Consolidate curl's patch files

Consolidate all of curl's patch files into a single file (one for each browser). The modified curl source code is now maintained in Git (at https://github.com/lwthiker/curl) and it is easier to just generate the needed patch with 'git --diff'.
2025-08-08 04:42:26 +00:00 · 2022-02-25 22:27:03 +02:00
parent 0f7b39a367
commit 46d5d21941
11 changed files with 391 additions and 273 deletions
--- a/chrome/patches/curl-configure.patch
+++ b/chrome/patches/curl-configure.patch
@@ -1,17 +0,0 @@
 --- curl-7.81.0-original/configure.ac	2022-01-03 18:36:46.000000000 +0200
 +++ curl-7.81.0/configure.ac	2022-02-17 13:40:02.248497926 +0200
@@ -2575,3 +2575,3 @@
     LIB_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-l libnghttp2`
 +      $PKGCONFIG --static --libs-only-l libnghttp2`
     AC_MSG_NOTICE([-l is $LIB_H2])
@@ -2579,3 +2579,3 @@
     CPP_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path]) dnl
 -      $PKGCONFIG --cflags-only-I libnghttp2`
 +      $PKGCONFIG --static --cflags-only-I libnghttp2`
     AC_MSG_NOTICE([-I is $CPP_H2])
@@ -2583,3 +2583,3 @@
     LD_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-L libnghttp2`
 +      $PKGCONFIG --static --libs-only-L libnghttp2`
     AC_MSG_NOTICE([-L is $LD_H2])
--- a/chrome/patches/curl-http-h.patch
+++ b/chrome/patches/curl-http-h.patch
@@ -1,8 +0,0 @@
 --- curl-7.81.0-original/lib/http.h	2022-01-03 18:36:46.000000000 +0200
 +++ curl-7.81.0/lib/http.h	2022-02-19 00:44:48.347052308 +0200
@@ -280,3 +280,4 @@
   /* list of settings that will be sent */
 -  nghttp2_settings_entry local_settings[3];
 +  /* curl-impersonate: Align HTTP/2 settings to Chrome's */
 +  nghttp2_settings_entry local_settings[5];
   size_t local_settings_num;
--- a/chrome/patches/curl-http2-c.patch
+++ b/chrome/patches/curl-http2-c.patch
@@ -1,80 +0,0 @@
 --- curl-7.81.0-original/lib/http2.c	2022-01-03 18:36:46.000000000 +0200
 +++ curl-7.81.0/lib/http2.c	2022-02-19 00:43:56.613992732 +0200
@@ -43,2 +43,3 @@
 #include "memdebug.h"
 +#include "rand.h"
@@ -1195,12 +1196,23 @@
 -  iv[0].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS;
 -  iv[0].value = Curl_multi_max_concurrent_streams(data->multi);
 +  /* curl-impersonate: Align HTTP/2 settings to Chrome's */
 +  iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
 +  iv[0].value = 0x10000;
 +
 +  iv[1].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS;
 +  iv[1].value = Curl_multi_max_concurrent_streams(data->multi);
 +
 +  iv[2].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
 +  iv[2].value = 0x600000;
 +
 +  iv[3].settings_id = NGHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE;
 +  iv[3].value = 0x40000;
 +
 +  // iv[2].settings_id = NGHTTP2_SETTINGS_ENABLE_PUSH;
 +  // iv[2].value = data->multi->push_cb != NULL;
 +  
 +  // Looks like random setting set by Chrome, maybe similar to TLS GREASE. */
 +  Curl_rand(data, (unsigned char *)&iv[4].settings_id, sizeof(iv[4].settings_id));
 +  Curl_rand(data, (unsigned char *)&iv[4].value, sizeof(iv[4].value));
 -  iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
 -  iv[1].value = HTTP2_HUGE_WINDOW_SIZE;
 -
 -  iv[2].settings_id = NGHTTP2_SETTINGS_ENABLE_PUSH;
 -  iv[2].value = data->multi->push_cb != NULL;
 -
 -  httpc->local_settings_num = 3;
 +  httpc->local_settings_num = 5;
 }
@@ -1820,3 +1832,4 @@
    field list. */
 -#define AUTHORITY_DST_IDX 3
 +/* curl-impersonate: Put the ":authority" header in the first place. */
 +#define AUTHORITY_DST_IDX 1
@@ -2034,8 +2047,9 @@
     goto fail;
 -  nva[1].name = (unsigned char *)":path";
 -  nva[1].namelen = strlen((char *)nva[1].name);
