build 146 19.1 roffit 147 19.2 Enable PIE and RELRO by default 148 19.3 cmake test suite improvements 149 150 20. Test suite 151 20.1 SSL tunnel 152 20.2 nicer lacking perl message 153 20.3 more protocols supported 154 20.4 more platforms supported 155 20.5 Add support for concurrent connections 156 20.6 Use the RFC6265 test suite 157 20.7 Support LD_PRELOAD on macOS 158 159 21. Next SONAME bump 160 21.1 http-style HEAD output for FTP 161 21.2 combine error codes 162 21.3 extend CURLOPT_SOCKOPTFUNCTION prototype 163 164 22. Next major release 165 22.1 cleanup return codes 166 22.2 remove obsolete defines 167 22.3 size_t 168 22.4 remove several functions 169 22.5 remove CURLOPT_FAILONERROR 170 22.7 remove progress meter from libcurl 171 22.8 remove 'curl_httppost' from public 172 173============================================================================== 174 1751. libcurl 176 1771.1 TFO support on Windows 178 179 TCP Fast Open is supported on several platforms but not on Windows. Work on 180 this was once started but never finished. 181 182 See https://github.com/curl/curl/pull/3378 183 1841.3 struct lifreq 185 186 Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and 187 SIOCGIFADDR on newer Solaris versions as they claim the latter is obsolete. 188 To support IPv6 interface addresses for network interfaces properly. 189 1901.5 get rid of PATH_MAX 191 192 Having code use and rely on PATH_MAX is not nice: 193 https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html 194 195 Currently the libssh2 SSH based code uses it, but to remove PATH_MAX from 196 there we need libssh2 to properly tell us when we pass in a too small buffer 197 and its current API (as of libssh2 1.2.7) doesn't. 198 1991.7 Support HTTP/2 for HTTP(S) proxies 200 201 Support for doing HTTP/2 to HTTP and HTTPS proxies is still missing. 202 203 See https://github.com/curl/curl/issues/3570 204 2051.8 CURLOPT_RESOLVE for any port number 206 207 This option allows applications to set a replacement IP address for a given 208 host + port pair. Consider making support for providing a replacement address 209 for the host name on all port numbers. 210 211 See https://github.com/curl/curl/issues/1264 212 2131.9 Cache negative name resolves 214 215 A name resolve that has failed is likely to fail when made again within a 216 short period of time. Currently we only cache positive responses. 217 2181.10 auto-detect proxy 219 220 libcurl could be made to detect the system proxy setup automatically and use 221 that. On Windows, macOS and Linux desktops for example. 222 223 The pull-request to use libproxy for this was deferred due to doubts on the 224 reliability of the dependency and how to use it: 225 https://github.com/curl/curl/pull/977 226 227 libdetectproxy is a (C++) library for detecting the proxy on Windows 228 https://github.com/paulharris/libdetectproxy 229 2301.11 minimize dependencies with dynamically loaded modules 231 232 We can create a system with loadable modules/plug-ins, where these modules 233 would be the ones that link to 3rd party libs. That would allow us to avoid 234 having to load ALL dependencies since only the necessary ones for this 235 app/invoke/used protocols would be necessary to load. See 236 https://github.com/curl/curl/issues/349 237 2381.12 updated DNS server while running 239 240 If /etc/resolv.conf gets updated while a program using libcurl is running, it 241 is may cause name resolves to fail unless res_init() is called. We should 242 consider calling res_init() + retry once unconditionally on all name resolve 243 failures to mitigate against this. Firefox works like that. Note that Windows 244 doesn't have res_init() or an alternative. 245 246 https://github.com/curl/curl/issues/2251 247 2481.13 c-ares and CURLOPT_OPENSOCKETFUNCTION 249 250 curl will create most sockets via the CURLOPT_OPENSOCKETFUNCTION callback and 251 close them with the CURLOPT_CLOSESOCKETFUNCTION callback. However, c-ares 252 does not use those functions and instead opens and closes the sockets 253 itself. This means that when curl passes the c-ares socket to the 254 CURLMOPT_SOCKETFUNCTION it isn't owned by the application like other sockets. 255 256 See https://github.com/curl/curl/issues/2734 257 2581.14 Typesafe curl_easy_setopt() 259 260 One of the most common problems in libcurl using applications is the lack of 261 type checks for curl_easy_setopt() which happens because it accepts varargs 262 and thus can take any type. 263 264 One possible solution to this is to introduce a few different versions of the 265 setopt version for the different kinds of data you can set. 266 267 curl_easy_set_num() - sets a long value 268 269 curl_easy_set_large() - sets a curl_off_t value 270 271 curl_easy_set_ptr() - sets a pointer 272 273 curl_easy_set_cb() - sets a callback PLUS its callback data 274 2751.15 Monitor connections in the connection pool 276 277 libcurl's connection cache or pool holds a number of open connections for the 278 purpose of possible subsequent connection reuse. It may contain a few up to a 279 significant amount of connections. Currently, libcurl leaves all connections 280 as they are and first when a connection is iterated over for matching or 281 reuse purpose it is verified that it is still alive. 