Changes in 8.16.0 - September 10 2025

Changes:

• build: bump minimum required mingw-w64 to v3.0 (from v1.0)
• curl: add --follow
• curl: add --out-null
• curl: add --parallel-max-host to limit concurrent connections per host
• curl: make --retry-delay and --retry-max-time accept decimal seconds
• hostip: cache negative name resolves
• ip happy eyeballing: keep attempts running
• mbedtls: bump minimum version required to 3.2.0
• multi: add curl_multi_get_offt
• multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
• netrc: use the NETRC environment variable (first) if set
• smtp: allow suffix behind a mail address for RFC 3461
• tls: make default TLS version be minimum 1.2
• tool_getparam: add support for `--longopt=value`
• vquic: drop msh3
• websocket: support CURLOPT_READFUNCTION
• writeout: add %time{}

Bugfixes:

• _PROTOCOLS.md: mention file:// is only for absolute paths
• acinclude: --with-ca-fallback only works with OpenSSL
• alpn: query filter
• ares: destroy channel on shutdown
• ares: use `ares_strerror()` to retrieve error messages
• asyn-thrdd: fix --disable-socketpair builds
• asyn-thrdd: fix Curl_async_pollset without socketpair
• asyn-thrdd: fix no `HAVE_GETADDRINFO` builds
• asyn-thrdd: manage DEFERRED and locks better
• autotools: make curl-config executable
• aws-lc: do not use large buffer
• BINDINGS.md: add LibQurl
• bufq: add integer overflow checks before chunk allocations
• bufq: removed "Useless Assignment"
• bufq: simplify condition
• build: allow libtests/clients to use libcurl dependencies directly
• build: disable `TCP_NODELAY` for emscripten
• build: enable _GNU_SOURCE on GNU/Hurd
• build: extend GNU C guards to clang where applicable, fix fallouts
• build: fix build errors/warnings in rare configurations
• build: fix disable-verbose
• build: fix mingw-w64 version guard for mingw32ce
• build: if no perl, fix to use the pre-built hugehelp, if present
• build: link to Apple frameworks required by static wolfSSL
• build: support LibreSSL native crypto lib with ngtcp2 1.15.0+
• build: tidy up compiler definition for tests
• cf-https-connect: delete unused declaration
• clang-tidy: disable `clang-analyzer-security.ArrayBound`
• cmake: `CURL_CA_FALLBACK` only works with OpenSSL
• cmake: capitalize 'Rustls' in the config summary
• cmake: defer building `unitprotos.h` till a test target needs it
• cmake: define `WIN32_LEAN_AND_MEAN` for examples
• cmake: drop redundant unity mode for `curlinfo`
• cmake: enable `-Wall` for MSVC 1944
• cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
• cmake: fix setting LTO properties on the wrong targets
• cmake: fix to disable Schannel and SSPI for non-Windows targets
• cmake: fix to restrict `SystemConfiguration` to macOS
• cmake: honor `CMAKE_C_FLAGS` in test 1119 and 1167
• cmake: improve error message for invalid HTTP/3 MultiSSL configs
• cmake: keep websockets disabled if HTTP is disabled
• cmake: make `runtests` targets build the curl tool
• cmake: make the ExternalProject test work
• cmake: omit linking duplicate/unnecessary libs to tests & examples
• cmake: re-add simple test target, and name it `tests`
• cmake: set `CURL_DIRSUFFIX` automatically in multi-config builds
• CODE_STYLE: sync with recent `checksrc.pl` updates
• config-win32.h: do not use winsock2 `inet_ntop()`/`inet_pton()`
• configure: if no perl, disable unity and shell completion, related tidy ups
• configure: tidy up internal names in ngtcp2 ossl detection logic
• connectdata: remove primary+secondary ip_quadruple
• connection: terminate after goaway
• contrithanks: fix for BSD `sed` tool
• cookie: don't treat the leading slash as trailing
• cookie: remove expired cookies before listing
• curl-config: remove X prefix use
• curl/system.h: fix for GCC 3.3.x and older
• curl: make the URL indexes 64 bit
• curl: tool_read_cb fix of segfault
• curl_addrinfo: drop workaround for old-mingw
• curl_easy_ssls_export: make the example more clear
• curl_fnmatch, servers: drop local macros in favour of `sizeof()`
• curl_mime_data_cb.md: mention what datasize is for
• curl_ossl: extend callback table for nghttp3 1.11.0
• curl_setup.h: include `stdint.h` earlier
• curl_setup.h: move UWP detection after `config-win32.h` (revert)
• curl_setup.h: move UWP detection after `config-win32.h`
• CURLINFO_FILETIME*.md: correct the examples
• CURLOPT: bump `CURL_REDIR_*` macros to `long`
• CURLOPT: bump `CURL_SSLVERSION_*` macros to `long`
• CURLOPT: bump `CURLALTSVC_*` macros to `long`
• CURLOPT: bump `CURLFTP*` enums to `long`, drop casts
• CURLOPT: bump `CURLHEADER_*` macros to `long`, drop casts