 -  nva[1].value = (unsigned char *)hdbuf;
 -  nva[1].valuelen = (size_t)(end - hdbuf);
 -  nva[1].flags = NGHTTP2_NV_FLAG_NONE;
 -  if(HEADER_OVERFLOW(nva[1])) {
 +  /* curl-impersonate: Switch the places of ":path" and ":scheme". */
 +  nva[2].name = (unsigned char *)":path";
 +  nva[2].namelen = strlen((char *)nva[2].name);
 +  nva[2].value = (unsigned char *)hdbuf;
 +  nva[2].valuelen = (size_t)(end - hdbuf);
 +  nva[2].flags = NGHTTP2_NV_FLAG_NONE;
 +  if(HEADER_OVERFLOW(nva[2])) {
     failf(data, "Failed sending HTTP request: Header overflow");
@@ -2044,11 +2058,11 @@
 -  nva[2].name = (unsigned char *)":scheme";
 -  nva[2].namelen = strlen((char *)nva[2].name);
 +  nva[1].name = (unsigned char *)":scheme";
 +  nva[1].namelen = strlen((char *)nva[1].name);
   if(conn->handler->flags & PROTOPT_SSL)
 -    nva[2].value = (unsigned char *)"https";
 +    nva[1].value = (unsigned char *)"https";
   else
 -    nva[2].value = (unsigned char *)"http";
 -  nva[2].valuelen = strlen((char *)nva[2].value);
 -  nva[2].flags = NGHTTP2_NV_FLAG_NONE;
 -  if(HEADER_OVERFLOW(nva[2])) {
 +    nva[1].value = (unsigned char *)"http";
 +  nva[1].valuelen = strlen((char *)nva[1].value);
 +  nva[1].flags = NGHTTP2_NV_FLAG_NONE;
 +  if(HEADER_OVERFLOW(nva[1])) {
     failf(data, "Failed sending HTTP request: Header overflow");
--- a/chrome/patches/curl-http2-h.patch
+++ b/chrome/patches/curl-http2-h.patch
@@ -1,8 +0,0 @@
 --- curl-7.81.0-original/lib/http2.h	2021-12-10 09:40:37.000000000 +0200
 +++ curl-7.81.0/lib/http2.h	2022-02-19 00:45:53.440376589 +0200
@@ -31,3 +31,4 @@
    from the peer */
 -#define DEFAULT_MAX_CONCURRENT_STREAMS 100
 +/* curl-impersonate: Use 1000 concurrent streams like Chrome. */
 +#define DEFAULT_MAX_CONCURRENT_STREAMS 1000
--- a/chrome/patches/curl-impersonate.patch
+++ b/chrome/patches/curl-impersonate.patch
@@ -0,0 +1,293 @@
 diff --git a/configure.ac b/configure.ac
 index 63e320236..deb054300 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -2573,15 +2573,15 @@ if test X"$want_nghttp2" != Xno; then
   if test "$PKGCONFIG" != "no" ; then
     LIB_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-l libnghttp2`
 +      $PKGCONFIG --static --libs-only-l libnghttp2`
     AC_MSG_NOTICE([-l is $LIB_H2])
     CPP_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path]) dnl
 -      $PKGCONFIG --cflags-only-I libnghttp2`
 +      $PKGCONFIG --static --cflags-only-I libnghttp2`
     AC_MSG_NOTICE([-I is $CPP_H2])
     LD_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-L libnghttp2`
 +      $PKGCONFIG --static --libs-only-L libnghttp2`
     AC_MSG_NOTICE([-L is $LD_H2])
     LDFLAGS="$LDFLAGS $LD_H2"
 diff --git a/lib/http.h b/lib/http.h
 index b4aaba2a2..1cf65c4b1 100644
 --- a/lib/http.h
 +++ b/lib/http.h
@@ -278,7 +278,8 @@ struct http_conn {
   struct h2settings settings;
   /* list of settings that will be sent */
 -  nghttp2_settings_entry local_settings[3];
 +  /* curl-impersonate: Align HTTP/2 settings to Chrome's */
 +  nghttp2_settings_entry local_settings[5];
   size_t local_settings_num;
 #else
   int unused; /* prevent a compiler warning */
 diff --git a/lib/http2.c b/lib/http2.c
 index e74400a4c..33197df20 100644
 --- a/lib/http2.c
 +++ b/lib/http2.c
@@ -41,6 +41,7 @@
 #include "curl_printf.h"
 #include "curl_memory.h"
 #include "memdebug.h"
 +#include "rand.h"
 #define H2_BUFSIZE 32768
@@ -1193,16 +1194,27 @@ static void populate_settings(struct Curl_easy *data,
 {
   nghttp2_settings_entry *iv = httpc->local_settings;
 -  iv[0].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS;