282 283 Those connections may get closed by the server side for idleness or they may 284 get a HTTP/2 ping from the peer to verify that they're still alive. By adding 285 monitoring of the connections while in the pool, libcurl can detect dead 286 connections (and close them) better and earlier, and it can handle HTTP/2 287 pings to keep such ones alive even when not actively doing transfers on them. 288 2891.16 Try to URL encode given URL 290 291 Given a URL that for example contains spaces, libcurl could have an option 292 that would try somewhat harder than it does now and convert spaces to %20 and 293 perhaps URL encoded byte values over 128 etc (basically do what the redirect 294 following code already does). 295 296 https://github.com/curl/curl/issues/514 297 2981.17 Add support for IRIs 299 300 IRIs (RFC 3987) allow localized, non-ascii, names in the URL. To properly 301 support this, curl/libcurl would need to translate/encode the given input 302 from the input string encoding into percent encoded output "over the wire". 303 304 To make that work smoothly for curl users even on Windows, curl would 305 probably need to be able to convert from several input encodings. 306 3071.18 try next proxy if one doesn't work 308 309 Allow an application to specify a list of proxies to try, and failing to 310 connect to the first go on and try the next instead until the list is 311 exhausted. Browsers support this feature at least when they specify proxies 312 using PACs. 313 314 https://github.com/curl/curl/issues/896 315 3161.20 SRV and URI DNS records 317 318 Offer support for resolving SRV and URI DNS records for libcurl to know which 319 server to connect to for various protocols (including HTTP!). 320 3211.22 CURLINFO_PAUSE_STATE 322 323 Return information about the transfer's current pause state, in both 324 directions. https://github.com/curl/curl/issues/2588 325 3261.23 Offer API to flush the connection pool 327 328 Sometimes applications want to flush all the existing connections kept alive. 329 An API could allow a forced flush or just a forced loop that would properly 330 close all connections that have been closed by the server already. 331 3321.24 TCP Fast Open for windows 333 334 libcurl supports the CURLOPT_TCP_FASTOPEN option since 7.49.0 for Linux and 335 Mac OS. Windows supports TCP Fast Open starting with Windows 10, version 1607 336 and we should add support for it. 337 3381.25 Expose tried IP addresses that failed 339 340 When libcurl fails to connect to a host, it should be able to offer the 341 application the list of IP addresses that were used in the attempt. 342 343 https://github.com/curl/curl/issues/2126 344 3451.27 hardcode the "localhost" addresses 346 347 There's this new spec getting adopted that says "localhost" should always and 348 unconditionally be a local address and not get resolved by a DNS server. A 349 fine way for curl to fix this would be to simply hard-code the response to 350 127.0.0.1 and/or ::1 (depending on what IP versions that are requested). This 351 is what the browsers probably will do with this hostname. 352 353 https://bugzilla.mozilla.org/show_bug.cgi?id=1220810 354 355 https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02 356 3571.28 FD_CLOEXEC 358 359 It sets the close-on-exec flag for the file descriptor, which causes the file 360 descriptor to be automatically (and atomically) closed when any of the 361 exec-family functions succeed. Should probably be set by default? 362 363 https://github.com/curl/curl/issues/2252 364 3651.29 Upgrade to websockets 366 367 libcurl could offer a smoother path to get to a websocket connection. 368 See https://github.com/curl/curl/issues/3523 369 370 Michael Kaufmann suggestion here: 371 https://curl.haxx.se/video/curlup-2017/2017-03-19_05_Michael_Kaufmann_Websocket_support_for_curl.mp4 372 3731.30 config file parsing 374 375 Consider providing an API, possibly in a separate companion library, for 376 parsing a config file like curl's -K/--config option to allow applications to 377 get the same ability to read curl options from files. 