• CURLOPT: bump `CURLPROTO_*` macros to `long`
• CURLOPT: bump `CURLPROXY_*` enums to `long`, drop casts
• CURLOPT: bump `CURLWS_NOAUTOPONG`, `CURLWS_RAW_MODE` macros to `long`
• CURLOPT: bump remaining macros to `long`
• CURLOPT: drop redundant `long` casts
• CURLOPT: replace `(long)` cast with `L` suffix for `CURLHSTS_*` macros
• CURLOPT_HTTP_VERSION: mention new default value
• CURLOPT_SSL_CTX_*: replace the base64 with XXXX
• delta: fix warnings, fix for non-GNU `date` tool
• DEPRECATE.md: drop old OpenSSL versions
• DEPRECATE.md: drop support for c-ares versions before 1.16.0
• DEPRECATE.md: drop support for Windows XP/2003
• DEPRECATE.md: remove leftover "nothing"
• DISTROS.md: add Haiku
• docs/cmdline-opts: the auth types are not mutually exclusive
• docs: add CURLOPT type change history, drop casts where present
• docs: fix link CONTRIBUTE.md link
• docs: fix name in curl_easy_ssls_export man page
• docs: fix typo (staring -> starting)
• docs: point two broken links to archive.org
• doh: rename symbols to avoid collision with mingw-w64 headers
• easy handle: check validity on external calls
• examples: drop long cast for `CURLALTSVC_*`
• examples: make `CURLPIPE_MULTIPLEX` fallback `long`
• examples: remove base64 encoded chunks from examples
• examples: remove href_extractor.c
• ftp: store dir components as start+len instead of memdup'ing
• ftp: use 'conn' instead of 'data->conn'
• gnutls: fix building with older supported GnuTLS versions
• gnutls: some small cleanups
• hmac: return error if init fails
• hostip: do DNS cache pruning in milliseconds
• HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility
• http: const up readonly H2_NON_FIELD
• http: do the cookie list access under lock
• http: silence `-Warray-bounds` with gcc 13+
• idn: reject conversions that end up as a zero length hostname
• inet_pton, inet_ntop: drop declarations when unused
• lib1560: fix memory leak when run without UTF-8 support
• lib1560: replace an `int` with `bool`
• lib2700: use `testnum`
• lib517: use `LL` 64-bit literals & re-enable a test case (`time_t`)
• lib: drop `UNUSED_PARAM` macro
• libcurl: reset rewind flag in curl_easy_reset()
• libssh: Use sftp_aio instead of sftp_async for sftp_recv
• libtests: update format strings to avoid casts, drop some macros
• libtests: use `FMT_SOCKET_T`, drop more casts
• managen: reset text mode at end of table marker
• mbedtls: check for feature macros instead of version
• mdlinkcheck: handle links with a leading slash properly
• memanalyze: fix warnings
• memory: make function overrides work reliably in unity builds
• multi event: remove only announced
• multi: don't insert a node into the splay tree twice
• multi: fix assert in multi_getsock()
• multi: fix bad splay management
• multi: process pending, one by one
• multi: replace remaining EXPIRE_RUN_NOW
• multissl: initialize when requesting a random number
• ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0
• ngtcp2: handshake timeout should be equal to --connect-timeout
• ngtcp2: use custom mem funcs
• openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro
• openssl: add and use `HAVE_OPENSSL3` internal macro
• openssl: assume `OPENSSL_VERSION_NUMBER`
• openssl: auto-pause on verify callback retry
• openssl: check SSL_write() length on retries
• openssl: clear errors after a failed `d2i_X509()`
• openssl: drop more legacy cruft
• openssl: drop redundant `HAVE_OPENSSL_VERSION` macro
• openssl: drop redundant version check
• openssl: drop single-use interim macro `USE_OPENSSL_SRP`
• openssl: enable `HAVE_KEYLOG_CALLBACK` for AWS-LC
• openssl: merge two `#if` blocks
• openssl: output unescaped utf8 x509 issuer/subject DNs
• openssl: remove legacy cruft, document macro guards
• openssl: save and restore OpenSSL error queue in two functions
• openssl: some small cleanups
• openssl: split cert_stuff into smaller sub functions
• openssl: sync an AWS-LC guard with BoringSSL
• openssl: use `RSA_flags()` again with BoringSSL
• parallel-max: bump the max value to 65535
• parsedate: make Curl_getdate_capped able to return epoch
• processhelp.pm: fix to use the correct null device on Windows
• processhelp.pm: use `Win32::Process*` perl modules if available
• projects: drop unused logic from `generate.bat`
• projects: fix Windows project 'clean' function
• pytest: add SOCKS tests and scoring
• pytest: fix test_17_09_ssl_min_max for BoringSSL
• pytest: increase server KeepAliveTimeout
• pytest: relax error check on test_07_22
• resolving: dns error tracing
• runtests: assume `Time::HiRes`, drop Perl Win32 dependency
