curl-impersonate.patch

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 656aa7c74..594e9574a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -627,6 +627,29 @@ macro(openssl_check_symbol_exists SYMBOL FILES VARIABLE)
   cmake_pop_check_state()
 endmacro()
 
+option(USE_ECH "Enable ECH support" OFF)
+if(USE_ECH)
+  if(USE_OPENSSL OR USE_WOLFSSL)
+    # Be sure that the OpenSSL/wolfSSL library actually supports ECH.
+    if(NOT DEFINED HAVE_ECH)
+      if(USE_OPENSSL AND HAVE_BORINGSSL)
+        openssl_check_symbol_exists(SSL_set1_ech_config_list "openssl/ssl.h" HAVE_ECH)
+      elseif(USE_OPENSSL)
+        openssl_check_symbol_exists(SSL_ech_set1_echconfig "openssl/ech.h" HAVE_ECH)
+      elseif(USE_WOLFSSL)
+        openssl_check_symbol_exists(wolfSSL_CTX_GenerateEchConfig "wolfssl/options.h;wolfssl/ssl.h" HAVE_ECH)
+      endif()
+    endif()
+    if(NOT HAVE_ECH)
+      message(FATAL_ERROR "ECH support missing in OpenSSL/BoringSSL/wolfSSL")
+    else()
+      message("ECH enabled.")
+    endif()
+  else()
+    message(FATAL_ERROR "ECH requires ECH-enablded OpenSSL, BoringSSL or wolfSSL")
+  endif()
+endif()
+
 # Ensure that the OpenSSL fork actually supports QUIC.
 macro(openssl_check_quic)
   if(NOT DEFINED HAVE_SSL_CTX_SET_QUIC_METHOD)
diff --git a/Makefile.am b/Makefile.am
index 658189e47..1ebc38b5a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -132,13 +132,13 @@ CLEANFILES = $(VC14_LIBVCXPROJ) $(VC14_SRCVCXPROJ) \
  $(VC14_20_LIBVCXPROJ) $(VC14_20_SRCVCXPROJ)       \
  $(VC14_30_LIBVCXPROJ) $(VC14_30_SRCVCXPROJ)
 
-bin_SCRIPTS = curl-config
+bin_SCRIPTS = curl-impersonate-chrome-config
 
 SUBDIRS = lib docs src scripts
 DIST_SUBDIRS = $(SUBDIRS) tests packages scripts include docs
 
 pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libcurl.pc
+pkgconfig_DATA = libcurl-impersonate-chrome.pc
 
 # List of files required to generate VC IDE .dsp, .vcproj and .vcxproj files
 include lib/Makefile.inc
diff --git a/configure.ac b/configure.ac
index 49371a755..a19c12b95 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1422,7 +1422,8 @@ if test X"$OPT_BROTLI" != Xno; then
 
   dnl if given with a prefix, we set -L and -I based on that
   if test -n "$PREFIX_BROTLI"; then
-    LIB_BROTLI="-lbrotlidec"
+    # curl-impersonate: Use static libbrotli, -static postfix dropped since brotli 1.1.0
+    LIB_BROTLI="-lbrotlidec -lbrotlicommon"
     LD_BROTLI=-L${PREFIX_BROTLI}/lib$libsuff
     CPP_BROTLI=-I${PREFIX_BROTLI}/include
     DIR_BROTLI=${PREFIX_BROTLI}/lib$libsuff
@@ -1432,7 +1433,11 @@ if test X"$OPT_BROTLI" != Xno; then
   CPPFLAGS="$CPPFLAGS $CPP_BROTLI"
   LIBS="$LIB_BROTLI $LIBS"
 
-  AC_CHECK_LIB(brotlidec, BrotliDecoderDecompress)
+  AC_CHECK_LIB(brotlidec, BrotliDecoderDecompress,
+    # curl-impersonate: Define 'action-if-found' explicitly to prevent
+    # -lbrotlidec from being added to LIBS (already added before)
+    AC_DEFINE(HAVE_LIBBROTLI, 1, [Define to 1 if libbrotli exists])
+  )
 
   AC_CHECK_HEADERS(brotli/decode.h,
     curl_brotli_msg="enabled (libbrotlidec)"
@@ -4547,14 +4552,23 @@ if test "x$want_ech" != "xno"; then
   ECH_ENABLED=0
   ECH_SUPPORT=''
 
-  dnl OpenSSL with a chosen ECH function should be enough
-  dnl so more exhaustive checking seems unnecessary for now
+  dnl check for OpenSSL
+  if test "x$OPENSSL_ENABLED" = "x1"; then
+    AC_CHECK_FUNCS(SSL_ech_set1_echconfig,
+      ECH_SUPPORT="ECH support available via OpenSSL with SSL_ech_set1_echconfig"
+      ECH_ENABLED=1)
+  fi
+  dnl check for boringssl equivalent
   if test "x$OPENSSL_ENABLED" = "x1"; then
-    AC_CHECK_FUNCS(SSL_get_ech_status,
-      ECH_SUPPORT="ECH support available (OpenSSL with SSL_get_ech_status)"
+    AC_CHECK_FUNCS(SSL_set1_ech_config_list,
+      ECH_SUPPORT="ECH support available via boringssl with SSL_set1_ech_config_list"
+      ECH_ENABLED=1)
+  fi
+  if test "x$WOLFSSL_ENABLED" = "x1"; then
+    AC_CHECK_FUNCS(wolfSSL_CTX_GenerateEchConfig,
+      ECH_SUPPORT="ECH support available via WolfSSL with wolfSSL_CTX_GenerateEchConfig"
       ECH_ENABLED=1)
 
-  dnl add 'elif' chain here for additional implementations
   fi
 
   dnl now deal with whatever we found
@@ -4962,8 +4976,8 @@ AC_CONFIG_FILES([Makefile \
            tests/http/clients/Makefile \
            packages/Makefile \
            packages/vms/Makefile \
-           curl-config \
-           libcurl.pc
+           curl-impersonate-chrome-config:curl-config.in \
+           libcurl-impersonate-chrome.pc:libcurl.pc.in
 ])
 AC_OUTPUT
 
diff --git a/curl-config.in b/curl-config.in
index 54f92d931..ea5895e9b 100644
--- a/curl-config.in
+++ b/curl-config.in
@@ -163,9 +163,9 @@ while test $# -gt 0; do
            CURLLIBDIR=""
         fi
         if test "X@ENABLE_SHARED@" = "Xno"; then
-          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
+          echo ${CURLLIBDIR}-lcurl-impersonate-chrome @LIBCURL_LIBS@
         else
-          echo ${CURLLIBDIR}-lcurl
+          echo ${CURLLIBDIR}-lcurl-impersonate-chrome
         fi
         ;;
     --ssl-backends)
@@ -174,7 +174,7 @@ while test $# -gt 0; do
 
     --static-libs)
         if test "X@ENABLE_STATIC@" != "Xno" ; then
-          echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
+          echo "@libdir@/libcurl-impersonate-chrome.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
         else
           echo "curl was built with static libraries disabled" >&2
           exit 1
diff --git a/export.sh b/export.sh
new file mode 100755
index 000000000..7bced6879
--- /dev/null
+++ b/export.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# TODO: use cmake to generate mingw makefile, see:
+#
+# 1. https://github.com/curl/curl/pull/13244/files
+# 2. https://everything.curl.dev/build/windows.html
+
+git df curl-8_7_1 > chrome.patch
+mv chrome.patch ../curl-impersonate/chrome/patches/curl-impersonate.patch
diff --git a/include/curl/curl.h b/include/curl/curl.h
index b2377b789..d695b803e 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -632,6 +632,7 @@ typedef enum {
   CURLE_SSL_CLIENTCERT,          /* 98 - client-side certificate required */
   CURLE_UNRECOVERABLE_POLL,      /* 99 - poll/select returned fatal error */
   CURLE_TOO_LARGE,               /* 100 - a value/data met its maximum */
+  CURLE_ECH_REQUIRED,            /* 101 - ECH tried but failed */
   CURL_LAST /* never use! */
 } CURLcode;
 
@@ -2206,6 +2207,85 @@ typedef enum {
   /* millisecond version */
   CURLOPT(CURLOPT_SERVER_RESPONSE_TIMEOUT_MS, CURLOPTTYPE_LONG, 324),
 
+  /* curl-impersonate: A list of headers used by the impersonated browser.
+   * If given, merged with CURLOPT_HTTPHEADER. */
+  CURLOPT(CURLOPT_HTTPBASEHEADER, CURLOPTTYPE_SLISTPOINT, 1000),
+
+  /* curl-impersonate: A list of TLS signature hash algorithms.
+   * See https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1 */
+  CURLOPT(CURLOPT_SSL_SIG_HASH_ALGS, CURLOPTTYPE_STRINGPOINT, 1001),
+
+  /* curl-impersonate: Whether to enable ALPS in TLS or not.
+   * See https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps.
+   * Support for ALPS is minimal and is intended only for the TLS client
+   * hello to match. */
+  CURLOPT(CURLOPT_SSL_ENABLE_ALPS, CURLOPTTYPE_LONG, 1002),
+
+  /* curl-impersonate: Comma-separated list of certificate compression
+   * algorithms to use. These are published in the client hello.
+   * Supported algorithms are "zlib" and "brotli".
+   * See https://datatracker.ietf.org/doc/html/rfc8879 */
+  CURLOPT(CURLOPT_SSL_CERT_COMPRESSION, CURLOPTTYPE_STRINGPOINT, 1003),
+
+  /* Enable/disable TLS session ticket extension (RFC5077) */
+  CURLOPT(CURLOPT_SSL_ENABLE_TICKET, CURLOPTTYPE_LONG, 1004),
+
+  /*
+   * curl-impersonate:
+   * Set the order of the HTTP/2 pseudo headers. The value must contain
+   * the letters 'm', 'a', 's', 'p' representing the pseudo-headers
+   * ":method", ":authority", ":scheme", ":path" in the desired order of
+   * appearance in the HTTP/2 HEADERS frame.
+   */
+  CURLOPT(CURLOPT_HTTP2_PSEUDO_HEADERS_ORDER, CURLOPTTYPE_STRINGPOINT, 1005),
+
+  /*
+   * curl-impersonate:
+   * HTTP2 settings frame keys and values, format: 1:v;2:v;3:v
+   */
+  CURLOPT(CURLOPT_HTTP2_SETTINGS, CURLOPTTYPE_STRINGPOINT, 1006),
+
+  /* 
+   * curl-impersonate: Whether to enable Boringssl permute extensions
+   * See https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_set_permute_extensions.
+   */
+  CURLOPT(CURLOPT_SSL_PERMUTE_EXTENSIONS, CURLOPTTYPE_LONG, 1007),
+
+  /*
+   * curl-impersonate:
+   * HTTP2 initial window update
+   */
+  CURLOPT(CURLOPT_HTTP2_WINDOW_UPDATE, CURLOPTTYPE_LONG, 1008),
+
+  /* curl-impersonate:
+   * set ECH configuration
+   */
+  CURLOPT(CURLOPT_ECH, CURLOPTTYPE_STRINGPOINT, 1009),
+
+  /*
+   * curl-impersonate:
+   * Set the initial streams settings for http2.
+   */
+  CURLOPT(CURLOPT_HTTP2_STREAMS, CURLOPTTYPE_STRINGPOINT, 1010),
+
+  /* curl-impersonate: enable tls grease */
+  CURLOPT(CURLOPT_TLS_GREASE, CURLOPTTYPE_LONG, 1011),
+
+  /* curl-impersonate: set tls extension order */
+  CURLOPT(CURLOPT_TLS_EXTENSION_ORDER, CURLOPTTYPE_STRINGPOINT, 1012),
+
+  /* curl-impersonate: Set stream exclusiveness, 0 or 1 */
+  CURLOPT(CURLOPT_STREAM_EXCLUSIVE, CURLOPTTYPE_LONG, 1013),
+
+  /* curl-impersonate: enable tls key usage check, defaults: on */
+  CURLOPT(CURLOPT_TLS_KEY_USAGE_NO_CHECK, CURLOPTTYPE_LONG, 1014),
+
+  /* curl-impersonate: enable tls signed cert stamps */
+  CURLOPT(CURLOPT_TLS_SIGNED_CERT_TIMESTAMPS, CURLOPTTYPE_LONG, 1015),
+
+  /* curl-impersonate: enable tls status request */
+  CURLOPT(CURLOPT_TLS_STATUS_REQUEST, CURLOPTTYPE_LONG, 1016),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
diff --git a/include/curl/easy.h b/include/curl/easy.h
index 1285101c5..c620065dc 100644
--- a/include/curl/easy.h
+++ b/include/curl/easy.h
@@ -43,6 +43,16 @@ CURL_EXTERN CURLcode curl_easy_setopt(CURL *curl, CURLoption option, ...);
 CURL_EXTERN CURLcode curl_easy_perform(CURL *curl);
 CURL_EXTERN void curl_easy_cleanup(CURL *curl);
 
