Also:
- GHA/http3-linux: enable deprecated APIs in openssl-prev local
OpenSSL builds. Required by h2o and its vendored dependencies.
Tried OpenSSL 4, LibreSSL 4.x, BoringSSL: all failed at one point.
- GHA/http3-linux: build h2o from source.
libuv1-dev may not be stricly required.
Tried installing libwslay-dev, but it wasn't recognized.
Also disable building h2o libs for a much smaller dist directory and
slightly faster build.
Sadly, h2o is not versioned, so I pinned to the current latest commit
at the master branch. It advertises itself as 2.3.0-DEV in pytest.
- drop redundant `libnghttp3` installs. Remains of openssl-quic builds.
Follow-up to 6aaac9dd38#20226
Note GHA/macos pytests may or not not be stable with the H3 proxy tests.
Follow-up to e78b1b3ecc#21153Closes#21789
- H3 proxy: re-sync code with original source `curl_ngtcp2.c` to reduce
differences, and to apply missed minor fixes. Also apply clang-format.
Drop redundant `#undef`s, casts, `#endif` comments, includes, drop
intermediate variables, sync include and macro order.
Follow-up to e78b1b3ecc#21153
- INSTALL-CMAKE.md: move `CURL_ENABLE_SMB` to the enable section.
- tests/http/env: rename `tcpdmp` to `tcpdump` to match object variable.
- mbedtls: drop incorrect `mbedTLS 4+` comments.
(features are also supported by 3+, meaning it's always supported.)
- lib1648: rename a variable to match purpose.
- CIPHERS.md: alpha-sort link list.
- replace rare `X''` hex markup with `0x`.
- `IP v4/6` -> `IPv4/6`.
- 'version X.Y' -> 'vX.Y', where sensible.
- 'VX.Y' -> 'vX.Y', where sensible.
- fix indents, casing, newlines, typos.
Closes#21772
This patch adds two major proxy capabilities to curl (ngtcp2 QUIC):
- HTTP/3 Proxy CONNECT: Tunnel HTTP/1.1 or HTTP/2 traffic through an
HTTPS proxy that speaks HTTP/3 (QUIC) using the standard CONNECT
method over an HTTP/3 connection.
- MASQUE CONNECT-UDP: Tunnel HTTP/3 (QUIC) traffic through an HTTP
proxy (speaking HTTP/1.1, HTTP/2, or HTTP/3) using the extended
CONNECT method with the CONNECT-UDP protocol (RFC9297 & RFC9298).
Public API additions:
- `CURLPROXY_HTTPS3`: new proxy type constant for HTTP/3 proxy
- `--proxy-http3`: new CLI flag to negotiate HTTP/3 with HTTPS proxy
The implementation adds two new filters:
- `H3-PROXY` - enables negotiating HTTP/3 (QUIC) to the proxy and
running CONNECT/CONNECT-UDP through that proxy transport.
- `CAPSULE` - dedicated filter inserted between QUIC transport and
HTTP-PROXY to handle datagram capsule encapsulation/decapsulation.
Here is how the curl filter chaining looks in different scenarios:
- HTTP/3 Proxy CONNECT (tunneling TCP protocols over QUIC proxy):
conn -> HTTP/1.1 or HTTP/2 -> SSL -> HTTP-PROXY ->
H3-PROXY -> HAPPY-EYEBALLS -> UDP
- MASQUE CONNECT-UDP (tunneling QUIC over any proxy):
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H3-PROXY ->
HAPPY-EYEBALLS -> UDP
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H1-PROXY or H2-PROXY ->
SSL -> HAPPY-EYEBALLS -> TCP
- Both features currently require the ngtcp2 QUIC backend.
- Both features are experimental (disabled by default). Enable with
`--enable-proxy-http3`(autotools) or `-DUSE_PROXY_HTTP3=ON`(CMake).
Tests:
- tests/unit/unit3400.c: Unit tests for capsule protocol encode/decode
- tests/http/test_60_h3_proxy.py: Comprehensive pytest integration suite
- tests/http/testenv/h2o.py: Managing h2o instances with HTTP/1.1, HTTP/2,
and HTTP/3 (QUIC) listeners, proxy.connect and proxy.connect-udp enabled.
References:
RFC 9297 - HTTP Datagrams and the Capsule Protocol
RFC 9298 - Proxying UDP in HTTP
RFC 9000 §16 — Variable-Length Integer Encoding
Signed-off-by: Aritra Basu <aritrbas+gh@cisco.com>
Closes#21153
- fix macOS locale tests to clear existing variables.
(Without this, the system-defined `LC_ALL` takes precedence, and
the custom envs in CI are ignored.)
- trigger test 1981 issue by setting `LC_TIME` to non-English, on macOS.
(On Linux it'd require explicitly installing a non-English locale, I
skipped this for simplicity.)
```
[...]
