@buherator @bagder Nice bug. I agree that curl is the "victim" here. If the underlying OS is doing dumb shit, then it's hard to circumvent that. Especially since the application is sitting "on top" of the OS and not below. At the same time, when there's a widespread pattern of insecure code and the lower layer (the OS) is known not to fix it or not fast enough, there's value in providing temporary hacks as a mitigation.
But yeah, that's a tough call :)