[Daniel's week] March 27, 2026

Daniel Stenberg daniel at haxx.se
Fri Mar 27 17:29:54 CET 2026


# March 27, 2026

What a week. Things moved forward. Fun and busy.

## Feature window

We opened the curl feature window this Saturday and there has been fierce 
activity this week to merge a series of pull requests with changes. The 
in-the-works RELEASE-NOTES currently lists eight changes and over one hundred 
thirty bugfixes.

## Dropping RTMP

For six months we have repeatedly mentioned that RTMP is going away in the 
next release. This week we finally removed the code and there is no more 
support for the suite of URL schemes the RTMP protocol used [1].

## NTLM

We have moved NTLM support over to opt-in [2]. Unless you specifically ask for 
it when you build curl, it will not build with support for this quirky old 
authentication method. We have also added complete “NTLM removal” in the 
deprecated document. Scheduled to happen in September unless someone makes a 
lot of noise about it.

## SMB

curl only ever supported SMB version one, which is old, deprecated and 
insecure. This protocol also goes opt-in now and is only enabled when 
explicitly told so when building curl. As an extra bonus, SMB requires NTLM to 
function so you need to enable that as well if you truly want SMB. This too is 
a warm-up for September 2026 when we plan to completely rip out support for 
this protocol from curl.

## local crypto

In our ongoing quest to remove code we don’t need, or perhaps don’t want, we 
fell over our crypto implementations this week. They are in-tree 
implementations for md4, md5 and sha256 to make it possible to build curl and 
use it without a TLS/crypto library - and still offer some of the features 
that need those algorithms.

Since building without TLS is such a rare thing these days and since the TLS 
libraries all provide these algorithms themselves, we have decided we want to 
get rid of our implementations and rather just say that if you want these 
features you need a TLS library. The plan is to drop the local implementations 
in October 2026. This gives everyone some time to figure out if you are 
affected and if so, what to do about it.
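
To find out whether an installed curl is affected by the RTMP, NTLM, SMB and local crypto changes described above, the `Protocols:` and `Features:` lines of `curl --version` can be audited. This is an added example, not part of the original email or of the curl project; the function name, the finding labels, the constructed sample outputs and the "no `SSL` feature means no TLS library" heuristic are assumptions.

```shell
#!/bin/sh
# Added example (not from the curl project): audit `curl --version` text for
# the support this email says was removed or made opt-in.

# Constructed sample outputs; version strings are placeholders.
SAMPLE_OLD='curl X.Y.Z (constructed) libcurl/X.Y.Z
Protocols: dict file ftp ftps http https rtmp rtmpe rtmps smb smbs smtp
Features: alt-svc AsynchDNS HSTS IPv6 Largefile NTLM SSL threadsafe'
SAMPLE_NOTLS='curl X.Y.Z (constructed) libcurl/X.Y.Z
Protocols: dict file ftp http
Features: AsynchDNS IPv6 Largefile'
SAMPLE_CLEAN='curl X.Y.Z (constructed) libcurl/X.Y.Z
Protocols: file ftp ftps http https
Features: alt-svc HSTS IPv6 Largefile SSL threadsafe'

# audit_curl_build TEXT: prints one finding per line; returns 0 only if none.
audit_curl_build() {
  protocols=$(printf '%s\n' "$1" | sed -n 's/^Protocols: *//p')
  features=$(printf '%s\n' "$1" | sed -n 's/^Features: *//p')
  hits=0
  has_tls=0
  for p in $protocols; do
    case $p in
      rtmp*)    echo "REMOVED  $p: RTMP schemes are gone from the next release"
                hits=$((hits + 1)) ;;
      smb|smbs) echo "OPT-IN   $p: SMBv1 only, full removal planned September 2026"
                hits=$((hits + 1)) ;;
    esac
  done
  for f in $features; do
    case $f in
      NTLM) echo "OPT-IN   NTLM: off unless requested at build time, removal scheduled"
            hits=$((hits + 1)) ;;
      SSL)  has_tls=1 ;;
    esac
  done
  # Heuristic (assumption): no SSL feature means no TLS library, so digests
  # come from the in-tree md4/md5/sha256 code due to be dropped October 2026.
  if [ "$has_tls" -eq 0 ]; then
    echo "NO-TLS   build relies on in-tree md4/md5/sha256"
    hits=$((hits + 1))
  fi
  [ "$hits" -eq 0 ]
}

# Demo on the constructed sample; on a real host pass "$(curl --version)".
audit_curl_build "$SAMPLE_OLD" || true
```

The non-zero return status on any finding makes the function usable as a gate in an image build or fleet inventory job.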

## emails

I received yet another “weird email” this week where someone asked me details 
about something I have no idea about and they contacted me probably because 
they found my email in the curl license that probably is shown somewhere in 
the product. As I made this latest email public I realized my official 
collection now has 100 emails and I wrote a blog post about it [3].

## Don’t trust, verify

It started out as a document [4] for curl on how you can verify that the curl 
you download is in fact the tarball made available by the project and that the 
tarball has only and exactly the correct contents, but as I did that I 
realized it could be worth also doing a blog post version [5] of the document 
just to help spread the message more widely.

Not only how users and consumers of curl can verify curl but it also details 
and enumerates a lot of what we verify when we work on curl and how we work 
hard to keep curl safe and secure.

It is hard and deliberate work. Security does not come by accident.

## Distro meeting

About fifteen persons joined the curl distro meeting 2026 on Thursday evening 
(my time), with representatives from some six, seven different distributions. 
There were some notable ones absent, but I was pleased to see the attendance 
and I think we had a good discussion and time well spent.

I talked briefly about where we are in the project right now and what to 
expect coming up soon, like the things going opt-in and what we have removed 
recently and plan to remove later this year. To keep everyone in the loop.

We talked about testing, release candidates, potential issues with running the 
test suite in parallel. Some time was spent on the QUIC and HTTP/3 situation, 
about how we got here and what’s in the tea leaves for the future.

All of us were there because we want curl to work smoothly for end users of 
these distros. We all share a common goal. A friendly and goal-oriented group 
of people.

## ECH on Debian

Samuel Henrique wrote a blog post about using curl with ECH on Debian [6]. ECH 
is Encrypted Client Hello and is a way to finally encrypt the target host name 
in TLS handshakes. curl has experimental support for this and support exists 
in the soon coming OpenSSL version 4, as well as in some of the other TLS 
backends curl supports.

## curl on a big screen

Jensen Huang (Nvidia CEO) did a presentation about something AI related and as 
a consequence I could do a screengrab with a very large curl command line 
installing software via a pipe to bash [7].

## Security

We received more than ten security reports this week, both via HackerOne but 
also several over email. One of the reports has been determined accurate and 
it will be published as a CVE in sync with the pending release. We strongly 
discourage users from sending us reports over email and instead use HackerOne 
for two primary reasons:

A) as a means for us to keep track of a large number of concurrent issues that 
each exists, transitions and is discussed independently of each other. That 
operation gets much more complicated over email. *In particular* when multiple 
issues are bundled into single emails.

B) to allow us to easily disclose and make public every single report 
(including the entire communication chain) once we have dealt with them. Email 
communication makes this much more complicated.

## Coming up

- another week of open feature window

## Links

[1] = https://daniel.haxx.se/blog/2026/03/21/bye-bye-rtmp/
[2] = https://daniel.haxx.se/blog/2026/03/22/ntlm-and-smb-go-opt-in/
[3] = https://daniel.haxx.se/blog/2026/03/25/one-hundred-weirdo-emails/
[4] = https://curl.se/docs/verify.html
[5] = https://daniel.haxx.se/blog/2026/03/26/dont-trust-verify/
[6] = https://samueloph.dev/blog/i-use-curl-with-ech-btw-in-debian/
[7] = https://mastodon.social/@bagder/116280705328672025

-- 

  / daniel.haxx.se