 -  iv[0].value = Curl_multi_max_concurrent_streams(data->multi);
 +  /* curl-impersonate: Align HTTP/2 settings to Chrome's */
 +  iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
 +  iv[0].value = 0x10000;
 -  iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
 -  iv[1].value = HTTP2_HUGE_WINDOW_SIZE;
 +  iv[1].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS;
 +  iv[1].value = Curl_multi_max_concurrent_streams(data->multi);
 -  iv[2].settings_id = NGHTTP2_SETTINGS_ENABLE_PUSH;
 -  iv[2].value = data->multi->push_cb != NULL;
 +  iv[2].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
 +  iv[2].value = 0x600000;
 -  httpc->local_settings_num = 3;
 +  iv[3].settings_id = NGHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE;
 +  iv[3].value = 0x40000;
 +
 +  // iv[2].settings_id = NGHTTP2_SETTINGS_ENABLE_PUSH;
 +  // iv[2].value = data->multi->push_cb != NULL;
 +  
 +  // Looks like random setting set by Chrome, maybe similar to TLS GREASE. */
 +  Curl_rand(data, (unsigned char *)&iv[4].settings_id, sizeof(iv[4].settings_id));
 +  Curl_rand(data, (unsigned char *)&iv[4].value, sizeof(iv[4].value));
 +
 +  httpc->local_settings_num = 5;
 }
 void Curl_http2_done(struct Curl_easy *data, bool premature)
@@ -1818,7 +1830,8 @@ static ssize_t http2_recv(struct Curl_easy *data, int sockindex,
 /* Index where :authority header field will appear in request header
    field list. */
 -#define AUTHORITY_DST_IDX 3
 +/* curl-impersonate: Put the ":authority" header in the first place. */
 +#define AUTHORITY_DST_IDX 1
 /* USHRT_MAX is 65535 == 0xffff */
 #define HEADER_OVERFLOW(x) \
@@ -2032,25 +2045,26 @@ static ssize_t http2_send(struct Curl_easy *data, int sockindex,
   }
   if(!end || end == hdbuf)
     goto fail;
 -  nva[1].name = (unsigned char *)":path";
 -  nva[1].namelen = strlen((char *)nva[1].name);
 -  nva[1].value = (unsigned char *)hdbuf;
 -  nva[1].valuelen = (size_t)(end - hdbuf);
 -  nva[1].flags = NGHTTP2_NV_FLAG_NONE;
 -  if(HEADER_OVERFLOW(nva[1])) {
 +  /* curl-impersonate: Switch the places of ":path" and ":scheme". */
 +  nva[2].name = (unsigned char *)":path";
 +  nva[2].namelen = strlen((char *)nva[2].name);
 +  nva[2].value = (unsigned char *)hdbuf;
 +  nva[2].valuelen = (size_t)(end - hdbuf);
 +  nva[2].flags = NGHTTP2_NV_FLAG_NONE;
 +  if(HEADER_OVERFLOW(nva[2])) {
     failf(data, "Failed sending HTTP request: Header overflow");
     goto fail;
   }
 -  nva[2].name = (unsigned char *)":scheme";
 -  nva[2].namelen = strlen((char *)nva[2].name);
 +  nva[1].name = (unsigned char *)":scheme";
 +  nva[1].namelen = strlen((char *)nva[1].name);
   if(conn->handler->flags & PROTOPT_SSL)
 -    nva[2].value = (unsigned char *)"https";
 +    nva[1].value = (unsigned char *)"https";
   else
 -    nva[2].value = (unsigned char *)"http";
 -  nva[2].valuelen = strlen((char *)nva[2].value);
 -  nva[2].flags = NGHTTP2_NV_FLAG_NONE;
 -  if(HEADER_OVERFLOW(nva[2])) {
 +    nva[1].value = (unsigned char *)"http";
 +  nva[1].valuelen = strlen((char *)nva[1].value);
 +  nva[1].flags = NGHTTP2_NV_FLAG_NONE;
 +  if(HEADER_OVERFLOW(nva[1])) {
     failf(data, "Failed sending HTTP request: Header overflow");
     goto fail;
   }
 diff --git a/lib/http2.h b/lib/http2.h
 index d6986d97f..fa5c90e7f 100644
 --- a/lib/http2.h
 +++ b/lib/http2.h
@@ -29,7 +29,8 @@
 /* value for MAX_CONCURRENT_STREAMS we use until we get an updated setting
    from the peer */
 -#define DEFAULT_MAX_CONCURRENT_STREAMS 100
 +/* curl-impersonate: Use 1000 concurrent streams like Chrome. */
 +#define DEFAULT_MAX_CONCURRENT_STREAMS 1000
 /*
  * Store nghttp2 version info in this buffer.
