Daniel Stenberg [Thu, 11 Sep 2025 15:50:59 +0000 (17:50 +0200)]
CURLOPT_MAXLIFETIME_CONN: make default 24 hours
Set a default value to only reuse existing connections if less than 24
hours old. This makes the TLS certificate check get redone for the new
connection. An application can still set it to zero.
Viktor Szakats [Thu, 11 Sep 2025 13:05:28 +0000 (15:05 +0200)]
GHA/http3-linux: fix nghttpx build and other tweaks
- fix `nghttp2` build to also build the `nghttpx` application.
Restore required `libc-ares-dev`. Also confirm that `libev-dev` is
required too. Document these requirements.
Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509
- explicitly enable `nghttpx` for the `nghttp2` build to make it fail if
requirements aren't met:
```
configure: error: applications were requested (--enable-app) but dependencies are not met.
```
- explicitly install brotli, zstd, zlib for the dependency builds.
Of these, zstd and zlib are preinstalled. zlib is required for
`nghttpx`. zstd and brotli doesn't seem to be used, but keep them
there just in case and to match the test env.
Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509
- enable brotli for `nghttpx`. It doesn't change the tests, and also
cost almost nothing, so I figure why not.
Stefan Eissing [Thu, 11 Sep 2025 12:12:04 +0000 (14:12 +0200)]
ngtcp2: check error code on connect failure
Access the error codes of ngtcp2 when a connect attempt failes. Trace
the information for analysis. Treat errors as permanent failure by
default, trigger retrying only when the server refused without
indicating an error.
Stefan Eissing [Thu, 11 Sep 2025 10:59:22 +0000 (12:59 +0200)]
quic: fix min TLS version handling
When switching to TSLv1.2 as default in 9d8998c99408e1adf8eba629fad9f87b3235bdfa, this led to an explicit
setting of 1.2 on QUIC connections when using quictls, overriding the
already set min version of 1.3.
This leads to a ClientHello with TLS 1.2+1.3 offered on a QUIC connect
which is rejected by the Caddy server. Using ngtcp2 with OpenSSL 3.5+,
GnuTLS or AWS-LC is not affected.
Fixes #18518 Reported-by: fds242 on github
Closes #18520
Viktor Szakats [Thu, 11 Sep 2025 09:20:08 +0000 (11:20 +0200)]
GHA: fix and tweak installed packages for http3-linux and Windows-cross
- explicitly install `libldap-dev` to not rely on test-specific packages
installing it implicitly, to have the same `curl -V` output for each
TLS backend build pair.
Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509
- install `libev-dev` for tests. It's a runtime dependency for
the local build of `nghttpx`. Missing it made pytest skip 178 tests.
Also skewing the 'Gain' time. I estimate it to account for 3 minutes,
making the total gain ~20 minutes.
Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509
(It may be a better solution to disable libev for the local nghttp2
build, to avoid this hidden dependency.)
- fix quiche jobs to use the local build of `libnghttp2`.
- stop installing the `clang` package for Windows-cross. `clang` and
`clang-tidy` tools are preinstalled on the Ubuntu 24.04 runner.
Viktor Szakats [Wed, 10 Sep 2025 08:25:17 +0000 (10:25 +0200)]
GHA: minimize installed packages in http3-linux and Windows cross-builds
In the last couple of months some jobs started taking a lot of time and
often timing out due to slow `apt install` from the Azure Ubuntu mirror.
The jobs affected were those that installed large packages:
GHA/http3-linux and the 3 cross-build jobs in GHA/windows.
This patch reduces the installed packaged to the minimum required
to complete the jobs. Saving a minute+ for each http3-linux job (a total
of 20+ minutes for the workflow.) Also saving bandwidth and reducing
the chance for long downloads or timeouts with slow Azure repos.
Details:
- http3: delete redundant packages from the `build-cache` job.
- http3: install gnutls dependencies for gnutls jobs only.
- http3: do not install test dependencies in jobs not running tests.
- http3: drop redundant packages from the curl jobs.