378 379 See https://github.com/curl/curl/issues/3698 380 3812. libcurl - multi interface 382 3832.1 More non-blocking 384 385 Make sure we don't ever loop because of non-blocking sockets returning 386 EWOULDBLOCK or similar. Blocking cases include: 387 388 - Name resolves on non-windows unless c-ares or the threaded resolver is used 389 - SOCKS proxy handshakes 390 - file:// transfers 391 - TELNET transfers 392 - The "DONE" operation (post transfer protocol-specific actions) for the 393 protocols SFTP, SMTP, FTP. Fixing Curl_done() for this is a worthy task. 394 3952.2 Better support for same name resolves 396 397 If a name resolve has been initiated for name NN and a second easy handle 398 wants to resolve that name as well, make it wait for the first resolve to end 399 up in the cache instead of doing a second separate resolve. This is 400 especially needed when adding many simultaneous handles using the same host 401 name when the DNS resolver can get flooded. 402 4032.3 Non-blocking curl_multi_remove_handle() 404 405 The multi interface has a few API calls that assume a blocking behavior, like 406 add_handle() and remove_handle() which limits what we can do internally. The 407 multi API need to be moved even more into a single function that "drives" 408 everything in a non-blocking manner and signals when something is done. A 409 remove or add would then only ask for the action to get started and then 410 multi_perform() etc still be called until the add/remove is completed. 411 4122.4 Split connect and authentication process 413 414 The multi interface treats the authentication process as part of the connect 415 phase. As such any failures during authentication won't trigger the relevant 416 QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP. 417 4182.5 Edge-triggered sockets should work 419 420 The multi_socket API should work with edge-triggered socket events. One of 421 the internal actions that need to be improved for this to work perfectly is 422 the 'maxloops' handling in transfer.c:readwrite_data(). 423 4242.6 multi upkeep 425 426 In libcurl 7.62.0 we introduced curl_easy_upkeep. It unfortunately only works 427 on easy handles. We should introduces a version of that for the multi handle, 428 and also consider doing "upkeep" automatically on connections in the 429 connection pool when the multi handle is in used. 430 431 See https://github.com/curl/curl/issues/3199 432 4333. Documentation 434 4353.2 Provide cmake config-file 436 437 A config-file package is a set of files provided by us to allow applications 438 to write cmake scripts to find and use libcurl easier. See 439 https://github.com/curl/curl/issues/885 440 4414. FTP 442 4434.1 HOST 444 445 HOST is a command for a client to tell which host name to use, to offer FTP 446 servers named-based virtual hosting: 447 448 https://tools.ietf.org/html/rfc7151 449 4504.2 Alter passive/active on failure and retry 451 452 When trying to connect passively to a server which only supports active 453 connections, libcurl returns CURLE_FTP_WEIRD_PASV_REPLY and closes the 454 connection. There could be a way to fallback to an active connection (and 455 vice versa). https://curl.haxx.se/bug/feature.cgi?id=1754793 456 4574.3 Earlier bad letter detection 458 459 Make the detection of (bad) %0d and %0a codes in FTP URL parts earlier in the 460 process to avoid doing a resolve and connect in vain. 461 4624.5 ASCII support 463 464 FTP ASCII transfers do not follow RFC959. They don't convert the data 465 accordingly. 466 4674.6 GSSAPI via Windows SSPI 468 469 In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5) 470 via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add 471 support for GSSAPI authentication via Windows SSPI. 472 4734.7 STAT for LIST without data connection 474 475 Some FTP servers allow STAT for listing directories instead of using LIST, 476 and the response is then sent over the control connection instead of as the 477 otherwise usedw data connection: https://www.nsftools.com/tips/RawFTP.htm#STAT 478 479 This is not detailed in any FTP specification. 480 4814.8 Option to ignore private IP addresses in PASV response 482 483 Some servers respond with and some other FTP client implementations can 484 ignore private (RFC 1918 style) IP addresses when received in PASV responses. 485 To consider for libcurl as well. See https://github.com/curl/curl/issues/1455 486 4875. HTTP 488 4895.1 Better persistency for HTTP 1.0 490 491 "Better" support for persistent connections over HTTP 1.0 492 https://curl.haxx.se/bug/feature.cgi?id=1089001 493 4945.3 Rearrange request header order 495 496 Server implementors often make an effort to detect browser and to reject 497 clients it can detect to not match. One of the last details we cannot yet 498 control in libcurl's HTTP requests, which also can be exploited to detect 499 that libcurl is in fact used even when it tries to impersonate a browser, is 500 the order of the request headers. I propose that we introduce a new option in 501 which you give headers a value, and then when the HTTP request is built it 502 sorts the headers based on that number. We could then have internally created 503 headers use a default value so only headers that need to be moved have to be 504 specified. 