 diff --git a/lib/multi.c b/lib/multi.c
 index f8dcc63b4..e6b728592 100644
 --- a/lib/multi.c
 +++ b/lib/multi.c
@@ -393,7 +393,8 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */
   /* -1 means it not set by user, use the default value */
   multi->maxconnects = -1;
 -  multi->max_concurrent_streams = 100;
 +  /* curl-impersonate: Use 1000 concurrent streams like Chrome. */
 +  multi->max_concurrent_streams = 1000;
   multi->ipv6_works = Curl_ipv6works(NULL);
 #ifdef USE_WINSOCK
 diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 index f836c63b0..5c562549f 100644
 --- a/lib/vtls/openssl.c
 +++ b/lib/vtls/openssl.c
@@ -76,6 +76,8 @@
 #include <openssl/buffer.h>
 #include <openssl/pkcs12.h>
 +#include <brotli/decode.h>
 +
 #ifdef USE_AMISSL
 #include "amigaos.h"
 #endif
@@ -2629,6 +2631,31 @@ static CURLcode load_cacert_from_memory(SSL_CTX *ctx,
   return (count > 0 ? CURLE_OK : CURLE_SSL_CACERT_BADFILE);
 }
 +/* Taken from Chromium and adapted to C,
 + * see net/ssl/cert_compression.cc
 + */
 +int DecompressBrotliCert(SSL* ssl,
 +                         CRYPTO_BUFFER** out,
 +                         size_t uncompressed_len,
 +                         const uint8_t* in,
 +                         size_t in_len) {
 +  uint8_t* data;
 +  CRYPTO_BUFFER* decompressed = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
 +  if (!decompressed) {
 +    return 0;
 +  }
 +
 +  size_t output_size = uncompressed_len;
 +  if (BrotliDecoderDecompress(in_len, in, &output_size, data) !=
 +          BROTLI_DECODER_RESULT_SUCCESS ||
 +      output_size != uncompressed_len) {
 +    return 0;
 +  }
 +
 +  *out = decompressed;
 +  return 1;
 +}
 +
 static CURLcode ossl_connect_step1(struct Curl_easy *data,
                                    struct connectdata *conn, int sockindex)
 {
@@ -2767,7 +2794,10 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
   ctx_options = SSL_OP_ALL;
 #ifdef SSL_OP_NO_TICKET
 -  ctx_options |= SSL_OP_NO_TICKET;
 +  /* curl-impersonate patch.
 +   * Turn off SSL_OP_NO_TICKET, we want TLS extension 35 (session_ticket)
 +   * to be sent. */
 +  ctx_options &= ~SSL_OP_NO_TICKET;
 #endif
 #ifdef SSL_OP_NO_COMPRESSION
@@ -2821,8 +2851,11 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
   SSL_CTX_set_options(backend->ctx, ctx_options);
 #ifdef HAS_NPN
 +  /* curl-impersonate: Do not enable the NPN extension. */
 +  /*
   if(conn->bits.tls_enable_npn)
     SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data);
 +  */
 #endif
 #ifdef HAS_ALPN
@@ -2937,6 +2970,19 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
   }
 #endif
 +  /* curl-impersonate:
 +   * Configure BoringSSL to behave like Chrome. 
 +   * See Constructor of SSLContext at net/socket/ssl_client_socket_impl.cc
 +   * and SSLClientSocketImpl::Init()
 +   * in the Chromium's source code. */
 +
 +  /* Enable TLS GREASE. */
 +  SSL_CTX_set_grease_enabled(backend->ctx, 1);
 +
 +  /* Add support for TLS extension 27 - compress_certificate.
 +   * Add Brotli decompression. See Chromium net/ssl/cert_compression.cc */
 +  SSL_CTX_add_cert_compression_alg(backend->ctx,
 +          TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert);
 #if defined(USE_WIN32_CRYPTO)
   /* Import certificates from the Windows root certificate store if requested.
@@ -3236,6 +3282,41 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
   SSL_set_connect_state(backend->handle);
 +#ifdef USE_HTTP2
 +  /* curl-impersonate: This adds the ALPS extension (17513).