+/*
+ * curl-impersonate: Tell libcurl to impersonate a browser.
+ * This is a wrapper function that calls curl_easy_setopt()
+ * multiple times with all the parameters required. That's also why it was
+ * created as a separate API function and not just as another option to
+ * curl_easy_setopt().
+ */
+CURL_EXTERN CURLcode curl_easy_impersonate(CURL *curl, const char *target,
+                                           int default_headers);
+
 /*
  * NAME curl_easy_getinfo()
  *
diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
index b880f3dc6..79074e011 100644
--- a/include/curl/typecheck-gcc.h
+++ b/include/curl/typecheck-gcc.h
@@ -275,6 +275,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t,
    (option) == CURLOPT_DNS_LOCAL_IP6 ||                                       \
    (option) == CURLOPT_DNS_SERVERS ||                                         \
    (option) == CURLOPT_DOH_URL ||                                             \
+   (option) == CURLOPT_ECH ||                                                 \
    (option) == CURLOPT_EGDSOCKET ||                                           \
    (option) == CURLOPT_FTP_ACCOUNT ||                                         \
    (option) == CURLOPT_FTP_ALTERNATIVE_TO_USER ||                             \
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 1237c8e99..6b2961018 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -31,7 +31,7 @@ EXTRA_DIST = Makefile.mk config-win32.h config-win32ce.h config-plan9.h    \
  config-os400.h setup-os400.h $(CMAKE_DIST) setup-win32.h .checksrc \
  Makefile.soname
 
-lib_LTLIBRARIES = libcurl.la
+lib_LTLIBRARIES = libcurl-impersonate-chrome.la
 
 if BUILD_UNITTESTS
 noinst_LTLIBRARIES = libcurlu.la
@@ -67,51 +67,51 @@ AM_CFLAGS =
 # Makefile.inc provides the CSOURCES and HHEADERS defines
 include Makefile.inc
 
-libcurl_la_SOURCES = $(CSOURCES) $(HHEADERS)
+libcurl_impersonate_chrome_la_SOURCES = $(CSOURCES) $(HHEADERS)
 libcurlu_la_SOURCES = $(CSOURCES) $(HHEADERS)
 
-libcurl_la_CPPFLAGS_EXTRA =
-libcurl_la_LDFLAGS_EXTRA =
-libcurl_la_CFLAGS_EXTRA =
+libcurl_impersonate_chrome_la_CPPFLAGS_EXTRA =
+libcurl_impersonate_chrome_la_LDFLAGS_EXTRA =
+libcurl_impersonate_chrome_la_CFLAGS_EXTRA =
 
 if CURL_LT_SHLIB_USE_VERSION_INFO
-libcurl_la_LDFLAGS_EXTRA += $(VERSIONINFO)
+libcurl_impersonate_chrome_la_LDFLAGS_EXTRA += $(VERSIONINFO)
 endif
 
 if CURL_LT_SHLIB_USE_NO_UNDEFINED
-libcurl_la_LDFLAGS_EXTRA += -no-undefined
+libcurl_impersonate_chrome_la_LDFLAGS_EXTRA += -no-undefined
 endif
 
 if CURL_LT_SHLIB_USE_MIMPURE_TEXT
-libcurl_la_LDFLAGS_EXTRA += -mimpure-text
+libcurl_impersonate_chrome_la_LDFLAGS_EXTRA += -mimpure-text
 endif
 
 if CURL_LT_SHLIB_USE_VERSIONED_SYMBOLS
-libcurl_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers
+libcurl_impersonate_chrome_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers
 else
 # if symbol-hiding is enabled, hide them!
 if DOING_CURL_SYMBOL_HIDING
-libcurl_la_LDFLAGS_EXTRA += -export-symbols-regex '^curl_.*'
+libcurl_impersonate_chrome_la_LDFLAGS_EXTRA += -export-symbols-regex '^curl_.*'
 endif
 endif
 
 if USE_CPPFLAG_CURL_STATICLIB
-libcurl_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB
+libcurl_impersonate_chrome_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB
 else
 if HAVE_WINDRES
-libcurl_la_SOURCES += $(LIB_RCFILES)
+libcurl_impersonate_chrome_la_SOURCES += $(LIB_RCFILES)
 $(LIB_RCFILES): $(top_srcdir)/include/curl/curlver.h
 endif
 endif
 
 if DOING_CURL_SYMBOL_HIDING
-libcurl_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS
-libcurl_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING)
+libcurl_impersonate_chrome_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS
+libcurl_impersonate_chrome_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING)
 endif
 
-libcurl_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_la_CPPFLAGS_EXTRA)
-libcurl_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_la_LDFLAGS_EXTRA) $(CURL_LDFLAGS_LIB) $(LIBCURL_LIBS)
-libcurl_la_CFLAGS = $(AM_CFLAGS) $(libcurl_la_CFLAGS_EXTRA)
+libcurl_impersonate_chrome_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_impersonate_chrome_la_CPPFLAGS_EXTRA)
+libcurl_impersonate_chrome_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_impersonate_chrome_la_LDFLAGS_EXTRA) $(CURL_LDFLAGS_LIB) $(LIBCURL_LIBS)
+libcurl_impersonate_chrome_la_CFLAGS = $(AM_CFLAGS) $(libcurl_impersonate_chrome_la_CFLAGS_EXTRA)
 
 libcurlu_la_CPPFLAGS = $(AM_CPPFLAGS) -DCURL_STATICLIB -DUNITTESTS
 libcurlu_la_LDFLAGS = $(AM_LDFLAGS) -static $(LIBCURL_LIBS)
diff --git a/lib/Makefile.inc b/lib/Makefile.inc
index 400e2b1ac..ff3e479aa 100644
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@@ -177,6 +177,7 @@ LIB_CFILES =         \
   idn.c              \
   if2ip.c            \
   imap.c             \
+  impersonate.c      \
   inet_ntop.c        \
   inet_pton.c        \
   krb5.c             \
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index c1abf24e8..8e926dd2e 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data,
   struct zlib_writer *zp = (struct zlib_writer *) writer;
   z_stream *z = &zp->z;     /* zlib state structure */
 
-  if(!(type & CLIENTWRITE_BODY))
+  if(!(type & CLIENTWRITE_BODY) || !nbytes)
     return Curl_cwriter_write(data, writer->next, type, buf, nbytes);
 
   /* Set the compressed input when this function is called */
@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data,
   struct zlib_writer *zp = (struct zlib_writer *) writer;
   z_stream *z = &zp->z;     /* zlib state structure */
 
-  if(!(type & CLIENTWRITE_BODY))
+  if(!(type & CLIENTWRITE_BODY) || !nbytes)
     return Curl_cwriter_write(data, writer->next, type, buf, nbytes);
 
   if(zp->zlib_init == ZLIB_INIT_GZIP) {
@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data,
   CURLcode result = CURLE_OK;
   BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT;
 
-  if(!(type & CLIENTWRITE_BODY))
+  if(!(type & CLIENTWRITE_BODY) || !nbytes)
     return Curl_cwriter_write(data, writer->next, type, buf, nbytes);
 
   if(!bp->br)
@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data,
   ZSTD_outBuffer out;
   size_t errorCode;
 
-  if(!(type & CLIENTWRITE_BODY))
+  if(!(type & CLIENTWRITE_BODY) || !nbytes)
     return Curl_cwriter_write(data, writer->next, type, buf, nbytes);
 
   if(!zp->decomp) {
@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data,
   (void) buf;
   (void) nbytes;
 
-  if(!(type & CLIENTWRITE_BODY))
+  if(!(type & CLIENTWRITE_BODY) || !nbytes)
     return Curl_cwriter_write(data, writer->next, type, buf, nbytes);
 
   failf(data, "Unrecognized content encoding type. "
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
index 0f4db6982..dfabbefca 100644
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -796,3 +796,6 @@ ${SIZEOF_TIME_T_CODE}
 
 /* Define to 1 to enable TLS-SRP support. */
 #cmakedefine USE_TLS_SRP 1
+
+/* if ECH support is available */
+#cmakedefine USE_ECH 1
diff --git a/lib/dynhds.c b/lib/dynhds.c
index d7548959b..00f97506b 100644
--- a/lib/dynhds.c
+++ b/lib/dynhds.c
@@ -56,6 +56,8 @@ entry_new(const char *name, size_t namelen,
   e->valuelen = valuelen;
   if(opts & DYNHDS_OPT_LOWERCASE)
     Curl_strntolower(e->name, e->name, e->namelen);
+  if(opts & DYNHDS_OPT_LOWERCASE_VAL)
+    Curl_strntolower(e->value, e->value, e->valuelen);
   return e;
 }
 
@@ -138,6 +140,16 @@ void Curl_dynhds_set_opts(struct dynhds *dynhds, int opts)
   dynhds->opts = opts;
 }
 
+void Curl_dynhds_set_opt(struct dynhds *dynhds, int opt)
+{
+  dynhds->opts |= opt;
+}
+
+void Curl_dynhds_del_opt(struct dynhds *dynhds, int opt)
+{
+  dynhds->opts &= ~opt;
+}
+
 struct dynhds_entry *Curl_dynhds_getn(struct dynhds *dynhds, size_t n)
 {
   DEBUGASSERT(dynhds);
diff --git a/lib/dynhds.h b/lib/dynhds.h
index 3b536000a..d7135698f 100644
--- a/lib/dynhds.h
+++ b/lib/dynhds.h
@@ -53,6 +53,7 @@ struct dynhds {
 
 #define DYNHDS_OPT_NONE          (0)
 #define DYNHDS_OPT_LOWERCASE     (1 << 0)
+#define DYNHDS_OPT_LOWERCASE_VAL (1 << 1)
 
 /**
  * Init for use on first time or after a reset.
@@ -82,6 +83,8 @@ size_t Curl_dynhds_count(struct dynhds *dynhds);
  * This will not have an effect on already existing headers.
  */
 void Curl_dynhds_set_opts(struct dynhds *dynhds, int opts);
+void Curl_dynhds_set_opt(struct dynhds *dynhds, int opt);
+void Curl_dynhds_del_opt(struct dynhds *dynhds, int opt);
 
 /**
  * Return the n-th header entry or NULL if it does not exist.
diff --git a/lib/easy.c b/lib/easy.c
index dc4870608..4746133e9 100644
--- a/lib/easy.c
+++ b/lib/easy.c
@@ -75,6 +75,8 @@
 #include "dynbuf.h"
 #include "altsvc.h"
 #include "hsts.h"
+#include "strcase.h"
+#include "impersonate.h"
 
 #include "easy_lock.h"
 
@@ -342,6 +344,221 @@ CURLsslset curl_global_sslset(curl_sslbackend id, const char *name,
   return rc;
 }
 