505 5065.4 Allow SAN names in HTTP/2 server push 507 508 curl only allows HTTP/2 push promise if the provided :authority header value 509 exactly matches the host name given in the URL. It could be extended to allow 510 any name that would match the Subject Alternative Names in the server's TLS 511 certificate. 512 513 See https://github.com/curl/curl/pull/3581 514 5155.5 auth= in URLs 516 517 Add the ability to specify the preferred authentication mechanism to use by 518 using ;auth=<mech> in the login part of the URL. 519 520 For example: 521 522 http://test:pass;auth=NTLM@example.com would be equivalent to specifying 523 --user test:pass;auth=NTLM or --user test:pass --ntlm from the command line. 524 525 Additionally this should be implemented for proxy base URLs as well. 526 527 5286. TELNET 529 5306.1 ditch stdin 531 532 Reading input (to send to the remote server) on stdin is a crappy solution 533 for library purposes. We need to invent a good way for the application to be 534 able to provide the data to send. 535 5366.2 ditch telnet-specific select 537 538 Move the telnet support's network select() loop go away and merge the code 539 into the main transfer loop. Until this is done, the multi interface won't 540 work for telnet. 541 5426.3 feature negotiation debug data 543 544 Add telnet feature negotiation data to the debug callback as header data. 545 546 5477. SMTP 548 5497.2 Enhanced capability support 550 551 Add the ability, for an application that uses libcurl, to obtain the list of 552 capabilities returned from the EHLO command. 553 5547.3 Add CURLOPT_MAIL_CLIENT option 555 556 Rather than use the URL to specify the mail client string to present in the 557 HELO and EHLO commands, libcurl should support a new CURLOPT specifically for 558 specifying this data as the URL is non-standard and to be honest a bit of a 559 hack ;-) 560 561 Please see the following thread for more information: 562 https://curl.haxx.se/mail/lib-2012-05/0178.html 563 564 5658. POP3 566 5678.2 Enhanced capability support 568 569 Add the ability, for an application that uses libcurl, to obtain the list of 570 capabilities returned from the CAPA command. 571 5729. IMAP 573 5749.1 Enhanced capability support 575 576 Add the ability, for an application that uses libcurl, to obtain the list of 577 capabilities returned from the CAPABILITY command. 578 57910. LDAP 580 58110.1 SASL based authentication mechanisms 582 583 Currently the LDAP module only supports ldap_simple_bind_s() in order to bind 584 to an LDAP server. However, this function sends username and password details 585 using the simple authentication mechanism (as clear text). However, it should 586 be possible to use ldap_bind_s() instead specifying the security context 587 information ourselves. 588 58911. SMB 590 59111.1 File listing support 592 593Add support for listing the contents of a SMB share. The output should probably 594be the same as/similar to FTP. 595 59611.2 Honor file timestamps 597 598The timestamp of the transferred file should reflect that of the original file. 599 60011.3 Use NTLMv2 601 602Currently the SMB authentication uses NTLMv1. 603 60411.4 Create remote directories 605 606Support for creating remote directories when uploading a file to a directory 607that doesn't exist on the server, just like --ftp-create-dirs. 608 60912. New protocols 610 61113. SSL 612 61313.2 Provide mutex locking API 614 615 Provide a libcurl API for setting mutex callbacks in the underlying SSL 616 library, so that the same application code can use mutex-locking 617 independently of OpenSSL or GnutTLS being used. 618 61913.3 Support in-memory certs/ca certs/keys 620 621 You can specify the private and public keys for SSH/SSL as file paths. Some 622 programs want to avoid using files and instead just pass them as in-memory 623 data blobs. There's probably a challenge to make this work across the 624 plethory of different TLS and SSH backends that curl supports. 625 https://github.com/curl/curl/issues/2310 626 62713.4 Cache/share OpenSSL contexts 628 629 "Look at SSL cafile - quick traces look to me like these are done on every 630 request as well, when they should only be necessary once per SSL context (or 631 once per handle)". The major improvement we can rather easily do is to make 632 sure we don't create and kill a new SSL "context" for every request, but 633 instead make one for every connection and re-use that SSL context in the same 634 style connections are re-used. It will make us use slightly more memory but 635 it will libcurl do less creations and deletions of SSL contexts. 636 637 Technically, the "caching" is probably best implemented by getting added to 638 the share interface so that easy handles who want to and can reuse the 639 context specify that by sharing with the right properties set. 640 641 https://github.com/curl/curl/issues/1110 642 64313.5 Export session ids 644 645 Add an interface to libcurl that enables "session IDs" to get 646 exported/imported. Cris Bailiff said: "OpenSSL has functions which can 647 serialise the current SSL state to a buffer of your choice, and recover/reset 648 the state from such a buffer at a later date - this is used by mod_ssl for 649 apache to implement and SSL session ID cache". 