- Windows-cross: replace `mingw-w64` with `gcc-mingw-w64-x86-64-win32`
for the 3 Windows cross-build job. Dropping C++, 32-bit, and 64-bit
POSIX-threaded parts. Saving time and significant bandwidth for each
of the 3 jobs:
Download size: 277 MB -> 65 MB (installed: 1300 MB -> 400 MB)
- Windows-cross: restore previous job time limit of 15m (from 45m)
Follow-up to ff5140a25f42fef80325c6e28c4802fdb7e06386 #18163
Out of curiousity, build times as seen in the http3 build-cache job:
- TLS backends:
- openssl: 2m25s
- libressl: 27s
- aws-lc: 41s
- boringssl: 1m8s
- quictls: 1m46s
- gnutls: 6m30s
- wolfssl: 51s
- quiche + boringssl: 1m9s
- ng* libs (not yet optimized for build speed):
- nghttp3: 13s
- ngtcp2: 52s (with 6 backends, 3 runs)
- ngtcp2: 19s (boringssl)
- nghttp2: 21s
Ref: https://github.com/curl/curl/actions/runs/17626120054/job/50083344805
A similar effort in curl-for-win, affecting 2 GHA/curl-for-win Windows
jobs (though they use the default Debian repo, with no issues):
- with llvm/clang:
Download size: 648 MB -> 430 MB (installed: 3344 MB -> 2333 MB)
- with gcc:
Download size: 550 MB -> 328 MB (installed: 2815 MB -> 1804 MB)
Ref: https://github.com/curl/curl-for-win/commit/e19665d9486bdca60f996ed2e198a66128cfba38
Ref: https://github.com/curl/curl-for-win/commit/6b14c3946a8c89dc1d3847afc9501fc71f3ac628
Stefan Eissing [Wed, 10 Sep 2025 09:55:24 +0000 (11:55 +0200)]
curl_easy_getinfo: error code on NULL arg
When passing an address to curl_easy_getinfo to retrieve a value and the
address is NULL, return CURLE_BAD_FUNCTION_ARGUMENT instead of
CURLE_UNKNOWN_OPTION.
Stefan Eissing [Wed, 10 Sep 2025 09:33:36 +0000 (11:33 +0200)]
easy_getinfo: check magic, Curl_close safety
Check the easy handles magic in calls to curl_easy_getinfo().
In Curl_close() clear the magic after DNS shutdown since we'd
like to see tracing for this.
When clearing the magic, also clear the verbose flag so we
no longer call DEBUGFUNCTION on such a handle.
Some OSes (Linux, macOS, more?) will generate an EMSGSIZE socket error
on the next recv all after receiving an ICMP Packet Too Big on an
unconnected UDP socket.
These can be safely ignored as QUIC's DPLPMTUD uses MTU probes that do
not rely on receiving ICMP packets.
Viktor Szakats [Sun, 7 Sep 2025 10:32:54 +0000 (12:32 +0200)]
VULN-DISCLOSURE-POLICY: make it pass test 1275
```
test 1275...[Verify capital letters after period in markdown files]
../../docs/VULN-DISCLOSURE-POLICY.md:426:55:error: lowercase daily after period
* regular communication from communication leader (ex. daily update)
```
Ref: https://github.com/curl/curl/actions/runs/17527331816/job/49779555753?pr=18485
Stefan Eissing [Thu, 4 Sep 2025 14:09:05 +0000 (16:09 +0200)]
websocket: handling of PONG frames
The auto PONG frames were inserted into the connection at the time
a PING had been decoded, irregardless if an upstream frame was just
in the middle of being assembled.
Add PONG frames only to the buffer if there is no frame currently
assemebled and, if it is, set the control frame aside. This control
frame is then added on the first opportunity of a "clean" send buffer.
There is only a single control frame set aside at a time. This means
a double PING will, when the PONG cannot be sent right away, only
send the last PONG.
I imagine this is fine. We want to prevent the endless buffering of
PONG frames on a connection where the server sends but does no receives.
Stefan Eissing [Thu, 4 Sep 2025 10:00:48 +0000 (12:00 +0200)]
websocket: reset upload_done when sending data
Sending websocket data did not clear the "upload_done" flag of
the initial HTTP Upgrade request, leading to KEEP_SEND never be
cleared. This caused the socket to be polled for INOUT after all
the websocket data had been sent. A busy loop.
Viktor Szakats [Tue, 2 Sep 2025 13:40:12 +0000 (15:40 +0200)]
lib: drop `UNUSED_PARAM` macro
Added in 2011, but has seen little use in the code. The necessary
compiler feature is missing in some compilers (e.g. MSVC), thus in most
places the portable `(void)` cast is used in addition.
