curl added support for OpenSSL immediately when it was first released, as they switched away from SSLeay, in the late 1990s. We have since supported it over the decades as both OpenSSL and curl have developed. A while back the OpenSSL project stopped updating their 1.0.x and 1.1.x public branches. This means that unless you … Continue reading Dropping old OpenSSL →| daniel.haxx.se
On August 16, 2025 I did a keynote with this title at the FrOSCon conference in Bonn, Germany. The room held a few hundred seats and every single one was occupied, with people also filling up the stairs and standing along the walls. Awesome! https://www.youtube.com/watch?v=6n2eDcRjSsk See also my death by slop post for more … Continue reading AI slop attacks on the curl project →| daniel.haxx.se
Seven years ago I wrote about how a hundred million cars were running curl and as I brought up this blog post in a discussion recently, I came to reflect over how the world might have changed since. Is curl perhaps used in more cars now? Yes it is. With the help of friendly people … Continue reading car brands running curl →| daniel.haxx.se
The curl command line option --write-out or just -w for short, is a powerful and flexible way to extract information from transfers done with the tool. It was introduced already back in version 6.5 in the early 2000. This option takes an argument in which you can add “variables” that hold all sorts of different … Continue reading curl tells the %time →| daniel.haxx.se
In the early days of curl development we (I suppose it was me personally but let’s stick with we so that I can pretend the blame is not all on me) made the possibly slightly unwise decision to make the -X option change the HTTP method for all requests in a curl transfer, even when … Continue reading Follow redirects but differently →| daniel.haxx.se
From March 20, 1998 when the first curl release was published, to this day August 5, 2025 is exactly 10,000 days. We call it the curl-10000-day. Or just c10kday. c ten K day. We want to celebrate this occasion by collecting and sharing stories. Your stories about curl. Your favorite memories. When you used curl … Continue reading c10kday →| daniel.haxx.se
Back in 2012, the Happy Eyeballs RFC 6555 was published. It details how a sensible Internet client should proceed when connecting to a server. It basically goes like this: Give the IPv6 attempt priority, then with a delay start a separate IPv4 connection in parallel with the IPv6 one; then use the connection that succeeds … Continue reading Even happier eyeballs →| daniel.haxx.se
I’m convinced a lot of people have not yet figured out that curl has supported parallel downloads for six years already by now. Provided a practically unlimited number of URLs, curl can be asked to get them in a parallel fashion. It then makes sure to keep N transfers alive for as long as there … Continue reading curl adds parallel host control →| daniel.haxx.se
We have always had a custom command line option parser in curl. It is fast and uncomplicated and gives us the perfect mix of flexibility and function. It also saves us from importing or using code with another license. In one aspect it has behaved slightly different than many other command line parsers: the way … Continue reading option parsing in curl →| daniel.haxx.se
Downloading data from a remote URL is probably the single most common operation people do with curl. Often, users then add various additional options to the command line to extract information from that transfer but may also decide that the actually fetched data is not interesting. Sometimes they don't get the accurate meta-data if the … Continue reading Output nothing with --out-null →| daniel.haxx.se
I often hear or see people claim that HTTP is a simple protocol. Primarily of course from people without much experience or familiarity with actual implementations. I think I personally also had thoughts in that style back when I started working with the protocol. After personally having devoted soon three decades on writing client-side code … Continue reading HTTP is not simple →| daniel.haxx.se
Welcome to another curl release. A shorter cycle this time so we did not have time to merge many changes: there is just one logged. See below. This is the 269th release featuring 269 command line options. Release presentation https://www.youtube.com/watch?v=O-JKlkXVURg Numbers: the 269th release, 1 change, 42 days (total: 9,980), 233 bugfixes (total: 12,282), 334 commits (total: 35,572), 0 new … Continue reading curl 8.15.0 →| daniel.haxx.se
My desktop computer is my trusted work machine that I do the majority of all my (curl) development on. When the 15th computer I've owned through the times was ten years old the time was ripe to bump things up a notch. Requirements I don't do games (as in: never) and I don't do any … Continue reading My 2023 dev machine →| daniel.haxx.se
Sprout is the name of my new machine that just arrived. The crowd-funded laptop. Since this beauty is graciously sponsored by a large crowd of people I felt I should share a little bit of its journey and entry into my life. First I needed a name for it, and since it is small and … Continue reading Hello Sprout →| daniel.haxx.se
I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us. This trend does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop. The latter … Continue reading Death by a thousand slops →| daniel.haxx.se
A while ago I received an email with this question. I've been subscribed to your weekly newsletter for a while now, receiving your weekly updates every Friday. I'm writing because I admire your consistency, focus, and perseverance. I can't help but wonder, with admiration, how you manage to do it. Since this is a topic … Continue reading How I do it →| daniel.haxx.se
I need to get myself a new laptop. My existing one is from 2017 and was already then not the most powerful one. It recently started to shut itself off when running on battery and during the two most recent curl up meetings it has proven itself to be rather sluggish and unable to save … Continue reading Sponsor my laptop! →| daniel.haxx.se
I'm pleased to announce that once again I have collected the results, generated the graphs and pondered over conclusions to make after the annual curl user survey. Get the curl user survey 2025 analysis here Take-aways I don't think I spoil it too much if I say that there aren't too many drastic news in … Continue reading curl user survey 2025 analysis →| daniel.haxx.se
