When curl 8.19.0 ships in the beginning of March 2026, we have also added MQTTS; meaning MQTT done securely over TLS.
This bumps the number of supported transfer protocols to 29 not too long after the project turned 29 years old.
The 29 transfer protocols (or schemes) that curl supports in January 2026
libcurl backends as of now
What’s MQTT?
Wikipedia describes it as a lightweight, publish–subscribe, machine-to-machine network protocol for message queue/message queuing service. It is designed for connections with remote locations that have devices with resource constraints or limited network bandwidth, such as in the Internet of things (IoT). It must run over a transport protocol that provides ordered, lossless, bi-directional connections—typically, TCP/IP.
Coming protocol support reduction
If things go as planned, the number of supported protocols will decrease soon as we have RTMP scheduled for removal later in the spring of 2026.
The first kept curl git commit is dated December 29, 1999. That is the date of our source code import into SourceForge as I quite annoyingly decided to not keep the prior history. The three years of development and the commits that happened before that import date are therefore not included in this count.
These 20,000 commits have been done on 5,589 separate days, meaning 59% of all days since December 1999. It also means I have done an average of 2.1 commits per day since then.
The curl commits done before 2010 were not actually made with git, but with CVS. The curl source repository was converted to git when we switched hosting over to GitHub.
As of today, 1,431 separate individuals have authored commits merged into the curl source repository. 16 of us have made more than 100 commits. Five authors have written more than 1,000 commits. 941 of the authors only wrote a single commit (so far)!
The second-most curl committer by number of commits (Yang Tse) has almost 2,600 commits but he stopped being active already back in 2013.
My fellow top committers
The top-20 all time curl commit authors as of now:
Daniel Stenberg (20000 commits)
Yang Tse (2587 commits)
Viktor Szakats (2496 commits)
Steve Holme (1916 commits)
Dan Fandrich (1435 commits)
Stefan Eissing (941 commits)
Jay Satiro (773 commits)
Guenter Knauf (662 commits)
Gisle Vanem (498 commits)
Marc Hoersken (461 commits)
Marcel Raad (405 commits)
Patrick Monnerat (362 commits)
Kamil Dudka (255 commits)
Daniel Gustafsson (217 commits)
renovate[bot] (183 commits)
Tatsuhiro Tsujikawa (150 commits)
Michael Kaufmann (84 commits)
Alessandro Ghedini (83 commits)
Fabian Keil (77 commits)
Nick Zitzmann (70 commits)
Graphs
My share of the total amount of commits has been shrinking gradually since a long time and that is a good thing. It means we have awesome contributors and maintainers helping out. Not too far into the future I expect my share to go below 50%.
the number of commits done by the top-20 commit authors in curl over time
Number of commit authors in curl over time
Number of unique authors per month over time
Daniel’s share of authored commits over time
Future
These are my first 20,000 commits.
I have no plans to go anywhere. I have averaged at about 800 commits per year in the curl source code repository for the last 25 years. That would imply reaching 30,000 would take another 12.5 years, so about by mid 2038 or so. If I manage to keep up that speed. Feels distant.
In the curl project we have a long tradition of offering multiple optional backends for specific protocols. In this spirit we have added experimental support for a number of different HTTP/3 + QUIC backends over time. A while ago we dropped one of those experiments, the msh3 backend.
Today we cleanup even more and remove support for yet another backend: the OpenSSL-QUIC stack and we are now down to only supporting two different HTTP/3 alternatives: the ngtcp2 + nghttp3 combo or quiche. And out of those two, the quiche backend is still considered experimental.
The first release shipping with this change will be curl 8.19.0.
OpenSSL-QUIC
This is the QUIC stack implemented and provided by OpenSSL. To make matters a little complicated, this is a separate thing from the QUIC API that OpenSSL also offers. The first one is a full QUIC implementation, the second one is an API that is powerful enough to allow a separate QUIC implementation use OpenSSL for its cryptographic and TLS needs.
A quick recap how history unfolded
2019 – BoringSSL introduced an API for QUIC. QUIC implementations picked it up and it worked. A pull request was made for OpenSSL to allow them to provide the same API so that QUIC stacks all over could use OpenSSL.