Also:
- vtls/rustls: silence unused argument warning with `(void)`.
Necessary for MSVC, for example.
Stefan Eissing [Tue, 2 Sep 2025 13:16:21 +0000 (15:16 +0200)]
multi: limit-rate revisited
Tweaks around handling of --limit-rate:
* tracing: trace outstanding timeouts by name
* multi: do not mark transfer as dirty that have
an EXPIRE_TOOFAST set
* multi: have one static function to asses speed limits
* multi: when setting EXPIRE_TOOFAST remove the transfers
from the dirty set
* progress: rename vars and comment on how speed limit
timeouts are calculated, for clarity
* transfer: when speed limiting, exit the receive loop
after a quarter of the limit has been received, not
on the first chunk received.
* cf-ip-happy.c: clear EXPIRE_HAPPY_EYEBALLS on connect
* scorecard: add --limit-rate parameter to test with
speed limits in effect
David Zhuang [Wed, 3 Sep 2025 00:28:21 +0000 (17:28 -0700)]
http: do the cookie list access under lock
A previous refactor of cookie logic changed Curl_cookie_getlist to no
longer return a list of copied cookies, but instead return a linked list
pointing to existing cookies. The returned linked list is accessed
outside of the scope of the cookie share lock in http_cookies, which
leads to issues if the shared cookie list is modified at the same time.
This is the relevant commit: be39ed1
Daniel Stenberg [Wed, 3 Sep 2025 07:52:36 +0000 (09:52 +0200)]
tool_getparam: warn on more unicode prefixes
If a string argument is expected and the first two bytes are 0xe2 ex80
and the third has the 7th bit set, that's enough for curl to warn.
Previously we tried to detect and warn only for the unicode double
quote, but users might use single quotes, other quotes or even lead the
argument with one of the "zero widths" characters. This is an attempt to
detect many of those. Without triggering for "normal" IDN hostnames.
Jay Satiro [Wed, 27 Aug 2025 07:35:01 +0000 (03:35 -0400)]
projects: fix Windows project 'clean' function
- Fix generate.bat "-clean" option.
- Change version template substitutes to match old files, eg go back to
using format version "11.00" instead of "11.0".
- Limit the vcxproj filters file types that are filtered to c, h, rc.
- Get rid of the tmpl extension from template files and add a README
to the tmpl directory explaining the purpose of the files.
- gitignore VCxx directories entirely rather than individual file types.
- Do not remove the VC directories during clean, instead remove just the
generated project files.
Removing the VC directories has the unwanted behavior of removing files
other than those generated. Visual Studio will generate its own
preference files (like if you have some debug arguments in your .suo)
and those files sit in the VC directories. We ignore those files since
they are the user's files and should not be deleted. Also the user may
have their own untracked files that we shouldn't be deleting.
Follow-up to 57d349fe which consolidated the project templates.
Assisted-by: Viktor Szakats
Closes https://github.com/curl/curl/pull/18412
Daniel Stenberg [Mon, 1 Sep 2025 14:36:53 +0000 (16:36 +0200)]
parsedate: make Curl_getdate_capped able to return epoch
By returning error separately on parse errors and avoiding magic
numbers, this function can now return 0 or -1 as proper dates when such
a date string is provided.
Stefan Eissing [Fri, 29 Aug 2025 15:38:45 +0000 (17:38 +0200)]
aws-lc: do not use large buffer
test_10_08, uploading larger files for a h2 proxy, sporadically fails
with a decrpytion error on received data in AWS-LC. The frequency can
be increased by simulated network receive blocks.
Not setting a 4 * TLS record sized buffer, leaving AWS-LC at its
default buffer size seems to mitigate this problem.
XCas13 [Fri, 29 Aug 2025 09:52:25 +0000 (13:52 +0400)]
ngtcp2: handshake timeout should be equal to --connect-timeout
Default timeout is hardcoded (10 seconds) and doesn't respect
--connect-timeout parameter. In some cases 10 seconds can be not enough
or too long to "establish a connection". Moreover the non-working
--connect-timeout parameter for http3 is confusing. This change makes
the handshake timeout equal to --connect-timeout, if it's set.