 +   * Chromium calls this function as well in SSLClientSocketImpl::Init().
 +   * The 4th parameter is called "settings", and I don't know what it
 +   * should contain. For now, use an empty string. */
 +  SSL_add_application_settings(backend->handle, "h2", 2, NULL, 0);
 +#endif
 +
 +  SSL_set_options(backend->handle,
 +      SSL_OP_LEGACY_SERVER_CONNECT);
 +  SSL_set_mode(backend->handle,
 +      SSL_MODE_CBC_RECORD_SPLITTING | SSL_MODE_ENABLE_FALSE_START);
 +
 +  /* curl-impersonate: Enable TLS extensions 5 - status_request and
 +   * 18 - signed_certificate_timestamp. */
 +  SSL_enable_signed_cert_timestamps(backend->handle);
 +  SSL_enable_ocsp_stapling(backend->handle);
 +
 +  /* curl-impersonate: Some SSL settings copied over from Chrome. */
 +  SSL_set_shed_handshake_config(backend->handle, 1);
 +
 +  /* curl-impersonate: Set the signature algorithms.
 +   * (TLS extension 13).
 +   * See net/socket/ssl_client_socket_impl.cc in Chromium's source. */
 +  static const uint16_t kVerifyPrefs[] = {
 +    SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256,
 +    SSL_SIGN_RSA_PKCS1_SHA256,       SSL_SIGN_ECDSA_SECP384R1_SHA384,
 +    SSL_SIGN_RSA_PSS_RSAE_SHA384,    SSL_SIGN_RSA_PKCS1_SHA384,
 +    SSL_SIGN_RSA_PSS_RSAE_SHA512,    SSL_SIGN_RSA_PKCS1_SHA512,
 +  };
 +  if (!SSL_set_verify_algorithm_prefs(backend->handle, kVerifyPrefs,
 +              sizeof(kVerifyPrefs) / sizeof(kVerifyPrefs[0]))) {
 +    return CURLE_SSL_CIPHER;
 +  }
 +
   backend->server_cert = 0x0;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
   if((0 == Curl_inet_pton(AF_INET, hostname, &addr)) &&
--- a/chrome/patches/curl-multi-c.patch
+++ b/chrome/patches/curl-multi-c.patch
@@ -1,8 +0,0 @@
 --- curl-7.81.0-original/lib/multi.c	2022-01-03 18:36:46.000000000 +0200
 +++ curl-7.81.0/lib/multi.c	2022-02-18 22:43:54.939227658 +0200
@@ -395,3 +395,4 @@
   multi->maxconnects = -1;
 -  multi->max_concurrent_streams = 100;
 +  /* curl-impersonate: Use 1000 concurrent streams like Chrome. */
 +  multi->max_concurrent_streams = 1000;
   multi->ipv6_works = Curl_ipv6works(NULL);
--- a/chrome/patches/curl-openssl-c.patch
+++ b/chrome/patches/curl-openssl-c.patch
@@ -1,105 +0,0 @@
 --- curl-7.81.0-original/lib/vtls/openssl.c	2022-01-03 18:36:46.000000000 +0200
 +++ curl-7.81.0/lib/vtls/openssl.c	2022-02-18 20:02:23.559231773 +0200
@@ -78,2 +78,4 @@
 +#include <brotli/decode.h>
 +
 #ifdef USE_AMISSL
@@ -2631,2 +2633,27 @@
 +/* Taken from Chromium and adapted to C,
 + * see net/ssl/cert_compression.cc
 + */
 +int DecompressBrotliCert(SSL* ssl,
 +                         CRYPTO_BUFFER** out,
 +                         size_t uncompressed_len,
 +                         const uint8_t* in,
 +                         size_t in_len) {
 +  uint8_t* data;
 +  CRYPTO_BUFFER* decompressed = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
 +  if (!decompressed) {
 +    return 0;
 +  }
 +
 +  size_t output_size = uncompressed_len;
 +  if (BrotliDecoderDecompress(in_len, in, &output_size, data) !=
 +          BROTLI_DECODER_RESULT_SUCCESS ||
 +      output_size != uncompressed_len) {
 +    return 0;
 +  }
 +
 +  *out = decompressed;
 +  return 1;
 +}
 +
 static CURLcode ossl_connect_step1(struct Curl_easy *data,
@@ -2769,3 +2796,6 @@
 #ifdef SSL_OP_NO_TICKET
 -  ctx_options |= SSL_OP_NO_TICKET;
 +  /* curl-impersonate patch.
