TLS: TLSv1.3 earlydata support for curl

Based on #14135, implement TLSv1.3 earlydata support for the curl command line, libcurl and its implementation in GnuTLS. If a known TLS session announces early data support, and the feature is enabled *and* it is not a "connect-only" transfer, delay the TLS handshake until the first request is being sent. - Add --tls-earldata as new boolean command line option for curl. - Add CURLSSLOPT_EARLYDATA to libcurl to enable use of the feature. - Add CURLINFO_EARLYDATA_SENT_T to libcurl, reporting the amount of bytes sent and accepted/rejected by the server. Implementation details: - store the ALPN protocol selected at the SSL session. - When reusing the session and enabling earlydata, use exactly that ALPN protocol for negoptiation with the server. When the sessions ALPN does not match the connections ALPN, earlydata will not be enabled. - Check that the server selected the correct ALPN protocol for an earlydata connect. If the server does not confirm or reports something different, the connect fails. - HTTP/2: delay sending the initial SETTINGS frames during connect, if not connect-only. Verification: - add test_02_32 to verify earlydata GET with nghttpx. - add test_07_70 to verify earlydata PUT with nghttpx. - add support in 'hx-download', 'hx-upload' clients for the feature Assisted-by: ad-chaos on github Closes #15211
2024-10-09 14:46:32 +02:00 · 2024-10-09 14:46:32 +02:00 · 962097b8dd
commit 962097b8dd
parent d0377f5a86
40 changed files with 899 additions and 134 deletions
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@ -281,6 +281,7 @@ DPAGES = \
  tftp-blksize.md \
  tftp-no-options.md \
  time-cond.md \
  tls-earlydata.md \
  tls-max.md \
  tls13-ciphers.md \
  tlsauthtype.md \
--- a/docs/cmdline-opts/tls-earlydata.md
+++ b/docs/cmdline-opts/tls-earlydata.md
@ -0,0 +1,41 @@
 ---
 c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 SPDX-License-Identifier: curl
 Long: tls-earlydata
 Help: Allow use of TLSv1.3 early data (0RTT)
 Protocols: TLS
 Added: 8.11.0
 Category: tls
 Multi: boolean
 See-also:
  - tlsv1.3
  - tls-max
 Example:
  - --tls-earlydata $URL
 ---
 # `--tls-earlydata`
 Enable the use of TLSv1.3 early data, also known as '0RTT' where possible.
 This has security implications for the requests sent that way.
 This option is used when curl is built to use GnuTLS.
 If a server supports this TLSv1.3 feature, and to what extent, is announced
 as part of the TLS "session" sent back to curl. Until curl has seen such
 a session in a previous request, early data cannot be used.
 When a new connection is initiated with a known TLSv1.3 session, and that
 session announced early data support, the first request on this connection is
 sent *before* the TLS handshake is complete. While the early data is also
 encrypted, it is not protected against replays. An attacker can send
 your early data to the server again and the server would accept it.
 If your request contacts a public server and only retrieves a file, there
 may be no harm in that. If the first request orders a refrigerator
 for you, it is probably not a good idea to use early data for it. curl
 cannot deduce what the security implications of your requests actually
 are and make this decision for you.
 **WARNING**: this option has security implications. See above for more
 details.
--- a/docs/libcurl/curl_easy_getinfo.md
+++ b/docs/libcurl/curl_easy_getinfo.md
@ -112,6 +112,11 @@ curl_easy_header(3) instead. See CURLINFO_CONTENT_TYPE(3)
 List of all known cookies. See CURLINFO_COOKIELIST(3)
 ## CURLINFO_EARLYDATA_SENT_T
 Amount of TLS early data sent (in number of bytes) when
 CURLSSLOPT_EARLYDATA is enabled.
 ## CURLINFO_EFFECTIVE_METHOD
 Last used HTTP method. See CURLINFO_EFFECTIVE_METHOD(3)
--- a/docs/libcurl/opts/CURLINFO_EARLYDATA_SENT_T.md
+++ b/docs/libcurl/opts/CURLINFO_EARLYDATA_SENT_T.md
@ -0,0 +1,75 @@
 ---
 c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 SPDX-License-Identifier: curl
 Title: CURLINFO_EARLYDATA_SENT_T
 Section: 3
 Source: libcurl
 See-also:
  - curl_easy_getinfo (3)
  - curl_easy_setopt (3)
 Protocol:
  - TLS
 TLS-backend:
  - GnuTLS
 Added-in: 8.11.0
 ---
 # NAME
 CURLINFO_EARLYDATA_SENT_T - get the number of bytes sent as TLS early data
 # SYNOPSIS
 ~~~c
 #include <curl/curl.h>
 CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_EARLYDATA_SENT_T,
                           curl_off_t *amount);
 ~~~
 # DESCRIPTION
 Pass a pointer to an *curl_off_t* to receive the total amount of bytes that
 were sent to the server as TLSv1.3 early data. When no TLS early
 data is used, this reports 0.
 TLS early data is only attempted when CURLSSLOPT_EARLYDATA is set for the
 transfer. In addition, it is only used by libcurl when a TLS session exists
 that announces support.
 The amount is **negative** when the sent data was rejected
 by the server. TLS allows a server that announces support for early data to
 reject any attempt to use it at its own discretion. When for example 127
 bytes had been sent, but were rejected, it reports -127 as the amount "sent".
 # %PROTOCOLS%
 # EXAMPLE
 ~~~c
 int main(void)
 {
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
    /* Perform the request */
    res = curl_easy_perform(curl);
    if(!res) {
      curl_off_t amount;
      res = curl_easy_getinfo(curl, CURLINFO_EARLYDATA_SENT_T, &amount);
      if(!res) {
        printf("TLS earlydata: %" CURL_FORMAT_CURL_OFF_T " bytes\n", amount);
      }
    }
  }
 }
 ~~~
 # %AVAILABILITY%
 # RETURN VALUE
 Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md
+++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md
@ -86,6 +86,15 @@ certificate that supports client authentication in the OS certificate store it
 could be a privacy violation and unexpected.
 (Added in 7.77.0)
 ## CURLSSLOPT_EARLYDATA
 Tell libcurl to try sending application data as TLS1.3 early data. This option
 is only supported for GnuTLS. This option works on a best effort basis,
 in cases when it wasn't possible to send early data the request is resent
 normally post-handshake.
 This option does not work when using QUIC.
 (Added in 8.11.0)
 # DEFAULT
 0
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@ -167,6 +167,7 @@ man_MANS =                                      \
  CURLOPT_DOH_SSL_VERIFYPEER.3                  \
  CURLOPT_DOH_SSL_VERIFYSTATUS.3                \
  CURLOPT_DOH_URL.3                             \
  CURLINFO_EARLYDATA_SENT_T.3                   \
  CURLOPT_ECH.3                                 \
  CURLOPT_EGDSOCKET.3                           \
  CURLOPT_ERRORBUFFER.3                         \
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@ -435,6 +435,7 @@ CURLINFO_COOKIELIST             7.14.1
 CURLINFO_DATA_IN                7.9.6
 CURLINFO_DATA_OUT               7.9.6
 CURLINFO_DOUBLE                 7.4.1
 CURLINFO_EARLYDATA_SENT_T       8.11.0
 CURLINFO_EFFECTIVE_METHOD       7.72.0
 CURLINFO_EFFECTIVE_URL          7.4
 CURLINFO_END                    7.9.6
@ -1054,6 +1055,7 @@ CURLSSLOPT_NATIVE_CA            7.71.0
 CURLSSLOPT_NO_PARTIALCHAIN      7.68.0
 CURLSSLOPT_NO_REVOKE            7.44.0
 CURLSSLOPT_REVOKE_BEST_EFFORT   7.70.0
 CURLSSLOPT_EARLYDATA            8.11.0
 CURLSSLSET_NO_BACKENDS          7.56.0
 CURLSSLSET_OK                   7.56.0
 CURLSSLSET_TOO_LATE             7.56.0
--- a/docs/options-in-versions
+++ b/docs/options-in-versions
@ -246,6 +246,7 @@
 --tftp-blksize                       7.20.0
 --tftp-no-options                    7.48.0
 --time-cond (-z)                     5.8
 --tls-earlydata                      8.11.0
 --tls-max                            7.54.0
 --tls13-ciphers                      7.61.0
 --tlsauthtype                        7.21.4
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@ -943,6 +943,9 @@ typedef enum {
   a client certificate for authentication. (Schannel) */
 #define CURLSSLOPT_AUTO_CLIENT_CERT (1<<5)
 /* If possible, send data using TLS 1.3 early data */
 #define CURLSSLOPT_EARLYDATA (1<<6)
 /* The default connection attempt delay in milliseconds for happy eyeballs.
   CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
   this value, keep them in sync. */
@ -2954,7 +2957,8 @@ typedef enum {
  CURLINFO_QUEUE_TIME_T     = CURLINFO_OFF_T + 65,
  CURLINFO_USED_PROXY       = CURLINFO_LONG + 66,
  CURLINFO_POSTTRANSFER_TIME_T = CURLINFO_OFF_T + 67,
-  CURLINFO_LASTONE          = 67
+  CURLINFO_EARLYDATA_SENT_T = CURLINFO_OFF_T + 68,
  CURLINFO_LASTONE          = 68
 } CURLINFO;
 /* CURLINFO_RESPONSE_CODE is the new name for the option previously known as
--- a/lib/cf-https-connect.c
+++ b/lib/cf-https-connect.c
@ -174,6 +174,7 @@ static CURLcode baller_connected(struct Curl_cfilter *cf,
 {
  struct cf_hc_ctx *ctx = cf->ctx;
  CURLcode result = CURLE_OK;
  int reply_ms;
  DEBUGASSERT(winner->cf);
  if(winner != &ctx->h3_baller)
@ -181,9 +182,15 @@ static CURLcode baller_connected(struct Curl_cfilter *cf,
  if(winner != &ctx->h21_baller)
    cf_hc_baller_reset(&ctx->h21_baller, data);
-  CURL_TRC_CF(data, cf, "connect+handshake %s: %dms, 1st data: %dms",
+  reply_ms = cf_hc_baller_reply_ms(winner, data);
-              winner->name, (int)Curl_timediff(Curl_now(), winner->started),
+  if(reply_ms >= 0)
-              cf_hc_baller_reply_ms(winner, data));
+    CURL_TRC_CF(data, cf, "connect+handshake %s: %dms, 1st data: %dms",
                winner->name, (int)Curl_timediff(Curl_now(), winner->started),
                reply_ms);
  else
    CURL_TRC_CF(data, cf, "deferred handshake %s: %dms",
                winner->name, (int)Curl_timediff(Curl_now(), winner->started));
  cf->next = winner->cf;
  winner->cf = NULL;
--- a/lib/getinfo.c
+++ b/lib/getinfo.c
@ -449,6 +449,9 @@ static CURLcode getinfo_offt(struct Curl_easy *data, CURLINFO info,
    *param_offt = data->conn ?
