In pytests test_08 with the Caddy server, the new rate-limiting in
ngtcp2 did close the connection because it found "too many" stream data
packet repeats.
It is unclear if this is some Caddy issue or if the ngtcp2 implementaton
is wrong. Or if curl can do anything here.
Reported as https://github.com/ngtcp2/ngtcp2/issues/1850
This PR overwrites the ratelimit defaults in ngtcp2 with ten times
increased values. This makes the errors disappear on macOS.
Enable test_08_04/05 in CI again to see if there are any issues
to be found there. (We had those disabled before having parallel
pytests.)
Closes#19274
Change the test certificate to carry a altname 'dns:127.0.0.1' which
should *not* match in test_17_05_bad_ip_addr.
wolfSSL: since `wolfSSL_check_domain_name()` does not differentiate
between DNS and IP names, use if only for DNS names. For IP addresses,
get the peer certificate after the handshake and check that using
wolfSSL_X509_check_ip_asc().
Unfortunately, this succeeds where it should not, as wolfSSL internally
used the same check code for both cases. So, skip the test case until
wolfSSL fixes that.
Reported-by: Joshua Rogers
Closes#19252
- cryptography from 46.0.2 to 46.0.3 in /tests
- filelock from 3.19.1 to 3.20.0 in /tests
- psutil from 7.1.0 to 7.1.1 in /tests
Closes#19217Closes#19218Closes#19219
- honor request id (`id=<number>`) in `curltest/put` and
`curltest/sslinfo` handlers.
- do not truncate `max_upload` input parameter.
- delete unused variables.
- formatting.
Inspired by Joshua's report on tests.
Closes#19061
In MOST protocols and runs, the 'pretransfer' time is less than the
'starttransfer'. E.g. request being sent before response comes in.
However, when curl is starved of cpu a server response might start
streaming in before the multi-state transitioned to DID (and recorded
the 'pretransfer' time).
Do no longer check that 'pretransfer' is less or equal 'starttransfer'.
Check that is is less or equal to the total time instead.
Closes#19096
When calling scorecard with --flame to produce a flamegraph, use
"perf" on linux platforms to do the measurements. Update the scorecard
documentation about it.
Closes#19058
Protocol handlers not flagging PROTOPT_SSL that allow reuse of existing
SSL connections now need to carry the flag PROTOPT_SSL_REUSE.
Add PROTOPT_SSL_REUSE to imap, ldap, pop3, smtp and ftp.
Add tests the http: urls do not reuse https: connections and vice versa.
Reported-by: Sakthi SK
Fixes#19006Closes#19007
- cryptography from 44.0.1 to 46.0.2 in tests/http
- ruff from 0.13.2 to 0.14.0 in .github/scripts
- reuse from 6.0.0 to 6.1.2 in .github/scripts
- github/codeql-action from 3.30.5 to 4.30.7
Closes#18941Closes#18942Closes#18943Closes#18945Closes#18947
Add infrastructure to colled and dispatch notifications for transfers
and the multi handle in general. Applications can register a callback
and en-/disable notification type the are interested in.
Without a callback installed, notifications are not collected. Same when
a notification type has not been enabled.
Memory allocation failures on adding notifications lead to a general
multi failure state and result in CURLM_OUT_OF_MEMORY returned from
curl_multi_perform() and curl_multi_socket*() invocations.
Closes#18432
- configure/cmake support for enabling the option
- supported in OpenSSL and GnuTLS backends
- when configured, Apple SecTrust is the default trust store
for peer verification. When one of the CURLOPT_* for adding
certificates is used, that default does not apply.
- add documentation of build options and SSL use
Closes#18703
Detect via curlinfo if curl has verbose strings disabled, and skip
tests that require it.
Also:
- cmake: make pytests depend on curlinfo.
Cherry-picked from #18797Closes#18801
When attempts on all addresses have been started, do no longer set any
EXPIRE_HAPPY_EYEBALLS timeouts.
Fixes#18767
Reported-by: Johannes Schindelin
Closes#18768
Fail on errors from SSL_handle_events().
Force quit Caddy test instance that is left hanging longer with
openssl-quic tests for unknown reasons.
Reported in Joshua's sarif data
Closes#18720
- requirements.txt: shorten copyright headers.
- requirements.txt: pin packages to versions.
- GHA/windows: use `tests/requirements.txt`.
Pick a `cryptography` package version that satifies both `impacket`
and pytests dependencies.
- GHA/checksrc: move pip deps into a new `requirements.txt`.
To make Dependabot detect and bump them.