2021 – OpenSSL eventually denied merging the pull-request and announced they would instead implement their own QUIC stack – that nobody had asked for.
2023 – OpenSSL 3.2 shipped with support for their own QUIC stack. It was broken in many ways.
2025: OpenSSL version 3.4.1 was released and now the QUIC stack worked decently. In OpenSSL 3.5.0 they announced a QUIC API that now finally allowed independent QUIC stacks to use OpenSSL.
Experimental
Skilled contributors added support for OpenSSL-QUIC to curl primarily to allow people using OpenSSL to still be able to use HTTP/3.
OpenSSL’s own QUIC implementation only reached experimental state in curl meaning that we explicitly and strongly discourage users from using it in production and reserve ourselves the right to change functionality and more between versions.
There are three reasons why it did not graduate from experimental and they are also the reasons why we think we are better off without offering support for it:
The API is lacking. We have communicated with the OpenSSL-QUIC team since even before the API first shipped and it still does not offer the knobs and controls we would like to make it a competitive QUIC alternative. We don’t feel they care much.
The performance is bad. And by bad I mean really bad. The leading QUIC implementation alternative ngtcp2 transfers data much faster in all benchmarks and comparisons. Sometimes up to a factor three difference.
The memory use is abysmal. The amount of more memory required to do transfers with OpenSSL-QUIC compared to ngtcp2 can reach a factortwenty.
A drawing
This makes the curl backend situation simpler in the HTTP/3 and QUIC department as the image below tries to show.
CVE-2025-15224: libssh key passphrase bypass without agent set
Changes
There are a few this time, mostly around dropping support for various dependencies:
drop support for VS2008 (Windows)
drop Windows CE / CeGCC support
drop support for GnuTLS < 3.6.5
gnutls: implement CURLOPT_CAINFO_BLOB
openssl: bump minimum OpenSSL version to 3.0.0
Bugfixes
See the release presentation video for a walk-through of some of the most important/interesting fixes done for this release, or go check out the full list in the changelog.
I am heading to FOSDEM again at the end of January. I go there every year and I have learned that there is a really sticker-happy audience there. The last few times I have been there, I have given away several thousands of curl stickers.
As I realized I did not actually have a few thousand stickers left, I had to restock. I consider stickers a fun and somewhat easy way to market the curl project. It helps us getting known and seen out there in the world.
The stickers are paid for by curl donations. Thanks to all of you who have donated!
This time I ordered the stickers from stickerapp.se. They have a rather fancy web UI editor and tools to make sure the stickers become exactly the way I want them. I believe the total order price was actually slightly cheaper than the previous provider I used.
I ordered five classic curl sticker designs and I introduced a new one. Here is the full set:
Six different curl stickers
Die cut curl logo 7.5cm x 2.8cm – the classic “small” curl logo sticker. (bottom left in the photo)
Die cut curl logo 10cm x 3.7cm – the slightly larger curl logo sticker. (top row in the photo)
Rounded rectangle 7.5cm x 4.1cm – yes we curl, the curl symbol and my face (mid left in the photo)
Oval 7.5cm x 4cm – with the curl logo (bottom right in the photo)
Round 2.5cm x 2.5 cm – small curl symbol. (in the middle of the photo). My favorite. Perfect for the backside of a phone. Fits perfectly in the logo on the lid of a Frame Work laptop.
Round 4cm x 4cm – curl symbol in a slightly larger round version. The new sticker variant in the set. (on the right side in the middle row in the photo)
The quality and feel of the products are next to identical to previous sticker orders. They look great!
I got 1,000 copies of each variant this time.
The logo
The official curl logo, the curl symbol, the colors and everything related is freely available and anyone is welcome to print their own stickers at will: https://curl.se/logo/
How to get one?
I bring curl stickers to all events I go to. Ask me!
There is no way to buy stickers from me or from the curl project. I encourage you to look me up and ask for one or a few. At FOSDEM I try to make sure the wolfSSL stand has plenty to hand out, since it is a fixed geographical point that might be easier to find than me.