      data->conn->connection_id : data->state.recent_conn_id;
    break;
  case CURLINFO_EARLYDATA_SENT_T:
    *param_offt = data->progress.earlydata_sent;
    break;
  default:
    return CURLE_UNKNOWN_OPTION;
  }
--- a/lib/http2.c
+++ b/lib/http2.c
@ -789,8 +789,11 @@ static ssize_t send_callback(nghttp2_session *h2,
  (void)flags;
  DEBUGASSERT(data);
-  nwritten = Curl_bufq_write_pass(&ctx->outbufq, buf, blen,
+  if(!cf->connected)
-                                  nw_out_writer, cf, &result);
+    nwritten = Curl_bufq_write(&ctx->outbufq, buf, blen, &result);
  else
    nwritten = Curl_bufq_write_pass(&ctx->outbufq, buf, blen,
                                    nw_out_writer, cf, &result);
  if(nwritten < 0) {
    if(result == CURLE_AGAIN) {
      ctx->nw_out_blocked = 1;
@ -1898,6 +1901,11 @@ out:
                nghttp2_strerror(rv), rv);
    return CURLE_SEND_ERROR;
  }
  /* Defer flushing during the connect phase so that the SETTINGS and
   * other initial frames are sent together with the first request.
   * Unless we are 'connect_only' where the request will never come. */
  if(!cf->connected && !cf->conn->connect_only)
    return CURLE_OK;
  return nw_out_flush(cf, data);
 }
@ -2439,6 +2447,7 @@ static CURLcode cf_h2_connect(struct Curl_cfilter *cf,
  struct cf_h2_ctx *ctx = cf->ctx;
  CURLcode result = CURLE_OK;
  struct cf_call_data save;
  bool first_time = FALSE;
  if(cf->connected) {
    *done = TRUE;
@ -2460,11 +2469,14 @@ static CURLcode cf_h2_connect(struct Curl_cfilter *cf,
    result = cf_h2_ctx_open(cf, data);
    if(result)
      goto out;
    first_time = TRUE;
  }
-  result = h2_progress_ingress(cf, data, H2_CHUNK_SIZE);
+  if(!first_time) {
-  if(result)
+    result = h2_progress_ingress(cf, data, H2_CHUNK_SIZE);
-    goto out;
+    if(result)
      goto out;
  }
  /* Send out our SETTINGS and ACKs and such. If that blocks, we
   * have it buffered and  can count this filter as being connected */
--- a/lib/progress.c
+++ b/lib/progress.c
@ -381,6 +381,11 @@ void Curl_pgrsSetUploadSize(struct Curl_easy *data, curl_off_t size)
  }
 }
 void Curl_pgrsEarlyData(struct Curl_easy *data, curl_off_t sent)
 {
    data->progress.earlydata_sent = sent;
 }
 /* returns the average speed in bytes / second */
 static curl_off_t trspeed(curl_off_t size, /* number of bytes */
                          curl_off_t us)   /* microseconds */
--- a/lib/progress.h
+++ b/lib/progress.h
@ -69,6 +69,8 @@ timediff_t Curl_pgrsLimitWaitTime(struct pgrs_dir *d,
 void Curl_pgrsTimeWas(struct Curl_easy *data, timerid timer,
                      struct curltime timestamp);
 void Curl_pgrsEarlyData(struct Curl_easy *data, curl_off_t sent);
 #define PGRS_HIDE    (1<<4)
 #define PGRS_UL_SIZE_KNOWN (1<<5)
 #define PGRS_DL_SIZE_KNOWN (1<<6)
--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -2369,6 +2369,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
    data->set.ssl.revoke_best_effort = !!(arg & CURLSSLOPT_REVOKE_BEST_EFFORT);
    data->set.ssl.native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
    data->set.ssl.auto_client_cert = !!(arg & CURLSSLOPT_AUTO_CLIENT_CERT);
    data->set.ssl.earlydata = !!(arg & CURLSSLOPT_EARLYDATA);
    /* If a setting is added here it should also be added in dohprobe()
       which sets its own CURLOPT_SSL_OPTIONS based on these settings. */
    break;
--- a/lib/urldata.h
+++ b/lib/urldata.h
@ -324,6 +324,7 @@ struct ssl_config_data {
  char *key_passwd; /* plain text private key password */
  BIT(certinfo);     /* gather lots of certificate info */
  BIT(falsestart);
  BIT(earlydata);    /* use tls1.3 early data */
  BIT(enable_beast); /* allow this flaw for interoperability's sake */
  BIT(no_revoke);    /* disable SSL certificate revocation checks */
  BIT(no_partialchain); /* do not accept partial certificate chains */
@ -346,6 +347,7 @@ struct Curl_ssl_session {
  char *name;       /* hostname for which this ID was used */
  char *conn_to_host; /* hostname for the connection (may be NULL) */
  const char *scheme; /* protocol scheme used */
  char *alpn;         /* APLN TLS negotiated protocol string */
  void *sessionid;  /* as returned from the SSL layer */
  size_t idsize;    /* if known, otherwise 0 */
  Curl_ssl_sessionid_dtor *sessionid_free; /* free `sessionid` callback */
@ -1069,6 +1071,7 @@ struct Progress {
  struct pgrs_dir dl;
  curl_off_t current_speed; /* uses the currently fastest transfer */
  curl_off_t earlydata_sent;
  int width; /* screen width at download start */
  int flags; /* see progress.h */
--- a/lib/vtls/bearssl.c
+++ b/lib/vtls/bearssl.c
@ -613,7 +613,8 @@ static CURLcode bearssl_connect_step1(struct Curl_cfilter *cf,
    CURL_TRC_CF(data, cf, "connect_step1, check session cache");
    Curl_ssl_sessionid_lock(data);
-    if(!Curl_ssl_getsessionid(cf, data, &connssl->peer, &session, NULL)) {
+    if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
                              &session, NULL, NULL)) {
      br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
      session_set = 1;
      infof(data, "BearSSL: reusing session ID");
@ -823,7 +824,7 @@ static CURLcode bearssl_connect_step3(struct Curl_cfilter *cf,
    const char *proto;
    proto = br_ssl_engine_get_selected_protocol(&backend->ctx.eng);
-    Curl_alpn_set_negotiated(cf, data, (const unsigned char *)proto,
+    Curl_alpn_set_negotiated(cf, data, connssl, (const unsigned char *)proto,
                             proto ? strlen(proto) : 0);
  }
@ -835,7 +836,7 @@ static CURLcode bearssl_connect_step3(struct Curl_cfilter *cf,
      return CURLE_OUT_OF_MEMORY;
    br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
    Curl_ssl_sessionid_lock(data);
-    ret = Curl_ssl_set_sessionid(cf, data, &connssl->peer, session, 0,
+    ret = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL, session, 0,
                                 bearssl_session_free);
    Curl_ssl_sessionid_unlock(data);
    if(ret)
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@ -50,6 +50,7 @@
 #include "vauth/vauth.h"
 #include "parsedate.h"
 #include "connect.h" /* for the connect timeout */
 #include "progress.h"
 #include "select.h"
 #include "strcase.h"
 #include "warnless.h"
@ -284,7 +285,7 @@ static CURLcode handshake(struct Curl_cfilter *cf,
      }
      else if(0 == what) {
        if(nonblocking)
-          return CURLE_OK;
+          return CURLE_AGAIN;
        else if(timeout_ms) {
          /* timeout */
          failf(data, "SSL connection timeout at %ld", (long)timeout_ms);
@ -737,6 +738,9 @@ static CURLcode gtls_update_session_id(struct Curl_cfilter *cf,
    /* get the session ID data size */
    gnutls_session_get_data(session, NULL, &connect_idsize);
    if(!connect_idsize) /* gnutls does this for some version combinations */
      return CURLE_OK;
    connect_sessionid = malloc(connect_idsize); /* get a buffer for it */
    if(!connect_sessionid) {
      return CURLE_OUT_OF_MEMORY;
@ -750,6 +754,7 @@ static CURLcode gtls_update_session_id(struct Curl_cfilter *cf,
      Curl_ssl_sessionid_lock(data);
      /* store this session id, takes ownership */
      result = Curl_ssl_set_sessionid(cf, data, &connssl->peer,
                                      connssl->alpn_negotiated,
                                      connect_sessionid, connect_idsize,
                                      gtls_sessionid_free);
      Curl_ssl_sessionid_unlock(data);
@ -845,9 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
  init_flags |= GNUTLS_FORCE_CLIENT_CERT;
 #endif
-#if defined(GNUTLS_NO_TICKETS)
+#if defined(GNUTLS_NO_TICKETS_TLS12)
-  /* Disable TLS session tickets */
+    init_flags |= GNUTLS_NO_TICKETS_TLS12;
-  init_flags |= GNUTLS_NO_TICKETS;
+#elif defined(GNUTLS_NO_TICKETS)
  /* Disable TLS session tickets for non 1.3 connections */
  if((config->version != CURL_SSLVERSION_TLSv1_3) &&
     (config->version != CURL_SSLVERSION_DEFAULT))
    init_flags |= GNUTLS_NO_TICKETS;
 #endif
 #if defined(GNUTLS_NO_STATUS_REQUEST)
@ -1039,6 +1048,10 @@ CURLcode Curl_gtls_ctx_init(struct gtls_ctx *gctx,
                            void *ssl_user_data)