 +   * Turn off SSL_OP_NO_TICKET, we want TLS extension 35 (session_ticket)
 +   * to be sent. */
 +  ctx_options &= ~SSL_OP_NO_TICKET;
 #endif
@@ -2823,4 +2853,7 @@
 #ifdef HAS_NPN
 +  /* curl-impersonate: Do not enable the NPN extension. */
 +  /*
   if(conn->bits.tls_enable_npn)
     SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data);
 +  */
 #endif
@@ -2939,2 +2972,15 @@
 +  /* curl-impersonate:
 +   * Configure BoringSSL to behave like Chrome. 
 +   * See Constructor of SSLContext at net/socket/ssl_client_socket_impl.cc
 +   * and SSLClientSocketImpl::Init()
 +   * in the Chromium's source code. */
 +
 +  /* Enable TLS GREASE. */
 +  SSL_CTX_set_grease_enabled(backend->ctx, 1);
 +
 +  /* Add support for TLS extension 27 - compress_certificate.
 +   * Add Brotli decompression. See Chromium net/ssl/cert_compression.cc */
 +  SSL_CTX_add_cert_compression_alg(backend->ctx,
 +          TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert);
@@ -3238,2 +3284,37 @@
 +#ifdef USE_HTTP2
 +  /* curl-impersonate: This adds the ALPS extension (17513).
 +   * Chromium calls this function as well in SSLClientSocketImpl::Init().
 +   * The 4th parameter is called "settings", and I don't know what it
 +   * should contain. For now, use an empty string. */
 +  SSL_add_application_settings(backend->handle, "h2", 2, NULL, 0);
 +#endif
 +
 +  SSL_set_options(backend->handle,
 +      SSL_OP_LEGACY_SERVER_CONNECT);
 +  SSL_set_mode(backend->handle,
 +      SSL_MODE_CBC_RECORD_SPLITTING | SSL_MODE_ENABLE_FALSE_START);
 +
 +  /* curl-impersonate: Enable TLS extensions 5 - status_request and
 +   * 18 - signed_certificate_timestamp. */
 +  SSL_enable_signed_cert_timestamps(backend->handle);
 +  SSL_enable_ocsp_stapling(backend->handle);
 +
 +  /* curl-impersonate: Some SSL settings copied over from Chrome. */
 +  SSL_set_shed_handshake_config(backend->handle, 1);
 +
 +  /* curl-impersonate: Set the signature algorithms.
 +   * (TLS extension 13).
 +   * See net/socket/ssl_client_socket_impl.cc in Chromium's source. */
 +  static const uint16_t kVerifyPrefs[] = {
 +    SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256,
 +    SSL_SIGN_RSA_PKCS1_SHA256,       SSL_SIGN_ECDSA_SECP384R1_SHA384,
 +    SSL_SIGN_RSA_PSS_RSAE_SHA384,    SSL_SIGN_RSA_PKCS1_SHA384,
 +    SSL_SIGN_RSA_PSS_RSAE_SHA512,    SSL_SIGN_RSA_PKCS1_SHA512,
 +  };
 +  if (!SSL_set_verify_algorithm_prefs(backend->handle, kVerifyPrefs,
 +              sizeof(kVerifyPrefs) / sizeof(kVerifyPrefs[0]))) {
 +    return CURLE_SSL_CIPHER;
 +  }
 +
   backend->server_cert = 0x0;
--- a/firefox/patches/curl-configure.patch
+++ b/firefox/patches/curl-configure.patch
@@ -1,17 +0,0 @@
 --- curl-7.81.0-original/configure.ac	2022-01-03 18:36:46.000000000 +0200
 +++ curl-7.81.0/configure.ac	2022-02-17 13:40:02.248497926 +0200
@@ -2575,3 +2575,3 @@
     LIB_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-l libnghttp2`
 +      $PKGCONFIG --static --libs-only-l libnghttp2`
     AC_MSG_NOTICE([-l is $LIB_H2])
@@ -2579,3 +2579,3 @@
     CPP_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path]) dnl
 -      $PKGCONFIG --cflags-only-I libnghttp2`
 +      $PKGCONFIG --static --cflags-only-I libnghttp2`
     AC_MSG_NOTICE([-I is $CPP_H2])
@@ -2583,3 +2583,3 @@
     LD_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-L libnghttp2`
 +      $PKGCONFIG --static --libs-only-L libnghttp2`
     AC_MSG_NOTICE([-L is $LD_H2])
--- a/firefox/patches/curl-http2-c.patch
+++ b/firefox/patches/curl-http2-c.patch
@@ -1,8 +0,0 @@
 --- curl-7.81.0-original/lib/http2.c	2022-01-03 18:36:46.000000000 +0200