+
+/*
+ * curl-impersonate:
+ * Actually call curl_easy_setopt() with all the needed options
+ * */
+static CURLcode _do_impersonate(struct Curl_easy *data,
+                        const struct impersonate_opts *opts,
+                        int default_headers)
+{
+  int i;
+  int ret;
+  struct curl_slist *headers = NULL;
+
+  if(opts->target == NULL) {
+    DEBUGF(fprintf(stderr, "Error: unknown impersonation target '%s'\n",
+                   opts->target));
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+  }
+
+  if(opts->httpversion != CURL_HTTP_VERSION_NONE) {
+    ret = curl_easy_setopt(data, CURLOPT_HTTP_VERSION, opts->httpversion);
+    if(ret)
+      return ret;
+  }
+
+  if (opts->ssl_version != CURL_SSLVERSION_DEFAULT) {
+    ret = curl_easy_setopt(data, CURLOPT_SSLVERSION, opts->ssl_version);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->ciphers) {
+    ret = curl_easy_setopt(data, CURLOPT_SSL_CIPHER_LIST, opts->ciphers);
+    if (ret)
+      return ret;
+  }
+
+  if(opts->curves) {
+    ret = curl_easy_setopt(data, CURLOPT_SSL_EC_CURVES, opts->curves);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->sig_hash_algs) {
+    ret = curl_easy_setopt(data, CURLOPT_SSL_SIG_HASH_ALGS,
+                           opts->sig_hash_algs);
+    if(ret)
+      return ret;
+  }
+
+  ret = curl_easy_setopt(data, CURLOPT_SSL_ENABLE_NPN, opts->npn ? 1 : 0);
+  if(ret)
+    return ret;
+
+  ret = curl_easy_setopt(data, CURLOPT_SSL_ENABLE_ALPN, opts->alpn ? 1 : 0);
+  if(ret)
+    return ret;
+
+  ret = curl_easy_setopt(data, CURLOPT_SSL_ENABLE_ALPS, opts->alps ? 1 : 0);
+  if(ret)
+    return ret;
+
+  ret = curl_easy_setopt(data, CURLOPT_SSL_ENABLE_TICKET,
+                         opts->tls_session_ticket ? 1 : 0);
+  if(ret)
+    return ret;
+
+  // always enable this for browsers
+  ret = curl_easy_setopt(data, CURLOPT_TLS_SIGNED_CERT_TIMESTAMPS, 1);
+  if(ret)
+    return ret;
+
+  // always enable this for browsers
+  ret = curl_easy_setopt(data, CURLOPT_TLS_STATUS_REQUEST, 1);
+  if(ret)
+    return ret;
+
+  if(opts->tls_permute_extensions) {
+    ret = curl_easy_setopt(data, CURLOPT_SSL_PERMUTE_EXTENSIONS, 1);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->cert_compression) {
+    ret = curl_easy_setopt(data,
+                           CURLOPT_SSL_CERT_COMPRESSION,
+                           opts->cert_compression);
+    if(ret)
+      return ret;
+  }
+
+  if(default_headers) {
+    /* Build a linked list out of the static array of headers. */
+    for(i = 0; i < IMPERSONATE_MAX_HEADERS; i++) {
+      if(opts->http_headers[i]) {
+        headers = curl_slist_append(headers, opts->http_headers[i]);
+        if(!headers) {
+          return CURLE_OUT_OF_MEMORY;
+        }
+      }
+    }
+
+    if(headers) {
+      ret = curl_easy_setopt(data, CURLOPT_HTTPBASEHEADER, headers);
+      curl_slist_free_all(headers);
+      if(ret)
+        return ret;
+    }
+  }
+
+  if(opts->http2_pseudo_headers_order) {
+    ret = curl_easy_setopt(data,
+                           CURLOPT_HTTP2_PSEUDO_HEADERS_ORDER,
+                           opts->http2_pseudo_headers_order);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->http2_settings) {
+    ret = curl_easy_setopt(data, CURLOPT_HTTP2_SETTINGS, opts->http2_settings);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->http2_window_update) {
+    ret = curl_easy_setopt(data, CURLOPT_HTTP2_WINDOW_UPDATE, opts->http2_window_update);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->http2_streams) {
+    ret = curl_easy_setopt(data, CURLOPT_HTTP2_STREAMS, opts->http2_streams);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->ech) {
+    ret = curl_easy_setopt(data, CURLOPT_ECH, opts->ech);
+    if(ret)
+      return ret;
+  }
+
+  if(opts->tls_grease) {
+    ret = curl_easy_setopt(data, CURLOPT_TLS_GREASE, opts->tls_grease);
+  }
+
+  if(opts->tls_extension_order) {
+    // printf("setting extension order as: %s\n", opts->tls_extension_order);
+    ret = curl_easy_setopt(data, CURLOPT_TLS_EXTENSION_ORDER, opts->tls_extension_order);
+  }
+
+  if(opts->http2_stream_weight) {
+    ret = curl_easy_setopt(data, CURLOPT_STREAM_WEIGHT, opts->http2_stream_weight);
+  }
+
+  if(opts->http2_stream_exclusive) {
+    ret = curl_easy_setopt(data, CURLOPT_STREAM_EXCLUSIVE, opts->http2_stream_exclusive);
+  }
+
+  /* Always enable all supported compressions. */
+  ret = curl_easy_setopt(data, CURLOPT_ACCEPT_ENCODING, "");
+  if(ret)
+    return ret;
+
+  return CURLE_OK;
+}
+
+
+/*
+ * curl-impersonate:
+ * Call curl_easy_setopt() with all the needed options as defined by the target
+ * */
+CURLcode curl_easy_impersonate_customized(struct Curl_easy *data,
+                                          const struct impersonate_opts *opts,
+                                          int default_headers)
+{
+  int ret;
+
+  ret = _do_impersonate(data, opts, default_headers);
+  if(ret)
+    return ret;
+
+  return CURLE_OK;
+}
+
+/*
+ * curl-impersonate:
+ * Call curl_easy_setopt() with all the needed options as defined in the
+ * 'impersonations' array.
+ * */
+CURLcode curl_easy_impersonate(struct Curl_easy *data, const char *target,
+                               int default_headers)
+{
+  int ret;
+  const struct impersonate_opts *opts = NULL;
+
+  for(opts = impersonations; opts->target != NULL; opts++) {
+    if (strcasecompare(target, opts->target)) {
+      break;
+    }
+  }
+
+  if(opts->target == NULL) {
+    DEBUGF(fprintf(stderr, "Error: unknown impersonation target '%s'\n",
+                   target));
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+  }
+
+  ret = _do_impersonate(data, opts, default_headers);
+  if(ret)
+    return ret;
+
+  return CURLE_OK;
+}
+
 /*
  * curl_easy_init() is the external interface to alloc, setup and init an
  * easy handle that is returned. If anything goes wrong, NULL is returned.
@@ -350,6 +567,8 @@ struct Curl_easy *curl_easy_init(void)
 {
   CURLcode result;
   struct Curl_easy *data;
+  char *env_target;
+  char *env_headers;
 
   /* Make sure we inited the global SSL stuff */
   global_init_lock();
@@ -372,6 +591,29 @@ struct Curl_easy *curl_easy_init(void)
     return NULL;
   }
 
+  /*
+   * curl-impersonate: Hook into curl_easy_init() to set the required options
+   * from an environment variable.
+   * This is a bit hacky but allows seamless integration of libcurl-impersonate
+   * without code modifications to the app.
+   */
+  env_target = curl_getenv("CURL_IMPERSONATE");
+  if(env_target) {
+    env_headers = curl_getenv("CURL_IMPERSONATE_HEADERS");
+    if(env_headers) {
+      result = curl_easy_impersonate(data, env_target,
+                                     !strcasecompare(env_headers, "no"));
+      free(env_headers);
+    } else {
+      result = curl_easy_impersonate(data, env_target, true);
+    }
+    free(env_target);
+    if(result) {
+      Curl_close(&data);
+      return NULL;
+    }
+  }
+
   return data;
 }
 
@@ -952,6 +1194,13 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
     outcurl->state.referer_alloc = TRUE;
   }
 
+  if(data->state.base_headers) {
+    outcurl->state.base_headers =
+      Curl_slist_duplicate(data->state.base_headers);
+    if(!outcurl->state.base_headers)
+      goto fail;
+  }
+
   /* Reinitialize an SSL engine for the new handle
    * note: the engine name has already been copied by dupset */
   if(outcurl->set.str[STRING_SSL_ENGINE]) {
@@ -1040,6 +1289,9 @@ fail:
  */
 void curl_easy_reset(struct Curl_easy *data)
 {
+  char *env_target;
+  char *env_headers;
+
   Curl_req_hard_reset(&data->req, data);
 
   /* zero out UserDefined data: */
@@ -1064,6 +1316,23 @@ void curl_easy_reset(struct Curl_easy *data)
 #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
   Curl_http_auth_cleanup_digest(data);
 #endif
+
+  /*
+   * curl-impersonate: Hook into curl_easy_reset() to set the required options
+   * from an environment variable, just like in curl_easy_init().
+   */
+  env_target = curl_getenv("CURL_IMPERSONATE");
+  if(env_target) {
+    env_headers = curl_getenv("CURL_IMPERSONATE_HEADERS");
+    if(env_headers) {
+      curl_easy_impersonate(data, env_target,
+                            !strcasecompare(env_headers, "no"));
+      free(env_headers);
+    } else {
+      curl_easy_impersonate(data, env_target, true);
+    }
+    free(env_target);
+  }
 }
 
 /*
diff --git a/lib/easyoptions.c b/lib/easyoptions.c
index 9c4438a10..56eabf082 100644
--- a/lib/easyoptions.c
+++ b/lib/easyoptions.c
@@ -86,6 +86,7 @@ struct curl_easyoption Curl_easyopts[] = {
   {"DOH_SSL_VERIFYPEER", CURLOPT_DOH_SSL_VERIFYPEER, CURLOT_LONG, 0},
   {"DOH_SSL_VERIFYSTATUS", CURLOPT_DOH_SSL_VERIFYSTATUS, CURLOT_LONG, 0},
   {"DOH_URL", CURLOPT_DOH_URL, CURLOT_STRING, 0},
+  {"ECH", CURLOPT_ECH, CURLOT_STRING, 0},
   {"EGDSOCKET", CURLOPT_EGDSOCKET, CURLOT_STRING, 0},
   {"ENCODING", CURLOPT_ACCEPT_ENCODING, CURLOT_STRING, CURLOT_FLAG_ALIAS},
   {"ERRORBUFFER", CURLOPT_ERRORBUFFER, CURLOT_OBJECT, 0},
@@ -133,8 +134,14 @@ struct curl_easyoption Curl_easyopts[] = {
   {"HSTS_CTRL", CURLOPT_HSTS_CTRL, CURLOT_LONG, 0},
   {"HTTP09_ALLOWED", CURLOPT_HTTP09_ALLOWED, CURLOT_LONG, 0},
   {"HTTP200ALIASES", CURLOPT_HTTP200ALIASES, CURLOT_SLIST, 0},
+  {"HTTP2_PSEUDO_HEADERS_ORDER", CURLOPT_HTTP2_PSEUDO_HEADERS_ORDER,
+      CURLOT_STRING, 0},
+  {"HTTP2_SETTINGS", CURLOPT_HTTP2_SETTINGS, CURLOT_STRING, 0},
+  {"HTTP2_STREAMS", CURLOPT_HTTP2_STREAMS, CURLOT_STRING, 0},
+  {"HTTP2_WINDOW_UPDATE", CURLOPT_HTTP2_WINDOW_UPDATE, CURLOT_LONG, 0},
   {"HTTPAUTH", CURLOPT_HTTPAUTH, CURLOT_VALUES, 0},
   {"HTTPGET", CURLOPT_HTTPGET, CURLOT_LONG, 0},
+  {"HTTPBASEHEADER", CURLOPT_HTTPBASEHEADER, CURLOT_SLIST, 0},
   {"HTTPHEADER", CURLOPT_HTTPHEADER, CURLOT_SLIST, 0},
   {"HTTPPOST", CURLOPT_HTTPPOST, CURLOT_OBJECT, 0},
   {"HTTPPROXYTUNNEL", CURLOPT_HTTPPROXYTUNNEL, CURLOT_LONG, 0},
@@ -307,22 +314,28 @@ struct curl_easyoption Curl_easyopts[] = {
   {"SSLKEYTYPE", CURLOPT_SSLKEYTYPE, CURLOT_STRING, 0},
   {"SSLKEY_BLOB", CURLOPT_SSLKEY_BLOB, CURLOT_BLOB, 0},
   {"SSLVERSION", CURLOPT_SSLVERSION, CURLOT_VALUES, 0},
+  {"SSL_CERT_COMPRESSION", CURLOPT_SSL_CERT_COMPRESSION, CURLOT_STRING, 0},
   {"SSL_CIPHER_LIST", CURLOPT_SSL_CIPHER_LIST, CURLOT_STRING, 0},
   {"SSL_CTX_DATA", CURLOPT_SSL_CTX_DATA, CURLOT_CBPTR, 0},
   {"SSL_CTX_FUNCTION", CURLOPT_SSL_CTX_FUNCTION, CURLOT_FUNCTION, 0},
   {"SSL_EC_CURVES", CURLOPT_SSL_EC_CURVES, CURLOT_STRING, 0},
   {"SSL_ENABLE_ALPN", CURLOPT_SSL_ENABLE_ALPN, CURLOT_LONG, 0},
+  {"SSL_ENABLE_ALPS", CURLOPT_SSL_ENABLE_ALPS, CURLOT_LONG, 0},
   {"SSL_ENABLE_NPN", CURLOPT_SSL_ENABLE_NPN, CURLOT_LONG, 0},
+  {"SSL_ENABLE_TICKET", CURLOPT_SSL_ENABLE_TICKET, CURLOT_LONG, 0},
   {"SSL_FALSESTART", CURLOPT_SSL_FALSESTART, CURLOT_LONG, 0},
   {"SSL_OPTIONS", CURLOPT_SSL_OPTIONS, CURLOT_VALUES, 0},
   {"SSL_SESSIONID_CACHE", CURLOPT_SSL_SESSIONID_CACHE, CURLOT_LONG, 0},
+  {"SSL_SIG_HASH_ALGS", CURLOPT_SSL_SIG_HASH_ALGS, CURLOT_STRING, 0},
   {"SSL_VERIFYHOST", CURLOPT_SSL_VERIFYHOST, CURLOT_LONG, 0},
   {"SSL_VERIFYPEER", CURLOPT_SSL_VERIFYPEER, CURLOT_LONG, 0},
   {"SSL_VERIFYSTATUS", CURLOPT_SSL_VERIFYSTATUS, CURLOT_LONG, 0},
+  {"SSL_PERMUTE_EXTENSIONS", CURLOPT_SSL_PERMUTE_EXTENSIONS, CURLOT_LONG, 0},
   {"STDERR", CURLOPT_STDERR, CURLOT_OBJECT, 0},
   {"STREAM_DEPENDS", CURLOPT_STREAM_DEPENDS, CURLOT_OBJECT, 0},
   {"STREAM_DEPENDS_E", CURLOPT_STREAM_DEPENDS_E, CURLOT_OBJECT, 0},
   {"STREAM_WEIGHT", CURLOPT_STREAM_WEIGHT, CURLOT_LONG, 0},
+  {"STREAM_EXCLUSIVE", CURLOPT_STREAM_EXCLUSIVE, CURLOT_LONG, 0},
   {"SUPPRESS_CONNECT_HEADERS", CURLOPT_SUPPRESS_CONNECT_HEADERS,
    CURLOT_LONG, 0},
   {"TCP_FASTOPEN", CURLOPT_TCP_FASTOPEN, CURLOT_LONG, 0},
@@ -342,6 +355,11 @@ struct curl_easyoption Curl_easyopts[] = {
   {"TLSAUTH_PASSWORD", CURLOPT_TLSAUTH_PASSWORD, CURLOT_STRING, 0},
   {"TLSAUTH_TYPE", CURLOPT_TLSAUTH_TYPE, CURLOT_STRING, 0},
   {"TLSAUTH_USERNAME", CURLOPT_TLSAUTH_USERNAME, CURLOT_STRING, 0},
+  {"TLS_EXTENSION_ORDER", CURLOPT_TLS_EXTENSION_ORDER, CURLOT_STRING, 0},
+  {"TLS_GREASE", CURLOPT_TLS_GREASE, CURLOT_LONG, 0},
+  {"TLS_KEY_USAGE_NO_CHECK", CURLOPT_TLS_KEY_USAGE_NO_CHECK, CURLOT_LONG, 0},
+  {"TLS_SIGNED_CERT_TIMESTAMPS", CURLOPT_TLS_SIGNED_CERT_TIMESTAMPS, CURLOT_LONG, 0},
+  {"TLS_STATUS_REQUEST", CURLOPT_TLS_STATUS_REQUEST, CURLOT_LONG, 0},
   {"TRAILERDATA", CURLOPT_TRAILERDATA, CURLOT_CBPTR, 0},
   {"TRAILERFUNCTION", CURLOPT_TRAILERFUNCTION, CURLOT_FUNCTION, 0},
   {"TRANSFERTEXT", CURLOPT_TRANSFERTEXT, CURLOT_LONG, 0},
@@ -375,6 +393,6 @@ struct curl_easyoption Curl_easyopts[] = {
  */
 int Curl_easyopts_check(void)
 {
-  return ((CURLOPT_LASTENTRY%10000) != (324 + 1));
+  return ((CURLOPT_LASTENTRY%10000) != (1013 + 1));
 }
 #endif
diff --git a/lib/http.c b/lib/http.c
index 92c04e69c..84ece2a16 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -91,6 +91,7 @@
 #include "ws.h"
 #include "c-hyper.h"
 #include "curl_ctype.h"
+#include "slist.h"
 