 {
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  struct ssl_connect_data *connssl = cf->ctx;
  gnutls_datum_t gtls_alpns[5];
  size_t gtls_alpns_count = 0;
  CURLcode result;
  DEBUGASSERT(gctx);
@ -1061,52 +1074,90 @@ CURLcode Curl_gtls_ctx_init(struct gtls_ctx *gctx,
    gnutls_session_set_keylog_function(gctx->session, keylog_callback);
  }
  /* convert the ALPN string from our arguments to a list of strings
   * that gnutls wants and will convert internally back to this very
   * string for sending to the server. nice. */
  if(alpn && alpn_len) {
    gnutls_datum_t alpns[5];
    size_t i, alen = alpn_len;
    unsigned char *s = (unsigned char *)alpn;
    unsigned char slen;
    for(i = 0; (i < ARRAYSIZE(alpns)) && alen; ++i) {
      slen = s[0];
      if(slen >= alen)
        return CURLE_FAILED_INIT;
      alpns[i].data = s + 1;
      alpns[i].size = slen;
      s += slen + 1;
      alen -= (size_t)slen + 1;
    }
    if(alen) /* not all alpn chars used, wrong format or too many */
        return CURLE_FAILED_INIT;
    if(i && gnutls_alpn_set_protocols(gctx->session,
                                      alpns, (unsigned int)i,
                                      GNUTLS_ALPN_MANDATORY)) {
      failf(data, "failed setting ALPN");
      return CURLE_SSL_CONNECT_ERROR;
    }
  }
  /* This might be a reconnect, so we check for a session ID in the cache
     to speed up things */
  if(conn_config->cache_session) {
    void *ssl_sessionid;
    size_t ssl_idsize;
-
+    char *session_alpn;
    Curl_ssl_sessionid_lock(data);
-    if(!Curl_ssl_getsessionid(cf, data, peer, &ssl_sessionid, &ssl_idsize)) {
+    if(!Curl_ssl_getsessionid(cf, data, peer,
                              &ssl_sessionid, &ssl_idsize, &session_alpn)) {
      /* we got a session id, use it! */
      int rc;
      rc = gnutls_session_set_data(gctx->session, ssl_sessionid, ssl_idsize);
      if(rc < 0)
        infof(data, "SSL failed to set session ID");
-      else
+      else {
        infof(data, "SSL reusing session ID (size=%zu)", ssl_idsize);
 #ifdef DEBUGBUILD
        if((ssl_config->earlydata || !!getenv("CURL_USE_EARLYDATA")) &&
 #else
        if(ssl_config->earlydata &&
 #endif
           !cf->conn->connect_only &&
           (gnutls_protocol_get_version(gctx->session) == GNUTLS_TLS1_3) &&
           Curl_alpn_contains_proto(connssl->alpn, session_alpn)) {
          connssl->earlydata_max =
            gnutls_record_get_max_early_data_size(gctx->session);
          if((!connssl->earlydata_max ||
              connssl->earlydata_max == 0xFFFFFFFFUL)) {
            /* Seems to be GnuTLS way to signal no EarlyData in session */
            CURL_TRC_CF(data, cf, "TLS session does not allow earlydata");
          }
          else {
            CURL_TRC_CF(data, cf, "TLS session allows %zu earlydata bytes, "
                        "reusing ALPN '%s'",
                        connssl->earlydata_max, session_alpn);
            connssl->earlydata_state = ssl_earlydata_use;
            connssl->state = ssl_connection_deferred;
            result = Curl_alpn_set_negotiated(cf, data, connssl,
                            (const unsigned char *)session_alpn,
                            session_alpn ? strlen(session_alpn) : 0);
            if(result)
              return result;
            /* We only try the ALPN protocol the session used before,
             * otherwise we might send early data for the wrong protocol */
            gtls_alpns[0].data = (unsigned char *)session_alpn;
            gtls_alpns[0].size = (unsigned)strlen(session_alpn);
            gtls_alpns_count = 1;
          }
        }
      }
    }
    Curl_ssl_sessionid_unlock(data);
  }
  /* convert the ALPN string from our arguments to a list of strings
   * that gnutls wants and will convert internally back to this very
   * string for sending to the server. nice. */
  if(!gtls_alpns_count && alpn && alpn_len) {
    size_t i, alen = alpn_len;
    unsigned char *s = (unsigned char *)alpn;
    unsigned char slen;
    for(i = 0; (i < ARRAYSIZE(gtls_alpns)) && alen; ++i) {
      slen = s[0];
      if(slen >= alen)
        return CURLE_FAILED_INIT;
      gtls_alpns[i].data = s + 1;
      gtls_alpns[i].size = slen;
      s += slen + 1;
      alen -= (size_t)slen + 1;
    }
    if(alen) /* not all alpn chars used, wrong format or too many */
        return CURLE_FAILED_INIT;
    gtls_alpns_count = i;
  }
  if(gtls_alpns_count &&
     gnutls_alpn_set_protocols(gctx->session,
                               gtls_alpns, (unsigned int)gtls_alpns_count,
                               GNUTLS_ALPN_MANDATORY)) {
    failf(data, "failed setting ALPN");
    return CURLE_SSL_CONNECT_ERROR;
  }
  return CURLE_OK;
 }
@ -1141,6 +1192,11 @@ gtls_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
  if(result)
    return result;
  if(connssl->alpn && (connssl->state != ssl_connection_deferred)) {
    Curl_alpn_to_proto_str(&proto, connssl->alpn);
    infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
  }
  gnutls_handshake_set_hook_function(backend->gtls.session,
                                     GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST,
                                     gtls_handshake_cb);
@ -1675,17 +1731,6 @@ static CURLcode gtls_verifyserver(struct Curl_cfilter *cf,
  if(result)
    goto out;
  if(connssl->alpn) {
    gnutls_datum_t proto;
    int rc;
    rc = gnutls_alpn_get_selected_protocol(session, &proto);
    if(rc == 0)
      Curl_alpn_set_negotiated(cf, data, proto.data, proto.size);
    else
      Curl_alpn_set_negotiated(cf, data, NULL, 0);
  }
  /* Only on TLSv1.2 or lower do we have the session id now. For
   * TLSv1.3 we get it via a SESSION_TICKET message that arrives later. */
  if(gnutls_protocol_get_version(session) < GNUTLS_TLS1_3)
@ -1695,6 +1740,70 @@ out:
  return result;
 }
 static CURLcode gtls_set_earlydata(struct Curl_cfilter *cf,
                                   struct Curl_easy *data,
                                   const void *buf, size_t blen)
 {
  struct ssl_connect_data *connssl = cf->ctx;
  ssize_t nwritten = 0;
  CURLcode result = CURLE_OK;
  DEBUGASSERT(connssl->earlydata_state == ssl_earlydata_use);
  DEBUGASSERT(Curl_bufq_is_empty(&connssl->earlydata));
  if(blen) {
    if(blen > connssl->earlydata_max)
      blen = connssl->earlydata_max;
    nwritten = Curl_bufq_write(&connssl->earlydata, buf, blen, &result);
    CURL_TRC_CF(data, cf, "gtls_set_earlydata(len=%zu) -> %zd",
                blen, nwritten);
    if(nwritten < 0)
      return result;
  }
  connssl->earlydata_state = ssl_earlydata_sending;
  connssl->earlydata_skip = Curl_bufq_len(&connssl->earlydata);
  return CURLE_OK;
 }
 static CURLcode gtls_send_earlydata(struct Curl_cfilter *cf,
                                    struct Curl_easy *data)
 {
  struct ssl_connect_data *connssl = cf->ctx;
  struct gtls_ssl_backend_data *backend =
      (struct gtls_ssl_backend_data *)connssl->backend;
  CURLcode result = CURLE_OK;
  const unsigned char *buf;
  size_t blen;
  ssize_t n;
  DEBUGASSERT(connssl->earlydata_state == ssl_earlydata_sending);
  backend->gtls.io_result = CURLE_OK;
  while(Curl_bufq_peek(&connssl->earlydata, &buf, &blen)) {
    n = gnutls_record_send_early_data(backend->gtls.session, buf, blen);
    CURL_TRC_CF(data, cf, "gtls_send_earlydata(len=%zu) -> %zd",
                blen, n);
    if(n < 0) {
      if(n == GNUTLS_E_AGAIN)
        result = CURLE_AGAIN;
      else
        result = backend->gtls.io_result ?
                 backend->gtls.io_result : CURLE_SEND_ERROR;
      goto out;
    }
    else if(!n) {
      /* gnutls is buggy, it *SHOULD* return the amount of bytes it took in.
       * Instead it returns 0 if everything was written. */
      n = (ssize_t)blen;
    }
    Curl_bufq_skip(&connssl->earlydata, (size_t)n);
  }
  /* sent everything there was */
  infof(data, "SSL sending %" FMT_OFF_T " bytes of early data",
        connssl->earlydata_skip);
 out:
  return result;
 }
 /*
 * This function is called after the TCP connect has completed. Setup the TLS
 * layer and do all necessary magic.