-Time: 01/Aug/2025 08:31:43.037103 +0000 UTC[CR][LF]
+Time: 01/ao%c3%bb/2025 08:31:43.037103 +0000 UTC[CR][LF]
[...]
FAIL 1981: '%time output with --write-out' HTTP, HTTP GET
```
Follow-up to 90a7732d46#21749
Follow-up to 1cc8a5235f#17988
Follow-up to c221c0ee59#17938Closes#21753
Detect latest tarball version via the https://curl.se/downloads.html
page, download the signing key from a public keyserver then verify
source download signatures.
To ensure that public downloads are intact.
Closes#21759
Also switch back to ftp.openbsd.org download server. More often than not
the GitHub release entry is missing the download artifacts at the time
of detecting a new version, breaking automatic bumps. We cache the
download so it does not bang the origin server with many requests.
Follow-up to 800b0bec18#19082Closes#21742Closes#21754
CI time cost is 1s.
It may replace existing pedantic check, if this level isn't bringing
false-positives or annoyance. Officially it's not meant for CI, but curl
has been passing this in the last couple of months when checked locally.
Closes#21718
- GHA/windows: bump dl-mingw job from gcc 15 to 16.
- multi: silence warning while building libcurlu:
```
In function 'multi_ischanged',
inlined from 'multi_socket.isra' at D:/a/curl/curl/lib/multi.c:3282:6:
D:/a/curl/curl/lib/multi.c:1710:17: error: null pointer dereference [-Werror=null-dereference]
1710 | bool retval = (bool)multi->recheckstate;
| ^~~~~~~~~~~~~~~~~~~~~~~~~
D:/a/curl/curl/lib/multi.c:1712:25: error: null pointer dereference [-Werror=null-dereference]
1712 | multi->recheckstate = FALSE;
| ^
```
Ref: https://github.com/curl/curl/actions/runs/26217071531/job/77142119137?pr=21707
- multi: silence another `-Wnull-dereference`, popping up in libcurl
with gcc 13 after the previous silencing:
```
In function 'Curl_multi_xfers_running',
inlined from 'multi_socket.isra' at ../../lib/multi.c:3292:28:
../../lib/multi.c:4132:15: error: null pointer dereference [-Werror=null-dereference]
4132 | return multi->xfers_alive;
| ~~~~~^~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/26218822231/job/77148186045
- multi: also add `DEBUGASSERT(multi)` to the two updated functions.
Closes#21707
Example:
```
Wed, 20 May 2026 09:51:48 GMT Updating Avalon repository catalogue...
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT repository Avalon has no meta file, using default settings
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT Unable to update repository Avalon
Wed, 20 May 2026 09:51:48 GMT Error updating repositories!
Wed, 20 May 2026 09:51:48 GMT Error: Process completed with exit code 3.
```
As tested over at libssh2, retrying the install command also does not
help, only repeats the same failure.
Also: fix whitespace in matrix.
Follow-up to b158d1c9f7#21681Closes#21694
- bump cross-platform-actions to v1.1.0.
Ref: https://github.com/cross-platform-actions/action/releases/tag/v1.1.0
- merge BSD jobs into a single matrix.
- split BSD jobs into build steps as used for other platforms.
A new feature of cross-platform-actions v1.1.0.
- sync BSD build steps with other platforms.
- add DragonFlyBSD and MidnightBSD to the BSD matrix.
New features of cross-platform-actions v1.1.0.
MidnightBSD uses GnuTLS to add variation, also the preinstalled
OpenSSL is too old (v1.1.1w) for curl.
Stick with autotools for DragonFlyBSD; I could not figure out how
to install cmake.
Refs:
https://en.wikipedia.org/wiki/DragonFly_BSDhttps://en.wikipedia.org/wiki/MidnightBSD
- bump Intel FreeBSD jobs from v14.3 to v15.0.
- fix to show `gcc` in the NetBSD job name.
All these saved 50 lines of YAML. The two new jobs take 2m15s each. The
bump to FreeBSD 15 needs and extra minute in total.
Note, the DragonFlyBSD job seems to have reliability issues. If it
remains an issue, I'll comment it out or delete it in a future commit.
Closes#21681
In both autotools and cmake builds, because Android does not offer
a `zlib.pc`.
Also:
- GHA/non-native: dump config files, to verify.
Reported-by: sfan5 on github
Fixes#21647Closes#21648
Also fix fallouts found.
Windows clang-tidy CI job is a little pickier than I'd prefer due to the
`_CURL_TESTS_CONCAT=ON` option used there, and all macros considered
local, thus checked by the compiler. Upside: it revealed macro usage
dynamics in tests. If too annoying, `first.h` may be opted-out from the
concat logic. Some macros may also be deleted instead of `#if 0`-ing.
Follow-up to e0e56e9ae4#21550
Follow-up to 5fa5cb3825#20593Closes#21554
Fixing this with zizmor v1.25.0:
```
error[unpinned-images]: unpinned image references
--> .github/workflows/linux-old.yml:59:5
59 | container: 'debian:stretch'
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image is not pinned to a SHA256 hash
= help: audit documentation -> https://docs.zizmor.sh/audits/#unpinned-images
[...]
