                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

               Things that could be nice to do in the future

 Things to do in project curl. Please tell us what you think, contribute and
 send us patches that improve things!

 Be aware that these are things that we could do, or have once been considered
 things we could do. If you want to work on any of these areas, please
 consider bringing it up for discussion first on the mailing list so that we
 all agree it is still a good idea for the project!

 All bugs documented in the KNOWN_BUGS document are candidates for fixing!

 1. libcurl
 1.1 TFO support on Windows
 1.2 Consult %APPDATA% also for .netrc
 1.3 struct lifreq
 1.5 get rid of PATH_MAX
 1.7 Support HTTP/2 for HTTP(S) proxies
 1.8 CURLOPT_RESOLVE for any port number
 1.9 Cache negative name resolves
 1.10 auto-detect proxy
 1.11 minimize dependencies with dynamically loaded modules
 1.12 updated DNS server while running
 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
 1.14 Typesafe curl_easy_setopt()
 1.15 Monitor connections in the connection pool
 1.16 Try to URL encode given URL
 1.17 Add support for IRIs
 1.18 try next proxy if one doesn't work
 1.20 SRV and URI DNS records
 1.22 CURLINFO_PAUSE_STATE
 1.23 Offer API to flush the connection pool
 1.24 TCP Fast Open for windows
 1.25 Expose tried IP addresses that failed
 1.27 hardcode the "localhost" addresses
 1.28 FD_CLOEXEC
 1.29 Upgrade to websockets
 1.30 config file parsing

 2. libcurl - multi interface
 2.1 More non-blocking
 2.2 Better support for same name resolves
 2.3 Non-blocking curl_multi_remove_handle()
 2.4 Split connect and authentication process
 2.5 Edge-triggered sockets should work
 2.6 multi upkeep

 3. Documentation
 3.2 Provide cmake config-file

 4. FTP
 4.1 HOST
 4.2 Alter passive/active on failure and retry
 4.3 Earlier bad letter detection
 4.5 ASCII support
 4.6 GSSAPI via Windows SSPI
 4.7 STAT for LIST without data connection
 4.8 Option to ignore private IP addresses in PASV response

 5. HTTP
 5.1 Better persistency for HTTP 1.0
 5.3 Rearrange request header order
 5.4 Allow SAN names in HTTP/2 server push
 5.5 auth= in URLs

 6. TELNET
 6.1 ditch stdin
 6.2 ditch telnet-specific select
 6.3 feature negotiation debug data

 7. SMTP
 7.2 Enhanced capability support
 7.3 Add CURLOPT_MAIL_CLIENT option

 8. POP3
 8.2 Enhanced capability support

 9. IMAP
 9.1 Enhanced capability support

 10. LDAP
 10.1 SASL based authentication mechanisms

 11. SMB
 11.1 File listing support
 11.2 Honor file timestamps
 11.3 Use NTLMv2
 11.4 Create remote directories

 12. New protocols

 13. SSL
 13.2 Provide mutex locking API
 13.3 Support in-memory certs/ca certs/keys
 13.4 Cache/share OpenSSL contexts
 13.5 Export session ids
 13.6 Provide callback for cert verification
 13.7 improve configure --with-ssl
 13.8 Support DANE
 13.10 Support Authority Information Access certificate extension (AIA)
 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
 13.12 Support HSTS
 13.14 Support the clienthello extension

 14. GnuTLS
 14.2 check connection

 15. WinSSL/SChannel
 15.1 Add support for client certificate authentication
 15.3 Add support for the --ciphers option
 15.4 Add option to disable client certificate auto-send

 16. SASL
 16.1 Other authentication mechanisms
 16.2 Add QOP support to GSSAPI authentication
 16.3 Support binary messages (i.e.: non-base64)

 17. SSH protocols
 17.1 Multiplexing
 17.2 Handle growing SFTP files
 17.3 Support better than MD5 hostkey hash
 17.4 Support CURLOPT_PREQUOTE

 18. Command line tool
 18.1 sync
 18.2 glob posts
 18.3 prevent file overwriting
 18.5 UTF-8 filenames in Content-Disposition
 18.7 at least N milliseconds between requests
 18.9 Choose the name of file in braces for complex URLs
 18.10 improve how curl works in a windows console window
 18.11 Windows: set attribute 'archive' for completed downloads
 18.12 keep running, read instructions from pipe/socket
 18.15 --retry should resume
 18.16 send only part of --data
 18.17 consider file name from the redirected URL with -O ?
 18.18 retry on network is unreachable
 18.19 expand ~/ in config files
 18.20 host name sections in config files

 19. Build
 19.1 roffit
 19.2 Enable PIE and RELRO by default
 19.3 cmake test suite improvements

 20. Test suite
 20.1 SSL tunnel
 20.2 nicer lacking perl message
 20.3 more protocols supported
 20.4 more platforms supported
 20.5 Add support for concurrent connections
 20.6 Use the RFC6265 test suite
 20.7 Support LD_PRELOAD on macOS

 21. Next SONAME bump
 21.1 http-style HEAD output for FTP
 21.2 combine error codes
 21.3 extend CURLOPT_SOCKOPTFUNCTION prototype

 22. Next major release
 22.1 cleanup return codes
 22.2 remove obsolete defines
 22.3 size_t
 22.4 remove several functions
 22.5 remove CURLOPT_FAILONERROR
 22.7 remove progress meter from libcurl
 22.8 remove 'curl_httppost' from public

==============================================================================

1. libcurl

1.1 TFO support on Windows

 TCP Fast Open is supported on several platforms but not on Windows. Work on
 this was once started but never finished.

 See https://github.com/curl/curl/pull/3378

1.2 Consult %APPDATA% also for .netrc

 %APPDATA%\.netrc is not considered when running on Windows. Shouldn't it be?

 See https://github.com/curl/curl/issues/4016

1.3 struct lifreq

 Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and
 SIOCGIFADDR on newer Solaris versions, as they claim the latter is obsolete.
 This is needed to support IPv6 interface addresses properly.

1.5 get rid of PATH_MAX

 Having code use and rely on PATH_MAX is not nice:
 https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html

 Currently the libssh2 SSH based code uses it, but to remove PATH_MAX from
 there we need libssh2 to properly tell us when we pass in a too small buffer,
 and its current API (as of libssh2 1.2.7) doesn't.

1.7 Support HTTP/2 for HTTP(S) proxies

 Support for doing HTTP/2 to HTTP and HTTPS proxies is still missing.

 See https://github.com/curl/curl/issues/3570

1.8 CURLOPT_RESOLVE for any port number

 This option allows applications to set a replacement IP address for a given
 host + port pair. Consider adding support for providing a replacement address
 for the host name on all port numbers.

 See https://github.com/curl/curl/issues/1264

1.9 Cache negative name resolves

 A name resolve that has failed is likely to fail when made again within a
 short period of time. Currently we only cache positive responses.

1.10 auto-detect proxy

 libcurl could be made to detect the system proxy setup automatically and use
 that, on Windows, macOS and Linux desktops for example.

 The pull request to use libproxy for this was deferred due to doubts about the
 reliability of the dependency and how to use it:
 https://github.com/curl/curl/pull/977

 libdetectproxy is a (C++) library for detecting the proxy on Windows:
 https://github.com/paulharris/libdetectproxy

1.11 minimize dependencies with dynamically loaded modules

 We can create a system with loadable modules/plug-ins, where these modules
 would be the ones that link to 3rd party libs. That would allow us to avoid
 having to load ALL dependencies, since only the modules needed for the
 protocols an application actually uses would have to be loaded. See
 https://github.com/curl/curl/issues/349

1.12 updated DNS server while running

 If /etc/resolv.conf gets updated while a program using libcurl is running, it
 may cause name resolves to fail unless res_init() is called. We should
 consider calling res_init() + retrying once unconditionally on all name
 resolve failures to mitigate this. Firefox works like that. Note that Windows
 doesn't have res_init() or an alternative.

 https://github.com/curl/curl/issues/2251

1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION

 curl will create most sockets via the CURLOPT_OPENSOCKETFUNCTION callback and
 close them with the CURLOPT_CLOSESOCKETFUNCTION callback. However, c-ares
 does not use those functions and instead opens and closes the sockets
 itself. This means that when curl passes the c-ares socket to the
 CURLMOPT_SOCKETFUNCTION it isn't owned by the application like other sockets.

 See https://github.com/curl/curl/issues/2734

1.14 Typesafe curl_easy_setopt()

 One of the most common problems in libcurl using applications is the lack of
 type checks for curl_easy_setopt(), which happens because it accepts varargs
 and thus can take any type.

 One possible solution to this is to introduce a few different typed versions
 of setopt, one for each kind of data you can set:

  curl_easy_set_num() - sets a long value

  curl_easy_set_large() - sets a curl_off_t value

  curl_easy_set_ptr() - sets a pointer

  curl_easy_set_cb() - sets a callback PLUS its callback data

1.15 Monitor connections in the connection pool

 libcurl's connection cache or pool holds a number of open connections for the
 purpose of possible subsequent connection reuse. It may contain anything from
 a few to a significant number of connections. Currently, libcurl leaves all
 connections as they are, and only when a connection is iterated over for
 matching or reuse purposes is it verified that it is still alive.

 Those connections may get closed by the server side for idleness, or they may
 get an HTTP/2 ping from the peer to verify that they're still alive. By adding
 monitoring of the connections while in the pool, libcurl can detect dead
 connections (and close them) better and earlier, and it can handle HTTP/2
 pings to keep such connections alive even when not actively doing transfers
 on them.

1.16 Try to URL encode given URL

 Given a URL that for example contains spaces, libcurl could have an option
 that would try somewhat harder than it does now and convert spaces to %20 and
 perhaps URL encode byte values over 128 etc (basically do what the redirect
 following code already does).

 https://github.com/curl/curl/issues/514

1.17 Add support for IRIs

 IRIs (RFC 3987) allow localized, non-ASCII, names in the URL. To properly
 support this, curl/libcurl would need to translate/encode the given input
 from the input string encoding into percent encoded output "over the wire".

 To make that work smoothly for curl users even on Windows, curl would
 probably need to be able to convert from several input encodings.

1.18 try next proxy if one doesn't work

 Allow an application to specify a list of proxies to try, and if connecting
 to the first fails, go on and try the next instead until the list is
 exhausted. Browsers support this feature at least when they specify proxies
 using PACs.

 https://github.com/curl/curl/issues/896

1.20 SRV and URI DNS records

 Offer support for resolving SRV and URI DNS records for libcurl to know which
 server to connect to for various protocols (including HTTP!).

1.22 CURLINFO_PAUSE_STATE

 Return information about the transfer's current pause state, in both
 directions. https://github.com/curl/curl/issues/2588

1.23 Offer API to flush the connection pool

 Sometimes applications want to flush all the existing connections kept alive.
 An API could allow a forced flush, or just a forced loop that would properly
 close all connections that have been closed by the server already.

1.24 TCP Fast Open for windows

 libcurl supports the CURLOPT_TCP_FASTOPEN option since 7.49.0 for Linux and
 Mac OS. Windows supports TCP Fast Open starting with Windows 10, version 1607
 and we should add support for it.

1.25 Expose tried IP addresses that failed

 When libcurl fails to connect to a host, it should be able to offer the
 application the list of IP addresses that were used in the attempt.

 https://github.com/curl/curl/issues/2126

1.27 hardcode the "localhost" addresses

 There's this new spec getting adopted that says "localhost" should always and
 unconditionally be a local address and not get resolved by a DNS server. A
 fine way for curl to fix this would be to simply hard-code the response to
 127.0.0.1 and/or ::1 (depending on which IP versions are requested). This
 is what the browsers probably will do with this hostname.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1220810

 https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02
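
 As an added illustration (not code from curl), here is a stand-alone C
 function that answers "localhost" lookups without ever consulting a resolver.
 It goes a little beyond the text above in also treating names ending in
 ".localhost" as loopback, which the referenced draft reserves in the same
 way, and in tolerating a trailing dot. The function name and the family
 argument (4, 6, or 0 for both) are this example's own assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Decide, without touching DNS, whether a host name must be loopback.
 * family: 4 or 6 to ask for one address family, 0 for both (assumed API).
 * Fills out[] with the literal(s) to use and returns how many were written,
 * or 0 when the name is not a localhost name and must be resolved normally. */
int loopback_for_name(const char *host, int family, const char *out[2])
{
    size_t len = strlen(host);
    bool is_local = false;
    int n = 0;

    if (len && host[len - 1] == '.')    /* "localhost." is the FQDN form */
        len--;

    if (len == 9 && strncasecmp(host, "localhost", 9) == 0)
        is_local = true;
    else if (len > 10 && strncasecmp(host + len - 10, ".localhost", 10) == 0)
        is_local = true;               /* e.g. "app.localhost" */

    if (!is_local)
        return 0;

    /* Hard-coded answers: no resolver gets to say what "localhost" is. */
    if (family == 4 || family == 0)
        out[n++] = "127.0.0.1";
    if (family == 6 || family == 0)
        out[n++] = "::1";
    return n;
}

int main(void)
{
    const char *addrs[2];
    const char *names[] = {"localhost", "app.localhost", "example.com"};
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int n = loopback_for_name(names[i], 0, addrs);
        if (n == 0)
            printf("%-15s -> resolve normally\n", names[i]);
        else
            printf("%-15s -> %s%s%s\n", names[i], addrs[0],
                   n > 1 ? ", " : "", n > 1 ? addrs[1] : "");
    }
    return 0;
}
```

 A caller would run this check before handing the name to the resolver; only a
 return of 0 means a real lookup is needed. Matching is case-insensitive
 because DNS names are, and "localhost.example.com" is deliberately not
 matched since only the last label decides.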

1.28 FD_CLOEXEC

 FD_CLOEXEC sets the close-on-exec flag for a file descriptor, which causes the
 file descriptor to be automatically (and atomically) closed when any of the
 exec-family functions succeed. Should probably be set by default?

 https://github.com/curl/curl/issues/2252
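
 As an added example (not libcurl code), the following C program shows the two
 ways to get the flag onto a socket and verifies that it took: SOCK_CLOEXEC at
 creation time, which is atomic, and the fcntl() fallback, which leaves a
 short window in which a child forked by another thread could still inherit
 the descriptor. Without the flag, every child that exec()s keeps the socket,
 and with it the connection's state. The function names are this example's
 own:

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP socket that is close-on-exec from the moment it exists.
 * Returns the descriptor, or -1 on failure. */
static int open_socket_cloexec(int family)
{
    int fd, flags;
#ifdef SOCK_CLOEXEC
    /* Atomic: the flag is set by the same syscall that creates the fd. */
    fd = socket(family, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd >= 0)
        return fd;
#endif
    /* Fallback for platforms without SOCK_CLOEXEC: socket() then fcntl().
     * A child forked between the two calls can still inherit the descriptor,
     * which is exactly the race SOCK_CLOEXEC was introduced to close. */
    fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is invalid. */
static int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Open a socket the safe way and report whether the flag is set (1/0). */
int cloexec_socket_check(void)
{
    int fd = open_socket_cloexec(AF_INET);
    int set;
    if (fd < 0)
        return -1;
    set = has_cloexec(fd);
    close(fd);
    return set;
}

/* Contrast: a plain socket() is inherited by every child that exec()s. */
int plain_socket_check(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int set;
    if (fd < 0)
        return -1;
    set = has_cloexec(fd);
    close(fd);
    return set;
}

int main(void)
{
    printf("close-on-exec socket: flag set = %d\n", cloexec_socket_check());
    printf("plain socket:         flag set = %d\n", plain_socket_check());
    return 0;
}
```

 On Linux the first call takes the SOCK_CLOEXEC path; elsewhere the fallback
 is used, so the program reports 1 either way, and 0 for the plain socket. The
 same applies to descriptors an application hands to libcurl through
 CURLOPT_OPENSOCKETFUNCTION: the application, not libcurl, decides their flags.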

1.29 Upgrade to websockets

 libcurl could offer a smoother path to get to a websocket connection.
 See https://github.com/curl/curl/issues/3523

 Michael Kaufmann's suggestion here:
 https://curl.haxx.se/video/curlup-2017/2017-03-19_05_Michael_Kaufmann_Websocket_support_for_curl.mp4

1.30 config file parsing

 Consider providing an API, possibly in a separate companion library, for
 parsing a config file like curl's -K/--config option to allow applications to
 get the same ability to read curl options from files.

 See https://github.com/curl/curl/issues/3698

2. libcurl - multi interface

2.1 More non-blocking

 Make sure we don't ever loop because of non-blocking sockets returning
 EWOULDBLOCK or similar. Blocking cases include:

 - Name resolves on non-Windows unless c-ares or the threaded resolver is used
 - SOCKS proxy handshakes
 - file:// transfers
 - TELNET transfers
 - The "DONE" operation (post transfer protocol-specific actions) for the
   protocols SFTP, SMTP, FTP. Fixing Curl_done() for this is a worthy task.

2.2 Better support for same name resolves

 If a name resolve has been initiated for name NN and a second easy handle
 wants to resolve that name as well, make it wait for the first resolve to end
 up in the cache instead of doing a second separate resolve. This is
 especially needed when adding many simultaneous handles using the same host
 name, as the DNS resolver can otherwise get flooded.

2.3 Non-blocking curl_multi_remove_handle()

 The multi interface has a few API calls that assume a blocking behavior, like
 add_handle() and remove_handle(), which limits what we can do internally. The
 multi API needs to be moved even more into a single function that "drives"
 everything in a non-blocking manner and signals when something is done. A
 remove or add would then only ask for the action to get started, and
 multi_perform() etc. would still be called until the add/remove is completed.

2.4 Split connect and authentication process

 The multi interface treats the authentication process as part of the connect
 phase. As such any failures during authentication won't trigger the relevant
 QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP.

2.5 Edge-triggered sockets should work

 The multi_socket API should work with edge-triggered socket events. One of
 the internal actions that needs to be improved for this to work perfectly is
 the 'maxloops' handling in transfer.c:readwrite_data().

2.6 multi upkeep

 In libcurl 7.62.0 we introduced curl_easy_upkeep. It unfortunately only works
 on easy handles. We should introduce a version of that for the multi handle,
 and also consider doing "upkeep" automatically on connections in the
 connection pool when the multi handle is in use.

 See https://github.com/curl/curl/issues/3199

3. Documentation

3.2 Provide cmake config-file

 A config-file package is a set of files provided by us to allow applications
 to write cmake scripts that find and use libcurl more easily. See
 https://github.com/curl/curl/issues/885

4. FTP

4.1 HOST

 HOST is a command with which a client tells the server which host name it
 wants, giving FTP servers name-based virtual hosting:

 https://tools.ietf.org/html/rfc7151

4.2 Alter passive/active on failure and retry

 When trying to connect passively to a server which only supports active
 connections, libcurl returns CURLE_FTP_WEIRD_PASV_REPLY and closes the
 connection. There could be a way to fall back to an active connection (and
 vice versa). https://curl.haxx.se/bug/feature.cgi?id=1754793

4.3 Earlier bad letter detection

 Make the detection of (bad) %0d and %0a codes in FTP URL parts happen earlier
 in the process, to avoid doing a resolve and connect in vain.
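
 An added example, not curl's own code, of the kind of check this refers to:
 a C function that decides whether an FTP URL component would carry a CR or
 LF into an FTP command line, catching both the raw bytes and their %0d/%0a
 encodings in either letter case. Rejecting such input up front means no name
 resolution or connection is spent on a request that has to fail anyway. The
 function names are this example's own:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Numeric value of a hex digit the caller has already validated. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    return tolower(c) - 'a' + 10;
}

/* True if this URL component, once percent-decoded, contains a CR or LF.
 * Such a byte would end the FTP command line early and let the remainder of
 * the string be read by the server as a further command, so the URL must be
 * refused before anything is resolved or connected. */
bool ftp_part_has_crlf(const char *s)
{
    for (; *s; s++) {
        int byte = (unsigned char)*s;
        if (*s == '%' && isxdigit((unsigned char)s[1]) &&
            isxdigit((unsigned char)s[2])) {
            byte = hexval((unsigned char)s[1]) * 16 +
                   hexval((unsigned char)s[2]);
            s += 2;                      /* the two hex digits are consumed */
        }
        if (byte == '\r' || byte == '\n')
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed inputs: one clean path and one with an encoded line break. */
    const char *samples[] = {"pub/file%20name.txt", "pub/file%0d%0aname"};
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               ftp_part_has_crlf(samples[i]) ? "REJECT (CR/LF)" : "ok");
    return 0;
}
```

 The same function applies to the user and password parts of an ftp:// URL,
 which also end up inside USER and PASS command lines. A lone or truncated
 escape such as "%0" is left alone here; the URL parser proper decides what to
 do with those.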

4.5 ASCII support

 FTP ASCII transfers do not follow RFC 959. They don't convert the data
 accordingly.

4.6 GSSAPI via Windows SSPI

 In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5)
 via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add
 support for GSSAPI authentication via Windows SSPI.

4.7 STAT for LIST without data connection

 Some FTP servers allow STAT for listing directories instead of using LIST,
 and the response is then sent over the control connection instead of over the
 otherwise used data connection: https://www.nsftools.com/tips/RawFTP.htm#STAT

 This is not detailed in any FTP specification.

4.8 Option to ignore private IP addresses in PASV response

 Some servers respond with private (RFC 1918 style) IP addresses in PASV
 responses, and some other FTP client implementations can ignore such
 addresses. Something to consider for libcurl as well. See
 https://github.com/curl/curl/issues/1455

5. HTTP

5.1 Better persistency for HTTP 1.0

 "Better" support for persistent connections over HTTP 1.0
 https://curl.haxx.se/bug/feature.cgi?id=1089001

5.3 Rearrange request header order

 Server implementers often make an effort to detect browsers and to reject
 clients they can detect as not matching. One of the last details we cannot
 yet control in libcurl's HTTP requests, which also can be exploited to detect
 that libcurl is in fact used even when it tries to impersonate a browser, is
 the order of the request headers. I propose that we introduce a new option in
 which you give each header a value, and then when the HTTP request is built
 it sorts the headers based on that number. We could then have internally
 created headers use a default value so that only headers that need to be
 moved have to be specified.

5.4 Allow SAN names in HTTP/2 server push

 curl only allows an HTTP/2 push promise if the provided :authority header
 value exactly matches the host name given in the URL. It could be extended to
 allow any name that would match the Subject Alternative Names in the server's
 TLS certificate.

 See https://github.com/curl/curl/pull/3581

5.5 auth= in URLs

 Add the ability to specify the preferred authentication mechanism to use by
 using ;auth=<mech> in the login part of the URL.

 For example:

 http://test:pass;auth=NTLM@example.com would be equivalent to specifying
 --user test:pass;auth=NTLM or --user test:pass --ntlm from the command line.

 Additionally this should be implemented for proxy base URLs as well.
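
 As an added example (not libcurl's implementation), a small C parser for the
 login part described above, splitting it into user, password and the ;auth=
 mechanism, plus a lookup from the mechanism name to a constructed enum that
 stands in for the flags --basic, --digest, --ntlm and --negotiate select on
 the command line. The struct, the function names, the enum and the field
 sizes are assumptions of this example; a literal ':' or ';' inside the
 password would have to be percent-encoded, which this parser does not decode:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct userinfo {
    char user[64];
    char pass[64];
    char mech[16];   /* empty when no ;auth= option was given */
};

/* Constructed stand-in for the real auth selection values. */
enum auth_mech { AUTH_ANY = 0, AUTH_BASIC, AUTH_DIGEST, AUTH_NTLM,
                 AUTH_NEGOTIATE, AUTH_UNKNOWN };

/* Parse "user[:password][;auth=MECH]". Returns false on an overlong field
 * or on an option other than auth=, so unexpected input is refused rather
 * than silently accepted. */
bool parse_userinfo(const char *login, struct userinfo *u)
{
    const char *opt = strchr(login, ';');      /* options follow the first ';' */
    size_t cred_len = opt ? (size_t)(opt - login) : strlen(login);
    const char *colon = memchr(login, ':', cred_len);
    size_t ulen = colon ? (size_t)(colon - login) : cred_len;
    size_t plen = colon ? cred_len - ulen - 1 : 0;

    memset(u, 0, sizeof *u);
    if (ulen >= sizeof u->user || plen >= sizeof u->pass)
        return false;
    memcpy(u->user, login, ulen);
    if (colon)
        memcpy(u->pass, colon + 1, plen);

    while (opt) {                               /* each option is ";name=value" */
        const char *val = opt + 1;
        const char *next = strchr(val, ';');
        size_t olen = next ? (size_t)(next - val) : strlen(val);
        if (olen <= 5 || strncasecmp(val, "auth=", 5) != 0)
            return false;                       /* only auth= is defined here */
        if (olen - 5 >= sizeof u->mech)
            return false;
        memcpy(u->mech, val + 5, olen - 5);
        u->mech[olen - 5] = '\0';
        opt = next;
    }
    return true;
}

/* Map the mechanism name (case-insensitive) to the equivalent selection. */
enum auth_mech auth_mech_flag(const char *mech)
{
    if (mech[0] == '\0')                    return AUTH_ANY;
    if (strcasecmp(mech, "basic") == 0)     return AUTH_BASIC;
    if (strcasecmp(mech, "digest") == 0)    return AUTH_DIGEST;
    if (strcasecmp(mech, "ntlm") == 0)      return AUTH_NTLM;
    if (strcasecmp(mech, "negotiate") == 0) return AUTH_NEGOTIATE;
    return AUTH_UNKNOWN;
}

int main(void)
{
    struct userinfo u;
    const char *login = "test:pass;auth=NTLM";  /* the example from the text */
    if (parse_userinfo(login, &u))
        printf("user=%s pass=%s mech=%s flag=%d\n",
               u.user, u.pass, u.mech, auth_mech_flag(u.mech));
    return 0;
}
```

 An unknown mechanism name maps to AUTH_UNKNOWN so the caller can report it
 instead of quietly falling back to whatever the server offers first.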

6. TELNET

6.1 ditch stdin

 Reading input (to send to the remote server) on stdin is a crappy solution
 for library purposes. We need to invent a good way for the application to be
 able to provide the data to send.

6.2 ditch telnet-specific select

 Make the telnet support's own network select() loop go away and merge the
 code into the main transfer loop. Until this is done, the multi interface
 won't work for telnet.

6.3 feature negotiation debug data

 Add telnet feature negotiation data to the debug callback as header data.

7. SMTP

7.2 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the EHLO command.

7.3 Add CURLOPT_MAIL_CLIENT option

 Rather than use the URL to specify the mail client string to present in the
 HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
 specifying this data, as the URL is non-standard and to be honest a bit of a
 hack ;-)

 Please see the following thread for more information:
 https://curl.haxx.se/mail/lib-2012-05/0178.html

8. POP3

8.2 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the CAPA command.

9. IMAP

9.1 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the CAPABILITY command.

10. LDAP

10.1 SASL based authentication mechanisms

 Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
 to an LDAP server. However, this function sends username and password details
 using the simple authentication mechanism (as clear text). It should be
 possible to use ldap_bind_s() instead, specifying the security context
 information ourselves.

11. SMB

11.1 File listing support

 Add support for listing the contents of an SMB share. The output should
 probably be the same as/similar to FTP.

11.2 Honor file timestamps

 The timestamp of the transferred file should reflect that of the original
 file.

11.3 Use NTLMv2

 Currently the SMB authentication uses NTLMv1.

11.4 Create remote directories

 Support for creating remote directories when uploading a file to a directory
 that doesn't exist on the server, just like --ftp-create-dirs.

12. New protocols

13. SSL

13.2 Provide mutex locking API

 Provide a libcurl API for setting mutex callbacks in the underlying SSL
 library, so that the same application code can use mutex-locking
 independently of OpenSSL or GnuTLS being used.

13.3 Support in-memory certs/ca certs/keys

 You can specify the private and public keys for SSH/SSL as file paths. Some
 programs want to avoid using files and instead just pass them as in-memory
 data blobs. There's probably a challenge to make this work across the
 plethora of different TLS and SSH backends that curl supports.
 https://github.com/curl/curl/issues/2310

13.4 Cache/share OpenSSL contexts

 "Look at SSL cafile - quick traces look to me like these are done on every
 request as well, when they should only be necessary once per SSL context (or
 once per handle)". The major improvement we can rather easily do is to make
 sure we don't create and kill a new SSL "context" for every request, but
 instead make one for every connection and re-use that SSL context in the same
 style connections are re-used. It will make us use slightly more memory but
 it will make libcurl do fewer creations and deletions of SSL contexts.

 Technically, the "caching" is probably best implemented by getting added to
 the share interface so that easy handles who want to and can reuse the
 context specify that by sharing with the right properties set.

 https://github.com/curl/curl/issues/1110

13.5 Export session ids

 Add an interface to libcurl that enables "session IDs" to get
 exported/imported. Cris Bailiff said: "OpenSSL has functions which can
 serialise the current SSL state to a buffer of your choice, and recover/reset
 the state from such a buffer at a later date - this is used by mod_ssl for
 apache to implement an SSL session ID cache".

13.6 Provide callback for cert verification

 OpenSSL supports a callback for customised verification of the peer
 certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
 it be? There's so much that could be done if it were!

13.7 improve configure --with-ssl

 Make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
 then NSS...

13.8 Support DANE

 DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
 keys and certs over DNS using DNSSEC as an alternative to the CA model.
 https://www.rfc-editor.org/rfc/rfc6698.txt

 An initial patch was posted by Suresh Krishnaswamy on March 7th 2013
 (https://curl.haxx.se/mail/lib-2013-03/0075.html) but it was too simple an
 approach. See Daniel's comments:
 https://curl.haxx.se/mail/lib-2013-03/0103.html . libunbound may be the
 correct library to base this development on.

 Björn Stenberg wrote a separate initial take on DANE that was never
 completed.

13.10 Support Authority Information Access certificate extension (AIA)

 AIA can provide various things like CRLs but more importantly information
 about intermediate CA certificates that can allow the validation path to be
 completed when the HTTPS server doesn't itself provide them.

 Since AIA is about downloading certs on demand to complete a TLS handshake,
 it is probably a bit tricky to get done right.

 See https://github.com/curl/curl/issues/2793

13.11 Support intermediate & root pinning for PINNEDPUBLICKEY

 CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
 certificates when comparing the pinned keys. Therefore it is not compatible
 with "HTTP Public Key Pinning", as HPKP also allows intermediate and root
 certificates to be pinned. This is very useful as it prevents webadmins from
 "locking themselves out of their servers".

 Adding this feature would make curl's pinning 100% compatible with HPKP and
 allow more flexible pinning.

13.12 Support HSTS

 "HTTP Strict Transport Security" is a TOFU (trust on first use), time-based
 feature indicated by an HTTP header sent by the web server. It is widely used
 in browsers and its purpose is to prevent insecure HTTP connections after
 a previous HTTPS connection. It protects against SSL stripping attacks.

 Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
 RFC 6797: https://tools.ietf.org/html/rfc6797
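
 To make the TOFU mechanism concrete, here is an added example (not libcurl
 code) in C: a minimal HSTS cache that parses the Strict-Transport-Security
 header, stores the policy with its expiry, and tells the caller whether a
 plain http:// request to a host must be upgraded to https://. Policies are
 only accepted from responses received over TLS, as RFC 6797 requires, a
 max-age of 0 withdraws a stored policy, and includeSubDomains extends it to
 every label below the host. The structs, the function names, the cache size
 and the integer time parameter are assumptions of this example:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define HSTS_MAX 16              /* assumed cache size for this example */

struct hsts_entry {
    char host[256];
    long expires;                /* absolute time (seconds) the policy lapses */
    bool include_subdomains;
};

struct hsts_cache {
    struct hsts_entry e[HSTS_MAX];
    int n;
};

/* Parse a Strict-Transport-Security value such as
 * "max-age=31536000; includeSubDomains". Unknown directives are ignored.
 * Returns false when no usable max-age is present (RFC 6797 requires one). */
bool hsts_parse(const char *value, long *max_age, bool *include_sub)
{
    const char *p = value;
    *max_age = -1;
    *include_sub = false;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ';')
            p++;
        if (strncasecmp(p, "max-age=", 8) == 0) {
            char *end;
            p += 8;
            if (*p == '"')
                p++;
            *max_age = strtol(p, &end, 10);
            if (end == p || *max_age < 0)
                return false;
            p = end;
        } else if (strncasecmp(p, "includeSubDomains", 17) == 0) {
            *include_sub = true;
            p += 17;
        }
        while (*p && *p != ';')  /* skip to the next directive */
            p++;
    }
    return *max_age >= 0;
}

/* Record a policy learned from a response. Headers seen over plain HTTP are
 * ignored, since anything on that path can be forged; max-age=0 withdraws. */
bool hsts_learn(struct hsts_cache *c, bool over_tls, const char *host,
                const char *header, long now)
{
    long max_age;
    bool sub;
    int i;
    if (!over_tls || !hsts_parse(header, &max_age, &sub))
        return false;
    for (i = 0; i < c->n; i++)
        if (strcasecmp(c->e[i].host, host) == 0)
            break;
    if (max_age == 0) {          /* host asks to be forgotten */
        if (i < c->n)
            c->e[i] = c->e[--c->n];
        return true;
    }
    if (i == c->n) {
        if (c->n == HSTS_MAX)
            return false;
        c->n++;
    }
    snprintf(c->e[i].host, sizeof c->e[i].host, "%s", host);
    c->e[i].expires = now + max_age;
    c->e[i].include_subdomains = sub;
    return true;
}

/* Must a plain http:// request to host be rewritten to https:// ? */
bool hsts_should_upgrade(const struct hsts_cache *c, const char *host, long now)
{
    size_t hl = strlen(host);
    int i;
    for (i = 0; i < c->n; i++) {
        const struct hsts_entry *e = &c->e[i];
        size_t el = strlen(e->host);
        if (e->expires <= now)
            continue;            /* expired: the host is back to normal http */
        if (hl == el && strcasecmp(host, e->host) == 0)
            return true;
        if (e->include_subdomains && hl > el + 1 && host[hl - el - 1] == '.' &&
            strcasecmp(host + hl - el, e->host) == 0)
            return true;
    }
    return false;
}
```

 The caller feeds hsts_learn() every response header as it arrives, with
 over_tls reflecting the connection the response came in on, and consults
 hsts_should_upgrade() before opening any http:// connection. A real
 implementation would also persist the cache across runs, since the
 protection only covers the time between the first HTTPS visit and expiry.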
716
71713.14 Support the clienthello extension
718
719 Certain stupid networks and middle boxes have a problem with SSL handshake
720 pakets that are within a certain size range because how that sets some bits
721 that previously (in older TLS version) were not set. The clienthello
722 extension adds padding to avoid that size range.
723
724 https://tools.ietf.org/html/rfc7685
725 https://github.com/curl/curl/issues/2299
726
72714. GnuTLS
728
72914.2 check connection
730
731 Add a way to check if the connection seems to be alive, to correspond to the
732 SSL_peak() way we use with OpenSSL.
733
73415. WinSSL/SChannel
735
73615.1 Add support for client certificate authentication
737
738 WinSSL/SChannel currently makes use of the OS-level system and user
739 certificate and private key stores. This does not allow the application
740 or the user to supply a custom client certificate using curl or libcurl.
741
742 Therefore support for the existing -E/--cert and --key options should be
743 implemented by supplying a custom certificate to the SChannel APIs, see:
744 - Getting a Certificate for Schannel
745   https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
746
74715.3 Add support for the --ciphers option
748
749 The cipher suites used by WinSSL/SChannel are configured on an OS-level
750 instead of an application-level. This does not allow the application or
751 the user to customize the configured cipher suites using curl or libcurl.
752
753 Therefore support for the existing --ciphers option should be implemented
754 by mapping the OpenSSL/GnuTLS cipher suites to the SChannel APIs, see
755 - Specifying Schannel Ciphers and Cipher Strengths
756   https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
757
75815.4 Add option to disable client certificate auto-send
759
760 Microsoft says "By default, Schannel will, with no notification to the client,
761 attempt to locate a client certificate and send it to the server." That could
762 be considered a privacy violation and unexpected.
763
764 Some Windows users have come to expect that default behavior and to change the
765 default to make it consistent with other SSL backends would be a breaking
766 change. An option should be added that can be used to disable the default
767 Schannel auto-send behavior.
768
769 https://github.com/curl/curl/issues/2262
770
77116. SASL
772
77316.1 Other authentication mechanisms
774
775 Add support for other authentication mechanisms such as OLP,
776 GSS-SPNEGO and others.
777
77816.2 Add QOP support to GSSAPI authentication
779
780 Currently the GSSAPI authentication only supports the default QOP of auth
781 (Authentication), whilst Kerberos V5 supports both auth-int (Authentication
782 with integrity protection) and auth-conf (Authentication with integrity and
783 privacy protection).
784
78516.3 Support binary messages (i.e.: non-base64)
786
787  Mandatory to support LDAP SASL authentication.
788
789
17. SSH protocols

17.1 Multiplexing

 SSH is a perfectly fine multiplexed protocol which would allow libcurl to do
 multiple parallel transfers from the same host using the same connection,
 much in the same spirit as HTTP/2 does. libcurl however does not take
 advantage of that ability but will instead always create a new connection for
 new transfers even if an existing connection already exists to the host.

 To fix this, libcurl would have to detect an existing connection and "attach"
 the new transfer to the existing one.

17.2 Handle growing SFTP files

 The SFTP code in libcurl checks the file size *before* a transfer starts and
 then proceeds to transfer exactly that amount of data. If the remote file
 grows while the transfer is in progress libcurl won't notice and will not
 adapt. The OpenSSH SFTP command line tool does and libcurl could also just
 attempt to download more to see if there is more to get...

 https://github.com/curl/curl/issues/4344

17.3 Support better than MD5 hostkey hash

 libcurl offers the CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 option for verifying the
 server's key. MD5 is generally being deprecated so we should implement
 support for stronger hashing algorithms. libssh2 itself is what provides this
 underlying functionality and it supports at least SHA-1 as an alternative.
 SHA-1 is also being deprecated these days so we should consider working with
 libssh2 to instead offer support for SHA-256 or similar.

17.4 Support CURLOPT_PREQUOTE

 The two other QUOTE options are supported for SFTP, but this was left out for
 unknown reasons!

18. Command line tool

18.1 sync

 "curl --sync http://example.com/feed[1-100].rss" or
 "curl --sync http://example.net/{index,calendar,history}.html"

 Downloads a range or set of URLs using the remote name, but only if the
 remote file is newer than the local file. A Last-Modified HTTP date header
 should also be used to set the mod date on the downloaded file.

18.2 glob posts

 Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'.
 This is easily scripted though.

18.3 prevent file overwriting

 Add an option that prevents curl from overwriting existing local files. When
 used, and there already is an existing file with the target file name
 (either -O or -o), a number should be appended (and increased if already
 existing), so that index.html becomes first index.html.1 and then
 index.html.2 etc.

18.5 UTF-8 filenames in Content-Disposition

 RFC 6266 documents how UTF-8 names can be passed to a client in the
 Content-Disposition header, and curl does not support this.

 https://github.com/curl/curl/issues/1888
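
 As an added example (not curl's own code), this is how a client could turn a
 server-supplied Content-Disposition value, including the RFC 6266 filename*
 form above, into a safe local basename and then avoid clobbering an existing
 file as 18.3 proposes. The helper names are hypothetical and the `exists`
 hook is injectable so the logic can be exercised without touching the disk.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical helpers, not curl's own code. RFC 6266 lets a server send
#   filename*=UTF-8''%e2%82%ac%20rates.txt   (an RFC 5987 ext-value)
# next to, or instead of, the plain  filename="..."  parameter.
_EXT = re.compile(r"filename\*\s*=\s*(?P<cs>[^']*)'[^']*'(?P<val>[^;]+)", re.I)
_PLAIN = re.compile(r'filename\s*=\s*(?:"(?P<q>[^"]*)"|(?P<u>[^;]+))', re.I)


def sanitize(name):
    # A server-chosen name must never escape the working directory: keep only
    # the last path component and refuse empty, hidden or control-char names.
    name = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not name or name.startswith(".") or any(ord(c) < 32 for c in name):
        return None
    return name


def filename_from_disposition(header):
    """Return a safe basename from a Content-Disposition value, or None."""
    m = _EXT.search(header)
    if m:  # filename* takes precedence over filename (RFC 6266 section 4.3)
        charset = m.group("cs").lower()
        if charset not in ("utf-8", "iso-8859-1"):
            return None
        try:
            return sanitize(unquote(m.group("val"), charset, errors="strict"))
        except UnicodeDecodeError:
            return None
    m = _PLAIN.search(header)
    if m:
        return sanitize(m.group("q") if m.group("q") is not None else m.group("u"))
    return None


def non_clobbering_name(name, exists=os.path.exists):
    # Item 18.3: append .1, .2, ... until the name is free instead of
    # silently overwriting a local file.
    candidate, n = name, 0
    while exists(candidate):
        n += 1
        candidate = "%s.%d" % (name, n)
    return candidate
```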

18.7 at least N milliseconds between requests

 Allow curl command lines to issue a lot of requests against services that
 limit users to no more than N requests/second or similar. Could be
 implemented with an option asking that at least a certain time has elapsed
 since the previous request before the next one will be performed. Example:

    $ curl "https://example.com/api?input=[1-1000]" -d yadayada --after 500

 See https://github.com/curl/curl/issues/3920

18.9 Choose the name of file in braces for complex URLs

 When using braces to download a list of URLs and you use complicated names
 in the list of alternatives, it could be handy to allow curl to use other
 names when saving.

 Consider a way to offer that. Possibly like
 {partURL1:name1,partURL2:name2,partURL3:name3} where the name following the
 colon is the output name.

 See https://github.com/curl/curl/issues/221

18.10 improve how curl works in a windows console window

 If you pull the scrollbar when transferring with curl in a Windows console
 window, the transfer is interrupted and can get disconnected. This can
 probably be improved. See https://github.com/curl/curl/issues/322

18.11 Windows: set attribute 'archive' for completed downloads

 The archive bit (FILE_ATTRIBUTE_ARCHIVE, 0x20) separates files that shall be
 backed up from those that are either not ready or have not changed.

 Downloads in progress are neither ready to be backed up, nor should they be
 opened by a different process. Only after a download has been completed is it
 sensible to include it in any integral snapshot or backup of the system.

 See https://github.com/curl/curl/issues/3354

18.12 keep running, read instructions from pipe/socket

 Provide an option that makes curl not exit after the last URL (or even work
 without a given URL), and then make it read further instructions passed on a
 pipe or over a socket, so that a second subsequent curl invocation can talk
 to the still running instance and ask for transfers to get done, and thus
 maintain its connection pool, DNS cache and more.

18.15 --retry should resume

 When --retry is used and curl actually retries a transfer, it should use the
 already transferred data and do a resumed transfer for the rest (when
 possible) so that it doesn't have to transfer the same data again that was
 already transferred before the retry.

 See https://github.com/curl/curl/issues/1084

18.16 send only part of --data

 When the user only wants to send a small piece of the data provided with
 --data or --data-binary, like when that data is a huge file, consider a way
 to specify that curl should only send a piece of that. One suggested syntax
 would be: "--data-binary @largefile.zip!1073741823-2147483647".

 See https://github.com/curl/curl/issues/1200

18.17 consider file name from the redirected URL with -O ?

 When a user gives a URL and uses -O, and curl follows a redirect to a new
 URL, the file name is not extracted and used from the newly redirected-to URL
 even if the new URL may have a much more sensible file name.

 This is clearly documented and helps for security since there's no surprise
 to users about which file name might get overwritten. But maybe a new option
 could allow for this, or maybe -J should imply such a treatment as well, as
 -J already allows the server to decide what file name to use, so it already
 carries the "may overwrite any file" risk.

 This is extra tricky if the original URL has no file name part at all since
 then the current code path will error out with an error message, and we can't
 *know* already at that point if curl will be redirected to a URL that has a
 file name...

 See https://github.com/curl/curl/issues/1241

18.18 retry on network is unreachable

 The --retry option retries transfers on "transient failures". We later added
 --retry-connrefused to also retry for "connection refused" errors.

 Suggestions have been brought to also allow retry on "network is unreachable"
 errors and while totally reasonable, maybe we should consider a way to make
 this more configurable than to add a new option for every new error people
 want to retry for?

 https://github.com/curl/curl/issues/1603

18.19 expand ~/ in config files

 For example .curlrc could benefit from being able to do this.

 See https://github.com/curl/curl/issues/2317

18.20 host name sections in config files

 config files would be more powerful if they could set different
 configurations depending on used URLs, host name or possibly origin. Then a
 default .curlrc could set a specific user-agent only when doing requests
 against a certain site.


19. Build

19.1 roffit

 Consider extending 'roffit' to produce decent ASCII output, and use that
 instead of (g)nroff when building src/tool_hugehelp.c

19.2 Enable PIE and RELRO by default

 Especially when having programs that execute curl via the command line, PIE
 renders the exploitation of memory corruption vulnerabilities a lot more
 difficult. This can be attributed to the additional information leaks being
 required to conduct a successful attack. RELRO, on the other hand, marks
 different binary sections like the GOT as read-only and thus kills a handful
 of techniques that come in handy when attackers are able to arbitrarily
 overwrite memory. A few tests showed that enabling these features had close
 to no impact, neither on the performance nor on the general functionality of
 curl.

19.3 cmake test suite improvements

 The cmake build doesn't support 'make show' so it doesn't know which tests
 are in the makefile or not (making appveyor builds do many false warnings
 about it) nor does it support running the test suite if building out-of-tree.

 See https://github.com/curl/curl/issues/3109

20. Test suite

20.1 SSL tunnel

 Make our own version of stunnel for simple port forwarding to enable HTTPS
 and FTP-SSL tests without the stunnel dependency, and it could allow us to
 provide test tools built with either OpenSSL or GnuTLS

20.2 nicer lacking perl message

 If perl wasn't found by the configure script, don't attempt to run the tests
 but explain something nice why it doesn't.

20.3 more protocols supported

 Extend the test suite to include more protocols. The telnet could just do FTP
 or http operations (for which we have test servers).

20.4 more platforms supported

 Make the test suite work on more platforms. OpenBSD and Mac OS. Remove
 fork()s and it should become even more portable.

20.5 Add support for concurrent connections

 Tests 836, 882 and 938 were designed to verify that separate connections
 aren't used when using different login credentials in protocols that
 shouldn't re-use a connection under such circumstances.

 Unfortunately, ftpserver.pl doesn't appear to support multiple concurrent
 connections. The read while() loop seems to loop until it receives a
 disconnect from the client, where it then enters the waiting for connections
 loop. When the client opens a second connection to the server, the first
 connection hasn't been dropped (unless it has been forced - which we
 shouldn't do in these tests) and thus the wait for connections loop is never
 entered to receive the second connection.

20.6 Use the RFC6265 test suite

 A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at
 https://github.com/abarth/http-state/tree/master/tests

 It'd be really awesome if someone would write a script/setup that would run
 curl with that test suite and detect deviances. Ideally, that would even be
 incorporated into our regular test suite.

20.7 Support LD_PRELOAD on macOS

 LD_PRELOAD doesn't work on macOS, but there are tests which require it to run
 properly. Look into making the preload support in runtests.pl portable such
 that it uses DYLD_INSERT_LIBRARIES on macOS.

21. Next SONAME bump

21.1 http-style HEAD output for FTP

 #undef CURL_FTP_HTTPSTYLE_HEAD in lib/ftp.c to remove the HTTP-style headers
 from being output in NOBODY requests over FTP

21.2 combine error codes

 Combine some of the error codes to remove duplicates.  The original
 numbering should not be changed, and the old identifiers would be
 macroed to the new ones in a CURL_NO_OLDIES section to help with
 backward compatibility.

 Candidates for removal and their replacements:

    CURLE_FILE_COULDNT_READ_FILE => CURLE_REMOTE_FILE_NOT_FOUND

    CURLE_FTP_COULDNT_RETR_FILE => CURLE_REMOTE_FILE_NOT_FOUND

    CURLE_FTP_COULDNT_USE_REST => CURLE_RANGE_ERROR

    CURLE_FUNCTION_NOT_FOUND => CURLE_FAILED_INIT

    CURLE_LDAP_INVALID_URL => CURLE_URL_MALFORMAT

    CURLE_TFTP_NOSUCHUSER => CURLE_TFTP_ILLEGAL

    CURLE_TFTP_NOTFOUND => CURLE_REMOTE_FILE_NOT_FOUND

    CURLE_TFTP_PERM => CURLE_REMOTE_ACCESS_DENIED

21.3 extend CURLOPT_SOCKOPTFUNCTION prototype

 The current prototype only provides 'purpose' that tells what the
 connection/socket is for, but not any protocol or similar. It makes it hard
 for applications to differentiate on TCP vs UDP and even HTTP vs FTP and
 similar.

22. Next major release

22.1 cleanup return codes

 curl_easy_cleanup() returns void, but curl_multi_cleanup() returns a
 CURLMcode. These should be changed to be the same.

22.2 remove obsolete defines

 remove obsolete defines from curl/curl.h

22.3 size_t

 make several functions use size_t instead of int in their APIs

22.4 remove several functions

 remove the following functions from the public API:

 curl_getenv

 curl_mprintf (and variations)

 curl_strequal

 curl_strnequal

 They will instead become curlx_ - alternatives. That makes the curl app
 still capable of using them, by building with them from source.

 These functions have no purpose anymore:

 curl_multi_socket

 curl_multi_socket_all

22.5 remove CURLOPT_FAILONERROR

 Remove support for CURLOPT_FAILONERROR, it has gotten too kludgy and weird
 internally. Let the app judge success or not for itself.

22.7 remove progress meter from libcurl

 The internally provided progress meter output doesn't belong in the library.
 Basically no application wants it (apart from curl) but instead applications
 can and should do their own progress meters using the progress callback.

 The progress callback should then be bumped as well to get proper 64bit
 variable types passed to it instead of doubles so that big files work
 correctly.

22.8 remove 'curl_httppost' from public

 curl_formadd() was made to fill in a public struct, but the fact that the
 struct is public is never really used by applications for their own advantage
 but instead often restricts how the form functions can or can't be modified.

 Changing them to return a private handle will benefit the implementation and
 allow us much greater freedoms while still maintaining a solid API and ABI.