- GHA/checksrc: replace apt packages for python test deps with pip
install `tests/**/requirements.txt` to a venv.
- GHA/checksrc: use venv and drop `--break-system-packages`.
- GHA/linux: fix to actually activate venvs.
Follow-up to 2638570241#15578
- GHA/linux: fixup (did not cause an issue)
Follow-up to d75785c7de#18660
- GHA: create venvs later, simplify commands.
- GHA: sync pip command-line options, e.g. drop progress-bar,
everywhere.
Assisted-by: Dan Fandrich
Closes#18708
Access the error codes of ngtcp2 when a connect attempt failes. Trace
the information for analysis. Treat errors as permanent failure by
default, trigger retrying only when the server refused without
indicating an error.
Closes#18521
Tweaks around handling of --limit-rate:
* tracing: trace outstanding timeouts by name
* multi: do not mark transfer as dirty that have
an EXPIRE_TOOFAST set
* multi: have one static function to asses speed limits
* multi: when setting EXPIRE_TOOFAST remove the transfers
from the dirty set
* progress: rename vars and comment on how speed limit
timeouts are calculated, for clarity
* transfer: when speed limiting, exit the receive loop
after a quarter of the limit has been received, not
on the first chunk received.
* cf-ip-happy.c: clear EXPIRE_HAPPY_EYEBALLS on connect
* scorecard: add --limit-rate parameter to test with
speed limits in effect
Closes#18454
test_10_08, uploading larger files for a h2 proxy, sporadically fails
with a decrpytion error on received data in AWS-LC. The frequency can
be increased by simulated network receive blocks.
Not setting a 4 * TLS record sized buffer, leaving AWS-LC at its
default buffer size seems to mitigate this problem.
Closes#18434
Write out 9-length frames to client's WRITEFUNCTION
Read 0-length frames from READFUNCTION *if* the function
started a new frame via `curl_ws_start_frame()`.
Fixes#18286Closes#18332
Reported-by: Andriy Druk
Add support for CURLOPT_READFUNCTION with WebSocket urls when *not* in
connect-only mode, e.g. when using curl_multi_perform.
Install the callback function and set CURLOPT_UPLOAD. Return
CURL_READFUNC_PAUSE when having nothing more to send and unpause the
transfer when more data is ready.
This will send the read bytes in a WebSocket BINARY frame.
Add support for this mode in the pytest "ws_data" client and have all
tests run in 'curl_ws_send/recv' and 'peform' mode as well.
Add `curl_ws_start_frame()`. Document, cover in libcurl-ws.md and
explain the READFUNCTION mode for websockets.
Add example `websocket-updown` for this.
Closes#17683
When an SSL_write() blocks we need to retry it with the
same length as before or stupid OpenSSL freaks out. Remember
it, limit any longer sends and fail shorter ones.
Fixes#18121
Reported-by: adamse on github
Closes#18132
test_02_36 tests h1/h2/h3 with urls longer than 1/16/32/64K.
Protocols behave the same until the size exceed 64k when h2 frame limits
bite and h3 exhibits a different http status.
Failed attempt to reproduce #18121Closes#18129
Since the content varies during connection setup and while doing it
(eyeballing), remove these strcut from `connectdata` and replace use
with querying the connection filters. Those keep that information
already.
Change the info logging of established connections to also give the
local address and port.
Closes#17960
libtests and clients were built the same way after recent overhauls.
libtests are used by runtests, clients by pytests.
Merge clients into libtests, aligning their entry function signature,
dropping common utility functions, and simplifying the build.
Note: After this patch `CURLDEBUG` applies to cli tests, when enabled.
Also:
- lib552: drop local copy-paste debug callback in favor of testtrace.
- lib552: drop local copy-paste dump function in favor of testtrace.
- clients: use `long` for HTTP version, drop casts.
- clients: replace local dump function in favor of testrace clone.
- sync cli test entry function prototype with libtests'.
- h2_serverpush: replace local trace callback with testtrace.
- de-duplicate 3 websocket close, ping, ping, functions. Kept the pong
iteration from `ws_pingpong`. Note: the pong clone in `lib2304` was
returning an error when `curl_ws_recv()` returned non-zero and
the payload matched the expected one anyway. After this patch, this
case returns success, as it does in `ws_pingpong`.
`lib2304` keeps passing, but I'm not sure if the previous behavior
was intentional.
- display full value in websocket close, ping, pong, drop casts.