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
@@ -1451,6 +1452,15 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
   int numlists = 1; /* by default */
   int i;
 
+  /*
+   * curl-impersonate: Use the merged list of headers if it exists (i.e. when
+   * the CURLOPT_HTTPBASEHEADER option was set.
+   */
+  struct curl_slist *noproxyheaders =
+    (data->state.merged_headers ?
+     data->state.merged_headers :
+     data->set.headers);
+
 #ifndef CURL_DISABLE_PROXY
   enum proxy_use proxy;
 
@@ -1462,10 +1472,10 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
 
   switch(proxy) {
   case HEADER_SERVER:
-    h[0] = data->set.headers;
+    h[0] = noproxyheaders;
     break;
   case HEADER_PROXY:
-    h[0] = data->set.headers;
+    h[0] = noproxyheaders;
     if(data->set.sep_headers) {
       h[1] = data->set.proxyheaders;
       numlists++;
@@ -1475,12 +1485,12 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
     if(data->set.sep_headers)
       h[0] = data->set.proxyheaders;
     else
-      h[0] = data->set.headers;
+      h[0] = noproxyheaders;
     break;
   }
 #else
   (void)is_connect;
-  h[0] = data->set.headers;
+  h[0] = noproxyheaders;
 #endif
 
   /* loop through one or two lists */
@@ -1717,6 +1727,108 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn,
   *reqp = httpreq;
 }
 
+/*
+ * curl-impersonate:
+ * Create a new linked list of headers.
+ * The new list is a merge between the "base" headers and the application given
+ * headers. The "base" headers contain curl-impersonate's list of headers
+ * used by default by the impersonated browser.
+ *
+ * The application given headers will override the "base" headers if supplied.
+ */
+CURLcode Curl_http_merge_headers(struct Curl_easy *data)
+{
+  int i;
+  int ret;
+  struct curl_slist *head;
+  struct curl_slist *dup = NULL;
+  struct curl_slist *new_list = NULL;
+  char *uagent;
+
+  if (!data->state.base_headers)
+    return CURLE_OK;
+
+  /* Duplicate the list for temporary use. */
+  if (data->set.headers) {
+    dup = Curl_slist_duplicate(data->set.headers);
+    if(!dup)
+      return CURLE_OUT_OF_MEMORY;
+  }
+
+  for(head = data->state.base_headers; head; head = head->next) {
+    char *sep;
+    size_t prefix_len;
+    bool found = FALSE;
+    struct curl_slist *head2;
+
+    sep = strchr(head->data, ':');
+    if(!sep)
+      continue;
+
+    prefix_len = sep - head->data;
+
+    /* Check if this header was added by the application. */
+    for(head2 = dup; head2; head2 = head2->next) {
+      if(head2->data &&
+         strncasecompare(head2->data, head->data, prefix_len) &&
+         Curl_headersep(head2->data[prefix_len]) ) {
+        new_list = curl_slist_append(new_list, head2->data);
+        /* Free and set to NULL to mark that it's been added. */
+        Curl_safefree(head2->data);
+        found = TRUE;
+        break;
+      }
+    }
+
+    /* If the user agent was set with CURLOPT_USERAGENT, but not with
+     * CURLOPT_HTTPHEADER, take it from there instead. */
+    if(!found &&
+       strncasecompare(head->data, "User-Agent", prefix_len) &&
+       data->set.str[STRING_USERAGENT] &&
+       *data->set.str[STRING_USERAGENT]) {
+      uagent = aprintf("User-Agent: %s", data->set.str[STRING_USERAGENT]);
+      if(!uagent) {
+        ret = CURLE_OUT_OF_MEMORY;
+        goto fail;
+      }
+      new_list = Curl_slist_append_nodup(new_list, uagent);
+      found = TRUE;
+    }
+
+    if (!found) {
+      new_list = curl_slist_append(new_list, head->data);
+    }
+
+    if (!new_list) {
+      ret = CURLE_OUT_OF_MEMORY;
+      goto fail;
+    }
+  }
+
+  /* Now go over any additional application-supplied headers. */
+  for(head = dup; head; head = head->next) {
+    if(head->data) {
+      new_list = curl_slist_append(new_list, head->data);
+      if(!new_list) {
+        ret = CURLE_OUT_OF_MEMORY;
+        goto fail;
+      }
+    }
+  }
+
+  curl_slist_free_all(dup);
+  /* Save the new, merged list separately, so it can be freed later. */
+  curl_slist_free_all(data->state.merged_headers);
+  data->state.merged_headers = new_list;
+
+  return CURLE_OK;
+
+fail:
+  Curl_safefree(dup);
+  curl_slist_free_all(new_list);
+  return ret;
+}
+
 CURLcode Curl_http_useragent(struct Curl_easy *data)
 {
   /* The User-Agent string might have been allocated in url.c already, because
@@ -2558,6 +2670,11 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
   if(result)
     goto fail;
 
+  /* curl-impersonate: Add HTTP headers to impersonate real browsers. */
+  result = Curl_http_merge_headers(data);
+  if (result)
+    return result;
+
   result = Curl_http_host(data, conn);
   if(result)
     goto fail;
@@ -4269,12 +4386,41 @@ static bool h2_non_field(const char *name, size_t namelen)
   return FALSE;
 }
 
+/*
+ * curl-impersonate:
+ * Determine the position of HTTP/2 pseudo headers.
+ * The pseudo headers ":method", ":path", ":scheme", ":authority"
+ * are sent in different order by different browsers. An important part of the
+ * impersonation is ordering them like the browser does.
+ */
+static CURLcode h2_check_pseudo_header_order(const char *order)
+{
+  if(strlen(order) != 4)
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+
+  // :method should always be first
+  if(order[0] != 'm')
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+
+  // All pseudo-headers must be present
+  if(!strchr(order, 'm') ||
+     !strchr(order, 'a') ||
+     !strchr(order, 's') ||
+     !strchr(order, 'p'))
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+
+  return CURLE_OK;
+}
+
 CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers,
                              struct httpreq *req, struct Curl_easy *data)
 {
   const char *scheme = NULL, *authority = NULL;
   struct dynhds_entry *e;
   size_t i;
+  // Use the Chrome ordering by default:
+  // :method, :authority, :scheme, :path
+  char *order = "masp";
   CURLcode result;
 
   DEBUGASSERT(req);
@@ -4308,25 +4454,56 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers,
 
   Curl_dynhds_reset(h2_headers);
   Curl_dynhds_set_opts(h2_headers, DYNHDS_OPT_LOWERCASE);
-  result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_METHOD),
-                           req->method, strlen(req->method));
-  if(!result && scheme) {
-    result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_SCHEME),
-                             scheme, strlen(scheme));
-  }
-  if(!result && authority) {
-    result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_AUTHORITY),
-                             authority, strlen(authority));
+
+  /* curl-impersonate: order of pseudo headers is different from the default */
+  if(data->set.str[STRING_HTTP2_PSEUDO_HEADERS_ORDER]) {
+    order = data->set.str[STRING_HTTP2_PSEUDO_HEADERS_ORDER];
   }
-  if(!result && req->path) {
-    result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_PATH),
-                             req->path, strlen(req->path));
+
+  result = h2_check_pseudo_header_order(order);
+
+  /* curl-impersonate: add http2 pseudo headers according to the specified order. */
+  for(i = 0; !result && i < strlen(order); ++i) {
+    switch(order[i]) {
+      case 'm':
+        result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_METHOD),
+                                 req->method, strlen(req->method));
+        break;
+      case 'a':
+        if(authority) {
+          result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_AUTHORITY),
+                                   authority, strlen(authority));
+        }
+        break;
+      case 's':
+        if(scheme) {
+          result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_SCHEME),
+                                   scheme, strlen(scheme));
+        }
+        break;
+      case 'p':
+        if(req->path) {
+          result = Curl_dynhds_add(h2_headers, STRCONST(HTTP_PSEUDO_PATH),
+                                   req->path, strlen(req->path));
+        }
+        break;
+    }
   }
+
   for(i = 0; !result && i < Curl_dynhds_count(&req->headers); ++i) {
     e = Curl_dynhds_getn(&req->headers, i);
     if(!h2_non_field(e->name, e->namelen)) {
+      /* curl-impersonate:
+       * Some HTTP/2 servers reject 'te' header value that is not lowercase (e.g. 'Trailers).
+       * Convert to lowercase explicitly.
+       */
+      if(e->namelen == 2 && strcasecompare(e->name, "te"))
+        Curl_dynhds_set_opt(h2_headers, DYNHDS_OPT_LOWERCASE_VAL);
+
       result = Curl_dynhds_add(h2_headers, e->name, e->namelen,
                                e->value, e->valuelen);
+
+      Curl_dynhds_del_opt(h2_headers, DYNHDS_OPT_LOWERCASE_VAL);
     }
   }
 
diff --git a/lib/http2.c b/lib/http2.c
index 99d7f3b0e..da160907e 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -51,6 +51,7 @@
 #include "curl_printf.h"
 #include "curl_memory.h"
 #include "memdebug.h"
+#include "rand.h"
 
 #if (NGHTTP2_VERSION_NUM < 0x010c00)
 #error too old nghttp2 version, upgrade!
@@ -69,7 +70,7 @@
  * use 16K as chunk size, as that fits H2 DATA frames well */
 #define H2_CHUNK_SIZE           (16 * 1024)
 /* this is how much we want "in flight" for a stream */
-#define H2_STREAM_WINDOW_SIZE   (10 * 1024 * 1024)
+#define H2_STREAM_WINDOW_SIZE   (1024 * 1024)
 /* on receiving from TLS, we prep for holding a full stream window */
 #define H2_NW_RECV_CHUNKS       (H2_STREAM_WINDOW_SIZE / H2_CHUNK_SIZE)
 /* on send into TLS, we just want to accumulate small frames */
@@ -87,26 +88,87 @@
  * will block their received QUOTA in the connection window. And if we
  * run out of space, the server is blocked from sending us any data.
  * See #10988 for an issue with this. */
-#define HTTP2_HUGE_WINDOW_SIZE (100 * H2_STREAM_WINDOW_SIZE)
+/* curl-impersonate: match Chrome window size. */
+#define HTTP2_HUGE_WINDOW_SIZE (15 * H2_STREAM_WINDOW_SIZE)
 
-#define H2_SETTINGS_IV_LEN  3
+#define H2_SETTINGS_IV_LEN  8
 #define H2_BINSETTINGS_LEN 80
 
+
 static int populate_settings(nghttp2_settings_entry *iv,
                              struct Curl_easy *data)
 {
-  iv[0].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS;
-  iv[0].value = Curl_multi_max_concurrent_streams(data->multi);
+  // curl-impersonate:
+  // Setting http2 settings frame based on user instruction.
+  // https://httpwg.org/specs/rfc7540.html#SETTINGS
+  // Format example: 1:65536;2:0;4:6291456;6:262144
+
+  // TODO check if the http2 settings is valid
+  int i = 0;
+  char *delimiter = ";";
+
+  // Use chrome's settings as default
+  char *http2_settings = "1:65536;2:0;4:6291456;6:262144";
+  if(data->set.str[STRING_HTTP2_SETTINGS]) {
+    http2_settings = data->set.str[STRING_HTTP2_SETTINGS];
+  }
 