 +++ curl-7.81.0/lib/http2.c	2022-02-19 20:21:06.381022445 +0200
@@ -1820,3 +1820,4 @@
    field list. */
 -#define AUTHORITY_DST_IDX 3
 +/* curl-impersonate: Put the ":authority" header in the second place. */
 +#define AUTHORITY_DST_IDX 2
--- a/firefox/patches/curl-impersonate.patch
+++ b/firefox/patches/curl-impersonate.patch
@@ -1,10 +1,55 @@
--- curl-7.81.0-original/lib/vtls/nss.c	2022-01-03 18:36:46.000000000 +0200
+diff --git a/configure.ac b/configure.ac
-+++ curl-7.81.0/lib/vtls/nss.c	2022-02-18 07:47:17.612205091 +0200
+index 63e320236..deb054300 100644
-@@ -145,2 +145,3 @@
+--- a/configure.ac
 +++ b/configure.ac
@@ -2573,15 +2573,15 @@ if test X"$want_nghttp2" != Xno; then
   if test "$PKGCONFIG" != "no" ; then
     LIB_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-l libnghttp2`
 +      $PKGCONFIG --static --libs-only-l libnghttp2`
     AC_MSG_NOTICE([-l is $LIB_H2])
     CPP_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path]) dnl
 -      $PKGCONFIG --cflags-only-I libnghttp2`
 +      $PKGCONFIG --static --cflags-only-I libnghttp2`
     AC_MSG_NOTICE([-I is $CPP_H2])
     LD_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
 -      $PKGCONFIG --libs-only-L libnghttp2`
 +      $PKGCONFIG --static --libs-only-L libnghttp2`
     AC_MSG_NOTICE([-L is $LD_H2])
     LDFLAGS="$LDFLAGS $LD_H2"
 diff --git a/lib/http2.c b/lib/http2.c
 index e74400a4c..1f4d496f3 100644
 --- a/lib/http2.c
 +++ b/lib/http2.c
@@ -1818,7 +1818,8 @@ static ssize_t http2_recv(struct Curl_easy *data, int sockindex,
 /* Index where :authority header field will appear in request header
    field list. */
 -#define AUTHORITY_DST_IDX 3
 +/* curl-impersonate: Put the ":authority" header in the second place. */
 +#define AUTHORITY_DST_IDX 2
 /* USHRT_MAX is 65535 == 0xffff */
 #define HEADER_OVERFLOW(x) \
 diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
 index 2b44f0512..4c60797c7 100644
 --- a/lib/vtls/nss.c
 +++ b/lib/vtls/nss.c
@@ -143,6 +143,7 @@ static const struct cipher_s cipherlist[] = {
   {"dhe_dss_3des_sha",           SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA},
   {"dhe_rsa_des_sha",            SSL_DHE_RSA_WITH_DES_CBC_SHA},
   {"dhe_dss_des_sha",            SSL_DHE_DSS_WITH_DES_CBC_SHA},
 +  {"rsa_3des_ede_cbc_sha",       TLS_RSA_WITH_3DES_EDE_CBC_SHA},
   /* TLS 1.0: Exportable 56-bit Cipher Suites. */
-@@ -380,2 +381,91 @@
+   {"rsa_des_56_sha",             TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
   {"rsa_rc4_56_sha",             TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
@@ -378,6 +379,95 @@ static SECStatus set_ciphers(struct Curl_easy *data, PRFileDesc *model,
   return SECSuccess;
 }
 +/* See nsSSLIOLayerSetOptions@nsNSSIOLayer.cpp, Firefox source code */
 +const SSLNamedGroup named_groups[] = {
@@ -96,7 +141,11 @@
 +}
 +
 /*
-@@ -1322,2 +1412,20 @@
+  * Return true if at least one cipher-suite is enabled. Used to determine
  * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
@@ -1320,6 +1410,24 @@ static CURLcode nss_load_module(SECMODModule **pmod, const char *library,
   if(module)
     SECMOD_DestroyModule(module);
 +
 +  /* Patch for Ubuntu - add a "nss/" suffix to the library name */
@@ -117,7 +166,11 @@
 +    SECMOD_DestroyModule(module);
 +
   return CURLE_FAILED_INIT;
-@@ -1923,2 +2031,8 @@
+ }
@@ -1921,6 +2029,12 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
   if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
     goto error;
 +  if(SSL_SET_OPTION(primary.sessionid)) {
