WebSocket has been supported by curl as a non-experimental feature since version 8.11.0 (November 6 2024). With the upcoming release of version 8.16.0, we are taking it a step further. With that release, you can use WebSocket in a pipe from the command line. Like this: > curl --no-progress-meter -T . -N wss://echo.websocket.org/ Request served by 4d896d95b55478dsadsa Hello! Hello! you just echo what I send? you just echo what I send? ... This command line contacts the “echo” server run by...| Posts on icing's blog
Updated (2025-09-13): see “RIP pthread_cancel”. Updated (2025-08-22) at the end. You probably know about threads and most likely heard of pthreads, but have you ever used pthread_cancel()? Well, I had not before last week and it was a little bit of a journey. What’s the problem? curl (or better libcurl) runs all transfers in the same thread (You can run libcurl in several threads, but that’s a story for another post).
With mod_md v2.6.0 the Apache ACME in httpd supports the new “ARI” extension. This is described in rfc9773 titled “ACME Renewal Information (ARI) Extension”. What does that mean? An ACME CA, like Let’s Encrypt, can publish an API endpoint where a client can ask it about a certificate renewal. This can be seen in the “directory” of the server. Like this: > curl https://acme-v02.api.letsencrypt.org/directory {"-S7Ve8oLIfo": "https://community.letsencrypt.org/t/adding-random-entrie...
Let’s talk a bit about CVE-2025-53020, a moderate security vulnerability in Apache httpd that was fixed with the recent release 2.4.64. It was found by security researcher Gal Bar Nahum and reported to the project on June 18th 2025. Gal did real research, understanding the protocol, reading our code and spotting where a client could pierce through our defenses. What you’d expect from a real security researcher. Not one of the new AI sloppers clogging projects everywhere.
curl being used on many platforms, I looked at how my recent improvements compared on my linux (debian sid) box. Yes, I did, but not as much. Below are the numbers for running 50000 requests of a 10KB resource on localhost, using a single HTTP/2 connection with 100 concurrent transfers. These are requests per second: 8.14.1 is the most recent version we shipped. The second row is the current master with the improved “data_pending” handling I wrote about. The third row is the latest improv...
Let’s make curl a little bit faster! When I looked at curl Flame Graphs last Friday, I noticed something that deserved my attention. The graph below was made with curl’s scorecard.py, a tool for running several performance related scenarios against a curl build. I called it via > python3 tests/http/scorecard.py -r --request-count=50000 --request-parallels=100 h2 Date: 2025-06-30T07:47:36.380050+00:00 Version: curl 8.15.0-DEV (x86_64-apple-darwin24.5.0) libcurl/8.15.0-DEV OpenSSL/3.5.0 zli...
Let’s have some fun with flame graphs and curl! I used curl’s scorecard python script to add some dtrace of the curl process and the nice FlameGraph by Brendan Gregg to have a look at what curl is actually doing. dtrace makes snapshots of the current stack frames, here about 100 times per second, and the Flame Graph tools aggregate these and render an interactive SVG to look at the data. You can read these as follows:
As you might have heard, Let’s Encrypt will introduce certificates with shorter lifetimes in 2025. They will not go away from the 90 days they give you now. They’ll add certificates with a duration of 6 days in addition. If you do nothing you will continue to get certificates as before! This out of the way, what do you have to do to get the shorter ones? How to get other Certs First, as of now, you will not be able to use this new feature, as Let’s Encrypt is gradually phasing that in t...
Apache ACME gives you easy access to certificates via mod_md, as you might know. It handles obtaining and renewing them by the Apache server itself. No other 3rd party scripts needed. There are meaningful defaults and quite some flexibility in letting you control (and monitor!) how it works. But with the recent v2.4.26 release, we are going one step further. Revocations Certificates may get revoked. By the CA (Certificate Authority) that gave them to you. This may be triggered by yourself (you...
I recently tooted my happiness with curl’s tracing capabilities on mastodon (the place to be for awesome curl news) and people showed interest in hearing more details about it. So, here we go… The case for logging/tracing First, if you have added printf(...) statements before, only to remove them again after a bug was fixed, you should consider tracing. The investment is worth it. One challenge when putting your code into the hands of people on the internet is that they often run it in en...