650 65113.6 Provide callback for cert verification 652 653 OpenSSL supports a callback for customised verification of the peer 654 certificate, but this doesn't seem to be exposed in the libcurl APIs. Could 655 it be? There's so much that could be done if it were! 656 65713.7 improve configure --with-ssl 658 659 make the configure --with-ssl option first check for OpenSSL, then GnuTLS, 660 then NSS... 661 66213.8 Support DANE 663 664 DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL 665 keys and certs over DNS using DNSSEC as an alternative to the CA model. 666 https://www.rfc-editor.org/rfc/rfc6698.txt 667 668 An initial patch was posted by Suresh Krishnaswamy on March 7th 2013 669 (https://curl.haxx.se/mail/lib-2013-03/0075.html) but it was a too simple 670 approach. See Daniel's comments: 671 https://curl.haxx.se/mail/lib-2013-03/0103.html . libunbound may be the 672 correct library to base this development on. 673 674 Björn Stenberg wrote a separate initial take on DANE that was never 675 completed. 676 67713.10 Support Authority Information Access certificate extension (AIA) 678 679 AIA can provide various things like CRLs but more importantly information 680 about intermediate CA certificates that can allow validation path to be 681 fulfilled when the HTTPS server doesn't itself provide them. 682 683 Since AIA is about downloading certs on demand to complete a TLS handshake, 684 it is probably a bit tricky to get done right. 685 686 See https://github.com/curl/curl/issues/2793 687 68813.11 Support intermediate & root pinning for PINNEDPUBLICKEY 689 690 CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root 691 certificates when comparing the pinned keys. Therefore it is not compatible 692 with "HTTP Public Key Pinning" as there also intermediate and root certificates 693 can be pinned. This is very useful as it prevents webadmins from "locking 694 themself out of their servers". 695 696 Adding this feature would make curls pinning 100% compatible to HPKP and allow 697 more flexible pinning. 698 69913.12 Support HSTS 700 701 "HTTP Strict Transport Security" is TOFU (trust on first use), time-based 702 features indicated by a HTTP header send by the webserver. It is widely used 703 in browsers and it's purpose is to prevent insecure HTTP connections after 704 a previous HTTPS connection. It protects against SSLStripping attacks. 705 706 Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security 707 RFC 6797: https://tools.ietf.org/html/rfc6797 708 70913.14 Support the clienthello extension 710 711 Certain stupid networks and middle boxes have a problem with SSL handshake 712 pakets that are within a certain size range because how that sets some bits 713 that previously (in older TLS version) were not set. The clienthello 714 extension adds padding to avoid that size range. 715 716 https://tools.ietf.org/html/rfc7685 717 https://github.com/curl/curl/issues/2299 718 71914. GnuTLS 720 72114.2 check connection 722 723 Add a way to check if the connection seems to be alive, to correspond to the 724 SSL_peak() way we use with OpenSSL. 725 72615. WinSSL/SChannel 727 72815.1 Add support for client certificate authentication 729 730 WinSSL/SChannel currently makes use of the OS-level system and user 731 certificate and private key stores. This does not allow the application 732 or the user to supply a custom client certificate using curl or libcurl. 733 734 Therefore support for the existing -E/--cert and --key options should be 735 implemented by supplying a custom certificate to the SChannel APIs, see: 736 - Getting a Certificate for Schannel 737 https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx 738 73915.3 Add support for the --ciphers option 740 741 The cipher suites used by WinSSL/SChannel are configured on an OS-level 742 instead of an application-level. This does not allow the application or 743 the user to customize the configured cipher suites using curl or libcurl. 744 745 Therefore support for the existing --ciphers option should be implemented 746 by mapping the OpenSSL/GnuTLS cipher suites to the SChannel APIs, see 747 - Specifying Schannel Ciphers and Cipher Strengths 748 https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx 749 75015.4 Add option to disable client certificate auto-send 751 752 Microsoft says "By default, Schannel will, with no notification to the client, 753 attempt to locate a client certificate and send it to the server." That could 754 be considered a privacy violation and unexpected. 755 756 Some Windows users have come to expect that default behavior and to change the 757 default to make it consistent with other SSL backends would be a breaking 758 change. An option should be added that can be used to disable the default 759 Schannel auto-send behavior. 