 +    if(SSL_OptionSet(model, SSL_ENABLE_SESSION_TICKETS,
@@ -126,7 +179,11 @@
 +  }
 +
   /* enable/disable the requested SSL version(s) */
-@@ -1962,2 +2076,10 @@
+   if(nss_init_sslver(&sslver, data, conn) != CURLE_OK)
     goto error;
@@ -1960,6 +2074,14 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
     }
   }
 +  if (set_named_groups(model) != SECSuccess ||
 +      set_additional_key_shares(model) != SECSuccess ||
@@ -137,16 +194,48 @@
 +  }
 +
   if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
-@@ -2115,2 +2237,6 @@
+     infof(data, "warning: ignoring value of ssl.verifyhost");
@@ -2113,6 +2235,10 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
     int cur = 0;
     unsigned char protocols[128];
 +    protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
 +    memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
 +    cur += ALPN_HTTP_1_1_LENGTH;
 +
 #ifdef USE_HTTP2
-@@ -2126,5 +2252,2 @@
+     if(data->state.httpwant >= CURL_HTTP_VERSION_2
 #ifndef CURL_DISABLE_PROXY
@@ -2124,9 +2250,6 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
       cur += ALPN_H2_LENGTH;
     }
 #endif
 -    protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
 -    memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
 -    cur += ALPN_HTTP_1_1_LENGTH;
     if(SSL_SetNextProtoNego(backend->handle, protocols, cur) != SECSuccess)
       goto error;
 diff --git a/m4/curl-nss.m4 b/m4/curl-nss.m4
 index 397ba71b1..abc09a91c 100644
 --- a/m4/curl-nss.m4
 +++ b/m4/curl-nss.m4
@@ -74,7 +74,7 @@ if test "x$OPT_NSS" != xno; then
       # Without pkg-config, we'll kludge in some defaults
       AC_MSG_WARN([Using hard-wired libraries and compilation flags for NSS.])
       addld="-L$OPT_NSS/lib"
 -      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4"
 +      addlib="-Wl,-Bstatic -Wl,--start-group -lssl -lnss_static -lpk11wrap_static -lcertdb -lcerthi -lsmime -lnsspki -lnssdev -lsoftokn_static -lfreebl_static -lsha-x86_c_lib -lgcm-aes-x86_c_lib -lhw-acc-crypto-avx -lhw-acc-crypto-avx2  -lnssutil -lnssb -lcryptohi -l:libplc4.a -l:libplds4.a -l:libnspr4.a -lsqlite -Wl,--end-group -Wl,-Bdynamic -pthread -ldl"
       addcflags="-I$OPT_NSS/include"
       version="unknown"
       nssprefix=$OPT_NSS
@@ -91,7 +91,7 @@ if test "x$OPT_NSS" != xno; then
     fi
     dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
 -    AC_CHECK_LIB(nss3, SSL_VersionRangeSet,
 +    AC_CHECK_LIB(nss_static, SSL_VersionRangeSet,
      [
      AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
      AC_SUBST(USE_NSS, [1])
--- a/firefox/patches/curl-static-libnss.patch
+++ b/firefox/patches/curl-static-libnss.patch
@@ -1,13 +0,0 @@
 diff -u1 -Nar curl-7.81.0-original/m4/curl-nss.m4 curl-7.81.0/m4/curl-nss.m4
 --- curl-7.81.0-original/m4/curl-nss.m4	2021-12-10 09:40:37.000000000 +0200
 +++ curl-7.81.0/m4/curl-nss.m4	2022-02-16 09:15:11.162546224 +0200
@@ -76,3 +76,3 @@
       addld="-L$OPT_NSS/lib"
 -      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4"
 +      addlib="-Wl,-Bstatic -Wl,--start-group -lssl -lnss_static -lpk11wrap_static -lcertdb -lcerthi -lsmime -lnsspki -lnssdev -lsoftokn_static -lfreebl_static -lsha-x86_c_lib -lgcm-aes-x86_c_lib -lhw-acc-crypto-avx -lhw-acc-crypto-avx2  -lnssutil -lnssb -lcryptohi -l:libplc4.a -l:libplds4.a -l:libnspr4.a -lsqlite -Wl,--end-group -Wl,-Bdynamic -pthread -ldl"
       addcflags="-I$OPT_NSS/include"
@@ -93,3 +93,3 @@
     dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
 -    AC_CHECK_LIB(nss3, SSL_VersionRangeSet,
 +    AC_CHECK_LIB(nss_static, SSL_VersionRangeSet,
      [