-  iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
-  iv[1].value = H2_STREAM_WINDOW_SIZE;
+  // printf("USING settings %s\n", http2_settings);
 
-  iv[2].settings_id = NGHTTP2_SETTINGS_ENABLE_PUSH;
-  iv[2].value = data->multi->push_cb != NULL;
+  char *tmp = strdup(http2_settings);
+  char *setting = strtok(tmp, delimiter);
 
-  return 3;
+  // loop through the string to extract all other tokens
+  while(setting != NULL) {
+    // deal with each setting
+    switch(setting[0]) {
+      case '1':
+        iv[i].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
+        iv[i].value = atoi(setting + 2);
+        i++;
+        break;
+      case '2':
+        iv[i].settings_id = NGHTTP2_SETTINGS_ENABLE_PUSH;
+        iv[i].value = atoi(setting + 2);
+        i++;
+        break;
+      case '3':
+        // FIXME We also need to notify curl_multi about this setting
+        iv[i].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS;
+        iv[i].value = atoi(setting + 2);
+        i++;
+        break;
+      case '4':
+        iv[i].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
+        iv[i].value = atoi(setting + 2);
+        i++;
+        break;
+      case '5':
+        iv[i].settings_id = NGHTTP2_SETTINGS_MAX_FRAME_SIZE;
+        iv[i].value = atoi(setting + 2);
+        i++;
+        break;
+      case '6':
+        iv[i].settings_id = NGHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE;
+        iv[i].value = atoi(setting + 2);
+        i++;
+        break;
+    }
+    setting = strtok(NULL, delimiter);
+  }
+  free(tmp);
+
+  // curl-impersonate:
+  // Up until Chrome 98, there was a randomly chosen setting number in the
+  // HTTP2 SETTINGS frame. This might be something similar to TLS GREASE.
+  // However, it seems to have been removed since.
+  // Curl_rand(data, (unsigned char *)&iv[4].settings_id, sizeof(iv[4].settings_id));
+  // Curl_rand(data, (unsigned char *)&iv[4].value, sizeof(iv[4].value));
+
+  return i;
 }
 
+
 static ssize_t populate_binsettings(uint8_t *binsettings,
                                     struct Curl_easy *data)
 {
@@ -165,6 +227,75 @@ static void cf_h2_ctx_free(struct cf_h2_ctx *ctx)
   }
 }
 
+static CURLcode http2_set_stream_priority(struct Curl_cfilter *cf,
+                                          struct Curl_easy *data,
+                                          int32_t stream_id,
+                                          int32_t dep_stream_id,
+                                          int32_t weight,
+                                          int exclusive
+                                          )
+{
+  int rv;
+  struct cf_h2_ctx *ctx = cf->ctx;
+  nghttp2_priority_spec pri_spec;
+
+  nghttp2_priority_spec_init(&pri_spec, dep_stream_id, weight, exclusive);
+  rv = nghttp2_submit_priority(ctx->h2, NGHTTP2_FLAG_NONE,
+                               stream_id, &pri_spec);
+  if(rv) {
+    failf(data, "nghttp2_submit_priority() failed: %s(%d)",
+          nghttp2_strerror(rv), rv);
+    return CURLE_HTTP2;
+  }
+
+  return CURLE_OK;
+}
+
+/*
+ * curl-impersonate: Firefox uses an elaborate scheme of http/2 streams to
+ * split the load for html/js/css/images. It builds a tree of streams with
+ * different weights (priorities) by default and communicates this to the
+ * server. Imitate that behavior.
+ */
+static CURLcode http2_set_stream_priorities(struct Curl_cfilter *cf,
+                                            struct Curl_easy *data)
+{
+  CURLcode result;
+  char *stream_delimiter = ",";
+  char *value_delimiter = ":";
+
+  if(!data->set.str[STRING_HTTP2_STREAMS])
+    return CURLE_OK;
+
+  char *tmp1 = strdup(data->set.str[STRING_HTTP2_STREAMS]);
+  char *end1;
+  char *stream = strtok_r(tmp1, stream_delimiter, &end1);
+
+  while(stream != NULL) {
+
+    char *tmp2 = strdup(stream);
+    char *end2;
+
+    int32_t stream_id = atoi(strtok_r(tmp2, value_delimiter, &end2));
+    int exclusive = atoi(strtok_r(NULL, value_delimiter, &end2));
+    int32_t dep_stream_id = atoi(strtok_r(NULL, value_delimiter, &end2));
+    int32_t weight = atoi(strtok_r(NULL, value_delimiter, &end2));
+
+    free(tmp2);
+
+    result = http2_set_stream_priority(cf, data, stream_id, dep_stream_id, weight, exclusive);
+    if(result) {
+      free(tmp1);
+      return result;
+    }
+
+    stream = strtok_r(NULL, stream_delimiter, &end1);
+  }
+
+  free(tmp1);
+  return CURLE_OK;
+}
+
 static CURLcode h2_progress_egress(struct Curl_cfilter *cf,
                                   struct Curl_easy *data);
 
@@ -491,8 +622,22 @@ static CURLcode cf_h2_ctx_init(struct Curl_cfilter *cf,
     }
   }
 
-  rc = nghttp2_session_set_local_window_size(ctx->h2, NGHTTP2_FLAG_NONE, 0,
-                                             HTTP2_HUGE_WINDOW_SIZE);
+  // curl-impersonate:
+  // Directly changing the initial window update using users' settings.
+  int current_window_size = nghttp2_session_get_local_window_size(ctx->h2);
+
+  // Use chrome's value as default
+  int window_update = 15663105;
+  if(data->set.http2_window_update) {
+    window_update = data->set.http2_window_update;
+  }
+
+  // printf("Using window update %d\n", window_update);
+
+  rc = nghttp2_session_set_local_window_size(
+      ctx->h2, NGHTTP2_FLAG_NONE, 0,
+      current_window_size + window_update);
+
   if(rc) {
     failf(data, "nghttp2_session_set_local_window_size() failed: %s(%d)",
           nghttp2_strerror(rc), rc);
@@ -500,6 +645,16 @@ static CURLcode cf_h2_ctx_init(struct Curl_cfilter *cf,
     goto out;
   }
 
+  // curl-impersonate: set stream priorities
+  result = http2_set_stream_priorities(cf, data);
+  if(result)
+    goto out;
+
+#define FIREFOX_DEFAULT_STREAM_ID   (15)
+  /* Best effort to set the request's stream id to 15, like Firefox does. */
+  // Let's ignore this for now, as it seems not to be targeted as fingerprints.
+  // nghttp2_session_set_next_stream_id(ctx->h2, FIREFOX_DEFAULT_STREAM_ID);
+
   /* all set, traffic will be send on connect */
   result = CURLE_OK;
   CURL_TRC_CF(data, cf, "[0] created h2 session%s",
@@ -1716,11 +1871,19 @@ out:
   return rv;
 }
 
+/*
+ * curl-impersonate: Use Chrome's default HTTP/2 stream weight
+ * instead of NGINX default stream weight.
+ */
+#define CHROME_DEFAULT_STREAM_WEIGHT    (256)
+#define SAFARI_DEFAULT_STREAM_WEIGHT    (255)
+#define FIREFOX_DEFAULT_STREAM_WEIGHT   (42)
+
 static int sweight_wanted(const struct Curl_easy *data)
 {
   /* 0 weight is not set by user and we take the nghttp2 default one */
   return data->set.priority.weight?
-    data->set.priority.weight : NGHTTP2_DEFAULT_WEIGHT;
+    data->set.priority.weight : CHROME_DEFAULT_STREAM_WEIGHT;
 }
 
 static int sweight_in_effect(const struct Curl_easy *data)
@@ -1736,12 +1899,23 @@ static int sweight_in_effect(const struct Curl_easy *data)
  * struct.
  */
 
+/*
+ * curl-impersonate: By default Firefox uses stream 13 as the "parent" of the
+ * stream that fetches the main html resource of the web page.
+ */
+#define FIREFOX_DEFAULT_STREAM_DEP  (13)
+
 static void h2_pri_spec(struct Curl_easy *data,
                         nghttp2_priority_spec *pri_spec)
 {
   struct Curl_data_priority *prio = &data->set.priority;
   struct h2_stream_ctx *depstream = H2_STREAM_CTX(prio->parent);
   int32_t depstream_id = depstream? depstream->id:0;
+  // int32_t depstream_id = depstream? depstream->id:FIREFOX_DEFAULT_STREAM_DEP;
+
+  /* curl-impersonate: Set stream exclusive flag based on user option.
+   * Use data->set, not data->state.
+   */
   nghttp2_priority_spec_init(pri_spec, depstream_id,
                              sweight_wanted(data),
                              data->set.priority.exclusive);
@@ -1761,20 +1935,24 @@ static CURLcode h2_progress_egress(struct Curl_cfilter *cf,
   struct h2_stream_ctx *stream = H2_STREAM_CTX(data);
   int rv = 0;
 
+  /* curl-impersonate: Check if stream exclusive flag is true. */
   if(stream && stream->id > 0 &&
      ((sweight_wanted(data) != sweight_in_effect(data)) ||
-      (data->set.priority.exclusive != data->state.priority.exclusive) ||
-      (data->set.priority.parent != data->state.priority.parent)) ) {
+     (data->set.priority.exclusive != 1) ||
+     (data->set.priority.parent != data->state.priority.parent))) {
     /* send new weight and/or dependency */
     nghttp2_priority_spec pri_spec;
 
     h2_pri_spec(data, &pri_spec);
-    CURL_TRC_CF(data, cf, "[%d] Queuing PRIORITY", stream->id);
-    DEBUGASSERT(stream->id != -1);
-    rv = nghttp2_submit_priority(ctx->h2, NGHTTP2_FLAG_NONE,
-                                 stream->id, &pri_spec);
-    if(rv)
-      goto out;
+    /* curl-impersonate: Don't send PRIORITY frames for main stream. */
+    if(stream->id != 1) {
+      CURL_TRC_CF(data, cf, "[%d] Queuing PRIORITY", stream->id);
+      DEBUGASSERT(stream->id != -1);
+      rv = nghttp2_submit_priority(ctx->h2, NGHTTP2_FLAG_NONE,
+                                   stream->id, &pri_spec);
+      if(rv)
+        goto out;
+    }
   }
 
   ctx->nw_out_blocked = 0;
diff --git a/lib/http2.h b/lib/http2.h
index 80e183480..8ee390b7e 100644
--- a/lib/http2.h
+++ b/lib/http2.h
@@ -31,7 +31,8 @@
 
 /* value for MAX_CONCURRENT_STREAMS we use until we get an updated setting
    from the peer */
-#define DEFAULT_MAX_CONCURRENT_STREAMS 100
+/* curl-impersonate: Use 1000 concurrent streams like Chrome. */
+#define DEFAULT_MAX_CONCURRENT_STREAMS 1000
 