@ -1708,46 +1817,89 @@ static CURLcode
 gtls_connect_common(struct Curl_cfilter *cf,
                    struct Curl_easy *data,
                    bool nonblocking,
-                    bool *done)
+                    bool *done) {
 {
  struct ssl_connect_data *connssl = cf->ctx;
-  CURLcode rc;
+  struct gtls_ssl_backend_data *backend =
      (struct gtls_ssl_backend_data *)connssl->backend;
  CURLcode result = CURLE_OK;
  DEBUGASSERT(backend);
  /* Initiate the connection, if not already done */
-  if(ssl_connect_1 == connssl->connecting_state) {
+  if(connssl->connecting_state == ssl_connect_1) {
-    rc = gtls_connect_step1(cf, data);
+    result = gtls_connect_step1(cf, data);
-    if(rc) {
+    if(result)
      result = rc;
      goto out;
-    }
+    connssl->connecting_state = ssl_connect_2;
  }
-  rc = handshake(cf, data, TRUE, nonblocking);
+  if(connssl->connecting_state == ssl_connect_2) {
-  if(rc) {
+    if(connssl->earlydata_state == ssl_earlydata_use) {
-    /* handshake() sets its own error message with failf() */
+      goto out;
-    result = rc;
+    }
-    goto out;
+    else if(connssl->earlydata_state == ssl_earlydata_sending) {
      result = gtls_send_earlydata(cf, data);
      if(result)
        goto out;
      connssl->earlydata_state = ssl_earlydata_sent;
      if(!Curl_ssl_cf_is_proxy(cf))
        Curl_pgrsEarlyData(data, (curl_off_t)connssl->earlydata_skip);
    }
    DEBUGASSERT((connssl->earlydata_state == ssl_earlydata_none) ||
                (connssl->earlydata_state == ssl_earlydata_sent));
    result = handshake(cf, data, TRUE, nonblocking);
    if(result)
      goto out;
    connssl->connecting_state = ssl_connect_3;
  }
  /* Finish connecting once the handshake is done */
-  if(ssl_connect_1 == connssl->connecting_state) {
+  if(connssl->connecting_state == ssl_connect_3) {
-    struct gtls_ssl_backend_data *backend =
+    gnutls_datum_t proto;
-      (struct gtls_ssl_backend_data *)connssl->backend;
+    int rc;
-    gnutls_session_t session;
+    result = gtls_verifyserver(cf, data, backend->gtls.session);
-    DEBUGASSERT(backend);
+    if(result)
    session = backend->gtls.session;
    rc = gtls_verifyserver(cf, data, session);
    if(rc) {
      result = rc;
      goto out;
-    }
+
    connssl->state = ssl_connection_complete;
    connssl->connecting_state = ssl_connect_1;
    rc = gnutls_alpn_get_selected_protocol(backend->gtls.session, &proto);
    if(rc) {  /* No ALPN from server */
      proto.data = NULL;
      proto.size = 0;
    }
    result = Curl_alpn_set_negotiated(cf, data, connssl,
                                      proto.data, proto.size);
    if(result)
      goto out;
    if(connssl->earlydata_state == ssl_earlydata_sent) {
      if(gnutls_session_get_flags(backend->gtls.session) &
         GNUTLS_SFLAGS_EARLY_DATA) {
        connssl->earlydata_state = ssl_earlydata_accepted;
        infof(data, "Server accepted %zu bytes of TLS early data.",
              connssl->earlydata_skip);
      }
      else {
        connssl->earlydata_state = ssl_earlydata_rejected;
        if(!Curl_ssl_cf_is_proxy(cf))
          Curl_pgrsEarlyData(data, -(curl_off_t)connssl->earlydata_skip);
        infof(data, "Server rejected TLS early data.");
        connssl->earlydata_skip = 0;
      }
    }
  }
 out:
-  *done = ssl_connect_1 == connssl->connecting_state;
+  if(result == CURLE_AGAIN) {
-
+    *done = FALSE;
    return CURLE_OK;
  }
  *done = ((connssl->connecting_state == ssl_connect_1) ||
           (connssl->state == ssl_connection_deferred));
  return result;
 }
@ -1755,6 +1907,12 @@ static CURLcode gtls_connect_nonblocking(struct Curl_cfilter *cf,
                                         struct Curl_easy *data,
                                         bool *done)
 {
  struct ssl_connect_data *connssl = cf->ctx;
  if(connssl->state == ssl_connection_deferred) {
    /* We refuse to be pushed, we are waiting for someone to send/recv. */
    *done = TRUE;
    return CURLE_OK;
  }
  return gtls_connect_common(cf, data, TRUE, done);
 }
@ -1773,6 +1931,26 @@ static CURLcode gtls_connect(struct Curl_cfilter *cf,
  return CURLE_OK;
 }
 static CURLcode gtls_connect_deferred(struct Curl_cfilter *cf,
                                      struct Curl_easy *data,
                                      const void *buf,
                                      size_t blen,
                                      bool *done)
 {
  struct ssl_connect_data *connssl = cf->ctx;
  CURLcode result = CURLE_OK;
  DEBUGASSERT(connssl->state == ssl_connection_deferred);
  *done = FALSE;
  if(connssl->earlydata_state == ssl_earlydata_use) {
    result = gtls_set_earlydata(cf, data, buf, blen);
    if(result)
      return result;
  }
  return gtls_connect_common(cf, data, TRUE, done);
 }
 static bool gtls_data_pending(struct Curl_cfilter *cf,
                              const struct Curl_easy *data)
 {
@ -1800,8 +1978,38 @@ static ssize_t gtls_send(struct Curl_cfilter *cf,
  ssize_t rc;
  size_t nwritten, total_written = 0;
  (void)data;
  DEBUGASSERT(backend);
  if(connssl->state == ssl_connection_deferred) {
    bool done = FALSE;
    *curlcode = gtls_connect_deferred(cf, data, buf, blen, &done);
    if(*curlcode) {
      rc = -1;
      goto out;
    }
    else if(!done) {
      *curlcode = CURLE_AGAIN;
      rc = -1;
      goto out;
    }
    DEBUGASSERT(connssl->state == ssl_connection_complete);
  }
  if(connssl->earlydata_skip) {
    if(connssl->earlydata_skip >= blen) {
      connssl->earlydata_skip -= blen;
      *curlcode = CURLE_OK;
      rc = (ssize_t)blen;
      goto out;
    }
    else {
      total_written += connssl->earlydata_skip;
      buf = ((const char *)buf) + connssl->earlydata_skip;
      blen -= connssl->earlydata_skip;
      connssl->earlydata_skip = 0;
    }
  }
  while(blen) {
    backend->gtls.io_result = CURLE_OK;
    rc = gnutls_record_send(backend->gtls.session, buf, blen);
@ -1848,7 +2056,9 @@ static CURLcode gtls_shutdown(struct Curl_cfilter *cf,
  size_t i;
  DEBUGASSERT(backend);
-  if(!backend->gtls.session || cf->shutdown) {
+   /* If we have no handshaked connection or already shut down */
  if(!backend->gtls.session || cf->shutdown ||
     connssl->state != ssl_connection_complete) {
    *done = TRUE;
    goto out;
  }
@ -1946,7 +2156,21 @@ static ssize_t gtls_recv(struct Curl_cfilter *cf,
  (void)data;
  DEBUGASSERT(backend);
-  backend->gtls.io_result = CURLE_OK;
+  if(connssl->state == ssl_connection_deferred) {
    bool done = FALSE;
    *curlcode = gtls_connect_deferred(cf, data, NULL, 0, &done);
    if(*curlcode) {
      ret = -1;
      goto out;
    }
    else if(!done) {
      *curlcode = CURLE_AGAIN;
      ret = -1;
      goto out;
    }
    DEBUGASSERT(connssl->state == ssl_connection_complete);
  }
  ret = gnutls_record_recv(backend->gtls.session, buf, buffersize);
  if((ret == GNUTLS_E_AGAIN) || (ret == GNUTLS_E_INTERRUPTED)) {
    *curlcode = CURLE_AGAIN;
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@ -877,7 +877,8 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
    void *old_session = NULL;
    Curl_ssl_sessionid_lock(data);
-    if(!Curl_ssl_getsessionid(cf, data, &connssl->peer, &old_session, NULL)) {
+    if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
                              &old_session, NULL, NULL)) {
      ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
      if(ret) {
        Curl_ssl_sessionid_unlock(data);
@ -1093,7 +1094,7 @@ pinnedpubkey_error:
  if(connssl->alpn) {
    const char *proto = mbedtls_ssl_get_alpn_protocol(&backend->ssl);
-    Curl_alpn_set_negotiated(cf, data, (const unsigned char *)proto,
+    Curl_alpn_set_negotiated(cf, data, connssl, (const unsigned char *)proto,
                             proto ? strlen(proto) : 0);
  }
 #endif
@ -1144,7 +1145,7 @@ mbed_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
    /* If there is already a matching session in the cache, delete it */
    Curl_ssl_sessionid_lock(data);
-    retcode = Curl_ssl_set_sessionid(cf, data, &connssl->peer,
+    retcode = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL,
                                     our_ssl_sessionid, 0,
                                     mbedtls_session_free);
    Curl_ssl_sessionid_unlock(data);
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -2914,7 +2914,7 @@ CURLcode Curl_ossl_add_session(struct Curl_cfilter *cf,
    }
    Curl_ssl_sessionid_lock(data);
-    result = Curl_ssl_set_sessionid(cf, data, peer, der_session_buf,
+    result = Curl_ssl_set_sessionid(cf, data, peer, NULL, der_session_buf,
                                    der_session_size, ossl_session_free);
    Curl_ssl_sessionid_unlock(data);
  }
@ -3973,7 +3973,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
  if(ssl_config->primary.cache_session && transport == TRNSPRT_TCP) {
    Curl_ssl_sessionid_lock(data);
    if(!Curl_ssl_getsessionid(cf, data, peer, (void **)&der_sessionid,
-      &der_sessionid_size)) {
+      &der_sessionid_size, NULL)) {
      /* we got a session id, use it! */
      ssl_session = d2i_SSL_SESSION(NULL, &der_sessionid,
        (long)der_sessionid_size);
@ -4377,7 +4377,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
      unsigned int len;
      SSL_get0_alpn_selected(octx->ssl, &neg_protocol, &len);
-      return Curl_alpn_set_negotiated(cf, data, neg_protocol, len);
+      return Curl_alpn_set_negotiated(cf, data, connssl, neg_protocol, len);
    }
 #endif
@ -4710,7 +4710,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
        bool incache;
        Curl_ssl_sessionid_lock(data);
        incache = !(Curl_ssl_getsessionid(cf, data, peer,
-                                          &old_ssl_sessionid, NULL));
+                                          &old_ssl_sessionid, NULL, NULL));
        if(incache) {
          infof(data, "Remove session ID again from cache");
          Curl_ssl_delsessionid(data, old_ssl_sessionid);
--- a/lib/vtls/rustls.c
+++ b/lib/vtls/rustls.c
@ -768,11 +768,12 @@ static void
 cr_set_negotiated_alpn(struct Curl_cfilter *cf, struct Curl_easy *data,
  const struct rustls_connection *rconn)
 {
  struct ssl_connect_data *const connssl = cf->ctx;
  const uint8_t *protocol = NULL;
  size_t len = 0;
  rustls_connection_get_alpn_protocol(rconn, &protocol, &len);
-  Curl_alpn_set_negotiated(cf, data, protocol, len);
+  Curl_alpn_set_negotiated(cf, data, connssl, protocol, len);
 }
 /* Given an established network connection, do a TLS handshake.