• runtests: remove warning message
• runtests: replace `--ci` with `--buidinfo`, show OS/Perl version again
• runtests: show still running tests when nothing has happened for a while
• schannel: add an error message for client cert not found
• schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN`
• schannel: drop fallbacks for 4 macros
• schannel: drop fallbacks for unused `BCRYPT_*` macros
• schannel: drop old-mingw special case
• schannel: fix recent update for mingw32ce
• schannel: fix renegotiation
• schannel: improve handshake procedure
• schannel: not supported with UWP, drop redundant code
• schannel: use if(result) like the code style says
• scripts: enable strict warnings in Perl where missing, fix fallouts
• scripts: fix two Perl uninitialized value warnings
• sendf: getting less data than "max allowed" is okay
• servers: convert two macros to scoped static const strings
• setopt: refactor out the booleans from setopt_long to setopt_bool
• setopt: split out cookielist() and cookiefile()
• socks: do_SOCKS5: Fix invalid buffer content on short send
• socks_sspi: simplify, clean up Curl_SOCKS5_gssapi_negotiate
• spacecheck.pl: when detecting unicode, mention line number
• spacecheck: warn for 3+ empty lines in a row, fix fallouts
• spelling: file system
• test1148: drop redundant `LC_NUMBER=` env setting
• test1557: pass `long` type to `multi_setopt()`
• test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI
• test1560: skip some URLs if UTF-8 is not supported
• test1: raise alloc limits
• test428: re-enable for Windows
• test436: fix running on Windows with `_curlrc` present
• test: add `cygwin` feature and use it (test 1056, 1517)
• tests/ech_tests.sh: indent, if/for style, inline ifs
• tests: constify command-line arguments
• tests: delete unused commands
• tests: drop unused `BLANK` envs, unset `CURL_NOT_SET`
• tests: drop unused `CURL_FORCEHOST` envs
• tests: fix perl warnings in http2-server, http3-server
• tests: fix prechecks to call the bundle libtest tool
• tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage
• tests: merge clients into libtests, drop duplicate code
• tests: remove the QUIT filters
• tests: set `CURL_ENTROPY` per test, not globally
• tests: unset some envs instead of blanking them
• threaded-resolver: fix shutdown
• tidy-up: `Curl_thread_create()` callback return type
• tidy-up: move literal to the right side of comparisons
• tidy-up: prefer `ifdef`/`ifndef` for single checks
• tls: CURLINFO_TLS_SSL_PTR testing
• TODO: remove session export item
• TODO: remove the expand ~ idea
• tool_cb_wrt: stop alloc/free for every chunk windows console output
• tool_filetime: accept setting negative filetime
• tool_getparam: let --trace-config override -v
• tool_getparam: warn on more unicode prefixes
• tool_operate: avoid superfluous strdup'ing output
• tool_operate: use stricter curl_multi_setopt() arguments
• tool_operate: use the correct config pointer
• tool_paramhlp: fix secs2ms()
• tool_parsecfg: use dynbuf for quoted arguments
• tool_urlglob: add integer overflow protection
• tool_urlglob: polish, cleanups, improvements
• typecheck-gcc: add type checks for curl_multi_setopt()
• unit-tests: build the unitprotos.h from here
• unit2604: avoid `UNCONST()`
• URL-SYNTAX.md: drop link to codepoints.net to pass linkcheck
• urlapi: allow more path characters "raw" when asked to URL encode
• urldata: reduce two long struct fields to unsigned short
• urlglob: only accept 255 globs
• vquic-tls: fix SSL backend type for QUIC connections using gnutls
• vquic: use curl_getenv
• vtls: set seen http version on successful ALPN
• websocket example: cast print values to unsigned int
• websocket: handling of PONG frames
• websocket: improve handling of 0-len frames
• websocket: reset upload_done when sending data
• windows: assume `ADDRESS_FAMILY`, drop feature checks
• windows: document toolchain support for `CERT_NAME_SEARCH_ALL_NAMES_FLAG`
• windows: document toolchain support for some macros (cont.)
• windows: document toolchain support for some macros
• windows: drop `CRYPT_E_*` macro fallbacks, limit one to mingw32ce
• windows: drop two interim, single-use macros
• windows: drop unused `curlx/version_win32.h` includes
• windows: fix `if_nametoindex()` detection with autotools, improve with cmake
• windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6
• windows: target version macro tidy-ups
• wolfssl: rename ML-KEM hybrids to match IETF draft
• write-out.md: header_json is not included the json object
• ws: avoid NULL pointer deref in curl_ws_recv

Further