In the upcoming curl version 8.12.0 we’ll add the experimental feature of SSL session import/export. You can specify a file where sessions are imported from at the start of curl and to which they are exported again once curl is done. Like in: > curl --ssl-sessions my-session-file https://curl.se This will work for all TLS backends that support SSL sessions in a format suitable for storage: GnuTLS, OpenSSL (and variants), wolfSSL, bearssl, mbedTLS.
Over the last months, Viktor Szakats and I worked on improving curl’s CI system. Viktor focused on improvements in the various builds and how we cover all the platforms that we test on. I looked into improving the test suite reliability and performance. As I like to say, our CI is the weapon we slay the dragons with that lurk in code. It needs to be sharp and precise. Even for a little hobby project like curl.
Daniel just posted a new graph on his famous collection of curl statistics and I like to blab a bit about it. The curl Graph It is called “Added LOC per LOC still present” because we like flashy marketing speech in the curl project. What it shows is basically “How often do we change code lines over time”. Examples: if we wrote perfect code and outside requirements would never change, we’d never have to revisit it. The graph would be flat at multiplier 1. The code that stays in curl...
In the upcoming curl 8.9.0 release, we gave some love to ending connections in a better way. What does that mean? Will it affect you? Let’s start with the End. The End of a Connection For almost all transfers curl establishes a connection to a server. At some time, the connection will need to be closed again. There are several ways this is triggered: the server closes; there was a network error while sending/receiving; the transfer was aborted by the application; the connection was kept open f...
In my last blog about connection shutdowns in curl, I was a bit vague about why ending TCP connections via FIN is much preferable to a RST. Dan Fandrich provided me with the links to the necessary wording from the TCP standards to explain that in more detail. Note: while I say “detail”, it seems worthy to state that I try to explain the topic without the need to understand everything about TCP. Real network gurus might despair at some shortcuts taken here. I apologize.
Over the last 15 months I worked in curl on various HTTP related areas. HTTP/2 is a good example of what has changed and I’d like to give you an idea of what we have been and continue working on. The following is technical. If you use curl occasionally to retrieve a single URL, you will not experience any of the things touched upon below. If you are more of a power user or into network stuff in general, I hope you’ll find this interesting. (Even if not, should you use git or Rust’s carg...
In the upcoming curl 8.6.0 release, we’ll ship a new, experimental HTTP/3 (QUIC) implementation using the new OpenSSL 3.2.0 QUIC stack. So, I took a look at what performance numbers I am seeing, to give you an idea what you will get. Of course, there are no objective benchmarks. Things may behave differently in your settings. I may be holding things wrong. The measurements shown below are also just from this point in time. We continue to work on this, cooperating with projects like ngtcp2 and...
On 2023-10-19 the project released version 2.4.58 of Apache httpd. 3 CVEs have been fixed, 2 low and 1 moderate. I describe the changes done by me below. CVEs The interesting one is CVE-2023-45802 which I described in my blog about the HTTP/2 Rapid Reset. Changes mod_http2, HTTP/2 frontend WebSockets I added support for bootstrapping WebSockets via HTTP/2, as described in RFC 8441. A new directive ‘H2WebSockets on|off’ has been added. The feature is not enabled by default for compatibilit...
The HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487, made the news last week. For a good overview of what Cloudflare experienced and how they responded, I recommend HTTP/2 Rapid Reset: deconstructing the record-breaking attack by Lucas Pardue and Julien Desgats. Apache httpd Impact I am assuming you are by now somewhat familiar with what the attack is (if not, read the Cloudflare blog). This is a Denial-of-Service attack. No private data is exposed, nothing is infected or compromised. Vul...
Recently I had a customer reporting stalls in his Apache httpd installation. Those were happening on HTTP/2 requests. It took minutes before a response was sent to the client. What was going on? The installation used Apache as a reverse proxy for an application server, a very common setup, and the app server used Server Sent Events (SSE) with browser clients. SSE are GET requests that are meant to run for a very long time (in HTTP’s definition of “long”). Whenever something happens in th...
You might have heard about the ACME 0-day exploit in acme.sh (fixed in the latest release) and Matt Holt, who discovered it, has written an excellent blog about it, where you can read all the details. In the second part of his blog, he gives general security advice and opinions on technology in regard to ACME implementations and deployments. Given that he and I are at different points of the spectrum in the Holy Campaign on Memory Safety, I feel some points are misrepresented or left out.