760 761 https://github.com/curl/curl/issues/2262 762 76316. SASL 764 76516.1 Other authentication mechanisms 766 767 Add support for other authentication mechanisms such as OLP, 768 GSS-SPNEGO and others. 769 77016.2 Add QOP support to GSSAPI authentication 771 772 Currently the GSSAPI authentication only supports the default QOP of auth 773 (Authentication), whilst Kerberos V5 supports both auth-int (Authentication 774 with integrity protection) and auth-conf (Authentication with integrity and 775 privacy protection). 776 77716.3 Support binary messages (i.e.: non-base64) 778 779 Mandatory to support LDAP SASL authentication. 780 781 78217. SSH protocols 783 78417.1 Multiplexing 785 786 SSH is a perfectly fine multiplexed protocols which would allow libcurl to do 787 multiple parallel transfers from the same host using the same connection, 788 much in the same spirit as HTTP/2 does. libcurl however does not take 789 advantage of that ability but will instead always create a new connection for 790 new transfers even if an existing connection already exists to the host. 791 792 To fix this, libcurl would have to detect an existing connection and "attach" 793 the new transfer to the existing one. 794 79517.3 Support better than MD5 hostkey hash 796 797 libcurl offers the CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 option for verifying the 798 server's key. MD5 is generally being deprecated so we should implement 799 support for stronger hashing algorithms. libssh2 itself is what provides this 800 underlying functionality and it supports at least SHA-1 as an alternative. 801 SHA-1 is also being deprecated these days so we should consider working with 802 libssh2 to instead offer support for SHA-256 or similar. 803 80417.4 Support CURLOPT_PREQUOTE 805 806 The two other QUOTE options are supported for SFTP, but this was left out for 807 unknown reasons! 808 80918. Command line tool 810 81118.1 sync 812 813 "curl --sync http://example.com/feed[1-100].rss" or 814 "curl --sync http://example.net/{index,calendar,history}.html" 815 816 Downloads a range or set of URLs using the remote name, but only if the 817 remote file is newer than the local file. A Last-Modified HTTP date header 818 should also be used to set the mod date on the downloaded file. 819 82018.2 glob posts 821 822 Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'. 823 This is easily scripted though. 824 82518.3 prevent file overwriting 826 827 Add an option that prevents curl from overwriting existing local files. When 828 used, and there already is an existing file with the target file name 829 (either -O or -o), a number should be appended (and increased if already 830 existing). So that index.html becomes first index.html.1 and then 831 index.html.2 etc. 832 83318.5 UTF-8 filenames in Content-Disposition 834 835 RFC 6266 documents how UTF-8 names can be passed to a client in the 836 Content-Disposition header, and curl does not support this. 837 838 https://github.com/curl/curl/issues/1888 839 84018.7 at least N milliseconds between requests 841 842 Allow curl command lines issue a lot of request against services that limit 843 users to no more than N requests/second or similar. Could be implemented with 844 an option asking that at least a certain time has elapsed since the previous 845 request before the next one will be performed. Example: 846 847 $ curl "https://example.com/api?input=[1-1000]" -d yadayada --after 500 848 849 See https://github.com/curl/curl/issues/3920 850 85118.9 Choose the name of file in braces for complex URLs 852 853 When using braces to download a list of URLs and you use complicated names 854 in the list of alternatives, it could be handy to allow curl to use other 855 names when saving. 856 857 Consider a way to offer that. Possibly like 858 {partURL1:name1,partURL2:name2,partURL3:name3} where the name following the 859 colon is the output name. 860 861 See https://github.com/curl/curl/issues/221 862 86318.10 improve how curl works in a windows console window 864 865 If you pull the scrollbar when transferring with curl in a Windows console 866 window, the transfer is interrupted and can get disconnected. This can 867 probably be improved. See https://github.com/curl/curl/issues/322 868 86918.11 Windows: set attribute 'archive' for completed downloads 870 871 The archive bit (FILE_ATTRIBUTE_ARCHIVE, 0x20) separates files that shall be 872 backed up from those that are either not ready or have not changed. 873 874 Downloads in progress are neither ready to be backed up, nor should they be 875 opened by a different process. Only after a download has been completed it's 876 sensible to include it in any integer snapshot or backup of the system. 