The 20+ Year War Against Insecure Connections: A libcurl Retrospective

2025-02-11
Since curl first supported SSL in 1998, default certificate verification has been a cornerstone of network security. However, developers continue to disable this crucial check, leading to widespread vulnerabilities. This article recounts the evolution of libcurl, explores the dangers of disabling verification, and proposes solutions like API improvements, enhanced documentation, and proactive bug reporting. The fight for secure connections is a long-term battle.

OpenSSL Rejects QUIC API: A Setback for HTTP/3 Adoption?

2025-01-21
OpenSSL, the most popular TLS library, has rejected adding a QUIC API to its upcoming releases, posing a significant hurdle for widespread HTTP/3 adoption. Despite a community pull request (PR8797) offering the necessary APIs, the OpenSSL management committee decided to build a complete QUIC stack from scratch, a process expected to take several years. This decision has sparked community frustration, as mature QUIC libraries already exist. Microsoft and Akamai created quictls, an OpenSSL fork with the QUIC API, as a workaround. However, this isn't a sustainable solution, leaving the future of HTTP/3 adoption uncertain due to OpenSSL's choice.

Development

curl Gets a Major Update: Partial File Reading Support

2024-12-30
The upcoming curl 8.12.0 release introduces exciting new functionality: partial file reading. Users can now leverage a new variable system to extract specific byte ranges from files and use them within curl command lines. This adds significant flexibility to how curl handles files, allowing for tasks like extracting the beginning of a file as a username or a section in the middle for a POST body. This significantly expands curl's capabilities, empowering users with a more robust command-line tool.

Development file handling

cURL and libcurl Drop Hyper Support

2024-12-22
After a four-year experiment, the cURL project has announced it's abandoning the use of the Rust-based Hyper library as an HTTP backend. Despite Hyper's memory safety advantages and support from Let's Encrypt, lack of user demand and developer involvement led to its termination. The cURL team cited the high cost of maintaining the Hyper code and a focus on improving and maintaining the existing codebase. While the experiment failed, cURL gained valuable experience and improved its HTTP handling capabilities.

Development

HTTP/3's Current State: Challenges and Opportunities on the Path to Adoption

2024-12-16
The HTTP/3 specifications are complete but await final publication. Server-side support is surprisingly high, particularly among top websites. Major players like Cloudflare have enabled HTTP/3, and browsers widely support it. However, client-side support, such as in curl, remains incomplete, largely due to the lagging development of QUIC-enabled TLS libraries. OpenSSL's QUIC support has been delayed, while alternatives like BoringSSL and quictls have limitations. While HTTP/3 promises speed improvements, real-world benefits depend on network conditions. Widespread adoption hinges on specification release and mature TLS libraries.

Development