Closes#18079
- add startup check for 'danted' to avoid fails on low cpu
- rename 'sockd' to 'danted' everywhere to clarify what we use
- add proper defaults for 'danted' for debian
- install 'dante-server' in pytest ci runs
Closes#18075
Add a new commandline option --out-null that discards all
response bytes into the void. Replaces non-portable use of
'-o /dev/null' with more efficiency.
Feature added in 8.16.0
Closes#17800
Add a connection filter query to obtained the negotiated ALPN
protocol to check in setup/protocols how the connection needs
to behave.
Remove the members `alpn` and `proxy_alpn` from `connectdata`.
Closes#17947
Fix compile error when building with `--disable-verbose`.
Adjust pytest to skip when curl is not a debug build but needs
traces.
Follow-up to b453a447ceCloses#18053
This still allows users to explictily ask for 1.0 or 1.1 as the minimum
version. If the TLS library allows it.
Starting with this change, the CURL_SSLVERSION_DEFAULT value is no
longer used as minimum version when the TLS backend are called.
This also makes curl set the minimum version to 1.2 independently of
libcurl for the rare case where a newer curl tool would use an older
libcurl.
URL: https://curl.se/mail/lib-2025-07/0007.html
Assisted-by: Stefan Eissing
Closes#17894
Configure curl with `--with-test-sockd=<path to sockd>` for a locally
installed dante sockd server and new `test_40_*` will verify that
down- and uploads work via SOCKS.
Invoke scorecard.py with `--socks4` or `--socks5` to run performance
tests with SOCKS. Note that SOCKS is not supported for HTTP/3.
Ref: #17969Closes#17986
- codespell: break logic out into its own runnable script. Allowing
to run it on local machines.
- codespell: install via `pip`, bump to latest version.
- codespell: show version number in CI log.
- codespell: drop no longer needed word exception: `msdos`.
- codespell: include all curl source tree, except `packages` and
`winbuild`. Drop an obsolete file exclusion.
- add new spellchecker job using the `typos` tool. It includes
the codespell dictionary and a couple more. Use linuxbrew to install
it. This takes 10 seconds, while installing via `cargo` from source
would take over a minute.
- codespell: introduce an inline ignore filter compatible with `cspell`
Make `typos` recognize it, too. Move single exceptions inline.
Fix new typos found. Also rename variables and words to keep
spellchecking exceptions at minumum. This involves touching some tests.
Also switch base64 strings to `%b64[]` to avoid false positives.
Ref: https://github.com/crate-ci/typos/blob/master/docs/reference.md
Ref: https://github.com/codespell-project/codespell?tab=readme-ov-file#inline-ignore
Ref: https://github.com/codespell-project/codespell/issues/1212#issuecomment-1721152455
Ref: https://cspell.org/docs/Configuration/document-settingsCloses#17905
When CI is not able to give clients enough cpu, the default Apache
KeepAliveTimeout of 5 seconds may trigger and cause tests to fail.
Increase the timeout to 30 seconds for reliability.
Ref: #17963Closes#17968
Eliminating the socket readability check in the socket connection
filters for the 'data_pending' callback. Improves performance of
handling of transfers, up to ~30%, depending on parallelism and response
size.
Whatever `data_pending()` once was, its semantics are now:
"Is there anything buffered in the connection filters that needs
receive?"
Any checks of the socket's readability are done via `multi_wait()`
and friends.
Fix the one place in HTTP/1 proxy code that checked `data_pending()` and
did an early return if false. Remove that check and actually try to
receive data every time.
Closes#17785
To have all the tests binaries directly under the tests directory.
There seems to be no issue adding non-http test clients to this subdir.
Closes#17637
Sync build properties with libtests.
This allows accessing macros from `curl_config.h`, for feature flags.
Smoothens out platform bumps, allowing to drop local replicas from
client sources. It enables using Windows wrappers, e.g. for `fopen()`.
Also fix client sources to use `curl_mfprintf()` where curl format
strings are used. (To avoid build failure with older mingw-w64, e.g.
6.4.0 in CI.)
Follow-up to 739c09c8a4#17627Closes#17642
To make building the http client tests faster, with no duplication, by
using the build method that other test binaries already use.
The difference compared to other tests is that these don't use internal
libcurl headers or code. With the exception of `curl_config.h`, for
a feature macro.
Before this patch, these tests were built like examples.
Also:
- de-duplicate code and give unique names to colliding symbols.
- add local getopt implementation and enable all code for MSVC.
Adapted for curl via Public Domain source:
4e618ef782/getopt.h
Credits-to: Christopher Wellons
Thanks!
Closes#17627
