quickjs-tart

quickjs-based runtime for wallet-core logic

TODO (49834B)


      1                                   _   _ ____  _
      2                               ___| | | |  _ \| |
      3                              / __| | | | |_) | |
      4                             | (__| |_| |  _ <| |___
      5                              \___|\___/|_| \_\_____|
      6 
      7                 Things that could be nice to do in the future
      8 
      9  Things to do in project curl. Please tell us what you think, contribute and
     10  send us patches that improve things.
     11 
     12  Be aware that these are things that we could do, or have once been considered
     13  things we could do. If you want to work on any of these areas, please
     14  consider bringing it up for discussions first on the mailing list so that we
     15  all agree it is still a good idea for the project.
     16 
     17  All bugs documented in the KNOWN_BUGS document are subject for fixing.
     18 
     19  1. libcurl
     20  1.1 TFO support on Windows
     21  1.2 Consult %APPDATA% also for .netrc
     22  1.3 struct lifreq
     23  1.4 alt-svc sharing
     24  1.5 get rid of PATH_MAX
     25  1.6 thread-safe sharing
     26  1.8 CURLOPT_RESOLVE for any port number
     27  1.9 Cache negative name resolves
     28  1.10 auto-detect proxy
     29  1.11 minimize dependencies with dynamically loaded modules
     30  1.12 updated DNS server while running
     31  1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
     32  1.14 connect to multiple IPs in parallel
     33  1.15 Monitor connections in the connection pool
     34  1.16 Try to URL encode given URL
     35  1.17 Add support for IRIs
     36  1.18 try next proxy if one does not work
     37  1.19 provide timing info for each redirect
     38  1.20 SRV and URI DNS records
     39  1.21 netrc caching and sharing
     40  1.22 CURLINFO_PAUSE_STATE
     41  1.23 Offer API to flush the connection pool
     42  1.25 Expose tried IP addresses that failed
     43  1.28 FD_CLOEXEC
     44  1.29 WebSocket read callback
     45  1.30 config file parsing
     46  1.31 erase secrets from heap/stack after use
     47  1.32 add asynch getaddrinfo support
     48  1.33 make DoH inherit more transfer properties
     49 
     50  2. libcurl - multi interface
     51  2.1 More non-blocking
     52  2.2 Better support for same name resolves
     53  2.3 Non-blocking curl_multi_remove_handle()
     54  2.4 Split connect and authentication process
     55  2.5 Edge-triggered sockets should work
     56  2.6 multi upkeep
     57  2.7 Virtual external sockets
     58  2.8 dynamically decide to use socketpair
     59 
     60  3. Documentation
     61  3.1 Improve documentation about fork safety
     62 
     63  4. FTP
     64  4.1 HOST
     65  4.6 GSSAPI via Windows SSPI
     66  4.7 STAT for LIST without data connection
     67  4.8 Passive transfer could try other IP addresses
     68 
     69  5. HTTP
     70  5.1 Provide the error body from a CONNECT response
     71  5.2 Obey Retry-After in redirects
     72  5.3 Rearrange request header order
     73  5.4 Allow SAN names in HTTP/2 server push
     74  5.5 auth= in URLs
     75  5.6 alt-svc should fallback if alt-svc does not work
     76  5.7 Require HTTP version X or higher
     77 
     78  6. TELNET
     79  6.1 ditch stdin
     80  6.2 ditch telnet-specific select
     81  6.3 feature negotiation debug data
     82  6.4 exit immediately upon connection if stdin is /dev/null
     83 
     84  7. SMTP
     85  7.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT
     86  7.2 Enhanced capability support
     87  7.3 Add CURLOPT_MAIL_CLIENT option
     88 
     89  8. POP3
     90  8.2 Enhanced capability support
     91 
     92  9. IMAP
     93  9.1 Enhanced capability support
     94 
     95  10. LDAP
     96  10.1 SASL based authentication mechanisms
     97  10.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS
     98  10.3 Paged searches on LDAP server
     99  10.4 Certificate-Based Authentication
    100 
    101  11. SMB
    102  11.1 File listing support
    103  11.2 Honor file timestamps
    104  11.3 Use NTLMv2
    105  11.4 Create remote directories
    106 
    107  12. FILE
    108  12.1 Directory listing on non-POSIX
    109 
    110  13. TLS
    111  13.1 TLS-PSK with OpenSSL
    112  13.2 TLS channel binding
    113  13.3 Defeat TLS fingerprinting
    114  13.4 Consider OCSP stapling by default
    115  13.5 Export session ids
    116  13.6 Provide callback for cert verification
    117  13.7 Less memory massaging with Schannel
    118  13.8 Support DANE
    119  13.9 TLS record padding
    120  13.10 Support Authority Information Access certificate extension (AIA)
    121  13.11 Some TLS options are not offered for HTTPS proxies
    122  13.13 Make sure we forbid TLS 1.3 post-handshake authentication
    123  13.14 Support the clienthello extension
    124  13.16 Share the CA cache
    125  13.17 Add missing features to TLS backends
    126 
    127  14. Proxy
    128  14.1 Retry SOCKS handshake on address type not supported
    129 
    130  15. Schannel
    131  15.1 Extend support for client certificate authentication
    132  15.2 Extend support for the --ciphers option
    133  15.4 Add option to allow abrupt server closure
    134 
    135  16. SASL
    136  16.1 Other authentication mechanisms
    137  16.2 Add QOP support to GSSAPI authentication
    138 
    139  17. SSH protocols
    140  17.1 Multiplexing
    141  17.2 Handle growing SFTP files
    142  17.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519
    143  17.4 Support CURLOPT_PREQUOTE
    144  17.5 SSH over HTTPS proxy with more backends
    145  17.6 SFTP with SCP://
    146 
    147  18. Command line tool
    148  18.1 sync
    149  18.2 glob posts
    150  18.4 --proxycommand
    151  18.5 UTF-8 filenames in Content-Disposition
    152  18.6 Option to make -Z merge lined based outputs on stdout
    153  18.7 specify which response codes that make -f/--fail return error
    154  18.9 Choose the name of file in braces for complex URLs
    155  18.10 improve how curl works in a Windows console window
    156  18.11 Windows: set attribute 'archive' for completed downloads
    157  18.12 keep running, read instructions from pipe/socket
    158  18.13 Acknowledge Ratelimit headers
    159  18.14 --dry-run
    160  18.15 --retry should resume
    161  18.17 consider filename from the redirected URL with -O ?
    162  18.18 retry on network is unreachable
    163  18.19 expand ~/ in config files
    164  18.20 hostname sections in config files
    165  18.21 retry on the redirected-to URL
    166  18.23 Set the modification date on an uploaded file
    167  18.24 Use multiple parallel transfers for a single download
    168  18.25 Prevent terminal injection when writing to terminal
    169  18.26 Custom progress meter update interval
    170  18.27 -J and -O with %-encoded filenames
    171  18.28 -J with -C -
    172  18.29 --retry and transfer timeouts
    173 
    174  19. Build
    175  19.2 Enable PIE and RELRO by default
    176  19.3 Do not use GNU libtool on OpenBSD
    177  19.4 Package curl for Windows in a signed installer
    178  19.5 make configure use --cache-file more and better
    179 
    180  20. Test suite
    181  20.1 SSL tunnel
    182  20.2 more protocols supported
    183  20.3 more platforms supported
    184  20.4 write an SMB test server to replace impacket
    185  20.5 Use the RFC 6265 test suite
    186  20.6 Run web-platform-tests URL tests
    187 
    188  21. MQTT
    189  21.1 Support rate-limiting
    190  21.2 Support MQTTS
    191  21.3 Handle network blocks
    192 
    193  22. TFTP
    194  22.1 TFTP does not convert LF to CRLF for mode=netascii
    195 
    196  23. Gopher
    197  23.1 Handle network blocks
    198 
    199 ==============================================================================
    200 
    201 1. libcurl
    202 
    203 1.1 TFO support on Windows
    204 
    205  libcurl supports the CURLOPT_TCP_FASTOPEN option since 7.49.0 for Linux and
    206  macOS. Windows supports TCP Fast Open starting with Windows 10, version 1607
    207  and we should add support for it.
    208 
    209  TCP Fast Open is supported on several platforms but not on Windows. Work on
    210  this was once started but never finished.
    211 
    212  See https://github.com/curl/curl/pull/3378
    213 
    214 1.2 Consult %APPDATA% also for .netrc
    215 
    216  %APPDATA%\.netrc is not considered when running on Windows. Should it not be?
    217 
    218  See https://github.com/curl/curl/issues/4016
    219 
    220 1.3 struct lifreq
    221 
    222  Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and
    223  SIOCGIFADDR on newer Solaris versions as they claim the latter is obsolete.
    224  This is to support IPv6 interface addresses for network interfaces properly.
    225 
    226 1.4 alt-svc sharing
    227 
    228  The share interface could benefit from allowing the alt-svc cache to be
    229  shared between easy handles.
    230 
    231  See https://github.com/curl/curl/issues/4476
    232 
    233  The share interface offers CURL_LOCK_DATA_CONNECT to have multiple easy
    234  handles share a connection cache, but due to how connections are used they
    235  are still not thread-safe when shared.
    236 
    237  See https://github.com/curl/curl/issues/4915 and lib1541.c
    238 
    239  The share interface offers CURL_LOCK_DATA_HSTS to have multiple easy handles
    240  share an HSTS cache, but this is not thread-safe.
    241 
    242 1.5 get rid of PATH_MAX
    243 
    244  Having code use and rely on PATH_MAX is not nice:
    245  https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html
    246 
    247  Currently the libssh2 SSH based code uses it, but to remove PATH_MAX from
    248  there we need libssh2 to properly tell us when we pass in a too small buffer
    249  and its current API (as of libssh2 1.2.7) does not.
    250 
    251 1.6 thread-safe sharing
    252 
    253  Using the share interface users can share some data between easy handles but
    254  several of the sharing options are documented as not safe and supported to
    255  share between multiple concurrent threads. Fixing this would enable more
    256  users to share data in more powerful ways.
    257 
    258 1.8 CURLOPT_RESOLVE for any port number
    259 
    260  This option allows applications to set a replacement IP address for a given
    261  host + port pair. Consider making support for providing a replacement address
    262  for the hostname on all port numbers.
    263 
    264  See https://github.com/curl/curl/issues/1264
    265 
    266 1.9 Cache negative name resolves
    267 
    268  A name resolve that has failed is likely to fail when made again within a
    269  short period of time. Currently we only cache positive responses.
    270 
    271 1.10 auto-detect proxy
    272 
    273  libcurl could be made to detect the system proxy setup automatically and use
    274  that. On Windows, macOS and Linux desktops for example.
    275 
    276  The pull-request to use libproxy for this was deferred due to doubts on the
    277  reliability of the dependency and how to use it:
    278  https://github.com/curl/curl/pull/977
    279 
    280  libdetectproxy is a (C++) library for detecting the proxy on Windows
    281  https://github.com/paulharris/libdetectproxy
    282 
    283 1.11 minimize dependencies with dynamically loaded modules
    284 
    285  We can create a system with loadable modules/plug-ins, where these modules
    286  would be the ones that link to 3rd party libs. That would allow us to avoid
    287  having to load ALL dependencies since only the necessary ones for this
    288  app/invoke/used protocols would be necessary to load. See
    289  https://github.com/curl/curl/issues/349
    290 
    291 1.12 updated DNS server while running
    292 
    293  If /etc/resolv.conf gets updated while a program using libcurl is running, it
    294  may cause name resolves to fail unless res_init() is called. We should
    295  consider calling res_init() + retry once unconditionally on all name resolve
    296  failures to mitigate against this. Firefox works like that. Note that Windows
    297  does not have res_init() or an alternative.
    298 
    299  https://github.com/curl/curl/issues/2251
    300 
    301 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
    302 
    303  curl creates most sockets via the CURLOPT_OPENSOCKETFUNCTION callback and
    304  closes them with the CURLOPT_CLOSESOCKETFUNCTION callback. However, c-ares
    305  does not use those functions and instead opens and closes the sockets itself.
    306  This means that when curl passes the c-ares socket to the
    307  CURLMOPT_SOCKETFUNCTION it is not owned by the application like other
    308  sockets.
    309 
    310  See https://github.com/curl/curl/issues/2734
    311 
    312 1.14 connect to multiple IPs in parallel
    313 
    314  curl currently implements the Happy Eyeballs algorithm for connecting to the
    315  IPv4 and IPv6 alternatives for a host in parallel, sticking with the
    316  connection that "wins". We could implement a similar algorithm per individual
    317  IP family as well when there are multiple available addresses: start with the
    318  first address, then start a second attempt N milliseconds after and then a
    319  third another N milliseconds later. That way there would be less waiting when
    320  the first IP has problems. It also improves the connection timeout value
    321  handling for multiple address situations.
    322 
    323 1.15 Monitor connections in the connection pool
    324 
    325  libcurl's connection cache or pool holds a number of open connections for the
    326  purpose of possible subsequent connection reuse. It may contain anything
    327  from a few to a significant number of connections. Currently, libcurl leaves
    328  all connections as they are, and only when a connection is iterated over for
    329  matching or reuse is it verified to still be alive.
    330 
    331  Those connections may get closed by the server side for idleness or they may
    332  get an HTTP/2 ping from the peer to verify that they are still alive. By
    333  adding monitoring of the connections while in the pool, libcurl can detect
    334  dead connections (and close them) better and earlier, and it can handle
    335  HTTP/2 pings to keep such ones alive even when not actively doing transfers
    336  on them.
    337 
    338 1.16 Try to URL encode given URL
    339 
    340  Given a URL that for example contains spaces, libcurl could have an option
    341  that would try somewhat harder than it does now and convert spaces to %20 and
    342  perhaps URL encode byte values over 128 etc (basically do what the redirect
    343  following code already does).
    344 
    345  https://github.com/curl/curl/issues/514
    346 
    347 1.17 Add support for IRIs
    348 
    349  IRIs (RFC 3987) allow localized, non-ASCII, names in the URL. To properly
    350  support this, curl/libcurl would need to translate/encode the given input
    351  from the input string encoding into percent encoded output "over the wire".
    352 
    353  To make that work smoothly for curl users even on Windows, curl would
    354  probably need to be able to convert from several input encodings.
    355 
    356 1.18 try next proxy if one does not work
    357 
    358  Allow an application to specify a list of proxies to try, and failing to
    359  connect to the first go on and try the next instead until the list is
    360  exhausted. Browsers support this feature at least when they specify proxies
    361  using PACs.
    362 
    363  https://github.com/curl/curl/issues/896
    364 
    365 1.19 provide timing info for each redirect
    366 
    367  curl and libcurl provide timing information via a set of different
    368  time-stamps (CURLINFO_*_TIME). When curl is following redirects, those
    369  returned time values are the accumulated sums. An improvement could be to
    370  offer separate timings for each redirect.
    371 
    372  https://github.com/curl/curl/issues/6743
    373 
    374 1.20 SRV and URI DNS records
    375 
    376  Offer support for resolving SRV and URI DNS records for libcurl to know which
    377  server to connect to for various protocols (including HTTP).
    378 
    379 1.21 netrc caching and sharing
    380 
    381  The netrc file is read and parsed each time a connection is set up, which
    382  means that if a transfer needs multiple connections for authentication or
    383  redirects, the file might be reread (and parsed) multiple times. This makes
    384  it impossible to provide the file as a pipe.
    385 
    386 1.22 CURLINFO_PAUSE_STATE
    387 
    388  Return information about the transfer's current pause state, in both
    389  directions. https://github.com/curl/curl/issues/2588
    390 
    391 1.23 Offer API to flush the connection pool
    392 
    393  Sometimes applications want to flush all the existing connections kept alive.
    394  An API could allow a forced flush or just a forced loop that would properly
    395  close all connections that have been closed by the server already.
    396 
    397 1.25 Expose tried IP addresses that failed
    398 
    399  When libcurl fails to connect to a host, it could offer the application the
    400  addresses that were used in the attempt. Source + dest IP, source + dest port
    401  and protocol (UDP or TCP) for each failure. Possibly as a callback. Perhaps
    402  also provide "reason".
    403 
    404  https://github.com/curl/curl/issues/2126
    405 
    406 1.28 FD_CLOEXEC
    407 
    408  It sets the close-on-exec flag for the file descriptor, which causes the file
    409  descriptor to be automatically (and atomically) closed when any of the
    410  exec-family functions succeed. Should probably be set by default?
    411 
    412  https://github.com/curl/curl/issues/2252
    413 
    414 1.29 WebSocket read callback
    415 
    416  Call the read callback once the connection is established to allow sending
    417  the first message in the connection.
    418 
    419  https://github.com/curl/curl/issues/11402
    420 
    421 1.30 config file parsing
    422 
    423  Consider providing an API, possibly in a separate companion library, for
    424  parsing a config file like curl's -K/--config option to allow applications to
    425  get the same ability to read curl options from files.
    426 
    427  See https://github.com/curl/curl/issues/3698
    428 
    429 1.31 erase secrets from heap/stack after use
    430 
    431  Introducing a concept and system to erase secrets from memory after use
    432  could help mitigate and lessen the impact of (future) security problems etc.
    433  However: most secrets are passed to libcurl as clear text from the
    434  application and then clearing them within the library adds nothing...
    435 
    436  https://github.com/curl/curl/issues/7268
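
Added example (not curl code): a C sketch of the trade-off described in 1.31, using a wipe routine the compiler cannot optimize away and showing that wiping the library's copy leaves the caller's clear-text copy intact. struct demo_handle and the demo_* and secret_wipe names are hypothetical; the volatile function pointer is one common technique, and explicit_bzero() or memset_s() are preferable where available.

```c
/* Added illustration, not part of curl. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Calling memset() through a volatile function pointer stops the
 * compiler from proving the store dead and removing it. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

static void secret_wipe(void *buf, size_t len)
{
  if(buf && len)
    memset_ptr(buf, 0, len);
}

/* Stand-in for a library handle that keeps its own copy of a secret. */
struct demo_handle {
  char *password;
  size_t password_len;  /* length without the terminating zero */
};

/* Store a private copy of `pw`, wiping any previous one first.
 * Returns 0 on success, -1 on allocation failure. */
static int demo_set_password(struct demo_handle *h, const char *pw)
{
  size_t len = strlen(pw);
  char *copy = malloc(len + 1);
  if(!copy)
    return -1;
  memcpy(copy, pw, len + 1);
  if(h->password) {
    secret_wipe(h->password, h->password_len);
    free(h->password);
  }
  h->password = copy;
  h->password_len = len;
  return 0;
}

/* Zero the library-side copy but keep the allocation. */
static void demo_wipe(struct demo_handle *h)
{
  secret_wipe(h->password, h->password_len);
}

/* Wipe before free so the bytes do not linger in recycled heap memory. */
static void demo_cleanup(struct demo_handle *h)
{
  demo_wipe(h);
  free(h->password);
  h->password = NULL;
  h->password_len = 0;
}

/* Returns 1 if every byte in the buffer is zero. */
static int all_zero(const void *buf, size_t len)
{
  const unsigned char *p = buf;
  size_t i;
  for(i = 0; i < len; i++)
    if(p[i])
      return 0;
  return 1;
}

int main(void)
{
  char app_pw[] = "constructed-secret";  /* constructed sample value */
  struct demo_handle h = { NULL, 0 };

  if(demo_set_password(&h, app_pw))
    return 1;
  demo_wipe(&h);
  printf("library copy wiped: %d\n", all_zero(h.password, h.password_len));
  /* The caveat from the text: the application still holds the secret. */
  printf("application copy still readable: %d\n",
         strcmp(app_pw, "constructed-secret") == 0);
  secret_wipe(app_pw, sizeof(app_pw));  /* the caller must do its part */
  printf("application copy wiped: %d\n", all_zero(app_pw, sizeof(app_pw)));
  demo_cleanup(&h);
  return 0;
}
```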
    437 
    438 1.32 add asynch getaddrinfo support
    439 
    440  Use getaddrinfo_a() to provide an asynch name resolver backend to libcurl
    441  that does not use threads and does not depend on c-ares. The getaddrinfo_a
    442  function is (probably?) glibc specific but that is a widely used libc among
    443  our users.
    444 
    445  https://github.com/curl/curl/pull/6746
    446 
    447 1.33 make DoH inherit more transfer properties
    448 
    449  Some options are not inherited because they are not relevant for the DoH SSL
    450  connections, or inheriting the option may result in unexpected behavior. For
    451  example the user's debug function callback is not inherited because it would
    452  be unexpected for internal handles (i.e. DoH handles) to be passed to that
    453  callback.
    454 
    455  If an option is not inherited then it is not possible to set it separately
    456  for DoH without a DoH-specific option. For example:
    457  CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
    458  CURLOPT_DOH_SSL_VERIFYSTATUS.
    459 
    460  See https://github.com/curl/curl/issues/6605
    461 
    462 2. libcurl - multi interface
    463 
    464 2.1 More non-blocking
    465 
    466  Make sure we do not ever loop because of non-blocking sockets returning
    467  EWOULDBLOCK or similar. Blocking cases include:
    468 
    469  - Name resolves on non-Windows unless c-ares or the threaded resolver is used.
    470 
    471  - The threaded resolver may block on cleanup:
    472  https://github.com/curl/curl/issues/4852
    473 
    474  - file:// transfers
    475 
    476  - TELNET transfers
    477 
    478  - GSSAPI authentication for FTP transfers
    479 
    480  - The "DONE" operation (post transfer protocol-specific actions) for the
    481  protocols SFTP, SMTP, FTP. Fixing multi_done() for this is a worthy task.
    482 
    483  - curl_multi_remove_handle for any of the above. See section 2.3.
    484 
    485  - Calling curl_ws_send() from a callback
    486 
    487 2.2 Better support for same name resolves
    488 
    489  If a name resolve has been initiated for name NN and a second easy handle
    490  wants to resolve that name as well, make it wait for the first resolve to end
    491  up in the cache instead of doing a second separate resolve. This is
    492  especially needed when adding many simultaneous handles using the same host
    493  name when the DNS resolver can get flooded.
    494 
    495 2.3 Non-blocking curl_multi_remove_handle()
    496 
    497  The multi interface has a few API calls that assume a blocking behavior, like
    498  add_handle() and remove_handle() which limits what we can do internally. The
    499  multi API needs to be moved even more into a single function that "drives"
    500  everything in a non-blocking manner and signals when something is done. A
    501  remove or add would then only ask for the action to get started and then
    502  multi_perform() etc would still be called until the add/remove is completed.
    503 
    504 2.4 Split connect and authentication process
    505 
    506  The multi interface treats the authentication process as part of the connect
    507  phase. As such any failures during authentication do not trigger the
    508  relevant QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP.
    509 
    510 2.5 Edge-triggered sockets should work
    511 
    512  The multi_socket API should work with edge-triggered socket events. One of
    513  the internal actions that need to be improved for this to work perfectly is
    514  the 'maxloops' handling in transfer.c:readwrite_data().
    515 
    516 2.6 multi upkeep
    517 
    518  In libcurl 7.62.0 we introduced curl_easy_upkeep. It unfortunately only works
    519  on easy handles. We should introduce a version of that for the multi handle,
    520  and also consider doing "upkeep" automatically on connections in the
    521  connection pool when the multi handle is in use.
    522 
    523  See https://github.com/curl/curl/issues/3199
    524 
    525 2.7 Virtual external sockets
    526 
    527  libcurl performs operations on the given file descriptor that presume it is
    528  a socket and an application cannot replace them at the moment. Allowing an
    529  application to fully replace those would allow a larger degree of freedom and
    530  flexibility.
    531 
    532  See https://github.com/curl/curl/issues/5835
    533 
    534 2.8 dynamically decide to use socketpair
    535 
    536  For users who do not use curl_multi_wait() or do not care for
    537  curl_multi_wakeup(), we could introduce a way to make libcurl NOT
    538  create a socketpair in the multi handle.
    539 
    540  See https://github.com/curl/curl/issues/4829
    541 
    542 3. Documentation
    543 
    544 3.1 Improve documentation about fork safety
    545 
    546  See https://github.com/curl/curl/issues/6968
    547 
    548 4. FTP
    549 
    550 4.1 HOST
    551 
    552  HOST is a command for a client to tell which hostname to use, to offer FTP
    553  servers name-based virtual hosting:
    554 
    555  https://datatracker.ietf.org/doc/html/rfc7151
    556 
    557 4.6 GSSAPI via Windows SSPI
    558 
    559  In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5)
    560  via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add
    561  support for GSSAPI authentication via Windows SSPI.
    562 
    563 4.7 STAT for LIST without data connection
    564 
    565  Some FTP servers allow STAT for listing directories instead of using LIST,
    566  and the response is then sent over the control connection instead of as the
    567  otherwise used data connection: https://www.nsftools.com/tips/RawFTP.htm#STAT
    568 
    569  This is not detailed in any FTP specification.
    570 
    571 4.8 Passive transfer could try other IP addresses
    572 
    573  When doing FTP operations through a proxy at localhost, the reporter spotted
    574  that curl only tried to connect once to the proxy, while it had multiple
    575  addresses and a failed connect on one address should make it try the next.
    576 
    577  After switching to passive mode (EPSV), curl could try all IP addresses for
    578  "localhost". Currently it tries ::1, but it should also try 127.0.0.1.
    579 
    580  See https://github.com/curl/curl/issues/1508
    581 
    582 5. HTTP
    583 
    584 5.1 Provide the error body from a CONNECT response
    585 
    586  When curl receives a body response from a CONNECT request to a proxy, it
    587  always just reads and ignores it. It would make some users happy if curl
    588  instead optionally would be able to make that response available. Via a
    589  new callback? Through some other means?
    590 
    591  See https://github.com/curl/curl/issues/9513
    592 
    593 5.2 Obey Retry-After in redirects
    594 
    595  The Retry-After is said to dictate "the minimum time that the user agent is
    596  asked to wait before issuing the redirected request" and libcurl does not
    597  obey this.
    598 
    599  See https://github.com/curl/curl/issues/11447
    600 
    601 5.3 Rearrange request header order
    602 
    603  Server implementers often make an effort to detect browsers and to reject
    604  clients they can detect do not match. One of the last details we cannot yet
    605  control in libcurl's HTTP requests, which also can be exploited to detect
    606  that libcurl is in fact used even when it tries to impersonate a browser, is
    607  the order of the request headers. I propose that we introduce a new option in
    608  which you give headers a value, and then when the HTTP request is built it
    609  sorts the headers based on that number. We could then have internally created
    610  headers use a default value so only headers that need to be moved have to be
    611  specified.
    612 
    613 5.4 Allow SAN names in HTTP/2 server push
    614 
    615  curl only allows HTTP/2 push promise if the provided :authority header value
    616  exactly matches the hostname given in the URL. It could be extended to allow
    617  any name that would match the Subject Alternative Names in the server's TLS
    618  certificate.
    619 
    620  See https://github.com/curl/curl/pull/3581
    621 
    622 5.5 auth= in URLs
    623 
    624  Add the ability to specify the preferred authentication mechanism to use by
    625  using ;auth=<mech> in the login part of the URL.
    626 
    627  For example:
    628 
    629  http://test:pass;auth=NTLM@example.com would be equivalent to specifying
    630  --user test:pass;auth=NTLM or --user test:pass --ntlm from the command line.
    631 
    632  Additionally this should be implemented for proxy base URLs as well.
    633 
    634 5.6 alt-svc should fallback if alt-svc does not work
    635 
    636  The alt-svc: header provides a set of alternative services for curl to use
    637  instead of the original. If the first attempted one fails, it should try the
    638  next etc and if all alternatives fail go back to the original.
    639 
    640  See https://github.com/curl/curl/issues/4908
    641 
    642 5.7 Require HTTP version X or higher
    643 
    644  curl and libcurl provide options for trying higher HTTP versions (for example
    645  HTTP/2) but then still allow the server to pick version 1.1. We could
    646  consider adding a way to require a minimum version.
    647 
    648  See https://github.com/curl/curl/issues/7980
    649 
    650 6. TELNET
    651 
    652 6.1 ditch stdin
    653 
    654  Reading input (to send to the remote server) on stdin is a crappy solution
    655  for library purposes. We need to invent a good way for the application to be
    656  able to provide the data to send.
    657 
    658 6.2 ditch telnet-specific select
    659 
    660  Make the telnet support's network select() loop go away and merge the code
    661  into the main transfer loop. Until this is done, the multi interface does not
    662  work for telnet.
    663 
    664 6.3 feature negotiation debug data
    665 
    666  Add telnet feature negotiation data to the debug callback as header data.
    667 
    668 6.4 exit immediately upon connection if stdin is /dev/null
    669 
    670  If it did, curl could be used to probe if there is a server there listening
    671  on a specific port. That is, the following command would exit immediately
    672  after the connection is established with exit code 0:
    673 
    674     curl -s --connect-timeout 2 telnet://example.com:80 </dev/null
    675 
    676 7. SMTP
    677 
    678 7.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT
    679 
    680  Is there a way to pass the NOTIFY option to the CURLOPT_MAIL_RCPT option? I
    681  set a string that already contains a bracket. For instance something like
    682  that: curl_slist_append( recipients, "<foo@bar> NOTIFY=SUCCESS,FAILURE" );
    683 
    684  https://github.com/curl/curl/issues/8232
    685 
    686 7.2 Enhanced capability support
    687 
    688  Add the ability, for an application that uses libcurl, to obtain the list of
    689  capabilities returned from the EHLO command.
    690 
    691 7.3 Add CURLOPT_MAIL_CLIENT option
    692 
    693  Rather than use the URL to specify the mail client string to present in the
    694  HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
    695  specifying this data as the URL is non-standard and to be honest a bit of a
    696  hack ;-)
    697 
    698  Please see the following thread for more information:
    699  https://curl.se/mail/lib-2012-05/0178.html
    700 
    701 
    702 8. POP3
    703 
    704 8.2 Enhanced capability support
    705 
    706  Add the ability, for an application that uses libcurl, to obtain the list of
    707  capabilities returned from the CAPA command.
    708 
    709 9. IMAP
    710 
    711 9.1 Enhanced capability support
    712 
    713  Add the ability, for an application that uses libcurl, to obtain the list of
    714  capabilities returned from the CAPABILITY command.
    715 
    716 10. LDAP
    717 
    718 10.1 SASL based authentication mechanisms
    719 
    720  Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
    721  to an LDAP server. However, this function sends username and password details
    722  using the simple authentication mechanism (as clear text). It should
    723  be possible to use ldap_bind_s() instead, specifying the security context
    724  information ourselves.
    725 
    726 10.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS
    727 
    728  CURLOPT_SSL_CTX_FUNCTION works perfectly for HTTPS and email protocols, but
    729  it has no effect for LDAPS connections.
    730 
    731  https://github.com/curl/curl/issues/4108
    732 
    733 10.3 Paged searches on LDAP server
    734 
    735  https://github.com/curl/curl/issues/4452
    736 
    737 10.4 Certificate-Based Authentication
    738 
    739  LDAPS with Certificate-Based Authentication is not possible on macOS and Windows.
    740 
    741  https://github.com/curl/curl/issues/9641
    742 
    743 11. SMB
    744 
    745 11.1 File listing support
    746 
    747  Add support for listing the contents of an SMB share. The output should
    748  probably be the same as/similar to FTP.
    749 
    750 11.2 Honor file timestamps
    751 
    752  The timestamp of the transferred file should reflect that of the original
    753  file.
    754 
    755 11.3 Use NTLMv2
    756 
    757  Currently the SMB authentication uses NTLMv1.
    758 
    759 11.4 Create remote directories
    760 
    761  Support for creating remote directories when uploading a file to a directory
    762  that does not exist on the server, just like --ftp-create-dirs.
    763 
    764 
    765 12. FILE
    766 
    767 12.1 Directory listing on non-POSIX
    768 
    769  Listing the contents of a directory accessed with FILE only works on
    770  platforms with opendir. Support could be added for more systems, like
    771  Windows.
    772 
    773 13. TLS
    774 
    775 13.1 TLS-PSK with OpenSSL
    776 
    777  Transport Layer Security pre-shared key ciphersuites (TLS-PSK) is a set of
    778  cryptographic protocols that provide secure communication based on pre-shared
    779  keys (PSKs). These pre-shared keys are symmetric keys shared in advance among
    780  the communicating parties.
    781 
    782  https://github.com/curl/curl/issues/5081
    783 
    784 13.2 TLS channel binding
    785 
    786  TLS 1.2 and 1.3 provide the ability to extract some secret data from the TLS
    787  connection and use it in the client request (usually in some sort of
    788  authentication) to ensure that the data sent is bound to the specific TLS
    789  connection and cannot be successfully intercepted by a proxy. This
    790  functionality can be used in a standard authentication mechanism such as
    791  GSS-API or SCRAM, or in custom approaches like custom HTTP Authentication
    792  headers.
    793 
    794  For TLS 1.2, the binding type is usually tls-unique, and for TLS 1.3 it is
    795  tls-exporter.
    796 
    797  https://datatracker.ietf.org/doc/html/rfc5929
    798  https://datatracker.ietf.org/doc/html/rfc9266
    799  https://github.com/curl/curl/issues/9226
    800 
    801 13.3 Defeat TLS fingerprinting
    802 
    803  By changing the order of TLS extensions provided in the TLS handshake, it is
    804  sometimes possible to circumvent TLS fingerprinting by servers. The TLS
    805  extension order is of course not the only way to fingerprint a client.
    806 
    807 13.4 Consider OCSP stapling by default
    808 
    809  Treat a negative response as a reason for aborting the connection. Since OCSP
    810  stapling is presumed to get used much less in the future when Let's Encrypt
    811  drops the OCSP support, the benefit of this might however be limited.
    812 
    813  https://github.com/curl/curl/issues/15483
    814 
    815 13.5 Export session ids
    816 
    817  Add an interface to libcurl that enables "session IDs" to get
    818  exported/imported. Cris Bailiff said: "OpenSSL has functions which can
    819  serialise the current SSL state to a buffer of your choice, and recover/reset
    820  the state from such a buffer at a later date - this is used by mod_ssl for
    821  apache to implement an SSL session ID cache".
    822 
    823 13.6 Provide callback for cert verification
    824 
    825  OpenSSL supports a callback for customised verification of the peer
    826  certificate, but this does not seem to be exposed in the libcurl APIs. Could
    827  it be? There is so much that could be done if it were.
    828 
    829 13.7 Less memory massaging with Schannel
    830 
    831  The Schannel backend does a lot of custom memory management we would rather
    832  avoid: the repeated alloc + free in sends and the custom memory + realloc
    833  system for encrypted and decrypted data. That should be avoided and reduced
    834  for 1) efficiency and 2) safety.
    835 
    836 13.8 Support DANE
    837 
    838  DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
    839  keys and certs over DNS using DNSSEC as an alternative to the CA model.
    840  https://www.rfc-editor.org/rfc/rfc6698.txt
    841 
    842  An initial patch was posted by Suresh Krishnaswamy on March 7th 2013
    843  (https://curl.se/mail/lib-2013-03/0075.html) but it was too simple an
    844  approach. See Daniel's comments:
    845  https://curl.se/mail/lib-2013-03/0103.html . libunbound may be the
    846  correct library to base this development on.
    847 
    848  Björn Stenberg wrote a separate initial take on DANE that was never
    849  completed.
    850 
    851 13.9 TLS record padding
    852 
    853  TLS (1.3) offers optional record padding and OpenSSL provides an API for it.
    854  It could make sense for libcurl to offer this ability to applications to make
    855  traffic patterns harder to figure out by network traffic observers.
    856 
    857  See https://github.com/curl/curl/issues/5398
    858 
    859 13.10 Support Authority Information Access certificate extension (AIA)
    860 
    861  AIA can provide various things like CRLs but more importantly information
    862  about intermediate CA certificates that can allow the validation path to be
    863  fulfilled when the HTTPS server does not itself provide them.
    864 
    865  Since AIA is about downloading certs on demand to complete a TLS handshake,
    866  it is probably a bit tricky to get done right.
    867 
    868  See https://github.com/curl/curl/issues/2793
    869 
    870 13.11 Some TLS options are not offered for HTTPS proxies
    871 
    872  Some TLS related options to the command line tool and libcurl are only
    873  provided for the server and not for HTTPS proxies. --proxy-tls-max,
    874  --proxy-tlsv1.3, --proxy-curves and a few more.
    875  For more documentation on this, see:
    876  https://curl.se/libcurl/c/tls-options.html
    877 
    878  https://github.com/curl/curl/issues/12286
    879 
    880 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
    881 
    882  RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3
    883  post-handshake authentication. We should make sure to live up to that.
    884 
    885  See https://github.com/curl/curl/issues/5396
    886 
    887 13.14 Support the clienthello extension
    888 
    889  Certain stupid networks and middle boxes have a problem with SSL handshake
    890  packets that are within a certain size range because of how that sets some
    891  bits that previously (in older TLS versions) were not set. The clienthello
    892  extension adds padding to avoid that size range.
    893 
    894  https://datatracker.ietf.org/doc/html/rfc7685
    895  https://github.com/curl/curl/issues/2299
    896 
    897 13.16 Share the CA cache
    898 
    899  For TLS backends that support CA caching, it makes sense to allow the share
    900  object to be used to store the CA cache as well via the share API. This would
    901  allow multiple easy handles to reuse the CA cache and save themselves from a
    902  lot of extra processing overhead.
    903 
    904 13.17 Add missing features to TLS backends
    905 
    906  The feature matrix at https://curl.se/libcurl/c/tls-options.html shows which
    907  features are supported by which TLS backends, and thus also where there are
    908  feature gaps.
    909 
    910 14. Proxy
    911 
    912 14.1 Retry SOCKS handshake on address type not supported
    913 
    914  When curl resolves a hostname, it might get a mix of IPv6 and IPv4 returned.
    915  curl might then use an IPv6 address with a SOCKS5 proxy, which - if it does
    916  not support IPv6 - returns "Address type not supported" and curl exits with
    917  that error.
    918 
    919  Perhaps it is preferred if curl would in this situation instead first retry
    920  the SOCKS handshake again for this case and then use one of the IPv4
    921  addresses for the target host.
    922 
    923  See https://github.com/curl/curl/issues/17222
    924 
    925 15. Schannel
    926 
    927 15.1 Extend support for client certificate authentication
    928 
    929  The existing support for the -E/--cert and --key options could be
    930  extended by supplying a custom certificate and key in PEM format, see:
    931  - Getting a Certificate for Schannel
    932    https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
    933 
    934 15.2 Extend support for the --ciphers option
    935 
    936  The existing support for the --ciphers option could be extended
    937  by mapping the OpenSSL/GnuTLS cipher suites to the Schannel APIs, see
    938  - Specifying Schannel Ciphers and Cipher Strengths
    939    https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
    940 
    941 15.4 Add option to allow abrupt server closure
    942 
    943  libcurl with Schannel errors out without a known termination point from the
    944  server (such as length of transfer, or SSL "close notify" alert) to protect
    945  against a truncation attack. Really old servers may neglect to send any
    946  termination point. An option could be added to ignore such abrupt closures.
    947 
    948  https://github.com/curl/curl/issues/4427
    949 
    950 16. SASL
    951 
    952 16.1 Other authentication mechanisms
    953 
    954  Add support for other authentication mechanisms such as OLP,
    955  GSS-SPNEGO and others.
    956 
    957 16.2 Add QOP support to GSSAPI authentication
    958 
    959  Currently the GSSAPI authentication only supports the default QOP of auth
    960  (Authentication), whilst Kerberos V5 supports both auth-int (Authentication
    961  with integrity protection) and auth-conf (Authentication with integrity and
    962  privacy protection).
    963 
    964 
    965 17. SSH protocols
    966 
    967 17.1 Multiplexing
    968 
    969  SSH is a perfectly fine multiplexed protocol which would allow libcurl to do
    970  multiple parallel transfers from the same host using the same connection,
    971  much in the same spirit as HTTP/2 does. libcurl however does not take
    972  advantage of that ability but does instead always create a new connection for
    973  new transfers even if an existing connection already exists to the host.
    974 
    975  To fix this, libcurl would have to detect an existing connection and "attach"
    976  the new transfer to the existing one.
    977 
    978 17.2 Handle growing SFTP files
    979 
    980  The SFTP code in libcurl checks the file size *before* a transfer starts and
    981  then proceeds to transfer exactly that amount of data. If the remote file
    982  grows while the transfer is in progress libcurl does not notice and does not
    983  adapt. The OpenSSH SFTP command line tool does and libcurl could also just
    984  attempt to download more to see if there is more to get...
    985 
    986  https://github.com/curl/curl/issues/4344
    987 
    988 17.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519
    989 
    990  The libssh2 backend in curl is limited to only reading keys from id_rsa and
    991  id_dsa, which makes it fail connecting to servers that use more modern key
    992  types.
    993 
    994  https://github.com/curl/curl/issues/8586
    995 
    996 17.4 Support CURLOPT_PREQUOTE
    997 
    998  The two other QUOTE options are supported for SFTP, but this was left out for
    999  unknown reasons.
   1000 
   1001 17.5 SSH over HTTPS proxy with more backends
   1002 
   1003  The SSH based protocols SFTP and SCP did not work over HTTPS proxy at
   1004  all until PR https://github.com/curl/curl/pull/6021 brought the
   1005  functionality with the libssh2 backend. Presumably, this support
   1006  can/could be added for the other backends as well.
   1007 
   1008 17.6 SFTP with SCP://
   1009 
   1010  OpenSSH 9 switched their 'scp' tool to speak SFTP under the hood. Going
   1011  forward it might be worth having curl or libcurl attempt SFTP if SCP fails to
   1012  follow suit.
   1013 
   1014 18. Command line tool
   1015 
   1016 18.1 sync
   1017 
   1018  "curl --sync http://example.com/feed[1-100].rss" or
   1019  "curl --sync http://example.net/{index,calendar,history}.html"
   1020 
   1021  Downloads a range or set of URLs using the remote name, but only if the
   1022  remote file is newer than the local file. A Last-Modified HTTP date header
   1023  should also be used to set the mod date on the downloaded file.
   1024 
   1025 18.2 glob posts
   1026 
   1027  Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'.
   1028  This is easily scripted though.
   1029 
   1030 18.4 --proxycommand
   1031 
   1032  Allow the user to make curl run a command and use its stdio to make requests
   1033  and not do any network connection by itself. Example:
   1034 
   1035    curl --proxycommand 'ssh pi@raspberrypi.local -W 10.1.1.75 80' \
   1036         http://some/otherwise/unavailable/service.php
   1037 
   1038  See https://github.com/curl/curl/issues/4941
   1039 
   1040 18.5 UTF-8 filenames in Content-Disposition
   1041 
   1042  RFC 6266 documents how UTF-8 names can be passed to a client in the
   1043  Content-Disposition header, and curl does not support this.
   1044 
   1045  https://github.com/curl/curl/issues/1888
   1046 
   1047 18.6 Option to make -Z merge lined based outputs on stdout
   1048 
   1049  When a user requests multiple line-based files using -Z and sends them to
   1050  stdout, curl does not "merge" and send complete lines fine but may send
   1051  partial lines from several sources.
   1052 
   1053  https://github.com/curl/curl/issues/5175
   1054 
   1055 18.7 specify which response codes that make -f/--fail return error
   1056 
   1057  Allows a user to better specify exactly which error code(s) are fine
   1058  and which are errors for their specific use cases.
   1059 
   1060 18.9 Choose the name of file in braces for complex URLs
   1061 
   1062  When using braces to download a list of URLs and you use complicated names
   1063  in the list of alternatives, it could be handy to allow curl to use other
   1064  names when saving.
   1065 
   1066  Consider a way to offer that. Possibly like
   1067  {partURL1:name1,partURL2:name2,partURL3:name3} where the name following the
   1068  colon is the output name.
   1069 
   1070  See https://github.com/curl/curl/issues/221
   1071 
   1072 18.10 improve how curl works in a Windows console window
   1073 
   1074  If you pull the scrollbar when transferring with curl in a Windows console
   1075  window, the transfer is interrupted and can get disconnected. This can
   1076  probably be improved. See https://github.com/curl/curl/issues/322
   1077 
   1078 18.11 Windows: set attribute 'archive' for completed downloads
   1079 
   1080  The archive bit (FILE_ATTRIBUTE_ARCHIVE, 0x20) separates files that shall be
   1081  backed up from those that are either not ready or have not changed.
   1082 
   1083  Downloads in progress are neither ready to be backed up, nor should they be
   1084  opened by a different process. Only after a download has been completed is it
   1085  sensible to include it in any integer snapshot or backup of the system.
   1086 
   1087  See https://github.com/curl/curl/issues/3354
   1088 
   1089 18.12 keep running, read instructions from pipe/socket
   1090 
   1091  Provide an option that makes curl not exit after the last URL (or even work
   1092  without a given URL), and then make it read further instructions passed on a
   1093  pipe or over a socket, so that a second subsequent curl invocation can talk
   1094  to the still running instance and ask for transfers to get done, and thus
   1095  maintain its connection pool, DNS cache and more.
   1096 
   1097 18.13 Acknowledge Ratelimit headers
   1098 
   1099  Consider a command line option that can make curl do multiple serial requests
   1100  while acknowledging server specified rate limits:
   1101  https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/
   1102 
   1103  See https://github.com/curl/curl/issues/5406
   1104 
   1105 18.14 --dry-run
   1106 
   1107  A command line option that makes curl show exactly what it would do and send
   1108  if it would run for real.
   1109 
   1110  See https://github.com/curl/curl/issues/5426
   1111 
   1112 18.15 --retry should resume
   1113 
   1114  When --retry is used and curl actually retries a transfer, it should use the
   1115  already transferred data and do a resumed transfer for the rest (when
   1116  possible) so that it does not have to transfer the same data again that was
   1117  already transferred before the retry.
   1118 
   1119  See https://github.com/curl/curl/issues/1084
   1120 
   1121 18.17 consider filename from the redirected URL with -O ?
   1122 
   1123  When a user gives a URL and uses -O, and curl follows a redirect to a new
   1124  URL, the filename is not extracted and used from the newly redirected-to URL
   1125  even if the new URL may have a much more sensible filename.
   1126 
   1127  This is clearly documented and helps for security since there is no surprise
   1128  to users about which filename might get overwritten, but maybe a new option
   1129  could allow for this, or maybe -J should imply such a treatment as well, as -J
   1130  already allows for the server to decide what filename to use so it already
   1131  provides the "may overwrite any file" risk.
   1132 
   1133  This is extra tricky if the original URL has no filename part at all since
   1134  then the current code path does error out with an error message, and we
   1135  cannot *know* already at that point if curl is redirected to a URL that has a
   1136  filename...
   1137 
   1138  See https://github.com/curl/curl/issues/1241
   1139 
   1140 18.18 retry on network is unreachable
   1141 
   1142  The --retry option retries transfers on "transient failures". We later added
   1143  --retry-connrefused to also retry for "connection refused" errors.
   1144 
   1145  Suggestions have been brought to also allow retry on "network is unreachable"
   1146  errors and while totally reasonable, maybe we should consider a way to make
   1147  this more configurable than to add a new option for every new error people
   1148  want to retry for?
   1149 
   1150  https://github.com/curl/curl/issues/1603
   1151 
   1152 18.19 expand ~/ in config files
   1153 
   1154  For example .curlrc could benefit from being able to do this.
   1155 
   1156  See https://github.com/curl/curl/issues/2317
   1157 
   1158 18.20 hostname sections in config files
   1159 
   1160  config files would be more powerful if they could set different
   1161  configurations depending on used URLs, hostname or possibly origin. Then a
   1162  default .curlrc could set a specific user-agent only when doing requests against
   1163  a certain site.
   1164 
   1165 18.21 retry on the redirected-to URL
   1166 
   1167  When curl is told to --retry a failed transfer and follows redirects, it
   1168  might get an HTTP 429 response from the redirected-to URL and not the
   1169  original one, which then could make curl decide to rather retry the transfer
   1170  on that URL only instead of the original operation to the original URL.
   1171 
   1172  Perhaps extra emphasized if the original transfer is a large POST that
   1173  redirects to a separate GET, and that GET is what gets the 529.
   1174 
   1175  See https://github.com/curl/curl/issues/5462
   1176 
   1177 18.23 Set the modification date on an uploaded file
   1178 
   1179  For SFTP and possibly FTP, curl could offer an option to set the
   1180  modification time for the uploaded file.
   1181 
   1182  See https://github.com/curl/curl/issues/5768
   1183 
   1184 18.24 Use multiple parallel transfers for a single download
   1185 
   1186  To enhance transfer speed, downloading a single URL can be split up into
   1187  multiple separate range downloads that get combined into a single final
   1188  result.
   1189 
   1190  An ideal implementation would not use a specified number of parallel
   1191  transfers, but curl could:
   1192  - First start getting the full file as transfer A
   1193  - If after N seconds have passed and the transfer is expected to continue for
   1194    M seconds or more, add a new transfer (B) that asks for the second half of
   1195    A's content (and stop A at the middle).
   1196  - If splitting up the work improves the transfer rate, it could then be done
   1197    again. Then again, etc up to a limit.
   1198 
   1199  This way, if transfer B fails (because Range: is not supported) it lets
   1200  transfer A remain the single one. N and M could be set to some sensible
   1201  defaults.
   1202 
   1203  See https://github.com/curl/curl/issues/5774
   1204 
   1205 18.25 Prevent terminal injection when writing to terminal
   1206 
   1207  curl could offer an option to make escape sequences either non-functional or
   1208  avoid cursor moves or similar to reduce the risk of a user getting tricked by
   1209  clever tricks.
   1210 
   1211  See https://github.com/curl/curl/issues/6150
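
 An added sketch of such a filter, not code from curl: the function name and
 the policy (keep LF, TAB and CRLF, show every other control byte as \xNN) are
 assumptions made for illustration, and a UTF-8 terminal is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if byte i of p must not reach the terminal unchanged. */
static int is_unsafe(const unsigned char *p, size_t len, size_t i)
{
  unsigned char c = p[i];
  if(c == '\n' || c == '\t')
    return 0;
  if(c == '\r') /* allowed only as part of a CRLF line ending */
    return !(i + 1 < len && p[i + 1] == '\n');
  if(c < 0x20 || c == 0x7f)
    return 1; /* ESC, BEL, BS and the other C0 controls, plus DEL */
  /* UTF-8 encoded C1 controls (U+0080..U+009F) are 0xC2 0x80..0x9F */
  if(c == 0xc2 && i + 1 < len && p[i + 1] >= 0x80 && p[i + 1] <= 0x9f)
    return 1;
  if(c >= 0x80 && c <= 0x9f && i > 0 && p[i - 1] == 0xc2)
    return 1;
  return 0;
}

/*
 * Hypothetical helper: copy 'len' bytes of 'in' to 'out', replacing bytes a
 * terminal could act on with a visible \xNN form. Returns the length of the
 * NUL-terminated result, or (size_t)-1 if 'out' is too small.
 */
size_t neutralize_for_terminal(const char *in, size_t len,
                               char *out, size_t outsz)
{
  const unsigned char *p = (const unsigned char *)in;
  size_t n = 0;
  size_t i;

  if(!outsz)
    return (size_t)-1;
  for(i = 0; i < len; i++) {
    if(is_unsafe(p, len, i)) {
      if(n + 4 >= outsz)
        return (size_t)-1; /* no room for "\xNN" plus the terminator */
      n += (size_t)snprintf(out + n, outsz - n, "\\x%02X", (unsigned)p[i]);
    }
    else {
      if(n + 1 >= outsz)
        return (size_t)-1;
      out[n++] = (char)p[i];
    }
  }
  out[n] = '\0';
  return n;
}

int main(void)
{
  /* constructed sample: a body that tries to clear the screen and home the
     cursor before printing reassuring text */
  const char body[] = "status\r\n\x1b[2J\x1b[Hall good\n";
  char shown[128];

  if(neutralize_for_terminal(body, strlen(body), shown, sizeof(shown)) !=
     (size_t)-1)
    fputs(shown, stdout);
  return 0;
}
```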
   1212 
   1213 18.26 Custom progress meter update interval
   1214 
   1215  Users who are for example doing large downloads in CI or remote setups might
   1216  want the occasional progress meter update to see that the transfer is
   1217  progressing and has not stuck, but they may not appreciate the
   1218  many-times-a-second frequency curl can end up doing it with now.
   1219 
   1220 18.27 -J and -O with %-encoded filenames
   1221 
   1222  -J/--remote-header-name does not decode %-encoded filenames. RFC 6266 details
   1223  how it should be done. The can of worms is basically that we have no charset
   1224  handling in curl and ASCII >=128 is a challenge for us. Not to mention that
   1225  decoding also means that we need to check for nastiness that is attempted,
   1226  like "../" sequences and the like. Probably everything to the left of any
   1227  embedded slashes should be cut off.
   1228  https://curl.se/bug/view.cgi?id=1294
   1229 
   1230  -O also does not decode %-encoded names, and while it has even less
   1231  information about the charset involved the process is similar to the -J case.
   1232 
   1233  Note that we do not decode -O without the user asking for it with some other
   1234  means, since -O has always been documented to use the name exactly as
   1235  specified in the URL.
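
 An added sketch of the decode-then-check order described above, not code from
 curl: the function name and the rejection rules are assumptions made for
 illustration, and charset handling is left out as the text says.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Convert one hex digit to its value, or -1 if it is not a hex digit. */
static int hexval(char c)
{
  if(c >= '0' && c <= '9') return c - '0';
  if(c >= 'a' && c <= 'f') return c - 'a' + 10;
  if(c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/*
 * Hypothetical helper: decode the %-encoded 'in' and store in 'out' a name
 * that stays in the current directory. Returns 0 on success, -1 if the name
 * must be refused ('out' is unspecified in that case).
 */
int safe_decoded_name(const char *in, char *out, size_t outsz)
{
  size_t n = 0;
  size_t start = 0;
  size_t i;

  if(!in || !out || !outsz)
    return -1;

  /* Step 1: decode first, so that %2F and %5C become visible separators */
  for(i = 0; in[i]; i++) {
    unsigned char c = (unsigned char)in[i];
    if(c == '%') {
      int hi = hexval(in[i + 1]);
      int lo = (hi < 0) ? -1 : hexval(in[i + 2]);
      if(lo < 0)
        return -1; /* truncated or malformed escape */
      c = (unsigned char)((hi << 4) | lo);
      i += 2;
    }
    if(c < 0x20 || c == 0x7f)
      return -1; /* NUL and control bytes never belong in a filename */
    if(n + 1 >= outsz)
      return -1; /* refuse rather than silently truncate */
    out[n++] = (char)c;
  }
  out[n] = '\0';

  /* Step 2: cut off everything to the left of the last embedded slash */
  for(i = 0; i < n; i++)
    if(out[i] == '/' || out[i] == '\\')
      start = i + 1;
  memmove(out, out + start, n - start + 1);

  /* Step 3: what remains must be a real name, not a directory reference */
  if(!out[0] || !strcmp(out, ".") || !strcmp(out, ".."))
    return -1;
  return 0;
}

int main(void)
{
  /* constructed sample names, as a server could send them */
  const char *samples[] = {
    "report%20final.pdf", "..%2F..%2Fetc%2Fpasswd", "%2e%2e", "a%00.txt"
  };
  char name[256];
  size_t i;

  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    if(safe_decoded_name(samples[i], name, sizeof(name)))
      printf("%-26s -> refused\n", samples[i]);
    else
      printf("%-26s -> \"%s\"\n", samples[i], name);
  }
  return 0;
}
```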
   1236 
   1237 18.28 -J with -C -
   1238 
   1239  When using -J (with -O), automatically resumed downloading together with "-C
   1240  -" fails. Without -J the same command line works. This happens because the
   1241  resume logic is worked out before the target filename (and thus its
   1242  pre-transfer size) has been figured out. This can be improved.
   1243 
   1244  https://curl.se/bug/view.cgi?id=1169
   1245 
   1246 18.29 --retry and transfer timeouts
   1247 
   1248  If using --retry and the transfer times out (possibly due to using -m or
   1249  -y/-Y) the next attempt does not resume the transfer properly from what was
   1250  downloaded in the previous attempt but truncates and restarts at the original
   1251  position where it was at before the previous failed attempt. See
   1252  https://curl.se/mail/lib-2008-01/0080.html and Mandriva bug report
   1253  https://qa.mandriva.com/show_bug.cgi?id=22565
   1254 
   1255 
   1256 19. Build
   1257 
   1258 19.2 Enable PIE and RELRO by default
   1259 
   1260  Especially when having programs that execute curl via the command line, PIE
   1261  renders the exploitation of memory corruption vulnerabilities a lot more
   1262  difficult. This can be attributed to the additional information leaks being
   1263  required to conduct a successful attack. RELRO, on the other hand, marks
   1264  different binary sections like the GOT as read-only and thus kills a handful
   1265  of techniques that come in handy when attackers are able to arbitrarily
   1266  overwrite memory. A few tests showed that enabling these features had close
   1267  to no impact, neither on the performance nor on the general functionality of
   1268  curl.
   1269 
   1270 19.3 Do not use GNU libtool on OpenBSD
   1271 
   1272  When compiling curl on OpenBSD with "--enable-debug" it gives linking errors
   1273  when you use GNU libtool. This can be fixed by using the libtool provided by
   1274  OpenBSD itself. However for this the user always needs to invoke make with
   1275  "LIBTOOL=/usr/bin/libtool". It would be nice if the script could have some
   1276  magic to detect if this system is an OpenBSD host and then use the OpenBSD
   1277  libtool instead.
   1278 
   1279  See https://github.com/curl/curl/issues/5862
   1280 
   1281 19.4 Package curl for Windows in a signed installer
   1282 
   1283  See https://github.com/curl/curl/issues/5424
   1284 
   1285 19.5 make configure use --cache-file more and better
   1286 
   1287  The configure script can be improved to cache more values so that repeated
   1288  invokes run much faster.
   1289 
   1290  See https://github.com/curl/curl/issues/7753
   1291 
   1292 20. Test suite
   1293 
   1294 20.1 SSL tunnel
   1295 
   1296  Make our own version of stunnel for simple port forwarding to enable HTTPS
   1297  and FTP-SSL tests without the stunnel dependency, and it could allow us to
   1298  provide test tools built with either OpenSSL or GnuTLS.
   1299 
   1300 20.2 more protocols supported
   1301 
   1302  Extend the test suite to include more protocols. The telnet could just do FTP
   1303  or http operations (for which we have test servers).
   1304 
   1305 20.3 more platforms supported
   1306 
   1307  Make the test suite work on more platforms. OpenBSD and macOS. Remove
   1308  fork()s and it should become even more portable.
   1309 
   1310 20.4 write an SMB test server to replace impacket
   1311 
   1312  This would allow us to run SMB tests on more platforms and do better and more
   1313  covering tests.
   1314 
   1315  See https://github.com/curl/curl/issues/15697
   1316 
   1317 20.5 Use the RFC 6265 test suite
   1318 
   1319  A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at
   1320  https://github.com/abarth/http-state/tree/master/tests
   1321 
   1322  It would be good if someone would write a script/setup that would run curl
   1323  with that test suite and detect deviances. Ideally, that would even be
   1324  incorporated into our regular test suite.
   1325 
   1326 20.6 Run web-platform-tests URL tests
   1327 
   1328  Run web-platform-tests URL tests and compare results with browsers on wpt.fyi
   1329 
   1330  It would help us find issues to fix and help us document where our parser
   1331  differs from the WHATWG URL spec parsers.
   1332 
   1333  See https://github.com/curl/curl/issues/4477
   1334 
   1335 21. MQTT
   1336 
   1337 21.1 Support rate-limiting
   1338 
   1339  The rate-limiting logic is done in the PERFORMING state in multi.c but MQTT
   1340  is not (yet) implemented to use that.
   1341 
   1342 21.2 Support MQTTS
   1343 
   1344 21.3 Handle network blocks
   1345 
   1346   Running test suite with
   1347   `CURL_DBG_SOCK_WBLOCK=90 ./runtests.pl -a mqtt` makes several
   1348   MQTT test cases fail where they should not.
   1349 
   1350 22. TFTP
   1351 
   1352 22.1 TFTP does not convert LF to CRLF for mode=netascii
   1353 
   1354  RFC 3617 defines that a TFTP transfer can be done using "netascii"
   1355  mode. curl does not support extracting that mode from the URL nor does it treat
   1356  such transfers specifically. It should probably do LF to CRLF translations
   1357  for them.
   1358 
   1359  See https://github.com/curl/curl/issues/12655
   1360 
   1361 23. Gopher
   1362 
   1363 23.1 Handle network blocks
   1364 
   1365   Running test suite with
   1366   `CURL_DBG_SOCK_WBLOCK=90 ./runtests.pl -a 1200 to 1300` makes several
   1367   Gopher test cases fail where they should not.