Before this patch it broke clang 20/21 cmake builds on ubuntu-26.04-arm
runner, failing at the beginning of the configure stage while probing
the compiler.
Seen in the 'CM openssl clang krb5 LTO' job:
```
: && /usr/bin/clang --target=aarch64-pc-linux-gnu CMakeFiles/cmTC_3d9ae.dir/testCCompiler.c.o -o cmTC_3d9ae && :
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find crtbeginS.o: No such file or directory
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc: No such file or directory
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc_s: No such file or directory
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462687#step:38:66
Follow-up to 36bd807475#15242
Follow-up to 232302f88a#14382
Cherry-picked from #22092Closes#22097
pytype is discontinued, does not receive further updates, and it
requires older python, offered by Ubuntu 24.04 or older.
Move it to its own GHA job to allow bumping the rest of checkers to.
newer runner images. Also move it out from the shared `requirements.txt`
and install directly from its separate GHA job, to avoid installing it
unnecessarily from others. Since it does not receive update, it's fine
to move out from Dependabot's view.
Ref: https://pypi.org/project/pytype/
Cherry-picked from #22092Closes#22096
At the time of the original commit, the runner was ubuntu-22.04 with
a default GCC 11. It made sense to bump to 12 manually. Since 2025,
the default is ubuntu-24.04 with GCC 13, when this became a downgrade.
Drop manual envs and bump to GCC 13 with it. Other options available are
14, 15 and 16.
Refs:
https://packages.ubuntu.com/jammy/gcc (ubuntu-22.04)
https://packages.ubuntu.com/noble/gcc (ubuntu-24.04)
Follow-up to 6079ff314b#22075
Follow-up to a8174176b5#13841Closes#22077
Issue had been fixed in the ubuntu-24.04-arm runner image upstream.
now:
```
$ ls -l /home # on arm
drwxr-x--- 11 runner runner 4096 Jun 18 08:19 runner
$ ls -l /home # on intel
drwxr-x--- 11 runner runner 4096 Jun 18 08:19 runner
```
Follow-up to 2b0d8dcc16#20231Closes#22076
3 minutes (was: 2).
IIn the hope it fixes timeouts, assuming the Ubuntu mirrors are only
somewhat slower sometimes (and not completely stalled).
Closes#22068
Whether the install is extreme slow and will fail anyway, or only slower
sometimes, and this fixes, we will see.
Example:
```
Need to get 1159 MB of archives.
After this operation, 4463 MB of additional disk space will be used.
Get:1 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2023.2.0 all 2023.2.0-49462 [30.4 kB]
Get:2 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2026.0 all 2026.0.0-235 [30.7 kB]
[...]
Get:21 https://apt.repos.intel.com/oneapi all/main amd64 intel-oneapi-dpcpp-debugger-2023.2.0 amd64 2023.2.0-49330 [201 MB]
Error: The action 'install Intel compilers' has timed out after 2 minutes.
```
Ref: https://github.com/curl/curl/actions/runs/27683923870/job/81877924590
Follow-up to 50ff4f2927#21414Closes#22065
Fix build issues:
- src: adjust `toolx_ftruncate()`.
- libtests/cli_ftp_upload: make `struct timeval` initialization portable.
- libtests/lib1960: do unconst in local `inet_pton()` macro.
- tests/server/dnsd: make it stub instead of failing the build.
- tests/server: make them link AmiSSL for `SocketBase`.
Also:
- bump AmiSSL to the latest release.
- add download hash checks and toolchain cache.
- sync restored code with local updates made since last year.
It takes 30 seconds per job, 1 minute in total.
Thanks-to: Bebbo
Thanks-to: Darren Banfi
Ref: https://github.com/curl/curl/pull/21989#issuecomment-4691380623
Follow-up to 7a14898264#17486Closes#21993
It seems the commit hash behind the v6.1 tag is changing, and the latest
version is actually v6.0.2, which is currently mapped to the v6.1 hash.
Fixing:
```
warning[ref-version-mismatch]: action's hash pin has mismatched or missing version comment
--> .github/workflows/windows.yml:98:87
|
98 | - uses: cygwin/cygwin-install-action@711d29f3da # v6.1
| --------------------------------------------------------------------------- ^^^^ points to commit 3f0a3f9f988f
| |
| is pointed to by tag v6.0.1
```
Ref: https://github.com/cygwin/cygwin-install-action/issues/59Closes#21974
- drop more uses of the word "just". (not enforced here)
- drop some uses of the "will" word.
- "then" -> "than".
- tests/http/testenv/curl.py: fix copy-paste typo in error message.
- pytest: replace `shutdownh` with `shutdown` in test names.
Spotted by GitHub Code Quality.
- comment typos.
- whitespace and newlines fixes.
Closes#21830
Also:
- GHA/http3-linux: enable deprecated APIs in openssl-prev local
OpenSSL builds. Required by h2o and its vendored dependencies.
Tried OpenSSL 4, LibreSSL 4.x, BoringSSL: all failed at one point.
- GHA/http3-linux: build h2o from source.
libuv1-dev may not be stricly required.
Tried installing libwslay-dev, but it wasn't recognized.
Also disable building h2o libs for a much smaller dist directory and
slightly faster build.
Sadly, h2o is not versioned, so I pinned to the current latest commit
at the master branch. It advertises itself as 2.3.0-DEV in pytest.
