                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                Things that could be nice to do in the future

 Things to do in project cURL. Please tell us what you think, contribute and
 send us patches that improve things!

 Be aware that these are things that we could do, or have once been considered
 things we could do. If you want to work on any of these areas, please
 consider bringing it up for discussions first on the mailing list so that we
 all agree it is still a good idea for the project!

 All bugs documented in the KNOWN_BUGS document are subject for fixing!

 1. libcurl
 1.2 More data sharing
 1.3 struct lifreq
 1.4 signal-based resolver timeouts
 1.5 get rid of PATH_MAX
 1.6 Modified buffer size approach
 1.7 Detect when called from within callbacks
 1.8 Allow SSL (HTTPS) to proxy
 1.9 Cache negative name resolves
 1.10 Support IDNA2008
 1.11 minimize dependencies with dynamically loaded modules
 1.12 have form functions use CURL handle argument
 1.13 Add CURLOPT_MAIL_CLIENT option
 1.14 Typesafe curl_easy_setopt()
 1.15 Monitor connections in the connection pool
 1.16 Try to URL encode given URL
 1.17 Add support for IRIs
 1.18 try next proxy if one doesn't work
 1.19 Timeout idle connections from the pool

 2. libcurl - multi interface
 2.1 More non-blocking
 2.2 Better support for same name resolves
 2.3 Non-blocking curl_multi_remove_handle()
 2.4 Split connect and authentication process
 2.5 Edge-triggered sockets should work

 3. Documentation
 3.1 Update date and version in man pages
 3.2 Provide cmake config-file

 4. FTP
 4.1 HOST
 4.2 Alter passive/active on failure and retry
 4.3 Earlier bad letter detection
 4.4 REST for large files
 4.5 ASCII support
 4.6 GSSAPI via Windows SSPI
 4.7 STAT for LIST without data connection

 5. HTTP
 5.1 Better persistency for HTTP 1.0
 5.2 support FF3 sqlite cookie files
 5.3 Rearrange request header order
 5.4 SPDY
 5.5 auth= in URLs
 5.6 Refuse "downgrade" redirects
 5.7 More compressions

 6. TELNET
 6.1 ditch stdin
 6.2 ditch telnet-specific select
 6.3 feature negotiation debug data
 6.4 send data in chunks

 7. SMTP
 7.1 Pipelining
 7.2 Enhanced capability support

 8. POP3
 8.1 Pipelining
 8.2 Enhanced capability support

 9. IMAP
 9.1 Enhanced capability support

 10. LDAP
 10.1 SASL based authentication mechanisms

 11. SMB
 11.1 File listing support
 11.2 Honor file timestamps
 11.3 Use NTLMv2
 11.4 Create remote directories

 12. New protocols
 12.1 RSYNC

 13. SSL
 13.1 Disable specific versions
 13.2 Provide mutex locking API
 13.3 Evaluate SSL patches
 13.4 Cache OpenSSL contexts
 13.5 Export session ids
 13.6 Provide callback for cert verification
 13.7 improve configure --with-ssl
 13.8 Support DANE

 14. GnuTLS
 14.1 SSL engine stuff
 14.2 check connection

 15. WinSSL/SChannel
 15.1 Add support for client certificate authentication
 15.2 Add support for custom server certificate validation
 15.3 Add support for the --ciphers option

 16. SASL
 16.1 Other authentication mechanisms
 16.2 Add QOP support to GSSAPI authentication
 16.3 Support binary messages (i.e.: non-base64)

 17. Command line tool
 17.1 sync
 17.2 glob posts
 17.3 prevent file overwriting
 17.4 simultaneous parallel transfers
 17.5 provide formpost headers
 17.6 warning when setting an option
 17.7 warning when sending binary output to terminal
 17.8 offer color-coded HTTP header output
 17.9 Choose the name of file in braces for complex URLs
 17.10 improve how curl works in a windows console window
 17.11 -w output to stderr
 17.12 keep running, read instructions from pipe/socket
 17.13 support metalink in http headers
 17.14 --fail without --location should treat 3xx as a failure

 18. Build
 18.1 roffit

 19. Test suite
 19.1 SSL tunnel
 19.2 nicer lacking perl message
 19.3 more protocols supported
 19.4 more platforms supported
 19.5 Add support for concurrent connections
 19.6 Use the RFC6265 test suite

 20. Next SONAME bump
 20.1 http-style HEAD output for FTP
 20.2 combine error codes
 20.3 extend CURLOPT_SOCKOPTFUNCTION prototype

 21. Next major release
 21.1 cleanup return codes
 21.2 remove obsolete defines
 21.3 size_t
 21.4 remove several functions
 21.5 remove CURLOPT_FAILONERROR
 21.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE
 21.7 remove progress meter from libcurl
 21.8 remove 'curl_httppost' from public

==============================================================================

1. libcurl

1.2 More data sharing

 curl_share_* functions already exist and work, and they can be extended to
 share more. For example, enable sharing of the ares channel and the
 connection cache.

1.3 struct lifreq

 Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and
 SIOCGIFADDR on newer Solaris versions as they claim the latter is obsolete.
 This is needed to support IPv6 interface addresses for network interfaces
 properly.

1.4 signal-based resolver timeouts

 libcurl built without an asynchronous resolver library uses alarm() to time
 out DNS lookups. When a timeout occurs, this causes libcurl to jump from the
 signal handler back into the library with a sigsetjmp, which effectively
 causes libcurl to continue running within the signal handler. This is
 non-portable and could cause problems on some platforms. A discussion on the
 problem is available at https://curl.haxx.se/mail/lib-2008-09/0197.html

 Also, alarm() provides timeout resolution only to the nearest second. alarm
 ought to be replaced by setitimer on systems that support it.

1.5 get rid of PATH_MAX

 Having code use and rely on PATH_MAX is not nice:
 http://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html

 Currently the SSH based code uses it a bit, but to remove PATH_MAX from there
 we need libssh2 to properly tell us when we pass in a too small buffer and
 its current API (as of libssh2 1.2.7) doesn't.

1.6 Modified buffer size approach

 Current libcurl allocates a fixed 16K size buffer for download and an
 additional 16K for upload. They are always unconditionally part of the easy
 handle. If CRLF translations are requested, an additional 32K "scratch
 buffer" is allocated. A total of 64K transfer buffers in the worst case.

 First, while the handles are not actually in use these buffers could be freed
 so that lingering handles just kept in queues or whatever waste less memory.

 Secondly, SFTP is a protocol that needs to handle many ~30K blocks at once
 since each needs to be individually acked and therefore libssh2 must be
 allowed to send (or receive) many separate ones in parallel to achieve high
 transfer speeds. A current libcurl build with a 16K buffer makes that
 impossible, but one with a 512K buffer will reach MUCH faster transfers. But
 allocating 512K unconditionally for all buffers just in case they would like
 to do fast SFTP transfers at some point is not a good solution either.

 Dynamically allocate buffer size depending on protocol in use in combination
 with freeing it after each individual transfer? Other suggestions?

1.7 Detect when called from within callbacks

 We should set a state variable before calling callbacks, so that we
 subsequently can add code within libcurl that returns error if called within
 callbacks for when that's not supported.

1.8 Allow SSL (HTTPS) to proxy

 To prevent local users from snooping on your traffic to the proxy. Supported
 by Chrome already:
 https://www.chromium.org/developers/design-documents/secure-web-proxy

 ...and by Firefox soon:
 https://bugzilla.mozilla.org/show_bug.cgi?id=378637

1.9 Cache negative name resolves

 A name resolve that has failed is likely to fail when made again within a
 short period of time. Currently we only cache positive responses.

1.10 Support IDNA2008

 International Domain Names are supported in libcurl since years back, powered
 by libidn. libidn implements IDNA2003 which has been superseded by IDNA2008.
 libidn2 is an existing library offering support for IDNA2008.

1.11 minimize dependencies with dynamically loaded modules

 We can create a system with loadable modules/plug-ins, where these modules
 would be the ones that link to 3rd party libs. That would allow us to avoid
 having to load ALL dependencies since only the necessary ones for this
 app/invoke/used protocols would be necessary to load.  See
 https://github.com/curl/curl/issues/349

1.12 have form functions use CURL handle argument

 curl_formadd() and curl_formget() both currently have no CURL handle
 argument, but both can use a callback that is set in the easy handle, and
 thus curl_formget() with callback cannot function without first having
 curl_easy_perform() (or similar) called - which is hard to grasp and a design
 mistake.

 The curl_formadd() design can probably also be reconsidered to make it easier
 to use and less error-prone. Probably easiest by splitting it into several
 function calls.

1.13 Add CURLOPT_MAIL_CLIENT option

 Rather than use the URL to specify the mail client string to present in the
 HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
 specifying this data as the URL is non-standard and to be honest a bit of a
 hack ;-)

 Please see the following thread for more information:
 https://curl.haxx.se/mail/lib-2012-05/0178.html

1.14 Typesafe curl_easy_setopt()

 One of the most common problems in libcurl-using applications is the lack of
 type checks for curl_easy_setopt() which happens because it accepts varargs
 and thus can take any type.

 One possible solution to this is to introduce a few different versions of the
 setopt function for the different kinds of data you can set.

  curl_easy_set_num() - sets a long value

  curl_easy_set_large() - sets a curl_off_t value

  curl_easy_set_ptr() - sets a pointer

  curl_easy_set_cb() - sets a callback PLUS its callback data

1.15 Monitor connections in the connection pool

 libcurl's connection cache or pool holds a number of open connections for the
 purpose of possible subsequent connection reuse. It may contain anything from
 a few to a significant number of connections. Currently, libcurl leaves all
 connections as they are, and only when a connection is iterated over for
 matching or reuse is it verified to still be alive.

 Those connections may get closed by the server side for idleness or they may
 get a HTTP/2 ping from the peer to verify that they're still alive. By adding
 monitoring of the connections while in the pool, libcurl can detect dead
 connections (and close them) better and earlier, and it can handle HTTP/2
 pings to keep such ones alive even when not actively doing transfers on them.

1.16 Try to URL encode given URL

 Given a URL that for example contains spaces, libcurl could have an option
 that would try somewhat harder than it does now and convert spaces to %20 and
 perhaps URL encoded byte values over 128 etc (basically do what the redirect
 following code already does).

 https://github.com/curl/curl/issues/514

1.17 Add support for IRIs

 IRIs (RFC 3987) allow localized, non-ascii, names in the URL. To properly
 support this, curl/libcurl would need to translate/encode the given input
 from the input string encoding into percent encoded output "over the wire".

 To make that work smoothly for curl users even on Windows, curl would
 probably need to be able to convert from several input encodings.

1.18 try next proxy if one doesn't work

 Allow an application to specify a list of proxies to try, and failing to
 connect to the first go on and try the next instead until the list is
 exhausted. Browsers support this feature at least when they specify proxies
 using PACs.

 https://github.com/curl/curl/issues/896

1.19 Timeout idle connections from the pool

 libcurl currently keeps connections in its connection pool for an indefinite
 period of time, until a connection either gets reused, is noticed to have
 been closed by the server or gets pruned to make room for a new connection.

 To reduce overhead (especially for when we add monitoring of the connections
 in the pool), we should introduce a timeout so that connections that have
 been idle for N seconds get closed.


2. libcurl - multi interface

2.1 More non-blocking

 Make sure we don't ever loop because of non-blocking sockets returning
 EWOULDBLOCK or similar. Blocking cases include:

 - Name resolves on non-windows unless c-ares is used
 - NSS SSL connections
 - HTTP proxy CONNECT operations
 - SOCKS proxy handshakes
 - file:// transfers
 - TELNET transfers
 - The "DONE" operation (post transfer protocol-specific actions) for the
   protocols SFTP, SMTP, FTP. Fixing Curl_done() for this is a worthy task.

2.2 Better support for same name resolves

 If a name resolve has been initiated for name NN and a second easy handle
 wants to resolve that name as well, make it wait for the first resolve to end
 up in the cache instead of doing a second separate resolve. This is
 especially needed when adding many simultaneous handles using the same host
 name when the DNS resolver can get flooded.

2.3 Non-blocking curl_multi_remove_handle()

 The multi interface has a few API calls that assume a blocking behavior, like
 add_handle() and remove_handle() which limits what we can do internally. The
 multi API needs to be moved even more into a single function that "drives"
 everything in a non-blocking manner and signals when something is done. A
 remove or add would then only ask for the action to get started and then
 multi_perform() etc would still be called until the add/remove is completed.

2.4 Split connect and authentication process

 The multi interface treats the authentication process as part of the connect
 phase. As such any failures during authentication won't trigger the relevant
 QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP.

2.5 Edge-triggered sockets should work

 The multi_socket API should work with edge-triggered socket events. One of
 the internal actions that need to be improved for this to work perfectly is
 the 'maxloops' handling in transfer.c:readwrite_data().

3. Documentation

3.1 Update date and version in man pages

 'maketgz' or another suitable script could update the .TH sections of the man
 pages at release time to use the current date and curl/libcurl version
 number.

3.2 Provide cmake config-file

 A config-file package is a set of files provided by us to allow applications
 to write cmake scripts to find and use libcurl easier. See
 https://github.com/curl/curl/issues/885

4. FTP

4.1 HOST

 HOST is a command for a client to tell which host name to use, to offer FTP
 servers name-based virtual hosting:

 https://tools.ietf.org/html/rfc7151

4.2 Alter passive/active on failure and retry

 When trying to connect passively to a server which only supports active
 connections, libcurl returns CURLE_FTP_WEIRD_PASV_REPLY and closes the
 connection. There could be a way to fallback to an active connection (and
 vice versa). https://curl.haxx.se/bug/feature.cgi?id=1754793

4.3 Earlier bad letter detection

 Make the detection of (bad) %0d and %0a codes in FTP URL parts earlier in the
 process to avoid doing a resolve and connect in vain.
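
 One way such an early check could look, as an added example that is not
 libcurl code: it decodes one level of percent-encoding in the login and path
 parts of an FTP URL and reports CR or LF before any resolve or connect
 happens. The names ftp_url_precheck() and enum precheck are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Result of the pre-connect check (hypothetical names, not libcurl's). */
enum precheck { PRECHECK_OK = 0, PRECHECK_NOT_FTP, PRECHECK_CRLF };

static int hexval(char c)
{
  if(c >= '0' && c <= '9') return c - '0';
  if(c >= 'a' && c <= 'f') return c - 'a' + 10;
  if(c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Decode ONE level of percent-encoding in s[0..len) and report whether the
   decoded bytes contain CR or LF. Raw CR/LF bytes count as well. A '%' that
   is not followed by two hex digits is kept as a literal byte. */
static int has_crlf(const char *s, size_t len)
{
  size_t i;
  for(i = 0; i < len; i++) {
    unsigned char c = (unsigned char)s[i];
    if(c == '%' && len - i >= 3) {
      int hi = hexval(s[i + 1]);
      int lo = hexval(s[i + 2]);
      if(hi >= 0 && lo >= 0) {
        c = (unsigned char)(hi * 16 + lo);
        i += 2;               /* skip the two hex digits just consumed */
      }
    }
    if(c == '\r' || c == '\n')
      return 1;
  }
  return 0;
}

/* Length of a leading "ftp://" or "ftps://" (case-insensitive), else 0. */
static size_t ftp_scheme_len(const char *url)
{
  static const char *const names[] = { "ftp://", "ftps://" };
  size_t n, i;
  for(n = 0; n < 2; n++) {
    size_t len = strlen(names[n]);
    for(i = 0; i < len; i++)
      if(tolower((unsigned char)url[i]) != names[n][i])
        break;                /* also stops at the end of a short string */
    if(i == len)
      return len;
  }
  return 0;
}

/* Check user[:password] and the path of an FTP URL. Meant to run before the
   host name is resolved, so a bad URL costs no network traffic at all. */
enum precheck ftp_url_precheck(const char *url)
{
  const char *p, *q, *auth_end, *at = NULL;
  size_t skip = ftp_scheme_len(url);
  if(!skip)
    return PRECHECK_NOT_FTP;
  p = url + skip;
  auth_end = p + strcspn(p, "/");   /* end of [user[:password]@]host[:port] */
  for(q = p; q < auth_end; q++)     /* the last '@' ends the login part */
    if(*q == '@')
      at = q;
  if(at && has_crlf(p, (size_t)(at - p)))
    return PRECHECK_CRLF;
  /* everything from the first '/' on: path, file name and any ;type= */
  return has_crlf(auth_end, strlen(auth_end)) ? PRECHECK_CRLF : PRECHECK_OK;
}
```

 Only a single decoding pass is applied, so "%250d" is treated as the three
 literal characters "%0d" and accepted.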

4.4 REST for large files

 REST fix for servers not behaving well on >2GB requests. This should fail if
 the server doesn't set the pointer to the requested index. The tricky
 (impossible?) part is to figure out if the server did the right thing or not.

4.5 ASCII support

 FTP ASCII transfers do not follow RFC959. They don't convert the data
 accordingly.

4.6 GSSAPI via Windows SSPI

In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5)
via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add
support for GSSAPI authentication via Windows SSPI.

4.7 STAT for LIST without data connection

Some FTP servers allow STAT for listing directories instead of using LIST, and
the response is then sent over the control connection instead of as the
otherwise used data connection: http://www.nsftools.com/tips/RawFTP.htm#STAT

This is not detailed in any FTP specification.

5. HTTP

5.1 Better persistency for HTTP 1.0

 "Better" support for persistent connections over HTTP 1.0
 https://curl.haxx.se/bug/feature.cgi?id=1089001

5.2 support FF3 sqlite cookie files

 Firefox 3 is changing from its former format to a sqlite database instead.
 We should consider how (lib)curl can/should support this.
 https://curl.haxx.se/bug/feature.cgi?id=1871388

5.3 Rearrange request header order

 Server implementors often make an effort to detect browsers and to reject
 clients they detect as not matching. One of the last details we cannot yet
 control in libcurl's HTTP requests, which also can be exploited to detect
 that libcurl is in fact used even when it tries to impersonate a browser, is
 the order of the request headers. I propose that we introduce a new option in
 which you give headers a value, and then when the HTTP request is built it
 sorts the headers based on that number. We could then have internally created
 headers use a default value so only headers that need to be moved have to be
 specified.

5.4 SPDY

 Chrome and Firefox already support SPDY and lots of web services do. There's
 a library for us to use for this (spdylay) that has a similar API and the
 same author as nghttp2.

 spdylay: https://github.com/tatsuhiro-t/spdylay

5.5 auth= in URLs

 Add the ability to specify the preferred authentication mechanism to use by
 using ;auth=<mech> in the login part of the URL.

 For example:

 http://test:pass;auth=NTLM@example.com would be equivalent to specifying --user
 test:pass;auth=NTLM or --user test:pass --ntlm from the command line.

 Additionally this should be implemented for proxy base URLs as well.

5.6 Refuse "downgrade" redirects

 See https://github.com/curl/curl/issues/226

 Consider a way to tell curl to refuse to "downgrade" protocol with a redirect
 and/or possibly a bit that refuses redirect to change protocol completely.
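
 A sketch of the two policies described above, as an added example that is
 not libcurl code. enum redir_policy and redirect_allowed() are hypothetical
 names, and the list of schemes counted as TLS-protected is an assumption of
 this example; any scheme not on it is treated as cleartext.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policy values, not existing libcurl options. */
enum redir_policy {
  REDIR_ANY,            /* follow whatever the server says */
  REDIR_NO_DOWNGRADE,   /* refuse TLS-protected -> cleartext */
  REDIR_SAME_PROTOCOL   /* refuse any change of protocol */
};

/* Length of the scheme in an absolute URL ("scheme://..."), or 0 for a
   relative reference such as "/path" or "//host/path", which inherits the
   scheme of the URL it was received from. */
static size_t scheme_len(const char *url)
{
  size_t n = 0;
  if(!isalpha((unsigned char)url[0]))
    return 0;
  while(isalnum((unsigned char)url[n]) ||
        url[n] == '+' || url[n] == '-' || url[n] == '.')
    n++;
  return strncmp(url + n, "://", 3) == 0 ? n : 0;
}

/* Case-insensitive comparison of two schemes given as pointer + length. */
static int scheme_eq(const char *a, size_t an, const char *b, size_t bn)
{
  size_t i;
  if(an != bn)
    return 0;
  for(i = 0; i < an; i++)
    if(tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
      return 0;
  return 1;
}

/* Assumption of this example: these schemes run over TLS, all others are
   treated as cleartext (which errs on the side of refusing). */
static int scheme_uses_tls(const char *url, size_t n)
{
  static const char *const tls[] = {
    "https", "ftps", "imaps", "pop3s", "smtps", "ldaps"
  };
  size_t i;
  for(i = 0; i < sizeof(tls) / sizeof(tls[0]); i++)
    if(scheme_eq(url, n, tls[i], strlen(tls[i])))
      return 1;
  return 0;
}

/* Returns 1 if a redirect from `from` to the Location value `location` may
   be followed under `policy`, 0 if it must be refused. */
int redirect_allowed(const char *from, const char *location,
                     enum redir_policy policy)
{
  size_t fn = scheme_len(from);
  size_t tn = scheme_len(location);
  if(!fn)
    return 0;                 /* the original URL must be absolute */
  if(!tn || policy == REDIR_ANY)
    return 1;                 /* relative target keeps the same protocol */
  if(policy == REDIR_SAME_PROTOCOL)
    return scheme_eq(from, fn, location, tn);
  /* REDIR_NO_DOWNGRADE: only protected -> unprotected is refused */
  return !(scheme_uses_tls(from, fn) && !scheme_uses_tls(location, tn));
}
```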

5.7 More compressions

 Compression algorithms that perform better than gzip are being considered for
 use and inclusion in existing browsers. For example 'brotli'. If servers
 follow along it is a good reason for us to also allow users to take advantage
 of this. The algorithm: https://github.com/google/brotli The Firefox bug:
 https://bugzilla.mozilla.org/show_bug.cgi?id=366559


6. TELNET

6.1 ditch stdin

Reading input (to send to the remote server) on stdin is a crappy solution for
library purposes. We need to invent a good way for the application to be able
to provide the data to send.

6.2 ditch telnet-specific select

 Make the telnet support's network select() loop go away and merge the code
 into the main transfer loop. Until this is done, the multi interface won't
 work for telnet.

6.3 feature negotiation debug data

  Add telnet feature negotiation data to the debug callback as header data.

6.4 send data in chunks

  Currently, telnet sends data one byte at a time.  This is fine for interactive
  use, but inefficient for any other.  Sent data should be sent in larger
  chunks.

7. SMTP

7.1 Pipelining

 Add support for pipelining emails.

7.2 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the EHLO command.

8. POP3

8.1 Pipelining

 Add support for pipelining commands.

8.2 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the CAPA command.

9. IMAP

9.1 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the CAPABILITY command.

10. LDAP

10.1 SASL based authentication mechanisms

 Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
 to an LDAP server. However, this function sends username and password details
 using the simple authentication mechanism (as clear text). However, it should
 be possible to use ldap_bind_s() instead specifying the security context
 information ourselves.

11. SMB

11.1 File listing support

Add support for listing the contents of a SMB share. The output should probably
be the same as/similar to FTP.

11.2 Honor file timestamps

The timestamp of the transferred file should reflect that of the original file.

11.3 Use NTLMv2

Currently the SMB authentication uses NTLMv1.

11.4 Create remote directories

Support for creating remote directories when uploading a file to a directory
that doesn't exist on the server, just like --ftp-create-dirs.

12. New protocols

12.1 RSYNC

 There's no RFC for the protocol or a URI/URL format.  An implementation
 should most probably use an existing rsync library, such as librsync.

13. SSL

13.1 Disable specific versions

 Provide an option that allows for disabling specific SSL versions, such as
 SSLv2 https://curl.haxx.se/bug/feature.cgi?id=1767276

13.2 Provide mutex locking API

 Provide a libcurl API for setting mutex callbacks in the underlying SSL
 library, so that the same application code can use mutex-locking
 independently of OpenSSL or GnuTLS being used.

13.3 Evaluate SSL patches

 Evaluate/apply Gertjan van Wingerde's SSL patches:
 https://curl.haxx.se/mail/lib-2004-03/0087.html

13.4 Cache OpenSSL contexts

 "Look at SSL cafile - quick traces look to me like these are done on every
 request as well, when they should only be necessary once per SSL context (or
 once per handle)". The major improvement we can rather easily do is to make
 sure we don't create and kill a new SSL "context" for every request, but
 instead make one for every connection and re-use that SSL context in the same
 style connections are re-used. It will make us use slightly more memory but
 it will make libcurl do fewer creations and deletions of SSL contexts.

13.5 Export session ids

 Add an interface to libcurl that enables "session IDs" to get
 exported/imported. Cris Bailiff said: "OpenSSL has functions which can
 serialise the current SSL state to a buffer of your choice, and recover/reset
 the state from such a buffer at a later date - this is used by mod_ssl for
 apache to implement an SSL session ID cache".

13.6 Provide callback for cert verification

 OpenSSL supports a callback for customised verification of the peer
 certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
 it be? There's so much that could be done if it were!

13.7 improve configure --with-ssl

 make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
 then NSS...

13.8 Support DANE

 DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
 keys and certs over DNS using DNSSEC as an alternative to the CA model.
 https://www.rfc-editor.org/rfc/rfc6698.txt

 An initial patch was posted by Suresh Krishnaswamy on March 7th 2013
 (https://curl.haxx.se/mail/lib-2013-03/0075.html) but it was a too simple
 approach. See Daniel's comments:
 https://curl.haxx.se/mail/lib-2013-03/0103.html . libunbound may be the
 correct library to base this development on.

14. GnuTLS

14.1 SSL engine stuff

 Is this even possible?

14.2 check connection

 Add a way to check if the connection seems to be alive, to correspond to the
 SSL_peek() way we use with OpenSSL.

15. WinSSL/SChannel

15.1 Add support for client certificate authentication

 WinSSL/SChannel currently makes use of the OS-level system and user
 certificate and private key stores. This does not allow the application
 or the user to supply a custom client certificate using curl or libcurl.

 Therefore support for the existing -E/--cert and --key options should be
 implemented by supplying a custom certificate to the SChannel APIs, see:
 - Getting a Certificate for Schannel
   https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx

15.2 Add support for custom server certificate validation

 WinSSL/SChannel currently makes use of the OS-level system and user
 certificate trust store. This does not allow the application or user to
 customize the server certificate validation process using curl or libcurl.

 Therefore support for the existing --cacert or --capath options should be
 implemented by supplying a custom certificate to the SChannel APIs, see:
 - Getting a Certificate for Schannel
   https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx

15.3 Add support for the --ciphers option

 The cipher suites used by WinSSL/SChannel are configured on an OS-level
 instead of an application-level. This does not allow the application or
 the user to customize the configured cipher suites using curl or libcurl.

 Therefore support for the existing --ciphers option should be implemented
 by mapping the OpenSSL/GnuTLS cipher suites to the SChannel APIs, see
 - Specifying Schannel Ciphers and Cipher Strengths
   https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx

16. SASL

16.1 Other authentication mechanisms

 Add support for other authentication mechanisms such as OLP,
 GSS-SPNEGO and others.

16.2 Add QOP support to GSSAPI authentication

 Currently the GSSAPI authentication only supports the default QOP of auth
 (Authentication), whilst Kerberos V5 supports both auth-int (Authentication
 with integrity protection) and auth-conf (Authentication with integrity and
 privacy protection).

16.3 Support binary messages (i.e.: non-base64)

  Mandatory to support LDAP SASL authentication.

17. Command line tool

17.1 sync

 "curl --sync http://example.com/feed[1-100].rss" or
 "curl --sync http://example.net/{index,calendar,history}.html"

 Downloads a range or set of URLs using the remote name, but only if the
 remote file is newer than the local file. A Last-Modified HTTP date header
 should also be used to set the mod date on the downloaded file.

17.2 glob posts

 Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'.
 This is easily scripted though.

17.3 prevent file overwriting

 Add an option that prevents cURL from overwriting existing local files. When
 used, and there already is an existing file with the target file name
 (either -O or -o), a number should be appended (and increased if already
 existing). So that index.html becomes first index.html.1 and then
 index.html.2 etc.
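
 The naming scheme above can be implemented without a check-then-create race
 by letting open() with O_CREAT|O_EXCL decide whether a name is taken. This
 is an added example for POSIX systems, not code from the curl tool;
 open_no_clobber() and its max_suffix limit are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a new output file for `name` without ever replacing an existing
   one. Tries name, name.1, name.2, ... up to name.<max_suffix>.

   O_CREAT|O_EXCL makes "does it exist?" and "create it" one atomic step, so
   a file that appears between two calls is never truncated. It also fails
   with EEXIST when the last path component is a symbolic link, so a planted
   link cannot redirect the write somewhere else.

   On success returns the open file descriptor and stores the name that was
   used in `chosen`. On failure returns -1 with errno set. */
int open_no_clobber(const char *name, char *chosen, size_t chosen_len,
                    int max_suffix)
{
  int n;
  for(n = 0; n <= max_suffix; n++) {
    int fd;
    int len;
    if(n == 0)
      len = snprintf(chosen, chosen_len, "%s", name);
    else
      len = snprintf(chosen, chosen_len, "%s.%d", name, n);
    if(len < 0 || (size_t)len >= chosen_len) {
      errno = ENAMETOOLONG;   /* never fall back to a truncated name */
      return -1;
    }
    /* mode 0666 is still filtered through the process umask */
    fd = open(chosen, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if(fd >= 0)
      return fd;
    if(errno != EEXIST)
      return -1;              /* e.g. EACCES or ENOENT: trying on is useless */
  }
  errno = EEXIST;             /* every candidate name was already taken */
  return -1;
}
```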

17.4 simultaneous parallel transfers

 The client could be told to use maximum N simultaneous parallel transfers and
 then just make sure that happens. It should of course not make more than one
 connection to the same remote host. This would require the client to use the
 multi interface. https://curl.haxx.se/bug/feature.cgi?id=1558595

 Using the multi interface would also allow properly using parallel transfers
 with HTTP/2 and supporting HTTP/2 server push from the command line.

17.5 provide formpost headers

 Extending the capabilities of the multipart formposting. How about leaving
 the ';type=foo' syntax as it is and adding an extra tag (headers) which
 works like this: curl -F "coolfiles=@fil1.txt;headers=@fil1.hdr" where
 fil1.hdr contains extra headers like

   Content-Type: text/plain; charset=KOI8-R
   Content-Transfer-Encoding: base64
   X-User-Comment: Please don't use browser specific HTML code

 which should override the program's reasonable defaults (text/plain,
 8bit...)

17.6 warning when setting an option

 Display a warning when libcurl returns an error when setting an option.
 This can be useful to tell when support for a particular feature hasn't been
 compiled into the library.

17.7 warning when sending binary output to terminal

 Provide a way that prompts the user for confirmation before binary data is
 sent to the terminal, much in the style 'less' does it.

17.8 offer color-coded HTTP header output

 By offering different color output on the header name and the header
 contents, they could be made more readable and thus help users working on
 HTTP services.

17.9 Choose the name of file in braces for complex URLs

 When using braces to download a list of URLs and you use complicated names
 in the list of alternatives, it could be handy to allow curl to use other
 names when saving.

 Consider a way to offer that. Possibly like
 {partURL1:name1,partURL2:name2,partURL3:name3} where the name following the
 colon is the output name.

 See https://github.com/curl/curl/issues/221

80217.10 improve how curl works in a windows console window
803
804 If you pull the scrollbar when transferring with curl in a Windows console
805 window, the transfer is interrupted and can get disconnected. This can
806 probably be improved. See https://github.com/curl/curl/issues/322
807
80817.11 -w output to stderr
809
810 -w is quite useful, but not to those of us who use curl without -o or -O
811 (such as for scripting through a higher level language). It would be nice to
812 have an option that is exactly like -w but sends it to stderr
813 instead. Proposed name: --write-stderr. See
814 https://github.com/curl/curl/issues/613
815
81617.12 keep running, read instructions from pipe/socket
817
818 Provide an option that makes curl not exit after the last URL (or even work
819 without a given URL), and then make it read instructions passed on a pipe or
820 over a socket to make further instructions so that a second subsequent curl
821 invoke can talk to the still running instance and ask for transfers to get
822 done, and thus maintain its connection pool, DNS cache and more.
823
82417.13 support metalink in http headers
825
826 Curl has support for downloading a metalink xml file, processing it, and then
827 downloading the target of the metalink. This is done via the --metalink option.
828 It would be nice if metalink also supported downloading via metalink
829 information that is stored in HTTP headers (RFC 6249). Theoretically this could
830 also be supported with the --metalink option.
831
832 See https://tools.ietf.org/html/rfc6249
833
834 See also https://lists.gnu.org/archive/html/bug-wget/2015-06/msg00034.html for
835 an implematation of this in wget.

17.14 --fail without --location should treat 3xx as a failure

 To allow a command line like this to detect a redirect and consider it a
 failure:

    curl -v --fail -O https://example.com/curl-7.48.0.tar.gz

 ... --fail must treat 3xx responses as failures too. The least problematic
 way to implement this is probably to add that new logic in the command line
 tool only and not in the underlying CURLOPT_FAILONERROR logic.
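
 Until the tool behaves this way, a script can get the same result by having
 curl print the response code with -w and judging it after the transfer. The
 wrapper below is an added example, not code from the curl project; the
 function name fetch_no_redirect, the CURL_BIN override and the return values
 120 and 121 are assumptions made for it.

```shell
#!/bin/sh
# Added example, not curl project code. fetch_no_redirect and CURL_BIN are
# names made up here; --fail, -sS, -o and -w '%{http_code}' are existing
# curl options.

CURL_BIN=${CURL_BIN:-curl}

# fetch_no_redirect URL OUTFILE
# Returns 0 on a 2xx response, curl's own exit code when curl itself failed
# (22 for a response >= 400 under --fail), 120 on a 3xx response and 121 on
# anything else. 120 and 121 are values picked for this example.
fetch_no_redirect() {
  url=$1
  out=$2
  tmp="$out.part.$$"
  rc=0

  # The body goes to a temporary name so that a redirect's HTML body never
  # ends up under the real file name; -w prints the response code on stdout.
  code=$("$CURL_BIN" --fail -sS -o "$tmp" -w '%{http_code}' "$url") || rc=$?

  if [ "$rc" -ne 0 ]; then
    rm -f "$tmp"
    return "$rc"
  fi

  case $code in
    2[0-9][0-9])
      mv "$tmp" "$out" || return 121
      return 0
      ;;
    3[0-9][0-9])
      echo "fetch_no_redirect: $url answered $code, treated as failure" >&2
      rm -f "$tmp"
      return 120
      ;;
    *)
      # For instance 000, which curl prints when it got no response code.
      echo "fetch_no_redirect: unexpected response code '$code'" >&2
      rm -f "$tmp"
      return 121
      ;;
  esac
}
```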


18. Build

18.1 roffit

 Consider extending 'roffit' to produce decent ASCII output, and use that
 instead of (g)nroff when building src/tool_hugehelp.c.

19. Test suite

19.1 SSL tunnel

 Make our own version of stunnel for simple port forwarding to enable HTTPS
 and FTP-SSL tests without the stunnel dependency, and it could allow us to
 provide test tools built with either OpenSSL or GnuTLS.

19.2 nicer lacking perl message

 If perl wasn't found by the configure script, don't attempt to run the tests
 but explain nicely why they can't be run.

19.3 more protocols supported

 Extend the test suite to include more protocols. The telnet could just do FTP
 or HTTP operations (for which we have test servers).

19.4 more platforms supported

 Make the test suite work on more platforms. OpenBSD and Mac OS. Remove
 fork()s and it should become even more portable.

19.5 Add support for concurrent connections

 Tests 836, 882 and 938 were designed to verify that separate connections aren't
 used when using different login credentials in protocols that shouldn't re-use
 a connection under such circumstances.

 Unfortunately, ftpserver.pl doesn't appear to support multiple concurrent
 connections. The read while() loop seems to loop until it receives a disconnect
 from the client, where it then enters the waiting for connections loop. When
 the client opens a second connection to the server, the first connection hasn't
 been dropped (unless it has been forced - which we shouldn't do in these tests)
 and thus the wait for connections loop is never entered to receive the second
 connection.

19.6 Use the RFC6265 test suite

 A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at
 https://github.com/abarth/http-state/tree/master/tests

 It'd be really awesome if someone would write a script/setup that would run
 curl with that test suite and detect deviations. Ideally, that would even be
 incorporated into our regular test suite.


20. Next SONAME bump

20.1 http-style HEAD output for FTP

 #undef CURL_FTP_HTTPSTYLE_HEAD in lib/ftp.c to remove the HTTP-style headers
 from being output in NOBODY requests over FTP.

20.2 combine error codes

 Combine some of the error codes to remove duplicates.  The original
 numbering should not be changed, and the old identifiers would be
 macroed to the new ones in a CURL_NO_OLDIES section to help with
 backward compatibility.

 Candidates for removal and their replacements:

    CURLE_FILE_COULDNT_READ_FILE => CURLE_REMOTE_FILE_NOT_FOUND

    CURLE_FTP_COULDNT_RETR_FILE => CURLE_REMOTE_FILE_NOT_FOUND

    CURLE_FTP_COULDNT_USE_REST => CURLE_RANGE_ERROR

    CURLE_FUNCTION_NOT_FOUND => CURLE_FAILED_INIT

    CURLE_LDAP_INVALID_URL => CURLE_URL_MALFORMAT

    CURLE_TFTP_NOSUCHUSER => CURLE_TFTP_ILLEGAL

    CURLE_TFTP_NOTFOUND => CURLE_REMOTE_FILE_NOT_FOUND

    CURLE_TFTP_PERM => CURLE_REMOTE_ACCESS_DENIED

20.3 extend CURLOPT_SOCKOPTFUNCTION prototype

 The current prototype only provides 'purpose' that tells what the
 connection/socket is for, but not any protocol or similar. It makes it hard
 for applications to differentiate on TCP vs UDP and even HTTP vs FTP and
 similar.

21. Next major release

21.1 cleanup return codes

 curl_easy_cleanup() returns void, but curl_multi_cleanup() returns a
 CURLMcode. These should be changed to be the same.

21.2 remove obsolete defines

 Remove obsolete defines from curl/curl.h.

21.3 size_t

 Make several functions use size_t instead of int in their APIs.

21.4 remove several functions

 Remove the following functions from the public API:

 curl_getenv

 curl_mprintf (and variations)

 curl_strequal

 curl_strnequal

 They will instead become curlx_ alternatives. That makes the curl app
 still capable of using them, by building with them from source.

 These functions have no purpose anymore:

 curl_multi_socket

 curl_multi_socket_all

21.5 remove CURLOPT_FAILONERROR

 Remove support for CURLOPT_FAILONERROR. It has gotten too kludgy and weird
 internally. Let the app judge success or not for itself.

21.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE

 Remove support for a global DNS cache. Anything global is silly, and we
 already offer the share interface for the same functionality but done
 "right".

21.7 remove progress meter from libcurl

 The internally provided progress meter output doesn't belong in the library.
 Basically no application wants it (apart from curl) but instead applications
 can and should do their own progress meters using the progress callback.

 The progress callback should then be bumped as well to get proper 64bit
 variable types passed to it instead of doubles so that big files work
 correctly.

21.8 remove 'curl_httppost' from public

 curl_formadd() was made to fill in a public struct, but the fact that the
 struct is public is never really used by applications for their own advantage
 but instead often restricts how the form functions can or can't be modified.

 Changing them to return a private handle will benefit the implementation and
 allow us much greater freedoms while still maintaining a solid API and ABI.