 /*
  * Store nghttp2 version info in this buffer.
diff --git a/lib/impersonate.c b/lib/impersonate.c
new file mode 100644
index 000000000..b18b3a7b5
--- /dev/null
+++ b/lib/impersonate.c
@@ -0,0 +1,1007 @@
+#include "curl_setup.h"
+
+#include <curl/curl.h>
+
+#include "impersonate.h"
+
+const struct impersonate_opts impersonations[] = {
+  {
+    .target = "chrome99",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"99\", \"Google Chrome\";v=\"99\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome100",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"100\", \"Google Chrome\";v=\"100\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome101",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"101\", \"Google Chrome\";v=\"101\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome104",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Chromium\";v=\"104\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"104\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome107",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;2:0;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome110",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_permute_extensions = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;2:0;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome116",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_permute_extensions = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Chromium\";v=\"116\", \"Not)A;Brand\";v=\"24\", \"Google Chrome\";v=\"116\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;2:0;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome119",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_permute_extensions = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"macOS\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;2:0;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .ech = "GREASE",
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome120",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_permute_extensions = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Not_A Brand\";v=\"8\", \"Chromium\";v=\"120\", \"Google Chrome\";v=\"120\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"macOS\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;2:0;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .ech = "GREASE",
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome123",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_permute_extensions = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"macOS\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br, zstd",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;2:0;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .ech = "GREASE",
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome124",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .curves = "X25519Kyber768Draft00:X25519:P-256:P-384",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_permute_extensions = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \"Chromium\";v=\"124\", \"Google Chrome\";v=\"124\", \"Not-A.Brand\";v=\"99\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"macOS\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br, zstd",
+      "Accept-Language: en-US,en;q=0.9",
+      "Priority: u=0, i"
+    },
+    .http2_settings = "1:65536;2:0;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .ech = "GREASE",
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "chrome99_android",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"99\", \"Google Chrome\";v=\"99\"",
+      "sec-ch-ua-mobile: ?1",
+      "sec-ch-ua-platform: \"Android\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.58 Mobile Safari/537.36",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "edge99",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"99\", \"Microsoft Edge\";v=\"99\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.30",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "edge101",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "ECDHE-ECDSA-AES128-GCM-SHA256,"
+      "ECDHE-RSA-AES128-GCM-SHA256,"
+      "ECDHE-ECDSA-AES256-GCM-SHA384,"
+      "ECDHE-RSA-AES256-GCM-SHA384,"
+      "ECDHE-ECDSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-CHACHA20-POLY1305,"
+      "ECDHE-RSA-AES128-SHA,"
+      "ECDHE-RSA-AES256-SHA,"
+      "AES128-GCM-SHA256,"
+      "AES256-GCM-SHA384,"
+      "AES128-SHA,"
+      "AES256-SHA",
+    .npn = false,
+    .alpn = true,
+    .alps = true,
+    .tls_session_ticket = true,
+    .cert_compression = "brotli",
+    .http_headers = {
+      "sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"101\", \"Microsoft Edge\";v=\"101\"",
+      "sec-ch-ua-mobile: ?0",
+      "sec-ch-ua-platform: \"Windows\"",
+      "Upgrade-Insecure-Requests: 1",
+      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 Edg/101.0.1210.47",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-User: ?1",
+      "Sec-Fetch-Dest: document",
+      "Accept-Encoding: gzip, deflate, br",
+      "Accept-Language: en-US,en;q=0.9"
+    },
+    .http2_settings = "1:65536;3:1000;4:6291456;6:262144",
+    .http2_window_update = 15663105,
+    .http2_stream_weight = 256,
+    .http2_stream_exclusive = 1,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "safari15_3",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,"
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_RSA_WITH_AES_256_CBC_SHA256,"
+      "TLS_RSA_WITH_AES_128_CBC_SHA256,"
+      "TLS_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_RSA_WITH_3DES_EDE_CBC_SHA,",
+    .curves = "X25519:P-256:P-384:P-521",
+    .sig_hash_algs =
+      "ecdsa_secp256r1_sha256,"
+      "rsa_pss_rsae_sha256,"
+      "rsa_pkcs1_sha256,"
+      "ecdsa_secp384r1_sha384,"
+      "ecdsa_sha1,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pkcs1_sha384,"
+      "rsa_pss_rsae_sha512,"
+      "rsa_pkcs1_sha512,"
+      "rsa_pkcs1_sha1",
+    .npn = false,
+    .alpn = true,
+    .alps = false,
+    .tls_session_ticket = false,
+    .http_headers = {
+      "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+      "Accept-Language: en-us",
+      "Accept-Encoding: gzip, deflate, br"
+    },
+    .http2_settings = "4:4194304;3:100",
+    .http2_window_update = 10485760,
+    .http2_pseudo_headers_order = "mspa",
+    .http2_stream_weight = 255,
+    .http2_stream_exclusive = 0,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "safari15_5",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+    .curves = "X25519:P-256:P-384:P-521",
+    .sig_hash_algs =
+      "ecdsa_secp256r1_sha256,"
+      "rsa_pss_rsae_sha256,"
+      "rsa_pkcs1_sha256,"
+      "ecdsa_secp384r1_sha384,"
+      "ecdsa_sha1,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pkcs1_sha384,"
+      "rsa_pss_rsae_sha512,"
+      "rsa_pkcs1_sha512,"
+      "rsa_pkcs1_sha1",
+    .npn = false,
+    .alpn = true,
+    .alps = false,
+    .tls_session_ticket = false,
+    .cert_compression = "zlib",
+    .http_headers = {
+      "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+      "Accept-Language: en-GB,en-US;q=0.9,en;q=0.8",
+      "Accept-Encoding: gzip, deflate, br"
+    },
+    .http2_settings = "4:4194304;3:100",
+    .http2_window_update = 10485760,
+    .http2_pseudo_headers_order = "mspa",
+    .http2_stream_weight = 255,
+    .http2_stream_exclusive = 0,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "safari17_2_ios",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+    .curves = "X25519:P-256:P-384:P-521",
+    .sig_hash_algs =
+      "ecdsa_secp256r1_sha256,"
+      "rsa_pss_rsae_sha256,"
+      "rsa_pkcs1_sha256,"
+      "ecdsa_secp384r1_sha384,"
+      "ecdsa_sha1,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pkcs1_sha384,"
+      "rsa_pss_rsae_sha512,"
+      "rsa_pkcs1_sha512,"
+      "rsa_pkcs1_sha1",
+    .npn = false,
+    .alpn = true,
+    .alps = false,
+    .tls_session_ticket = false,
+    .cert_compression = "zlib",
+    .http_headers = {
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+      "Sec-Fetch-Site: none",
+      "Accept-Encoding: gzip, deflate, br",
+      "Sec-Fetch-Mode: navigate",
+      "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1",
+      "Accept-Language: en-US,en;q=0.9",
+      "Sec-Fetch-Dest: document"
+    },
+    .http2_settings = "2:0;4:2097152;3:100",
+    .http2_window_update = 10485760,
+    .http2_pseudo_headers_order = "mspa",
+    .http2_stream_weight = 255,
+    .http2_stream_exclusive = 0,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "safari17_0",
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+    .curves = "X25519:P-256:P-384:P-521",
+    .sig_hash_algs =
+      "ecdsa_secp256r1_sha256,"
+      "rsa_pss_rsae_sha256,"
+      "rsa_pkcs1_sha256,"
+      "ecdsa_secp384r1_sha384,"
+      "ecdsa_sha1,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pkcs1_sha384,"
+      "rsa_pss_rsae_sha512,"
+      "rsa_pkcs1_sha512,"
+      "rsa_pkcs1_sha1",
+    .npn = false,
+    .alpn = true,
+    .alps = false,
+    .tls_session_ticket = false,
+    .cert_compression = "zlib",
+    .http_headers = {
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+      "Sec-Fetch-Site: none",
+      "Accept-Encoding: gzip, deflate, br",
+      "Sec-Fetch-Mode: navigate",
+      "user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
+      "Accept-Language: en-US,en;q=0.9",
+      "Sec-Fetch-Dest: document"
+    },
+    .http2_settings = "2:0;4:4194304;3:100",
+    .http2_window_update = 10485760,
+    .http2_pseudo_headers_order = "mspa",
+    .http2_stream_weight = 255,
+    .http2_stream_exclusive = 0,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "okhttp4", /* not working */
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
+      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+    .curves = "X25519:P-256:P-384:P-521",
+    .sig_hash_algs =
+      "ecdsa_secp256r1_sha256,"
+      "rsa_pss_rsae_sha256,"
+      "rsa_pkcs1_sha256,"
+      "ecdsa_secp384r1_sha384,"
+      "ecdsa_sha1,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pss_rsae_sha384,"
+      "rsa_pkcs1_sha384,"
+      "rsa_pss_rsae_sha512,"
+      "rsa_pkcs1_sha512,"
+      "rsa_pkcs1_sha1",
+    .npn = false,
+    .alpn = true,
+    .alps = false,
+    .tls_session_ticket = false,
+    .cert_compression = "zlib",
+    .http_headers = {
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+      "Sec-Fetch-Site: none",
+      "Accept-Encoding: gzip, deflate, br",
+      "Sec-Fetch-Mode: navigate",
+      "user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
+      "Accept-Language: en-US,en;q=0.9",
+      "Sec-Fetch-Dest: document"
+    },
+    .http2_settings = "2:0;4:4194304;3:100",
+    .http2_window_update = 10485760,
+    .http2_pseudo_headers_order = "mspa",
+    .http2_stream_weight = 255,
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    .target = "firefox120", /* not working */
+    .httpversion = CURL_HTTP_VERSION_2_0,
+    .ssl_version = CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT,
+    .ciphers =
+      "TLS_AES_128_GCM_SHA256,"
+      "TLS_CHACHA20_POLY1305_SHA256,"
+      "TLS_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
+      "TLS_RSA_WITH_AES_128_GCM_SHA256,"
+      "TLS_RSA_WITH_AES_256_GCM_SHA384,"
+      "TLS_RSA_WITH_AES_128_CBC_SHA,"
+      "TLS_RSA_WITH_AES_256_CBC_SHA",
+    .http_headers = {
+      "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0",
+      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+      "Accept-Language: en-US,en;q=0.5",
+      "Accept-Encoding: gzip, deflate, br",
+      "Upgrade-Insecure-Requests: 1",
+      "Sec-Fetch-Dest: document",
+      "Sec-Fetch-Mode: navigate",
+      "Sec-Fetch-Site: none",
+      "Sec-Fetch-User: ?1",
+      "Te: trailers"
+    },
+    .http2_settings = "1:65536;4:131072;5:16384",
+    .http2_window_update = 12517377,
+    .http2_pseudo_headers_order = "mpas",
+    .http2_streams = "3:0:0:201,5:0:0:101,7:0:0:1,9:0:7:1,11:0:3:1,13:0:0:241",
+    .tls_extension_order = NULL,
+    .tls_grease = true
+  },
+  {
+    /* Last one must be NULL. */
+    .target = NULL
+  }
+};
diff --git a/lib/impersonate.h b/lib/impersonate.h
new file mode 100644
index 000000000..988a7f86a
--- /dev/null
+++ b/lib/impersonate.h
@@ -0,0 +1,52 @@
+#ifndef HEADER_CURL_IMPERSONATE_H
+#define HEADER_CURL_IMPERSONATE_H
+
+#define IMPERSONATE_MAX_HEADERS 32
+
+/*
+ * curl-impersonate: Options to be set for each supported target browser.
+ */
+struct impersonate_opts {
+  const char *target;
+  int httpversion;
+  int ssl_version;
+  const char *ciphers;
+  /* Elliptic curves (TLS extension 10).
+   * Passed to CURLOPT_SSL_EC_CURVES */
+  const char *curves;
+  /* Signature hash algorithms (TLS extension 13).
+   * Passed to CURLOPT_SSL_SIG_HASH_ALGS */
+  const char *sig_hash_algs;
+  /* Enable TLS NPN extension. */
+  bool npn;
+  /* Enable TLS ALPN extension. */
+  bool alpn;
+  /* Enable TLS ALPS extension. */
+  bool alps;
+  /* Enable TLS session ticket extension. */
+  bool tls_session_ticket;
+  /* TLS certificate compression algorithms.
+   * (TLS extension 27) */
+  const char *cert_compression;
+  const char *http_headers[IMPERSONATE_MAX_HEADERS];
+  const char *http2_pseudo_headers_order;
+  const char *http2_settings;
+  int http2_window_update;
+  const char *http2_streams;
+  bool tls_permute_extensions;
+  const char *ech;
+  const char *tls_extension_order;
+  bool tls_grease;
+  int http2_stream_weight;
+  int http2_stream_exclusive;
+  /* Other TLS options will come here in the future once they are
+   * configurable through curl_easy_setopt() */
+};
+
+/*
+ * curl-impersonate: Global array of supported browsers and their
+ * impersonation options.
+ */
+extern const struct impersonate_opts impersonations[];
+
+#endif /* HEADER_CURL_IMPERSONATE_H */
diff --git a/lib/multi.c b/lib/multi.c
index ed9cac796..6ca666e4a 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -401,7 +401,8 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */
   Curl_llist_init(&multi->msgsent, NULL);
 
   multi->multiplexing = TRUE;
-  multi->max_concurrent_streams = 100;
+  /* curl-impersonate: Use 1000 concurrent streams like Chrome. */
+  multi->max_concurrent_streams = 1000;
 
 #ifdef USE_WINSOCK
   multi->wsa_event = WSACreateEvent();
diff --git a/lib/setopt.c b/lib/setopt.c
index 8a5a5d7c3..feddeeccb 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -51,6 +51,7 @@
 #include "altsvc.h"
 #include "hsts.h"
 #include "tftp.h"
+#include "slist.h"
 #include "strdup.h"
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
@@ -717,6 +718,23 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
                             va_arg(param, char *));
     break;
 