Discussion is here https://github.com/curl/curl/discussions/18427
Viktor Szakats [Thu, 28 Aug 2025 20:36:47 +0000 (22:36 +0200)]
GHA/windows: fix perl 5.40.3 bump fallout with custom-built modules
Perl got bumped from 5.38.4 to 5.40.3. The new version crashes when
loading the `Win32::Process*` modules built and cached in CI. The build
job uses Perl 5.38.4.
To avoid the crash, include the Perl version (hashed) in the cache key,
so that it's only loaded when the Perl version matches.
This solution is imperfect, because some of the jobs will not use the
Perl modules in transition periods, when different jobs use different
Perl versions. Anyway, can't think of a better one for now. Another
option is to drop the effort with these modules. After all they did not
help with crashes and hangs, nor with performance. While adding quite
a bit of CI complexity.
Also:
- test early if the modules load and log the result.
It's causing false-positives with clang-tidy v21, in cases in system
headers (seen in `FD_ISSET()` with macOS SDK). In some cases in
tests/server, there was no distinct source line that was triggering it.
Example:
```
/Applications/Xcode_16.4.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX15.5.sdk/usr/include/sys/_types/_fd_def.h:83:10: error: Potential out of bound access to 'fds_read.fds_bits' with tainted index [clang-analyzer-security.ArrayBound,-warnings-as-errors]
83 | return _p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] & ((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS)));
| ^
[...]
/Users/runner/work/curl/curl/tests/server/socksd.c:679:5: note: Taking false branch
679 | if(rc < 0) {
| ^
```
Daniel Stenberg [Thu, 28 Aug 2025 09:42:49 +0000 (11:42 +0200)]
cookie: simplifications
- add Curl_secure_context(), to have it determined in a single place.
- tweak the Curl_cookie_getlist() proto. Move some logic into the
function - at is only called in a single place. Instead of forcing the
caller to do it.
Stefan Eissing [Mon, 18 Aug 2025 15:12:35 +0000 (17:12 +0200)]
websocket: improve handling of 0-len frames
Write out 9-length frames to client's WRITEFUNCTION
Read 0-length frames from READFUNCTION *if* the function
started a new frame via `curl_ws_start_frame()`.
Viktor Szakats [Wed, 27 Aug 2025 14:23:58 +0000 (16:23 +0200)]
HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility
Applied the same workaround to the build examples as used earlier in CI.
That is, drop `<path> from `--with-ngtcp2=<path>` and configure env
`PKG_CONFIG_PATH` instead.
Jay Satiro [Fri, 1 Aug 2025 07:57:12 +0000 (03:57 -0400)]
schannel: fix renegotiation
- Move the schannel_recv renegotiation code to function
schannel_recv_renegotiate.
- Save the state of a pending renegotiation.
- Pre-empt schannel_recv and schannel_send to continue a pending
renegotation.
- Partially block during renegotiation if necessary.
Prior to this change, since a1850ad7 (precedes 8.13.0), schannel_recv
did not properly complete renegotiation before attempting to decrypt
data. In some cases that could cause an error SEC_E_CONTEXT_EXPIRED.
Most of the time though DecryptMessage would succeed by chance and
return SEC_I_RENEGOTIATE which allowed the renegotiation to continue.
Reported-by: stephannn@users.noreply.github.com Reported-by: Dustin L. Howett
Fixes https://github.com/curl/curl/issues/18029
Closes https://github.com/curl/curl/pull/18125
Viktor Szakats [Thu, 14 Aug 2025 21:43:34 +0000 (23:43 +0200)]
GHA/linux: build `-O3` job with unity batches to save 10-15s
Before (build, test run):
https://github.com/curl/curl/actions/runs/16974205126/job/48118716664 25s, 12m56
https://github.com/curl/curl/actions/runs/16973102133/job/48114977897 24s, 12m51
After, with batch size 50 (build, test run):
https://github.com/curl/curl/actions/runs/17250901063/job/48952645881?pr=18293 16s, 12m51
https://github.com/curl/curl/actions/runs/17250901063/job/48953665204?pr=18293 17s, 12m42
Daniel Stenberg [Tue, 26 Aug 2025 14:03:24 +0000 (16:03 +0200)]
ftp: simplify
- Avoid checking what's always true. The ftpcode pointer is always
passed in, so use it.
- Simplified an indent level somewhat
- Split out two functions from the state machine
projects / thirdparty / curl.git / log