877 878 See https://github.com/curl/curl/issues/3354 879 88018.12 keep running, read instructions from pipe/socket 881 882 Provide an option that makes curl not exit after the last URL (or even work 883 without a given URL), and then make it read instructions passed on a pipe or 884 over a socket to make further instructions so that a second subsequent curl 885 invoke can talk to the still running instance and ask for transfers to get 886 done, and thus maintain its connection pool, DNS cache and more. 887 88818.15 --retry should resume 889 890 When --retry is used and curl actually retries transfer, it should use the 891 already transferred data and do a resumed transfer for the rest (when 892 possible) so that it doesn't have to transfer the same data again that was 893 already transferred before the retry. 894 895 See https://github.com/curl/curl/issues/1084 896 89718.16 send only part of --data 898 899 When the user only wants to send a small piece of the data provided with 900 --data or --data-binary, like when that data is a huge file, consider a way 901 to specify that curl should only send a piece of that. One suggested syntax 902 would be: "--data-binary @largefile.zip!1073741823-2147483647". 903 904 See https://github.com/curl/curl/issues/1200 905 90618.17 consider file name from the redirected URL with -O ? 907 908 When a user gives a URL and uses -O, and curl follows a redirect to a new 909 URL, the file name is not extracted and used from the newly redirected-to URL 910 even if the new URL may have a much more sensible file name. 911 912 This is clearly documented and helps for security since there's no surprise 913 to users which file name that might get overwritten. But maybe a new option 914 could allow for this or maybe -J should imply such a treatment as well as -J 915 already allows for the server to decide what file name to use so it already 916 provides the "may overwrite any file" risk. 917 918 This is extra tricky if the original URL has no file name part at all since 919 then the current code path will error out with an error message, and we can't 920 *know* already at that point if curl will be redirected to a URL that has a 921 file name... 922 923 See https://github.com/curl/curl/issues/1241 924 92518.18 retry on network is unreachable 926 927 The --retry option retries transfers on "transient failures". We later added 928 --retry-connrefused to also retry for "connection refused" errors. 929 930 Suggestions have been brought to also allow retry on "network is unreachable" 931 errors and while totally reasonable, maybe we should consider a way to make 932 this more configurable than to add a new option for every new error people 933 want to retry for? 934 935 https://github.com/curl/curl/issues/1603 936 93718.19 expand ~/ in config files 938 939 For example .curlrc could benefit from being able to do this. 940 941 See https://github.com/curl/curl/issues/2317 942 94318.20 host name sections in config files 944 945 config files would be more powerful if they could set different 946 configurations depending on used URLs, host name or possibly origin. Then a 947 default .curlrc could a specific user-agent only when doing requests against 948 a certain site. 949 950 95119. Build 952 95319.1 roffit 954 955 Consider extending 'roffit' to produce decent ASCII output, and use that 956 instead of (g)nroff when building src/tool_hugehelp.c 957 95819.2 Enable PIE and RELRO by default 959 960 Especially when having programs that execute curl via the command line, PIE 961 renders the exploitation of memory corruption vulnerabilities a lot more 962 difficult. This can be attributed to the additional information leaks being 963 required to conduct a successful attack. RELRO, on the other hand, masks 964 different binary sections like the GOT as read-only and thus kills a handful 965 of techniques that come in handy when attackers are able to arbitrarily 966 overwrite memory. A few tests showed that enabling these features had close 967 to no impact, neither on the performance nor on the general functionality of 968 curl. 969 97019.3 cmake test suite improvements 971 972 The cmake build doesn't support 'make show' so it doesn't know which tests 973 are in the makefile or not (making appveyor builds do many false warnings 974 about it) nor does it support running the test suite if building out-of-tree. 975 976 See https://github.com/curl/curl/issues/3109 977 97820. Test suite 979 98020.1 SSL tunnel 981 982 Make our own version of stunnel for simple port forwarding to enable HTTPS 983 and FTP-SSL tests without the stunnel dependency, and it could allow us to 984 provide test tools built with either OpenSSL or GnuTLS 985 98620.2 nicer lacking perl message 987 988 If perl wasn't found by the configure script, don't attempt to run the tests 989 but explain something nice why it doesn't. 990 99120.3 more protocols supported 992 993 Extend the test suite to include more protocols. The telnet could just do FTP 994 or http operations (for which we have test servers). 