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@ -1130,7 +1130,7 @@ schannel_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
  if(ssl_config->primary.cache_session) {
    Curl_ssl_sessionid_lock(data);
    if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
-                              (void **)&old_cred, NULL)) {
+                              (void **)&old_cred, NULL, NULL)) {
      backend->cred = old_cred;
      DEBUGF(infof(data, "schannel: reusing existing credential handle"));
@ -1752,7 +1752,7 @@ schannel_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
       SecApplicationProtocolNegotiationStatus_Success) {
      unsigned char prev_alpn = cf->conn->alpn;
-      Curl_alpn_set_negotiated(cf, data, alpn_result.ProtocolId,
+      Curl_alpn_set_negotiated(cf, data, connssl, alpn_result.ProtocolId,
                               alpn_result.ProtocolIdSize);
      if(backend->recv_renegotiating) {
        if(prev_alpn != cf->conn->alpn &&
@ -1766,7 +1766,7 @@ schannel_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
    }
    else {
      if(!backend->recv_renegotiating)
-        Curl_alpn_set_negotiated(cf, data, NULL, 0);
+        Curl_alpn_set_negotiated(cf, data, connssl, NULL, 0);
    }
  }
 #endif
@ -1776,7 +1776,8 @@ schannel_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
    Curl_ssl_sessionid_lock(data);
    /* Up ref count since call takes ownership */
    backend->cred->refcount++;
-    result = Curl_ssl_set_sessionid(cf, data, &connssl->peer, backend->cred,
+    result = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL,
                                    backend->cred,
                                    sizeof(struct Curl_schannel_cred),
                                    schannel_session_free);
    Curl_ssl_sessionid_unlock(data);
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@ -1334,7 +1334,8 @@ static CURLcode sectransp_connect_step1(struct Curl_cfilter *cf,
    Curl_ssl_sessionid_lock(data);
    if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
-                              (void **)&ssl_sessionid, &ssl_sessionid_len)) {
+                              (void **)&ssl_sessionid, &ssl_sessionid_len,
                              NULL)) {
      /* we got a session id, use it! */
      err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
      Curl_ssl_sessionid_unlock(data);
@ -1362,8 +1363,8 @@ static CURLcode sectransp_connect_step1(struct Curl_cfilter *cf,
        return CURLE_SSL_CONNECT_ERROR;
      }
-      result = Curl_ssl_set_sessionid(cf, data, &connssl->peer, ssl_sessionid,
+      result = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL,
-                                      ssl_sessionid_len,
+                                      ssl_sessionid, ssl_sessionid_len,
                                      sectransp_session_free);
      Curl_ssl_sessionid_unlock(data);
      if(result)
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@ -454,6 +454,7 @@ static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
    return NULL;
  ctx->alpn = alpn;
  Curl_bufq_init2(&ctx->earlydata, CURL_SSL_EARLY_MAX, 1, BUFQ_OPT_NO_SPARES);
  ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
  if(!ctx->backend) {
    free(ctx);
@ -465,6 +466,8 @@ static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
 static void cf_ctx_free(struct ssl_connect_data *ctx)
 {
  if(ctx) {
    Curl_safefree(ctx->alpn_negotiated);
    Curl_bufq_free(&ctx->earlydata);
    free(ctx->backend);
    free(ctx);
  }
@ -527,7 +530,8 @@ bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
                           struct Curl_easy *data,
                           const struct ssl_peer *peer,
                           void **ssl_sessionid,
-                           size_t *idsize) /* set 0 if unknown */
+                           size_t *idsize, /* set 0 if unknown */
                           char **palpn)
 {
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
@ -537,6 +541,8 @@ bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
  bool no_match = TRUE;
  *ssl_sessionid = NULL;
  if(palpn)
    *palpn = NULL;
  if(!ssl_config)
    return TRUE;
@ -575,6 +581,8 @@ bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
      *ssl_sessionid = check->sessionid;
      if(idsize)
        *idsize = check->idsize;
      if(palpn)
        *palpn = check->alpn;
      no_match = FALSE;
      break;
    }
@ -605,6 +613,7 @@ void Curl_ssl_kill_session(struct Curl_ssl_session *session)
    Curl_safefree(session->name);
    Curl_safefree(session->conn_to_host);
    Curl_safefree(session->alpn);
  }
 }
@ -628,6 +637,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
 CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
                                struct Curl_easy *data,
                                const struct ssl_peer *peer,
                                const char *alpn,
                                void *ssl_sessionid,
                                size_t idsize,
                                Curl_ssl_sessionid_dtor *sessionid_free_cb)
@ -639,6 +649,7 @@ CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
  long oldest_age;
  char *clone_host = NULL;
  char *clone_conn_to_host = NULL;
  char *clone_alpn = NULL;
  int conn_to_port;
  long *general_age;
  void *old_sessionid;
@ -653,7 +664,7 @@ CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
    return CURLE_OK;
  }
-  if(!Curl_ssl_getsessionid(cf, data, peer, &old_sessionid, &old_size)) {
+  if(!Curl_ssl_getsessionid(cf, data, peer, &old_sessionid, &old_size, NULL)) {
    if((old_size == idsize) &&
       ((old_sessionid == ssl_sessionid) ||
        (idsize && !memcmp(old_sessionid, ssl_sessionid, idsize)))) {
@ -679,6 +690,10 @@ CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
      goto out;
  }
  clone_alpn = alpn ? strdup(alpn) : NULL;
  if(alpn && !clone_alpn)
    goto out;
  if(cf->conn->bits.conn_to_port)
    conn_to_port = cf->conn->conn_to_port;
  else
@ -727,6 +742,8 @@ CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
  store->conn_to_host = clone_conn_to_host; /* clone connect to hostname */
  clone_conn_to_host = NULL;
  store->conn_to_port = conn_to_port; /* connect to port number */
  store->alpn = clone_alpn;
  clone_alpn = NULL;
  /* port number */
  store->remote_port = peer->port;
  store->scheme = cf->conn->handler->scheme;
@ -737,6 +754,7 @@ CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
 out:
  free(clone_host);
  free(clone_conn_to_host);
  free(clone_alpn);
  if(result) {
    failf(data, "Failed to add Session ID to cache for %s://%s:%d [%s]",
          store->scheme, store->name, store->remote_port,
@ -1716,7 +1734,9 @@ static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
  if(!result && *done) {
    cf->connected = TRUE;
    connssl->handshake_done = Curl_now();
-    DEBUGASSERT(connssl->state == ssl_connection_complete);
+    /* Connection can be deferred when sending early data */
    DEBUGASSERT(connssl->state == ssl_connection_complete ||
                connssl->state == ssl_connection_deferred);
  }
 out:
  CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
@ -2219,11 +2239,25 @@ CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
  return CURLE_OK;
 }
 bool Curl_alpn_contains_proto(const struct alpn_spec *spec,
                              const char *proto)
 {
  size_t i, plen = proto ? strlen(proto) : 0;
  for(i = 0; spec && plen && i < spec->count; ++i) {
    size_t slen = strlen(spec->entries[i]);
    if((slen == plen) && !memcmp(proto, spec->entries[i], plen))
      return TRUE;
  }
  return FALSE;
 }
 CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
                                  struct Curl_easy *data,
                                  struct ssl_connect_data *connssl,
                                  const unsigned char *proto,
                                  size_t proto_len)
 {
  CURLcode result = CURLE_OK;
  unsigned char *palpn =
 #ifndef CURL_DISABLE_PROXY
    (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf)) ?
@ -2233,6 +2267,45 @@ CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
 #endif
    ;
  if(connssl->alpn_negotiated) {
    /* When we ask for a specific ALPN protocol, we need the confirmation
     * of it by the server, as we have installed protocol handler and
     * connection filter chain for exactly this protocol. */
    if(!proto_len) {
      failf(data, "ALPN: asked for '%s' from previous session, "
            "but server did not confirm it. Refusing to continue.",
            connssl->alpn_negotiated);
      result = CURLE_SSL_CONNECT_ERROR;
      goto out;
    }
    else if((strlen(connssl->alpn_negotiated) != proto_len) ||
            memcmp(connssl->alpn_negotiated, proto, proto_len)) {
      failf(data, "ALPN: asked for '%s' from previous session, but server "
            "selected '%.*s'. Refusing to continue.",
            connssl->alpn_negotiated, (int)proto_len, proto);
      result = CURLE_SSL_CONNECT_ERROR;
      goto out;
    }
    /* ALPN is exactly what we asked for, done. */
    infof(data, "ALPN: server confirmed to use '%s'",
          connssl->alpn_negotiated);
    goto out;
  }
  if(proto && proto_len) {
    if(memchr(proto, '\0', proto_len)) {
      failf(data, "ALPN: server selected protocol contains NUL. "
            "Refusing to continue.");
      result = CURLE_SSL_CONNECT_ERROR;
      goto out;
    }
    connssl->alpn_negotiated = malloc(proto_len + 1);
    if(!connssl->alpn_negotiated)
      return CURLE_OUT_OF_MEMORY;
    memcpy(connssl->alpn_negotiated, proto, proto_len);
    connssl->alpn_negotiated[proto_len] = 0;
  }
  if(proto && proto_len) {
    if(proto_len == ALPN_HTTP_1_1_LENGTH &&
       !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
@ -2258,15 +2331,22 @@ CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
      /* return CURLE_NOT_BUILT_IN; */
      goto out;
    }
-    infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
+
    if(connssl->state == ssl_connection_deferred)
      infof(data, VTLS_INFOF_ALPN_DEFERRED, (int)proto_len, proto);
    else
      infof(data, VTLS_INFOF_ALPN_ACCEPTED, (int)proto_len, proto);
  }
  else {
    *palpn = CURL_HTTP_VERSION_NONE;
-    infof(data, VTLS_INFOF_NO_ALPN);
+    if(connssl->state == ssl_connection_deferred)
      infof(data, VTLS_INFOF_NO_ALPN_DEFERRED);
    else
      infof(data, VTLS_INFOF_NO_ALPN);
  }
 out:
-  return CURLE_OK;
+  return result;
 }
 #endif /* USE_SSL */
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@ -43,15 +43,18 @@ struct Curl_ssl_session;
 #define ALPN_ACCEPTED "ALPN: server accepted "
-#define VTLS_INFOF_NO_ALPN                                      \
+#define VTLS_INFOF_NO_ALPN            \
  "ALPN: server did not agree on a protocol. Uses default."
-#define VTLS_INFOF_ALPN_OFFER_1STR              \
+#define VTLS_INFOF_ALPN_OFFER_1STR    \
  "ALPN: curl offers %s"
-#define VTLS_INFOF_ALPN_ACCEPTED_1STR           \
+#define VTLS_INFOF_ALPN_ACCEPTED      \
  ALPN_ACCEPTED "%s"
 #define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR       \
  ALPN_ACCEPTED "%.*s"
 #define VTLS_INFOF_NO_ALPN_DEFERRED   \
  "ALPN: deferred handshake for early data without specific protocol."
 #define VTLS_INFOF_ALPN_DEFERRED      \
  "ALPN: deferred handshake for early data using '%.*s'."