```
Ref: https://github.com/curl/curl/actions/runs/25890035949/job/76090925291?pr=21618
Sadly there is no automatic mechanism to bump them..
Also:
- replace `debian-stretch` with its slim variant.
- bump one of the two Alpine jobs from 3.20 to 3.23.4.
Closes#21619
Fixing:
```
==> Installing openssl@3 dependency: ca-certificates
==> Pouring ca-certificates--2026-05-14.all.bottle.tar.gz
Error: undefined method '[]' for nil
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/utils/bottles.rb:127:in 'Utils::Bottles.load_tab'
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/formula_installer.rb:1507:in 'FormulaInstaller#pour'
[...]
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/brew.rb:114:in '<main>'
You have disabled automatic updates and have not updated today.
Do not report this issue until you've run `brew update` and tried again.
Error: Process completed with exit code 1.
```
Ref: https://github.com/curl/curl/actions/runs/25859030402/job/75984082148?pr=21607
Dropping `HOMEBREW_NO_AUTO_UPDATE=1` was not enough to fix it.
Closes#21608
- disable DES with nettle 4. It no longer supports it.
```
lib/curl_ntlm_core.c:67:12: fatal error: 'nettle/des.h' file not found
67 | # include <nettle/des.h>
| ^~~~~~~~~~~~~~
```
- fix MD4 support with nettle 4.
```
lib/md4.c:178:36: error: too many arguments to function call, expected 2, have 3
178 | md4_digest(ctx, MD4_DIGEST_SIZE, digest);
| ~~~~~~~~~~ ^~~~~~
```
- fix unused argument compiler warning:
```
lib/vtls/gtls.c:2267:39: error: unused parameter 'sha256len' [clang-diagnostic-unused-parameter,-warnings-as-errors]
2267 | size_t sha256len)
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970143?pr=21557
- GHA/macos: stop enabling NTLM in the GnuTLS job.
It no longer builds due to missing DES support in nettle 4.
```
lib/curl_ntlm_core.c:90:4: error: "cannot compile NTLM support without a crypto library with DES."
90 | # error "cannot compile NTLM support without a crypto library with DES."
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970170?pr=21557
Follow-up to cfadbaa133#21169Closes#21557
No production code function is allowed to be longer than 500 lines.
The lib/setopt.c:setopt_cptr function is currently exempt, as a single
exception until we make it smaller.
Closes#21492
- update action `actions/cache` from 5.0.4 to 5.0.5
- update action `actions/upload-artifact` from 7.0.0 to 7.0.1
- update action `github/codeql-action` from 4.32.4 to 4.35.2
- update action `msys2/setup-msys2` from 2.31.0 to 2.31.1
- update pip `filelock` from 3.25.2 to 3.29.0
- update pip `impacket` to 0.13.0
- update pip `ruff` from 0.15.10 to 0.15.12
Closes#21483Closes#21482
- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes#21473
```
The following packages have unmet dependencies:
[...]
E: Unable to satisfy dependencies. Reached two conflicting assignments:
1. musl-dev:amd64=1.2.5-3+b1 is selected for install
2. musl-dev:amd64 is not selected for install because:
1. musl-dev:riscv64=1.2.5-3 is selected for install
2. musl-dev:amd64 Breaks musl-dev:riscv64 (!= 1.2.5-3+b1)
```
Ref: https://github.com/curl/curl/actions/runs/25168601672/job/73785600341#step:3:154Closes#21475
- prefer `--branch` over `-b`, where missing.
- add `--depth 1` where missing.
- sync option order between docs and GHA.
- bump quiche and rustls-ffi versions in documentation.
- ECH.md: update for OpenSSL 4.
Closes#21447
Necessary when the libssh2/libssh client library does not support KEX
algos offered by default by the OpenSSH server. E.g. libssh2 with WinCNG
combined with OpenSSH 10+.
Also: use this option in GHA/windows.
Follow-up to 3b8bb1a86a#21219
Follow-up to c98d0a2e9a#21220Closes#21438
Due to year-long unreliability.
The default Ubuntu mirror works as fast as the Azure one when it's
working at its normal speed. And has HTTPS.
Also:
- replac the retry hack that turn out to not solve the problem.
- add timeouts to each download step to catch slowness early.
Follow-up to a5838847c4#21181
Follow-up to 5172ba5475#21107Closes#21414
GitHub runners are getting new 3rd-party sources frequntly now, last
week `docker.list`, this week: `google-chrome.sources`. To avoid
playing catch up, allowlist the only one we use: `ubuntu.sources`. If
this is renamed, CI would break. Let's hope this happens much less
often than new sources.
Bug: https://github.com/curl/curl/pull/21414#issuecomment-4297788640
Follow-up to 3e0e2cc1ab#21344Closes#21416