995 99620.4 more platforms supported 997 998 Make the test suite work on more platforms. OpenBSD and Mac OS. Remove 999 fork()s and it should become even more portable. 1000 100120.5 Add support for concurrent connections 1002 1003 Tests 836, 882 and 938 were designed to verify that separate connections 1004 aren't used when using different login credentials in protocols that 1005 shouldn't re-use a connection under such circumstances. 1006 1007 Unfortunately, ftpserver.pl doesn't appear to support multiple concurrent 1008 connections. The read while() loop seems to loop until it receives a 1009 disconnect from the client, where it then enters the waiting for connections 1010 loop. When the client opens a second connection to the server, the first 1011 connection hasn't been dropped (unless it has been forced - which we 1012 shouldn't do in these tests) and thus the wait for connections loop is never 1013 entered to receive the second connection. 1014 101520.6 Use the RFC6265 test suite 1016 1017 A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at 1018 https://github.com/abarth/http-state/tree/master/tests 1019 1020 It'd be really awesome if someone would write a script/setup that would run 1021 curl with that test suite and detect deviances. Ideally, that would even be 1022 incorporated into our regular test suite. 1023 102420.7 Support LD_PRELOAD on macOS 1025 1026 LD_RELOAD doesn't work on macOS, but there are tests which require it to run 1027 properly. Look into making the preload support in runtests.pl portable such 1028 that it uses DYLD_INSERT_LIBRARIES on macOS. 1029 103021. Next SONAME bump 1031 103221.1 http-style HEAD output for FTP 1033 1034 #undef CURL_FTP_HTTPSTYLE_HEAD in lib/ftp.c to remove the HTTP-style headers 1035 from being output in NOBODY requests over FTP 1036 103721.2 combine error codes 1038 1039 Combine some of the error codes to remove duplicates. The original 1040 numbering should not be changed, and the old identifiers would be 1041 macroed to the new ones in an CURL_NO_OLDIES section to help with 1042 backward compatibility. 1043 1044 Candidates for removal and their replacements: 1045 1046 CURLE_FILE_COULDNT_READ_FILE => CURLE_REMOTE_FILE_NOT_FOUND 1047 1048 CURLE_FTP_COULDNT_RETR_FILE => CURLE_REMOTE_FILE_NOT_FOUND 1049 1050 CURLE_FTP_COULDNT_USE_REST => CURLE_RANGE_ERROR 1051 1052 CURLE_FUNCTION_NOT_FOUND => CURLE_FAILED_INIT 1053 1054 CURLE_LDAP_INVALID_URL => CURLE_URL_MALFORMAT 1055 1056 CURLE_TFTP_NOSUCHUSER => CURLE_TFTP_ILLEGAL 1057 1058 CURLE_TFTP_NOTFOUND => CURLE_REMOTE_FILE_NOT_FOUND 1059 1060 CURLE_TFTP_PERM => CURLE_REMOTE_ACCESS_DENIED 1061 106221.3 extend CURLOPT_SOCKOPTFUNCTION prototype 1063 1064 The current prototype only provides 'purpose' that tells what the 1065 connection/socket is for, but not any protocol or similar. It makes it hard 1066 for applications to differentiate on TCP vs UDP and even HTTP vs FTP and 1067 similar. 1068 106922. Next major release 1070 107122.1 cleanup return codes 1072 1073 curl_easy_cleanup() returns void, but curl_multi_cleanup() returns a 1074 CURLMcode. These should be changed to be the same. 1075 107622.2 remove obsolete defines 1077 1078 remove obsolete defines from curl/curl.h 1079 108022.3 size_t 1081 1082 make several functions use size_t instead of int in their APIs 1083 108422.4 remove several functions 1085 1086 remove the following functions from the public API: 1087 1088 curl_getenv 1089 1090 curl_mprintf (and variations) 1091 1092 curl_strequal 1093 1094 curl_strnequal 1095 1096 They will instead become curlx_ - alternatives. That makes the curl app 1097 still capable of using them, by building with them from source. 1098 1099 These functions have no purpose anymore: 1100 1101 curl_multi_socket 1102 1103 curl_multi_socket_all 1104 110522.5 remove CURLOPT_FAILONERROR 1106 1107 Remove support for CURLOPT_FAILONERROR, it has gotten too kludgy and weird 1108 internally. Let the app judge success or not for itself. 1109 111022.7 remove progress meter from libcurl 1111 1112 The internally provided progress meter output doesn't belong in the library. 1113 Basically no application wants it (apart from curl) but instead applications 1114 can and should do their own progress meters using the progress callback. 1115 1116 The progress callback should then be bumped as well to get proper 64bit 1117 variable types passed to it instead of doubles so that big files work 1118 correctly. 1119 112022.8 remove 'curl_httppost' from public 1121 1122 curl_formadd() was made to fill in a public struct, but the fact that the 1123 struct is public is never really used by application for their own advantage 1124 but instead often restricts how the form functions can or can't be modified. 1125 1126 Changing them to return a private handle will benefit the implementation and 1127 allow us much greater freedoms while still maintaining a solid API and ABI. 1128