I was invited by Daniel Stenberg to work with him on curl improvements sponsored by the Sovereign Tech Fund, an initiative of the German government to strengthen digital infrastructure and open source in the public interest. Daniel blogged about it. Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. What has happened from my perspective in the last, almost two months?
I was invited by Daniel Stenberg to work with him on curl improvements sponsored by the Sovereign Tech Fund, an initiative of the German government to strengthen digital infrastructure and open source in the public interest. Daniel blogged about it. Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. A Sleight of Hand Below, I describe an optimization in curl’s internals that you may find interesting...
I was invited by Daniel Stenberg to work with him on curl improvements sponsored by the Sovereign Tech Fund, an initiative of the German government to strengthen digital infrastructure and open source in the public interest. Daniel blogged about it. Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. Today, I have created the first PR that adds “HTTP Eyeballing” to curl. Daniel has a nice blog post...
I was invited by Daniel Stenberg to work with him on curl improvements sponsored by the Sovereign Tech Fund, an initiative of the German government to strengthen digital infrastructure and open source in the public interest. Daniel blogged about it. Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. In the News German news magazine Zeit has an article about the Sovereign Tech Fund and curl, of course...
I was invited by Daniel Stenberg to work with him on curl improvements sponsored by the Sovereign Tech Fund, an initiative of the German government to strengthen digital infrastructure and open source in the public interest. Daniel blogged about it. Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. HTTPS Proxy Tunnels We yesterday merged my changes to the TLS backend implementations, making them use...
I was invited by Daniel Stenberg to work with him on curl improvements sponsored by the Sovereign Tech Fund, an initiative of the German government to strengthen digital infrastructure and open source in the public interest. Daniel blogged about it. Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. Connection Filters Merged Yesterday, Daniel merged my PR #9855 that introduces “Connection Filters...
I was invited by Daniel Stenberg to work with him on curl improvements sponsored by the Sovereign Tech Fund, an initiative of the German government to strengthen digital infrastructure and open source in the public interest. Daniel blogged about it. Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. Goals The two subprojects I am working on are HTTP/3 and HTTP/2 proxying.
TLS servers are weird. There are not many people who work on them, so few people think about the challenges. Notably, I had discussions over the years with designers of TLS stacks that did not understand the needs. Instead of explaining it again and again, I decided to write this blog. Just to drop a link next time. Clients have it easy A client knows where it wants to go, what it expects to see, etc. This is all configured before the connection starts:
Something light and seemingly trivial: on the use of goto statements. Inspired by this tweet. People discover this independently with growing experience and it seems beneficial to make this an “official” coding pattern (so these things exist). This post is about goto use in the C programming language. It is not advocating the use of C or making any comparison with other languages. This is for people who write/maintain C code. A suggestion on good use of the language.
In software we are always discussing how to solve problems. We try, we change, we develop new tools and languages to get a grip on the complexities we need to master. This has proven to be an excellent way to make progress. And there is no reason to expect that to stop anytime soon. The discussions often become heated, involving opinions, egos, excuses, personal stakes and life choices. We are all humans. And some passionate heat is ok. We can love or hate a tool, a language, an operating sys...
Someone recently said on IRC “You’re a machine!”. This was intended as a compliment on the speed of my work and I took it as such (compliments are nice!). But it somehow stuck in my head and now it wants to get out. It’s Friday and I am winding down for the weekend, so I thought I’d give it a shot. Machines A machine is, generally speaking, something made for a purpose. It is a good machine if it does that whenever we want it to. Bonus points for speed and efficiency.
On 2022-06-08 the project released version 2.4.54 of Apache httpd. 8 CVEs have been fixed, 7 low and 1 moderate. Bugs have been fixed, the ACME certificate provisioning has some enhancements. In detail: CVEs The relatively large number of CVEs is the result of security people continuing to analyze our code and the deployment scenarios it runs in. We are of course not happy about having vulnerabilities, but we are grateful that people are finding them and working with us to fix them!
tailscale describes itself as “zero config VPN”. It has a free tier for personal use. Its business is around giving enterprises their own network using the public internet (my words). I gave this a try (it works nicely and the “zero config” is indeed almost zero) after hearing that the Go based caddy web server did some integration with it. Later, tailscale offered an auth integration for nginx and I wondered what Apache can offer here.
In this blog I blab a bit about vulnerabilities in software. There is no definite conclusion to be had here. Should you choose to read it, don’t blame me for wasting your time. You have been warned. Feasible Security In our quest to make secure systems, the implied assumption often seems to be that we should strive for making complex software machinery that has a defined output for all possible kinds of input. That is, we can be “sure” it does the “right” thing.