Not everyone understands how open source is made. I received the following email from NASA a while ago. Subject: Curl Country of Origin and NDAA Compliance Hello, my name is [deleted] and I am a Supply Chain Risk Management Analyst at NASA. As such, I ensure that all NASA acquisitions of Covered Articles comply with … Continue reading curl supports NASA →| daniel.haxx.se
With the new EU legislation Cyber Resiliency Act (CRA), there are new responsibilities and requirements put on manufacturers of digital products and services in Europe. Going forward these manufacturers must be able to know and report the exact contents of their software, called a Software Bill of Material (SBOM) and they have requirements to check … Continue reading Cybersecurity Risk Assessment Request →| daniel.haxx.se
In the curl project we have a long tradition of supporting a range of different third party libraries that provide similar functionality. The person who builds curl needs to decide which of the backends they want to use out of the provided alternatives. For example when selecting which TLS library to use. This is a … Continue reading Dropping some TLS laggards →| daniel.haxx.se
tldr: Apple thinks it is fine. I do not. On December 28 2023, bugreport 12604 was filed in the curl issue tracker. We get a lot of issues filed most days so this fact alone was hardly anything out of the ordinary. We read the reports, investigate, ask follow-up questions to see what we can learn … Continue reading the Apple curl security incident 12604 →| daniel.haxx.se
curl supports getting built with eleven different TLS libraries. Six of these libraries are OpenSSL or forks of OpenSSL. Allow me to give you a glimpse of their differences, similarities and some insights into what it takes to support them all. SSLeay It all started with SSLeay. This was the first SSL library I found … Continue reading A family of forks →| daniel.haxx.se
(Clearly a much better word than simplification.) I believe we generally accept the truth that we should write simple and easy to read code in order to make it harder to create bugs and cause security problems. The more complicated code we write, the easier it gets to slip up, misunderstand or forget something along … Continue reading Decomplexification →| daniel.haxx.se
Yes! curl user survey 2025 The time has come for you to once again do your curl community duty. Run over and fill in the curl user survey and tell us about how you use curl etc. This is the only proper way we get user feedback on a wide scale so please use this … Continue reading The curl user survey 2025 is up →| daniel.haxx.se
On the completely impossible situation of blocking the Tor .onion TLD to avoid leaks, but at the same time not block it to make users able to do what they want. dot-onion leaks The onion TLD is a Tor specific domain that does not mean much to the world outside of Tor. If you try … Continue reading Leeks and leaks →| daniel.haxx.se
In a recent educational trick, curl contributor James Fuller submitted a pull-request to the project in which he suggested a larger cleanup of a set of scripts. In a later presentation, he could show us how not a single human reviewer in the team nor any CI job had spotted or remarked on one of … Continue reading Detecting malicious Unicode →| daniel.haxx.se
It is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines. As I think you can see for yourself below they are also neither strange nor … Continue reading Writing C for curl →| daniel.haxx.se
CVSS is short for Common Vulnerability Scoring System and is according to Wikipedia a technical standard for assessing the severity of vulnerabilities in computing systems. Typically you use an online CVSS calculator, click a few checkboxes and radio buttons and then you magically get a number from 0 to 10. There are also different versions … Continue reading CVSS is dead to us →| daniel.haxx.se
tldr: work has started to make Hyper work as a backend in curl for HTTP. curl and its data transfer core, libcurl, is all written in C. The language C is known and infamous for not being memory safe and for being easy to mess up and as a result accidentally cause security problems. At … Continue reading rust in curl with hyper →| daniel.haxx.se
It has been eighteen years of libcurl ABI stability.| daniel.haxx.se
Time for another checkup. Where are we right now with HTTP/3 support in curl for users?| daniel.haxx.se
On Friday May 3, 2024 I had several of my curl friends over for dinner in my house. An unusually warm and sunny spring day with a temperature reaching twenty degrees centigrade. The curl up 2024 weekend started excellently and the following morning we all squeezed ourselves into a conference room in downtown Stockholm. I … Continue reading I survived curl up 2024 →| daniel.haxx.se
I have held back on writing anything about AI or how we (not) use AI for development in the curl factory. Now I can't hold back anymore. Let me show you the most significant effect of AI on curl as of today - with examples. Bug Bounty Having a bug bounty means that we offer … Continue reading The I in LLM stands for intelligence →| daniel.haxx.se
Section 9.1.1 in RFC7540 explains how HTTP/2 clients can reuse connections. This is my lengthy way of explaining how this works in reality. Many connections in HTTP/1 With HTTP/1.1, browsers are typically using 6 connections per origin (host name + port). They do this to overcome the problems in HTTP/1 and how it uses TCP … Continue reading HTTP/2 connection coalescing →| daniel.haxx.se
In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545. This problem is the worst security problem found in curl in a long time. We set it to severity HIGH. While the advisory contains all the necessary details, I figured I would use a few additional … Continue reading How I made a heap overflow in curl →| daniel.haxx.se
IDN, International Domain Names, is the concept that lets us register and use international characters in domain names, and by international we of course mean characters outside of the ASCII range. Recently I have fought some battles against IDN and IDN decoding so I felt this urge to write a lot of words about it … Continue reading IDN is crazy →| daniel.haxx.se
The other day I sent out this tweet As it took off, got an amazing attention and I received many different comments and replies, I felt a need to elaborate a little. To add some meat to this. Is this string really a legitimate URL? What is a URL? How is it parsed? http://http://http://@http://http://?http://#http:// curl … Continue reading http://http://http://@http://http://?http://#http:// →| daniel.haxx.se