+  case CURLOPT_HTTPBASEHEADER:
+    /*
+     * curl-impersonate:
+     * Set a list of "base" headers. These will be merged with any headers
+     * set by CURLOPT_HTTPHEADER. curl-impersonate uses this option in order
+     * to set a list of default browser headers.
+     *
+     * Unlike CURLOPT_HTTPHEADER,
+     * the list is copied and can be immediately freed by the user.
+     */
+    curl_slist_free_all(data->state.base_headers);
+    data->state.base_headers = \
+      Curl_slist_duplicate(va_arg(param, struct curl_slist *));
+    if (!data->state.base_headers)
+      result = CURLE_OUT_OF_MEMORY;
+    break;
+
 #ifndef CURL_DISABLE_PROXY
   case CURLOPT_PROXYHEADER:
     /*
@@ -2398,6 +2416,27 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
     result = Curl_setstropt(&data->set.str[STRING_SSL_EC_CURVES],
                             va_arg(param, char *));
     break;
+
+  case CURLOPT_SSL_SIG_HASH_ALGS:
+    /*
+     * Set the list of hash algorithms we want to use in the SSL connection.
+     * Specify comma-delimited list of algorithms to use.
+     */
+    result = Curl_setstropt(&data->set.str[STRING_SSL_SIG_HASH_ALGS],
+                            va_arg(param, char *));
+    break;
+
+  case CURLOPT_SSL_CERT_COMPRESSION:
+    /*
+     * Set the list of ceritifcate compression algorithms we support in the TLS
+     * connection.
+     * Specify comma-delimited list of algorithms to use. Options are "zlib"
+     * and "brotli".
+     */
+    result = Curl_setstropt(&data->set.str[STRING_SSL_CERT_COMPRESSION],
+                            va_arg(param, char *));
+    break;
+
 #endif
   case CURLOPT_IPRESOLVE:
     arg = va_arg(param, long);
@@ -2936,6 +2975,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
   case CURLOPT_SSL_ENABLE_ALPN:
     data->set.ssl_enable_alpn = (0 != va_arg(param, long));
     break;
+  case CURLOPT_SSL_ENABLE_ALPS:
+    data->set.ssl_enable_alps = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    break;
+  case CURLOPT_SSL_ENABLE_TICKET:
+    data->set.ssl_enable_ticket = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    break;
+  case CURLOPT_SSL_PERMUTE_EXTENSIONS:
+    data->set.ssl_permute_extensions = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    break;
+  case CURLOPT_TLS_GREASE:
+    data->set.tls_grease = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    break;
+  case CURLOPT_TLS_EXTENSION_ORDER:
+    result = Curl_setstropt(&data->set.str[STRING_TLS_EXTENSION_ORDER],
+                            va_arg(param, char *));
+    break;
+  case CURLOPT_TLS_KEY_USAGE_NO_CHECK:
+    data->set.tls_key_usage_no_check = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    break;
+  case CURLOPT_TLS_SIGNED_CERT_TIMESTAMPS:
+    data->set.tls_signed_cert_timestamps = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    break;
+  case CURLOPT_TLS_STATUS_REQUEST:
+    data->set.tls_status_request = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    break;
+
+#ifdef USE_HTTP2
+  case CURLOPT_HTTP2_PSEUDO_HEADERS_ORDER:
+    result = Curl_setstropt(&data->set.str[STRING_HTTP2_PSEUDO_HEADERS_ORDER],
+                            va_arg(param, char *));
+    break;
+  case CURLOPT_HTTP2_SETTINGS:
+    result = Curl_setstropt(&data->set.str[STRING_HTTP2_SETTINGS],
+                            va_arg(param, char *));
+    break;
+  case CURLOPT_HTTP2_WINDOW_UPDATE:
+    arg = va_arg(param, long);
+    if(arg < -1)
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    data->set.http2_window_update = arg;
+    break;
+  case CURLOPT_HTTP2_STREAMS:
+    result = Curl_setstropt(&data->set.str[STRING_HTTP2_STREAMS],
+                            va_arg(param, char *));
+    break;
+#endif
 #ifdef USE_UNIX_SOCKETS
   case CURLOPT_UNIX_SOCKET_PATH:
     data->set.abstract_unix_socket = FALSE;
@@ -2963,6 +3048,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
     break;
 #else
     return CURLE_NOT_BUILT_IN;
+#endif
+  case CURLOPT_STREAM_EXCLUSIVE:
+#if defined(USE_HTTP2) || defined(USE_HTTP3)
+    arg = va_arg(param, long);
+    data->set.priority.exclusive = (int)arg;
+    break;
+#else
+    return CURLE_NOT_BUILT_IN;
 #endif
   case CURLOPT_STREAM_DEPENDS:
   case CURLOPT_STREAM_DEPENDS_E:
@@ -3132,6 +3225,31 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
     data->set.ws_raw_mode = raw;
     break;
   }
+#endif
+#ifdef USE_ECH
+  case CURLOPT_ECH: {
+    size_t plen = 0;
+    argptr = va_arg(param, char *);
+    if(!argptr) {
+      data->set.tls_ech = CURLECH_DISABLE;
+      result = CURLE_BAD_FUNCTION_ARGUMENT;
+      return result;
+    }
+    plen = strlen(argptr);
+    if(plen > CURL_MAX_INPUT_LENGTH) {
+      data->set.tls_ech = CURLECH_DISABLE;
+      result = CURLE_BAD_FUNCTION_ARGUMENT;
+      return result;
+    }
+    if(plen == 6 && strcasecompare(argptr, "GREASE"))
+      data->set.tls_ech = CURLECH_GREASE;
+    else {
+      data->set.tls_ech = CURLECH_DISABLE;
+      result = CURLE_BAD_FUNCTION_ARGUMENT;
+      return result;
+    }
+    break;
+  }
 #endif
   case CURLOPT_QUICK_EXIT:
     data->set.quick_exit = (0 != va_arg(param, long)) ? 1L:0L;
diff --git a/lib/strerror.c b/lib/strerror.c
index a900e78d1..e7d54905a 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -322,6 +322,11 @@ curl_easy_strerror(CURLcode error)
   case CURLE_TOO_LARGE:
     return "A value or data field grew larger than allowed";
 
+#ifdef USE_ECH
+  case CURLE_ECH_REQUIRED:
+    return "ECH attempted but failed";
+#endif
+
     /* error codes not used by current libcurl */
   case CURLE_OBSOLETE20:
   case CURLE_OBSOLETE24:
diff --git a/lib/transfer.c b/lib/transfer.c
index e31d1d6db..66e106901 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -105,7 +105,15 @@ char *Curl_checkheaders(const struct Curl_easy *data,
   DEBUGASSERT(thislen);
   DEBUGASSERT(thisheader[thislen-1] != ':');
 
-  for(head = data->set.headers; head; head = head->next) {
+  /*
+   * curl-impersonate:
+   * Check if we have overriden the user-supplied list of headers.
+   */
+  head = data->set.headers;
+  if (data->state.merged_headers)
+    head = data->state.merged_headers;
+
+  for(; head; head = head->next) {
     if(strncasecompare(head->data, thisheader, thislen) &&
        Curl_headersep(head->data[thislen]) )
       return head->data;
diff --git a/lib/url.c b/lib/url.c
index 224b9f3e2..db07bfa40 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -320,6 +320,20 @@ CURLcode Curl_close(struct Curl_easy **datap)
   Curl_safefree(data->state.aptr.proxyuser);
   Curl_safefree(data->state.aptr.proxypasswd);
 
+  /* curl-impersonate: Free the list set by CURLOPT_HTTPBASEHEADER. */
+  curl_slist_free_all(data->state.base_headers);
+  /* curl-impersonate: Free the dynamic list of headers. */
+  curl_slist_free_all(data->state.merged_headers);
+
+#ifndef CURL_DISABLE_DOH
+  if(data->req.doh) {
+    Curl_dyn_free(&data->req.doh->probe[0].serverdoh);
+    Curl_dyn_free(&data->req.doh->probe[1].serverdoh);
+    curl_slist_free_all(data->req.doh->headers);
+    Curl_safefree(data->req.doh);
+  }
+#endif
+
 #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_FORM_API)
   Curl_mime_cleanpart(data->state.formp);
   Curl_safefree(data->state.formp);
@@ -458,6 +472,8 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
   set->tcp_fastopen = FALSE;
   set->tcp_nodelay = TRUE;
   set->ssl_enable_alpn = TRUE;
+  set->ssl_enable_ticket = TRUE;
+  set->tls_grease = TRUE;
   set->expect_100_timeout = 1000L; /* Wait for a second by default. */
   set->sep_headers = TRUE; /* separated header lists by default */
   set->buffer_size = READBUFFER_SIZE;
@@ -3664,6 +3680,11 @@ static CURLcode create_conn(struct Curl_easy *data,
          (default) */
       if(data->set.ssl_enable_alpn)
         conn->bits.tls_enable_alpn = TRUE;
+
+      /* curl-impersonate: Turn on ALPS if ALPN is enabled and the bit is
+       * enabled. */
+      if(data->set.ssl_enable_alps)
+        conn->bits.tls_enable_alps = TRUE;
     }
 
     if(waitpipe)
diff --git a/lib/urldata.h b/lib/urldata.h
index ce28f25bb..c61641d5a 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -53,6 +53,15 @@
 #define PORT_GOPHER 70
 #define PORT_MQTT 1883
 
+#ifdef USE_ECH
+/* CURLECH_ defines are for the tls_ech option */
+# define CURLECH_DISABLE    0
+# define CURLECH_GREASE     1
+# define CURLECH_ENABLE     2
+# define CURLECH_HARD       3
+# define CURLECH_CLA_CFG    4
+#endif
+
 struct curl_trc_featt;
 
 #ifdef USE_WEBSOCKETS
@@ -298,6 +307,8 @@ struct ssl_primary_config {
   char *password; /* TLS password (for, e.g., SRP) */
 #endif
   char *curves;          /* list of curves to use */
+  char *sig_hash_algs;   /* List of signature hash algorithms to use */
+  char *cert_compression;  /* List of certificate compression algorithms. */
   unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
   unsigned int version_max; /* max supported version the client wants to use */
   unsigned char version;    /* what version the client wants to use */
@@ -305,6 +316,7 @@ struct ssl_primary_config {
   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
   BIT(sessionid);        /* cache session IDs or not */
+  // BIT(grease);           /* grease enabled? */
 };
 
 struct ssl_config_data {
@@ -545,6 +557,10 @@ struct ConnectBits {
   BIT(multiplex); /* connection is multiplexed */
   BIT(tcp_fastopen); /* use TCP Fast Open */
   BIT(tls_enable_alpn); /* TLS ALPN extension? */
+  BIT(tls_enable_alps); /* TLS ALPS extension? */
+  BIT(tls_enable_ticket); /* TLS session ticket extension? */
+  BIT(tls_permute_extensions); /* TLS extension permutations */
+  BIT(tls_grease);  /* TLS grease? */
 #ifndef CURL_DISABLE_DOH
   BIT(doh);
 #endif
@@ -1320,6 +1336,19 @@ struct UrlState {
   CURLcode hresult; /* used to pass return codes back from hyper callbacks */
 #endif
 
+  /*
+   * curl-impersonate:
+   * List of "base" headers set by CURLOPT_HTTPBASEHEADER.
+   */
+  struct curl_slist *base_headers;
+  /*
+   * curl-impersonate:
+   * Dynamically-constructed list of HTTP headers.
+   * This list is a merge of the default HTTP headers needed to impersonate a
+   * browser, together with any user-supplied headers.
+   */
+  struct curl_slist *merged_headers;
+
 #ifndef CURL_DISABLE_VERBOSE_STRINGS
   struct curl_trc_feat *feat; /* opt. trace feature transfer is part of */
 #endif
@@ -1496,6 +1525,14 @@ enum dupstring {
   STRING_SSL_EC_CURVES,
   STRING_AWS_SIGV4, /* Parameters for V4 signature */
   STRING_HAPROXY_CLIENT_IP,     /* CURLOPT_HAPROXY_CLIENT_IP */
+  STRING_SSL_SIG_HASH_ALGS,
+  STRING_SSL_CERT_COMPRESSION,
+  STRING_HTTP2_PSEUDO_HEADERS_ORDER,
+  STRING_HTTP2_SETTINGS,
+  STRING_HTTP2_STREAMS,
+  STRING_ECH_CONFIG,            /* CURLOPT_ECH_CONFIG */
+  STRING_ECH_PUBLIC,            /* CURLOPT_ECH_PUBLIC */
+  STRING_TLS_EXTENSION_ORDER,
 
   /* -- end of null-terminated strings -- */
 
@@ -1791,6 +1828,13 @@ struct UserDefined {
   BIT(tcp_keepalive);  /* use TCP keepalives */
   BIT(tcp_fastopen);   /* use TCP Fast Open */
   BIT(ssl_enable_alpn);/* TLS ALPN extension? */
+  BIT(ssl_enable_alps);/* TLS ALPS extension? */
+  BIT(ssl_enable_ticket); /* TLS session ticket extension */
+  BIT(ssl_permute_extensions); /* TLS Permute extensions */
+  BIT(tls_grease);  /* TLS grease? */
+  BIT(tls_key_usage_no_check);  /* TLS key_usage_check? */
+  BIT(tls_signed_cert_timestamps);  /* TLS signed cert timestamps? */
+  BIT(tls_status_request);  /* TLS status request */
   BIT(path_as_is);     /* allow dotdots? */
   BIT(pipewait);       /* wait for multiplex status before starting a new
                           connection */
@@ -1811,6 +1855,10 @@ struct UserDefined {
 #ifdef USE_WEBSOCKETS
   BIT(ws_raw_mode);
 #endif
+#ifdef USE_ECH
+  int tls_ech;      /* TLS ECH configuration  */
+#endif
+  int http2_window_update;
 };
 
 #ifndef CURL_DISABLE_MIME
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a3953f6c3..a3421e2bb 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -79,9 +79,24 @@
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
 #include <openssl/pkcs12.h>
+#include <openssl/pool.h>
 #include <openssl/tls1.h>
 #include <openssl/evp.h>
 