 /* Curl_multi SSL backend-specific data; declared differently by each SSL
   backend */
 struct Curl_cfilter;
--- a/lib/vtls/vtls_int.h
+++ b/lib/vtls/vtls_int.h
@ -29,6 +29,8 @@
 #ifdef USE_SSL
 struct ssl_connect_data;
 /* see https://www.iana.org/assignments/tls-extensiontype-values/ */
 #define ALPN_HTTP_1_1_LENGTH 8
 #define ALPN_HTTP_1_1 "http/1.1"
@ -61,9 +63,13 @@ CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
 CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
                                  struct Curl_easy *data,
                                  struct ssl_connect_data *connssl,
                                  const unsigned char *proto,
                                  size_t proto_len);
 bool Curl_alpn_contains_proto(const struct alpn_spec *spec,
                              const char *proto);
 /* enum for the nonblocking SSL connection state machine */
 typedef enum {
  ssl_connect_1,
@ -74,14 +80,27 @@ typedef enum {
 typedef enum {
  ssl_connection_none,
  ssl_connection_deferred,
  ssl_connection_negotiating,
  ssl_connection_complete
 } ssl_connection_state;
 typedef enum {
  ssl_earlydata_none,
  ssl_earlydata_use,
  ssl_earlydata_sending,
  ssl_earlydata_sent,
  ssl_earlydata_accepted,
  ssl_earlydata_rejected
 } ssl_earlydata_state;
 #define CURL_SSL_IO_NEED_NONE   (0)
 #define CURL_SSL_IO_NEED_RECV   (1<<0)
 #define CURL_SSL_IO_NEED_SEND   (1<<1)
 /* Max earlydata payload we want to send */
 #define CURL_SSL_EARLY_MAX       (64*1024)
 /* Information in each SSL cfilter context: cf->ctx */
 struct ssl_connect_data {
  struct ssl_peer peer;
@ -89,8 +108,14 @@ struct ssl_connect_data {
  void *backend;                    /* vtls backend specific props */
  struct cf_call_data call_data;    /* data handle used in current call */
  struct curltime handshake_done;   /* time when handshake finished */
  char *alpn_negotiated;            /* negotiated ALPN value or NULL */
  struct bufq earlydata;            /* earlydata to be send to peer */
  size_t earlydata_max;             /* max earlydata allowed by peer */
  size_t earlydata_skip;            /* sending bytes to skip when earlydata
                                     * is accepted by peer */
  ssl_connection_state state;
  ssl_connect_state connecting_state;
  ssl_earlydata_state earlydata_state;
  int io_need;                      /* TLS signals special SEND/RECV needs */
  BIT(use_alpn);                    /* if ALPN shall be used in handshake */
  BIT(peer_closed);                 /* peer has closed connection */
@ -193,12 +218,20 @@ bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf);
 * Caller must make sure that the ownership of returned sessionid object
 * is properly taken (e.g. its refcount is incremented
 * under sessionid mutex).
 * @param cf      the connection filter wanting to use it
 * @param data    the transfer involved
 * @param peer    the peer the filter wants to talk to
 * @param sessionid on return the TLS session
 * @param idsize  on return the size of the TLS session data
 * @param palpn   on return the ALPN string used by the session,
 *                set to NULL when not interested
 */
 bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
                           struct Curl_easy *data,
                           const struct ssl_peer *peer,
                           void **ssl_sessionid,
-                           size_t *idsize); /* set 0 if unknown */
+                           size_t *idsize, /* set 0 if unknown */
                           char **palpn);
 /* Set a TLS session ID for `peer`. Replaces an existing session ID if
 * not already the very same.
@ -212,6 +245,7 @@ bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
 CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
                                struct Curl_easy *data,
                                const struct ssl_peer *peer,
                                const char *alpn,
                                void *sessionid,
                                size_t sessionid_size,
                                Curl_ssl_sessionid_dtor *sessionid_free_cb);
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -1059,7 +1059,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
    Curl_ssl_sessionid_lock(data);
    if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
-                              &ssl_sessionid, NULL)) {
+                              &ssl_sessionid, NULL, NULL)) {
      /* we got a session id, use it! */
      if(!SSL_set_session(backend->handle, ssl_sessionid)) {
        Curl_ssl_delsessionid(data, ssl_sessionid);
@ -1406,11 +1406,11 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
    rc = wolfSSL_ALPN_GetProtocol(backend->handle, &protocol, &protocol_len);
    if(rc == SSL_SUCCESS) {
-      Curl_alpn_set_negotiated(cf, data, (const unsigned char *)protocol,
+      Curl_alpn_set_negotiated(cf, data, connssl,
-                               protocol_len);
+                               (const unsigned char *)protocol, protocol_len);
    }
    else if(rc == SSL_ALPN_NOT_FOUND)
-      Curl_alpn_set_negotiated(cf, data, NULL, 0);
+      Curl_alpn_set_negotiated(cf, data, connssl, NULL, 0);
    else {
      failf(data, "ALPN, failure getting protocol, error %d", rc);
      return CURLE_SSL_CONNECT_ERROR;
@ -1457,7 +1457,7 @@ wolfssl_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
    if(our_ssl_sessionid) {
      Curl_ssl_sessionid_lock(data);
      /* call takes ownership of `our_ssl_sessionid` */
-      result = Curl_ssl_set_sessionid(cf, data, &connssl->peer,
+      result = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL,
                                      our_ssl_sessionid, 0,
                                      wolfssl_session_free);
      Curl_ssl_sessionid_unlock(data);
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@ -261,6 +261,7 @@ struct OperationConfig {
  bool xattr;               /* store metadata in extended attributes */
  long gssapi_delegation;
  bool ssl_allow_beast;     /* allow this SSL vulnerability */
  bool ssl_allow_earlydata; /* allow use of TLSv1.3 early data */
  bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy */
  bool ssl_no_revoke;       /* disable SSL certificate revocation checks */
  bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@ -316,6 +316,7 @@ static const struct LongShort aliases[]= {
  {"tftp-blksize",               ARG_STRG, ' ', C_TFTP_BLKSIZE},
  {"tftp-no-options",            ARG_BOOL, ' ', C_TFTP_NO_OPTIONS},
  {"time-cond",                  ARG_STRG, 'z', C_TIME_COND},
  {"tls-earlydata",              ARG_BOOL, ' ', C_TLS_EARLYDATA},
  {"tls-max",                    ARG_STRG, ' ', C_TLS_MAX},
  {"tls13-ciphers",              ARG_STRG, ' ', C_TLS13_CIPHERS},
  {"tlsauthtype",                ARG_STRG, ' ', C_TLSAUTHTYPE},
@ -1691,6 +1692,10 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
      config->abstract_unix_socket = TRUE;
      err = getstr(&config->unix_socket_path, nextarg, DENY_BLANK);
      break;
    case C_TLS_EARLYDATA: /* --tls-earlydata */
      if(feature_ssl)
        config->ssl_allow_earlydata = toggle;
      break;
    case C_TLS_MAX: /* --tls-max */
      err = str2tls_max(&config->ssl_version_max, nextarg);
      break;
--- a/src/tool_getparam.h
+++ b/src/tool_getparam.h
@ -271,6 +271,7 @@ typedef enum {
  C_TFTP_BLKSIZE,
  C_TFTP_NO_OPTIONS,
  C_TIME_COND,
  C_TLS_EARLYDATA,
  C_TLS_MAX,
  C_TLS13_CIPHERS,
  C_TLSAUTHTYPE,
--- a/src/tool_listhelp.c
+++ b/src/tool_listhelp.c
@ -748,6 +748,9 @@ const struct helptxt helptext[] = {
  {"-z, --time-cond <time>",
   "Transfer based on a time condition",
   CURLHELP_HTTP | CURLHELP_FTP},
  {"    --tls-earlydata",
   "Allow use of TLSv1.3 early data (0RTT)",
   CURLHELP_TLS},
  {"    --tls-max <VERSION>",
   "Maximum allowed TLS version",
   CURLHELP_TLS},
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@ -1932,6 +1932,8 @@ static CURLcode single_transfer(struct GlobalConfig *global,
            long mask =
              (config->ssl_allow_beast ?
               CURLSSLOPT_ALLOW_BEAST : 0) |
              (config->ssl_allow_earlydata ?
               CURLSSLOPT_EARLYDATA : 0) |
              (config->ssl_no_revoke ?
               CURLSSLOPT_NO_REVOKE : 0) |
              (config->ssl_revoke_best_effort ?