Every other week, there is someone voicing that curl is far too complex and could be rewritten on a weekend. Ok, maybe a long weekend. So far, there is a complete lack of evidence of this and the persons voicing such expert opinions usually never intend to follow up on this. If you have a shred of empathy, you can probably feel the pain such statements cause to the authors of curl and Daniel Stenberg, the inventor and decade-long maintainer, in particular.
ACME is really one of the greater inventions of the last years for the web. Everyone likes it, there is great support via Let’s Encrypt and all the implementations out there. It is integrated into more and more components. People find new ways to benefit from it. Take as example the certificates provided for your VPN hosts that tailscale offers. If you want to name one thing where it struggles, it is the revocation of certificates. While it has functionality to revoke a certificate, the timel...
Let’s Encrypt found some trouble with their certificate validation that used the ‘tls-alpn-01’ challenge scheme of the ACME protocol. It seems severe enough that they decided to revoke all certificates issued with this method on January 28, 2022. This is rather drastic, but they usually know what they are doing. But still, a 5 day heads up on this has many people scrambling. They offer help on renewing your certificates on their community forum. Which is a nice place with many helpful peo...
This is a mini series of blogs about the social aspects of programming languages and how they allow for interaction between developers and deployments. It does not cover language details. This article focuses on Java, what worked and what did not. (Caveat: this reflects on my experiences with the Java of 2000-2010. There might be newer, relevant changes that I am unaware of. Read it as a retrospective on what was there at the time and what impacts it had.)
As feedback to my earlier posts about Social C and Social Java I got a link from Cory Benfield to an essay How Swift Achieved Dynamic Linking Where Rust Couldn’t by Aria Beingessner. This proved very interesting for several reasons which I try to lay out below. API stability, ABI stability, what are those, really? Aria, who works at Mozilla on Rust, talks about this in depth in her article. And as usual, when listening to someone who really knows a thing you find out that your own knowledge ...
The programming language C has been under heavy attack in recent years as it is prone to memory vulnerabilities, allowing very serious exploits, making systems we all rely on insecure. To be clear, the language C itself is secure. A C program does exactly what the programmers told it to do. The problem is that it is hard to express in C what exactly you want it to do. Compilers for C are being improved all the time to give better warnings in case it seems unclear what the purpose of your C st...
On 2021-12-20 the project released version 2.4.52 of Apache httpd. 2 CVEs have been fixed, several bugs have been addressed. The server has been tested with OpenSSL 3.0.1. New, experimental support for Rust-based TLS and for ACME EAB has been added. In detail: CVEs mod_lua A buffer overflow, a classic C weakness, has been identified in multipart POST handling inside mod_lua. If you do not have that module loaded into your installation, you are not affected. The overflow can be triggered by an o...
Over the last 6 years, I have done quite some Open Source work around Apache httpd and that was, while often stressful, also very rewarding (for the soul). This year, I decided to pursue that exclusively in 2022. At the end of the year, I will leave greenbytes and be on my own. The company I founded in 2000 with two university friends is not the setup that works for this. It is a bit heartbreaking to let that go, but it is what it is, as they say.
I use curl in my tests for the Apache httpd server. I like end-to-end testing and curl is not only the most common HTTP client outside of browsers, it is also very versatile. Since https is now used for everything, tests should use that too. This blog describes how to do a setup for that and how to use curl in this case, so that a full TLS validation is done and all is pretty close to what the usage in a production setup would be.
With Apache 2.4.50 the team fixed CVE-2021-41773, a critical security flaw that allowed, under certain conditions, an outsider to access files on your server outside of the configured document roots. This fix was correct for the issue reported, but it did not close the weakness completely, as was discovered soon thereafter by people in the security community. Indeed, the weakness was worse than originally thought. But it also affected way fewer installations than was communicated in the media.
I posted about adding pthread_cancel use in curl about three weeks ago, we released this in curl 8.16.0 and it blew up right in our faces. Now, with #18540 we are ripping it out again. What happened? Short recap: pthreads define “cancelation points”, a list of POSIX functions where a pthread may be cancelled. In addition, there is also a list of functions that may be cancelation points, among those getaddrinfo(). getaddrinfo() is exactly what we are interested in for libcurl. It blocks unt...