- drop redundant `libnghttp3` installs. Remains of openssl-quic builds.
Follow-up to 6aaac9dd38#20226
Note GHA/macos pytests may or not not be stable with the H3 proxy tests.
Follow-up to e78b1b3ecc#21153Closes#21789
- H3 proxy: re-sync code with original source `curl_ngtcp2.c` to reduce
differences, and to apply missed minor fixes. Also apply clang-format.
Drop redundant `#undef`s, casts, `#endif` comments, includes, drop
intermediate variables, sync include and macro order.
Follow-up to e78b1b3ecc#21153
- INSTALL-CMAKE.md: move `CURL_ENABLE_SMB` to the enable section.
- tests/http/env: rename `tcpdmp` to `tcpdump` to match object variable.
- mbedtls: drop incorrect `mbedTLS 4+` comments.
(features are also supported by 3+, meaning it's always supported.)
- lib1648: rename a variable to match purpose.
- CIPHERS.md: alpha-sort link list.
- replace rare `X''` hex markup with `0x`.
- `IP v4/6` -> `IPv4/6`.
- 'version X.Y' -> 'vX.Y', where sensible.
- 'VX.Y' -> 'vX.Y', where sensible.
- fix indents, casing, newlines, typos.
Closes#21772
This patch adds two major proxy capabilities to curl (ngtcp2 QUIC):
- HTTP/3 Proxy CONNECT: Tunnel HTTP/1.1 or HTTP/2 traffic through an
HTTPS proxy that speaks HTTP/3 (QUIC) using the standard CONNECT
method over an HTTP/3 connection.
- MASQUE CONNECT-UDP: Tunnel HTTP/3 (QUIC) traffic through an HTTP
proxy (speaking HTTP/1.1, HTTP/2, or HTTP/3) using the extended
CONNECT method with the CONNECT-UDP protocol (RFC9297 & RFC9298).
Public API additions:
- `CURLPROXY_HTTPS3`: new proxy type constant for HTTP/3 proxy
- `--proxy-http3`: new CLI flag to negotiate HTTP/3 with HTTPS proxy
The implementation adds two new filters:
- `H3-PROXY` - enables negotiating HTTP/3 (QUIC) to the proxy and
running CONNECT/CONNECT-UDP through that proxy transport.
- `CAPSULE` - dedicated filter inserted between QUIC transport and
HTTP-PROXY to handle datagram capsule encapsulation/decapsulation.
Here is how the curl filter chaining looks in different scenarios:
- HTTP/3 Proxy CONNECT (tunneling TCP protocols over QUIC proxy):
conn -> HTTP/1.1 or HTTP/2 -> SSL -> HTTP-PROXY ->
H3-PROXY -> HAPPY-EYEBALLS -> UDP
- MASQUE CONNECT-UDP (tunneling QUIC over any proxy):
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H3-PROXY ->
HAPPY-EYEBALLS -> UDP
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H1-PROXY or H2-PROXY ->
SSL -> HAPPY-EYEBALLS -> TCP
- Both features currently require the ngtcp2 QUIC backend.
- Both features are experimental (disabled by default). Enable with
`--enable-proxy-http3`(autotools) or `-DUSE_PROXY_HTTP3=ON`(CMake).
Tests:
- tests/unit/unit3400.c: Unit tests for capsule protocol encode/decode
- tests/http/test_60_h3_proxy.py: Comprehensive pytest integration suite
- tests/http/testenv/h2o.py: Managing h2o instances with HTTP/1.1, HTTP/2,
and HTTP/3 (QUIC) listeners, proxy.connect and proxy.connect-udp enabled.
References:
RFC 9297 - HTTP Datagrams and the Capsule Protocol
RFC 9298 - Proxying UDP in HTTP
RFC 9000 §16 — Variable-Length Integer Encoding
Signed-off-by: Aritra Basu <aritrbas+gh@cisco.com>
Closes#21153
- fix macOS locale tests to clear existing variables.
(Without this, the system-defined `LC_ALL` takes precedence, and
the custom envs in CI are ignored.)
- trigger test 1981 issue by setting `LC_TIME` to non-English, on macOS.
(On Linux it'd require explicitly installing a non-English locale, I
skipped this for simplicity.)
```
[...]
-Time: 01/Aug/2025 08:31:43.037103 +0000 UTC[CR][LF]
+Time: 01/ao%c3%bb/2025 08:31:43.037103 +0000 UTC[CR][LF]
[...]
FAIL 1981: '%time output with --write-out' HTTP, HTTP GET
```
Follow-up to 90a7732d46#21749
Follow-up to 1cc8a5235f#17988
Follow-up to c221c0ee59#17938Closes#21753
Detect latest tarball version via the https://curl.se/downloads.html
page, download the signing key from a public keyserver then verify
source download signatures.
To ensure that public downloads are intact.
Closes#21759
Also switch back to ftp.openbsd.org download server. More often than not
the GitHub release entry is missing the download artifacts at the time
of detecting a new version, breaking automatic bumps. We cache the
download so it does not bang the origin server with many requests.
Follow-up to 800b0bec18#19082Closes#21742Closes#21754
CI time cost is 1s.
It may replace existing pedantic check, if this level isn't bringing
false-positives or annoyance. Officially it's not meant for CI, but curl
has been passing this in the last couple of months when checked locally.
Closes#21718