--- a/tests/http/clients/hx-download.c
+++ b/tests/http/clients/hx-download.c
@ -228,8 +228,10 @@ static int my_progress_cb(void *userdata,
 }
 static int setup(CURL *hnd, const char *url, struct transfer *t,
-                 int http_version)
+                 int http_version, struct curl_slist *host,
                 CURLSH *share, int use_earlydata)
 {
  curl_easy_setopt(hnd, CURLOPT_SHARE, share);
  curl_easy_setopt(hnd, CURLOPT_URL, url);
  curl_easy_setopt(hnd, CURLOPT_HTTP_VERSION, http_version);
  curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 0L);
@ -240,8 +242,12 @@ static int setup(CURL *hnd, const char *url, struct transfer *t,
  curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 0L);
  curl_easy_setopt(hnd, CURLOPT_XFERINFOFUNCTION, my_progress_cb);
  curl_easy_setopt(hnd, CURLOPT_XFERINFODATA, t);
  if(use_earlydata)
    curl_easy_setopt(hnd, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_EARLYDATA);
  if(forbid_reuse)
    curl_easy_setopt(hnd, CURLOPT_FORBID_REUSE, 1L);
  if(host)
    curl_easy_setopt(hnd, CURLOPT_RESOLVE, host);
  /* please be verbose */
  if(verbose) {
@ -265,10 +271,14 @@ static void usage(const char *msg)
    "  download a url with following options:\n"
    "  -a         abort paused transfer\n"
    "  -m number  max parallel downloads\n"
-    "  -n number  total downloads\n"
+    "  -e         use TLS early data when possible\n"
    "  -f         forbid connection reuse\n"
    "  -n number  total downloads\n");
  fprintf(stderr,
    "  -A number  abort transfer after `number` response bytes\n"
    "  -F number  fail writing response after `number` response bytes\n"
    "  -P number  pause transfer after `number` response bytes\n"
    "  -r <host>:<port>:<addr>  resolve information\n"
    "  -V http_version (http/1.1, h2, h3) http version to use\n"
  );
 }
@ -282,18 +292,21 @@ int main(int argc, char *argv[])
 #ifndef _MSC_VER
  CURLM *multi_handle;
  struct CURLMsg *m;
  CURLSH *share;
  const char *url;
  size_t i, n, max_parallel = 1;
  size_t active_transfers;
  size_t pause_offset = 0;
  size_t abort_offset = 0;
  size_t fail_offset = 0;
-  int abort_paused = 0;
+  int abort_paused = 0, use_earlydata = 0;
  struct transfer *t;
  int http_version = CURL_HTTP_VERSION_2_0;
  int ch;
  struct curl_slist *host = NULL;
  const char *resolve = NULL;
-  while((ch = getopt(argc, argv, "afhm:n:A:F:P:V:")) != -1) {
+  while((ch = getopt(argc, argv, "aefhm:n:A:F:P:r:V:")) != -1) {
    switch(ch) {
    case 'h':
      usage(NULL);
@ -301,6 +314,9 @@ int main(int argc, char *argv[])
    case 'a':
      abort_paused = 1;
      break;
    case 'e':
      use_earlydata = 1;
      break;
    case 'f':
      forbid_reuse = 1;
      break;
@ -319,6 +335,9 @@ int main(int argc, char *argv[])
    case 'P':
      pause_offset = (size_t)strtol(optarg, NULL, 10);
      break;
    case 'r':
      resolve = optarg;
      break;
    case 'V': {
      if(!strcmp("http/1.1", optarg))
        http_version = CURL_HTTP_VERSION_1_1;
@ -349,6 +368,21 @@ int main(int argc, char *argv[])
  }
  url = argv[0];
  if(resolve)
    host = curl_slist_append(NULL, resolve);
  share = curl_share_init();
  if(!share) {
    fprintf(stderr, "error allocating share\n");
    return 1;
  }
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_COOKIE);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_DNS);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS);
  transfers = calloc(transfer_count, sizeof(*transfers));
  if(!transfers) {
    fprintf(stderr, "error allocating transfer structs\n");
@ -371,7 +405,8 @@ int main(int argc, char *argv[])
  for(i = 0; i < n; ++i) {
    t = &transfers[i];
    t->easy = curl_easy_init();
-    if(!t->easy || setup(t->easy, url, t, http_version)) {
+    if(!t->easy ||
       setup(t->easy, url, t, http_version, host, share, use_earlydata)) {
      fprintf(stderr, "[t-%d] FAILED setup\n", (int)i);
      return 1;
    }
@ -404,6 +439,11 @@ int main(int argc, char *argv[])
        if(t) {
          t->done = 1;
          fprintf(stderr, "[t-%d] FINISHED\n", t->idx);
          if(use_earlydata) {
            curl_off_t sent;
            curl_easy_getinfo(e, CURLINFO_EARLYDATA_SENT_T, &sent);
            fprintf(stderr, "[t-%d] EarlyData: %ld\n", t->idx, (long)sent);
          }
        }
        else {
          curl_easy_cleanup(e);
@ -444,7 +484,9 @@ int main(int argc, char *argv[])
          t = &transfers[i];
          if(!t->started) {
            t->easy = curl_easy_init();
-            if(!t->easy || setup(t->easy, url, t, http_version)) {
+            if(!t->easy ||
               setup(t->easy, url, t, http_version, host, share,
                     use_earlydata)) {
              fprintf(stderr, "[t-%d] FAILED setup\n", (int)i);
              return 1;
            }
@ -463,6 +505,8 @@ int main(int argc, char *argv[])
  } while(active_transfers); /* as long as we have transfers going */
  curl_multi_cleanup(multi_handle);
  for(i = 0; i < transfer_count; ++i) {
    t = &transfers[i];
    if(t->out) {
@ -476,7 +520,7 @@ int main(int argc, char *argv[])
  }
  free(transfers);
-  curl_multi_cleanup(multi_handle);
+  curl_share_cleanup(share);
  return 0;
 #else
--- a/tests/http/clients/hx-upload.c
+++ b/tests/http/clients/hx-upload.c
@ -252,8 +252,10 @@ static int my_progress_cb(void *userdata,
 }
 static int setup(CURL *hnd, const char *url, struct transfer *t,
-                 int http_version)
+                 int http_version, struct curl_slist *host,
                 CURLSH *share, int use_earlydata, int announce_length)
 {
  curl_easy_setopt(hnd, CURLOPT_SHARE, share);
  curl_easy_setopt(hnd, CURLOPT_URL, url);
  curl_easy_setopt(hnd, CURLOPT_HTTP_VERSION, http_version);
  curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 0L);
@ -261,6 +263,8 @@ static int setup(CURL *hnd, const char *url, struct transfer *t,
  curl_easy_setopt(hnd, CURLOPT_BUFFERSIZE, (long)(128 * 1024));
  curl_easy_setopt(hnd, CURLOPT_WRITEFUNCTION, my_write_cb);
  curl_easy_setopt(hnd, CURLOPT_WRITEDATA, t);
  if(use_earlydata)
    curl_easy_setopt(hnd, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_EARLYDATA);
  if(!t->method || !strcmp("PUT", t->method))
    curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
@ -272,11 +276,16 @@ static int setup(CURL *hnd, const char *url, struct transfer *t,
  }
  curl_easy_setopt(hnd, CURLOPT_READFUNCTION, my_read_cb);
  curl_easy_setopt(hnd, CURLOPT_READDATA, t);
  if(announce_length)
    curl_easy_setopt(hnd, CURLOPT_INFILESIZE_LARGE, t->send_total);
  curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 0L);
  curl_easy_setopt(hnd, CURLOPT_XFERINFOFUNCTION, my_progress_cb);
  curl_easy_setopt(hnd, CURLOPT_XFERINFODATA, t);
  if(forbid_reuse)
    curl_easy_setopt(hnd, CURLOPT_FORBID_REUSE, 1L);
  if(host)
    curl_easy_setopt(hnd, CURLOPT_RESOLVE, host);
  /* please be verbose */
  if(verbose) {
@ -299,11 +308,13 @@ static void usage(const char *msg)
    "usage: [options] url\n"
    "  upload to a url with following options:\n"
    "  -a         abort paused transfer\n"
    "  -e         use TLS earlydata\n"
    "  -m number  max parallel uploads\n"
    "  -n number  total uploads\n"
    "  -A number  abort transfer after `number` request body bytes\n"
    "  -F number  fail reading request body after `number` of bytes\n"
    "  -P number  pause transfer after `number` request body bytes\n"
    "  -r <host>:<port>:<addr>  resolve information\n"
    "  -S number  size to upload\n"
    "  -V http_version (http/1.1, h2, h3) http version to use\n"
  );
@ -318,6 +329,7 @@ int main(int argc, char *argv[])
 #ifndef _MSC_VER
  CURLM *multi_handle;
  struct CURLMsg *m;
  CURLSH *share;
  const char *url;
  const char *method = "PUT";
  size_t i, n, max_parallel = 1;
@ -328,11 +340,15 @@ int main(int argc, char *argv[])
  size_t send_total = (128 * 1024);
  int abort_paused = 0;
  int reuse_easy = 0;
  int use_earlydata = 0;
  int announce_length = 0;
  struct transfer *t;
  int http_version = CURL_HTTP_VERSION_2_0;
  struct curl_slist *host = NULL;
  const char *resolve = NULL;
  int ch;
-  while((ch = getopt(argc, argv, "afhm:n:A:F:M:P:RS:V:")) != -1) {
+  while((ch = getopt(argc, argv, "aefhlm:n:A:F:M:P:r:RS:V:")) != -1) {
    switch(ch) {
    case 'h':
      usage(NULL);
@ -340,9 +356,15 @@ int main(int argc, char *argv[])
    case 'a':
      abort_paused = 1;
      break;
    case 'e':
      use_earlydata = 1;
      break;
    case 'f':
      forbid_reuse = 1;
      break;
    case 'l':
      announce_length = 1;
      break;
    case 'm':
      max_parallel = (size_t)strtol(optarg, NULL, 10);
      break;
@ -361,6 +383,9 @@ int main(int argc, char *argv[])
    case 'P':
      pause_offset = (size_t)strtol(optarg, NULL, 10);
      break;
    case 'r':
      resolve = optarg;
      break;
    case 'R':
      reuse_easy = 1;
      break;
@ -402,6 +427,21 @@ int main(int argc, char *argv[])
  }
  url = argv[0];
  if(resolve)
    host = curl_slist_append(NULL, resolve);
  share = curl_share_init();
  if(!share) {
    fprintf(stderr, "error allocating share\n");
    return 1;
  }
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_COOKIE);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_DNS);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL);
  curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS);
  transfers = calloc(transfer_count, sizeof(*transfers));
  if(!transfers) {
    fprintf(stderr, "error allocating transfer structs\n");
@ -429,7 +469,8 @@ int main(int argc, char *argv[])
    for(i = 0; i < transfer_count; ++i) {
      t = &transfers[i];
      t->easy = easy;
-      if(setup(t->easy, url, t, http_version)) {
+      if(setup(t->easy, url, t, http_version, host, share, use_earlydata,
               announce_length)) {
        fprintf(stderr, "[t-%d] FAILED setup\n", (int)i);
        return 1;
      }
@ -450,7 +491,8 @@ int main(int argc, char *argv[])
    for(i = 0; i < n; ++i) {
      t = &transfers[i];
      t->easy = curl_easy_init();
-      if(!t->easy || setup(t->easy, url, t, http_version)) {
+      if(!t->easy || setup(t->easy, url, t, http_version, host, share,
                           use_earlydata, announce_length)) {
        fprintf(stderr, "[t-%d] FAILED setup\n", (int)i);
        return 1;
      }
@ -483,6 +525,11 @@ int main(int argc, char *argv[])
          if(t) {
            t->done = 1;
            fprintf(stderr, "[t-%d] FINISHED\n", t->idx);
            if(use_earlydata) {
              curl_off_t sent;
              curl_easy_getinfo(e, CURLINFO_EARLYDATA_SENT_T, &sent);
              fprintf(stderr, "[t-%d] EarlyData: %ld\n", t->idx, (long)sent);
            }
          }
          else {
            curl_easy_cleanup(e);
@ -523,7 +570,8 @@ int main(int argc, char *argv[])
            t = &transfers[i];
            if(!t->started) {
              t->easy = curl_easy_init();
-              if(!t->easy || setup(t->easy, url, t, http_version)) {
+              if(!t->easy || setup(t->easy, url, t, http_version, host,
                                   share, use_earlydata, announce_length)) {
                fprintf(stderr, "[t-%d] FAILED setup\n", (int)i);
                return 1;
              }
@ -557,6 +605,7 @@ int main(int argc, char *argv[])
    }
  }
  free(transfers);
  curl_share_cleanup(share);
  return 0;
 #else
--- a/tests/http/test_02_download.py
+++ b/tests/http/test_02_download.py
@ -29,6 +29,7 @@ import filecmp
 import logging
 import math
 import os
 import re
 from datetime import timedelta
 import pytest
@ -591,3 +592,48 @@ class TestDownload:
        # we see 3 connections, because Apache only every serves a single
        # request via Upgrade: and then closed the connection.
        assert r.total_connects == 3, r.dump_logs()
    # nghttpx is the only server we have that supports TLS early data
    @pytest.mark.skipif(condition=not Env.have_nghttpx(), reason="no nghttpx")
    @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
    def test_02_32_earlydata(self, env: Env, httpd, nghttpx, proto):
        if not env.curl_uses_lib('gnutls'):
            pytest.skip('TLS earlydata only implemented in GnuTLS')
        if proto == 'h3' and not env.have_h3():
            pytest.skip("h3 not supported")
        count = 2
        docname = 'data-10k'
        # we want this test to always connect to nghttpx, since it is
        # the only server we have that supports TLS earlydata
        port = env.port_for(proto)
        if proto != 'h3':
            port = env.nghttpx_https_port
        # url = f'https://{env.domain1}:{env.port_for(proto)}/{docname}'
        url = f'https://{env.domain1}:{port}/{docname}'
        client = LocalClient(name='hx-download', env=env)
        if not client.exists():
            pytest.skip(f'example client not built: {client.name}')
        r = client.run(args=[
             '-n', f'{count}',
             '-e',  # use TLS earlydata
             '-f',  # forbid reuse of connections
             '-r', f'{env.domain1}:{port}:127.0.0.1',
             '-V', proto, url
        ])
        r.check_exit_code(0)
        srcfile = os.path.join(httpd.docs_dir, docname)
        self.check_downloads(client, srcfile, count)
        # check that TLS earlydata worked as expected
        earlydata = {}
        for line in r.trace_lines:
            m = re.match(r'^\[t-(\d+)] EarlyData: (\d+)', line)
            if m:
                earlydata[int(m.group(1))] = int(m.group(2))
        assert earlydata[0] == 0, f'{earlydata}'
        if proto == 'http/1.1':
            assert earlydata[1] == 69, f'{earlydata}'
        elif proto == 'h2':
            assert earlydata[1] == 107, f'{earlydata}'
        elif proto == 'h3':
            # not implemented
            assert earlydata[1] == 0, f'{earlydata}'
--- a/tests/http/test_07_upload.py
+++ b/tests/http/test_07_upload.py
@ -28,6 +28,7 @@ import difflib
 import filecmp
 import logging
 import os
 import re
 import pytest
 from typing import List
@ -43,6 +44,7 @@ class TestUpload:
    def _class_scope(self, env, httpd, nghttpx):
        if env.have_h3():
            nghttpx.start_if_needed()
        env.make_data_file(indir=env.gen_dir, fname="data-10k", fsize=10*1024)
        env.make_data_file(indir=env.gen_dir, fname="data-63k", fsize=63*1024)
        env.make_data_file(indir=env.gen_dir, fname="data-64k", fsize=64*1024)
        env.make_data_file(indir=env.gen_dir, fname="data-100k", fsize=100*1024)
@ -651,6 +653,51 @@ class TestUpload:
        ])
        r.check_stats(count=1, http_status=200, exitcode=0)
    # nghttpx is the only server we have that supports TLS early data and
    # has a limit of 16k it announces
    @pytest.mark.skipif(condition=not Env.have_nghttpx(), reason="no nghttpx")
    @pytest.mark.parametrize("proto,upload_size,exp_early", [
        ['http/1.1', 100, 203],        # headers+body
        ['http/1.1', 10*1024, 10345],  # headers+body
        ['http/1.1', 32*1024, 16384],  # headers+body, limited by server max
        ['h2', 10*1024, 10378],        # headers+body
        ['h2', 32*1024, 16384],        # headers+body, limited by server max
        ['h3', 1024, 0],               # earlydata not supported
    ])
    def test_07_70_put_earlydata(self, env: Env, httpd, nghttpx, proto, upload_size, exp_early):
        if not env.curl_uses_lib('gnutls'):
            pytest.skip('TLS earlydata only implemented in GnuTLS')
        if proto == 'h3' and not env.have_h3():
            pytest.skip("h3 not supported")
        count = 2
        # we want this test to always connect to nghttpx, since it is
        # the only server we have that supports TLS earlydata
        port = env.port_for(proto)
        if proto != 'h3':
            port = env.nghttpx_https_port
        url = f'https://{env.domain1}:{port}/curltest/put?id=[0-{count-1}]'
        client = LocalClient(name='hx-upload', env=env)
        if not client.exists():
            pytest.skip(f'example client not built: {client.name}')
        r = client.run(args=[
             '-n', f'{count}',
             '-e',  # use TLS earlydata
             '-f',  # forbid reuse of connections
             '-l',  # announce upload length, no 'Expect: 100'
             '-S', f'{upload_size}',
             '-r', f'{env.domain1}:{port}:127.0.0.1',
             '-V', proto, url
        ])
        r.check_exit_code(0)
        self.check_downloads(client, [f"{upload_size}"], count)
        earlydata = {}
        for line in r.trace_lines:
            m = re.match(r'^\[t-(\d+)] EarlyData: (\d+)', line)
            if m:
                earlydata[int(m.group(1))] = int(m.group(2))
        assert earlydata[0] == 0, f'{earlydata}'
        assert earlydata[1] == exp_early, f'{earlydata}'
    def check_downloads(self, client, source: List[str], count: int,
                        complete: bool = True):
        for i in range(count):
--- a/tests/http/test_08_caddy.py
+++ b/tests/http/test_08_caddy.py
@ -24,11 +24,14 @@
 #
 ###########################################################################
 #
 import difflib
 import filecmp
 import logging
 import os
 import re
 import pytest
-from testenv import Env, CurlClient, Caddy
+from testenv import Env, CurlClient, Caddy, LocalClient
 log = logging.getLogger(__name__)
@ -57,6 +60,7 @@ class TestCaddy:
    @pytest.fixture(autouse=True, scope='class')
    def _class_scope(self, env, caddy):
        self._make_docs_file(docs_dir=caddy.docs_dir, fname='data10k.data', fsize=10*1024)
        self._make_docs_file(docs_dir=caddy.docs_dir, fname='data1.data', fsize=1024*1024)
        self._make_docs_file(docs_dir=caddy.docs_dir, fname='data5.data', fsize=5*1024*1024)
        self._make_docs_file(docs_dir=caddy.docs_dir, fname='data10.data', fsize=10*1024*1024)
@ -205,3 +209,43 @@ class TestCaddy:
        for i in range(count):
            respdata = open(curl.response_file(i)).readlines()
            assert respdata == exp_data
    @pytest.mark.parametrize("proto", ['http/1.1', 'h2'])
    def test_08_08_earlydata(self, env: Env, httpd, caddy, proto):
        count = 2
        docname = 'data10k.data'
        url = f'https://{env.domain1}:{caddy.port}/{docname}'
        client = LocalClient(name='hx-download', env=env)
        if not client.exists():
            pytest.skip(f'example client not built: {client.name}')
        r = client.run(args=[
             '-n', f'{count}',
             '-e',  # use TLS earlydata
             '-f',  # forbid reuse of connections
             '-r', f'{env.domain1}:{caddy.port}:127.0.0.1',
             '-V', proto, url
        ])
        r.check_exit_code(0)
        srcfile = os.path.join(caddy.docs_dir, docname)
        self.check_downloads(client, srcfile, count)
        earlydata = {}
        for line in r.trace_lines:
            m = re.match(r'^\[t-(\d+)] EarlyData: (\d+)', line)
            if m:
                earlydata[int(m.group(1))] = int(m.group(2))
        # Caddy does not support early data
        assert earlydata[0] == 0, f'{earlydata}'
        assert earlydata[1] == 0, f'{earlydata}'
    def check_downloads(self, client, srcfile: str, count: int,
                        complete: bool = True):
        for i in range(count):
            dfile = client.download_file(i)
            assert os.path.exists(dfile)
            if complete and not filecmp.cmp(srcfile, dfile, shallow=False):
                diff = "".join(difflib.unified_diff(a=open(srcfile).readlines(),
                                                    b=open(dfile).readlines(),
                                                    fromfile=srcfile,
                                                    tofile=dfile,
                                                    n=1))
                assert False, f'download {dfile} differs:\n{diff}'
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@ -64,9 +64,6 @@ class TestSSLUse:
        count = 3
        exp_resumed = 'Resumed'
        xargs = ['--sessionid', '--tls-max', tls_max, f'--tlsv{tls_max}']
        if env.curl_uses_lib('gnutls'):
            if tls_max == '1.3':
                exp_resumed = 'Initial'  # 1.2 works in GnuTLS, but 1.3 does not, TODO
        if env.curl_uses_lib('libressl'):
            if tls_max == '1.3':
                exp_resumed = 'Initial'  # 1.2 works in LibreSSL, but 1.3 does not, TODO
@ -279,7 +276,9 @@ class TestSSLUse:
        ])
        httpd.reload_if_config_changed()
        proto = 'http/1.1'
-        curl = CurlClient(env=env)
+        run_env = os.environ.copy()
        run_env['CURL_USE_EARLYDATA'] = '1'
        curl = CurlClient(env=env, run_env=run_env)
        url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
        # SSL backend specifics
        if env.curl_uses_lib('bearssl'):
--- a/tests/http/testenv/env.py
+++ b/tests/http/testenv/env.py
@ -110,6 +110,7 @@ class EnvConfig:
            'ftps': socket.SOCK_STREAM,
            'http': socket.SOCK_STREAM,
            'https': socket.SOCK_STREAM,
            'nghttpx_https': socket.SOCK_STREAM,
            'proxy': socket.SOCK_STREAM,
            'proxys': socket.SOCK_STREAM,
            'h2proxys': socket.SOCK_STREAM,
@ -472,6 +473,10 @@ class Env:
    def https_port(self) -> int:
        return self.CONFIG.ports['https']
    @property
    def nghttpx_https_port(self) -> int:
        return self.CONFIG.ports['nghttpx_https']
    @property
    def h3_port(self) -> int:
        return self.https_port
--- a/tests/http/testenv/nghttpx.py
+++ b/tests/http/testenv/nghttpx.py
@ -184,6 +184,7 @@ class NghttpxQuic(Nghttpx):
        args = [
            self._cmd,
            f'--frontend=*,{self.env.h3_port};quic',
            f'--frontend=*,{self.env.nghttpx_https_port};tls',
            f'--backend=127.0.0.1,{self.env.https_port};{self.env.domain1};sni={self.env.domain1};proto=h2;tls',
            f'--backend=127.0.0.1,{self.env.http_port}',
            '--log-level=INFO',