+#ifdef HAVE_LIBZ
+#include <zlib.h>
+#endif
+#ifdef HAVE_BROTLI
+#include <brotli/decode.h>
+#endif
+
+#ifdef USE_ECH
+# ifndef OPENSSL_IS_BORINGSSL
+#  include <openssl/ech.h>
+# endif
+# include "curl_base64.h"
+#endif /* USE_ECH */
+
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
 #include <openssl/ocsp.h>
 #endif
@@ -276,6 +291,113 @@
 #define HAVE_OPENSSL_VERSION
 #endif
 
+#if defined(OPENSSL_IS_BORINGSSL)
+#define HAVE_SSL_CTX_SET_VERIFY_ALGORITHM_PREFS
+
+/*
+ * kMaxSignatureAlgorithmNameLen and kSignatureAlgorithmNames
+ * Taken from BoringSSL, see ssl/ssl_privkey.cc
+ * */
+static const size_t kMaxSignatureAlgorithmNameLen = 23;
+
+static const struct {
+  uint16_t signature_algorithm;
+  const char *name;
+} kSignatureAlgorithmNames[] = {
+    {SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
+    {SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
+    {SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
+    {SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"},
+    {SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"},
+    {SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"},
+    {SSL_SIGN_ECDSA_SECP256R1_SHA256, "ecdsa_secp256r1_sha256"},
+    {SSL_SIGN_ECDSA_SECP384R1_SHA384, "ecdsa_secp384r1_sha384"},
+    {SSL_SIGN_ECDSA_SECP521R1_SHA512, "ecdsa_secp521r1_sha512"},
+    {SSL_SIGN_RSA_PSS_RSAE_SHA256, "rsa_pss_rsae_sha256"},
+    {SSL_SIGN_RSA_PSS_RSAE_SHA384, "rsa_pss_rsae_sha384"},
+    {SSL_SIGN_RSA_PSS_RSAE_SHA512, "rsa_pss_rsae_sha512"},
+    {SSL_SIGN_ED25519, "ed25519"},
+};
+
+#define MAX_SIG_ALGS \
+  sizeof(kSignatureAlgorithmNames) / sizeof(kSignatureAlgorithmNames[0])
+
+/* Default signature hash algorithms taken from Chrome/Chromium.
+ * See kVerifyPeers @ net/socket/ssl_client_socket_impl.cc */
+static const uint16_t default_sig_algs[] = {
+  SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256,
+  SSL_SIGN_RSA_PKCS1_SHA256,       SSL_SIGN_ECDSA_SECP384R1_SHA384,
+  SSL_SIGN_RSA_PSS_RSAE_SHA384,    SSL_SIGN_RSA_PKCS1_SHA384,
+  SSL_SIGN_RSA_PSS_RSAE_SHA512,    SSL_SIGN_RSA_PKCS1_SHA512,
+};
+
+#define DEFAULT_SIG_ALGS_LENGTH  \
+  sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
+
+static CURLcode parse_sig_algs(struct Curl_easy *data,
+                               const char *sigalgs,
+                               uint16_t *algs,
+                               size_t *nalgs)
+{
+  *nalgs = 0;
+  while (sigalgs && sigalgs[0]) {
+    int i;
+    bool found = FALSE;
+    const char *end;
+    size_t len;
+    char algname[kMaxSignatureAlgorithmNameLen + 1];
+
+    end = strpbrk(sigalgs, ":,");
+    if (end)
+      len = end - sigalgs;
+    else
+      len = strlen(sigalgs);
+
+    if (len > kMaxSignatureAlgorithmNameLen) {
+      failf(data, "Bad signature hash algorithm list");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+
+    if (!len) {
+      ++sigalgs;
+      continue;
+    }
+
+    if (*nalgs == MAX_SIG_ALGS) {
+      /* Reached the maximum number of possible algorithms, but more data
+       * available in the list. */
+      failf(data, "Bad signature hash algorithm list");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+
+    memcpy(algname, sigalgs, len);
+    algname[len] = 0;
+
+    for (i = 0; i < MAX_SIG_ALGS; i++) {
+      if (strcasecompare(algname, kSignatureAlgorithmNames[i].name)) {
+        algs[*nalgs] = kSignatureAlgorithmNames[i].signature_algorithm;
+        (*nalgs)++;
+        found = TRUE;
+        break;
+      }
+    }
+
+    if (!found) {
+      failf(data, "Unknown signature hash algorithm: '%s'", algname);
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+
+    if (end)
+      sigalgs = ++end;
+    else
+      break;
+  }
+
+  return CURLE_OK;
+}
+
+#endif
+
 #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 typedef uint32_t sslerr_t;
 #else
@@ -2644,6 +2766,151 @@ static const char *tls_rt_type(int type)
   }
 }
 
+#ifdef HAVE_LIBZ
+int DecompressZlibCert(SSL *ssl,
+                       CRYPTO_BUFFER** out,
+                       size_t uncompressed_len,
+                       const uint8_t* in,
+                       size_t in_len)
+{
+  z_stream strm;
+  uint8_t* data;
+  CRYPTO_BUFFER* decompressed = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
+  if(!decompressed) {
+    return 0;
+  }
+
+  strm.zalloc = NULL;
+  strm.zfree = NULL;
+  strm.opaque = NULL;
+  strm.next_in = (Bytef *)in;
+  strm.avail_in = in_len;
+  strm.next_out = (Bytef *)data;
+  strm.avail_out = uncompressed_len;
+
+  if(inflateInit(&strm) != Z_OK) {
+    CRYPTO_BUFFER_free(decompressed);
+    return 0;
+  }
+
+  if(inflate(&strm, Z_FINISH) != Z_STREAM_END ||
+    strm.avail_in != 0 ||
+    strm.avail_out != 0) {
+    inflateEnd(&strm);
+    CRYPTO_BUFFER_free(decompressed);
+    return 0;
+  }
+
+  inflateEnd(&strm);
+  *out = decompressed;
+  return 1;
+}
+#endif
+
+#ifdef HAVE_BROTLI
+
+/* Taken from Chromium and adapted to C,
+ * see net/ssl/cert_compression.cc
+ */
+int DecompressBrotliCert(SSL* ssl,
+                         CRYPTO_BUFFER** out,
+                         size_t uncompressed_len,
+                         const uint8_t* in,
+                         size_t in_len) {
+  uint8_t* data;
+  CRYPTO_BUFFER* decompressed = CRYPTO_BUFFER_alloc(&data, uncompressed_len);
+  if (!decompressed) {
+    return 0;
+  }
+
+  size_t output_size = uncompressed_len;
+  if (BrotliDecoderDecompress(in_len, in, &output_size, data) !=
+          BROTLI_DECODER_RESULT_SUCCESS ||
+      output_size != uncompressed_len) {
+    CRYPTO_BUFFER_free(decompressed);
+    return 0;
+  }
+
+  *out = decompressed;
+  return 1;
+}
+#endif
+
+#if defined(HAVE_LIBZ) || defined(HAVE_BROTLI)
+static struct {
+  char *alg_name;
+  uint16_t alg_id;
+  ssl_cert_compression_func_t compress;
+  ssl_cert_decompression_func_t decompress;
+} cert_compress_algs[] = {
+#ifdef HAVE_LIBZ
+  {"zlib", TLSEXT_cert_compression_zlib, NULL, DecompressZlibCert},
+#endif
+#ifdef HAVE_BROTLI
+  {"brotli", TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert},
+#endif
+};
+
+#define NUM_CERT_COMPRESSION_ALGS \
+  sizeof(cert_compress_algs) / sizeof(cert_compress_algs[0])
+
+/*
+ * curl-impersonate:
+ * Add support for TLS extension 27 - compress_certificate.
+ * This calls the BoringSSL-specific API SSL_CTX_add_cert_compression_alg
+ * for each algorithm specified in cert_compression, which is a comma separated list.
+ */
+static CURLcode add_cert_compression(struct Curl_easy *data,
+                                     SSL_CTX *ctx,
+                                     const char *algorithms)
+{
+  int i;
+  const char *s = algorithms;
+  char *alg_name;
+  size_t alg_name_len;
+  bool found;
+
+  while (s && s[0]) {
+    found = FALSE;
+
+    for(i = 0; i < NUM_CERT_COMPRESSION_ALGS; i++) {
+      alg_name = cert_compress_algs[i].alg_name;
+      alg_name_len = strlen(alg_name);
+      if(strlen(s) >= alg_name_len &&
+         strncasecompare(s, alg_name, alg_name_len) &&
+         (s[alg_name_len] == ',' || s[alg_name_len] == 0)) {
+        if(!SSL_CTX_add_cert_compression_alg(ctx,
+                    cert_compress_algs[i].alg_id,
+                    cert_compress_algs[i].compress,
+                    cert_compress_algs[i].decompress)) {
+          failf(data, "Error adding certificate compression algorithm '%s'",
+                alg_name);
+          return CURLE_SSL_CIPHER;
+        }
+        s += alg_name_len;
+        if(*s == ',')
+          s += 1;
+        found = TRUE;
+        break;
+      }
+    }
+
+    if(!found) {
+      failf(data, "Invalid compression algorithm list");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+  }
+
+  return CURLE_OK;
+}
+#else
+static CURLcode add_cert_compression(SSL_CTX *ctx, const char *algorithms)
+{
+  /* No compression algorithms are available. */
+  return CURLE_BAD_FUNCTION_ARGUMENT;
+}
+#endif
+
 /*
  * Our callback from the SSL/TLS layers.
  */
@@ -3616,7 +3883,14 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
   ctx_options = SSL_OP_ALL;
 
 #ifdef SSL_OP_NO_TICKET
-  ctx_options |= SSL_OP_NO_TICKET;
+  if(data->set.ssl_enable_ticket) {
+  /* curl-impersonate:
+   * Turn off SSL_OP_NO_TICKET, we want TLS extension 35 (session_ticket)
+   * to be present in the client hello. */
+    ctx_options &= ~SSL_OP_NO_TICKET;
+  } else {
+    ctx_options |= SSL_OP_NO_TICKET;
+  }
 #endif
 
 #ifdef SSL_OP_NO_COMPRESSION
@@ -3683,6 +3957,21 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
   }
 #endif
 
+  SSL_CTX_set_options(backend->ctx,
+      SSL_OP_LEGACY_SERVER_CONNECT);
+  SSL_CTX_set_mode(backend->ctx,
+      SSL_MODE_CBC_RECORD_SPLITTING | SSL_MODE_ENABLE_FALSE_START);
+
+  /* curl-impersonate: Enable TLS extensions 18 - signed_certificate_timestamp. */
+  if(data->set.tls_signed_cert_timestamps) {
+    SSL_CTX_enable_signed_cert_timestamps(backend->ctx);
+  }
+
+  /* curl-impersonate: Enable TLS extensions 5 - status_request */
+  if(data->set.tls_status_request) {
+    SSL_CTX_enable_ocsp_stapling(backend->ctx);
+  }
+
   if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
     if(!result &&
        !cert_stuff(data, backend->ctx,
@@ -3736,6 +4025,35 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
   }
 #endif
 
+#ifdef HAVE_SSL_CTX_SET_VERIFY_ALGORITHM_PREFS
+  {
+    uint16_t algs[MAX_SIG_ALGS];
+    size_t nalgs;
+    /* curl-impersonate: Set the signature algorithms (TLS extension 13).
+     * See net/socket/ssl_client_socket_impl.cc in Chromium's source. */
+    char *sig_hash_algs = conn_config->sig_hash_algs;
+    if (sig_hash_algs) {
+      CURLcode result = parse_sig_algs(data, sig_hash_algs, algs, &nalgs);
+      if (result)
+        return result;
+      if (!SSL_CTX_set_verify_algorithm_prefs(backend->ctx, algs, nalgs)) {
+        failf(data, "failed setting signature hash algorithms list: '%s'",
+              sig_hash_algs);
+        return CURLE_SSL_CIPHER;
+      }
+    } else {
+      /* Use defaults from Chrome. */
+      if (!SSL_CTX_set_verify_algorithm_prefs(backend->ctx,
+                                              default_sig_algs,
+                                              DEFAULT_SIG_ALGS_LENGTH)) {
+        failf(data, "failed setting signature hash algorithms list: '%s'",
+              sig_hash_algs);
+        return CURLE_SSL_CIPHER;
+      }
+    }
+  }
+#endif
+
 #ifdef USE_OPENSSL_SRP
   if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
     char * const ssl_username = ssl_config->primary.username;
@@ -3761,6 +4079,44 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
   }
 #endif
 
+  /* curl-impersonate:
+   * Configure BoringSSL to behave like Chrome. 
+   * See Constructor of SSLContext at net/socket/ssl_client_socket_impl.cc
+   * and SSLClientSocketImpl::Init()
+   * in the Chromium's source code. */
+
+  /* curl-impersonate: Enable TLS GREASE. */
+  if(data->set.tls_grease) {
+    SSL_CTX_set_grease_enabled(backend->ctx, 1);
+  }
+
+  /*
+   * curl-impersonate: Enable TLS extension permutation, enabled by default
+   * since Chrome 110.
+   */
+  if(data->set.ssl_permute_extensions) {
+    SSL_CTX_set_permute_extensions(backend->ctx, 1);
+  }
+
+  /* curl-impersonate: Set TLS extensions order. */
+  if(data->set.str[STRING_TLS_EXTENSION_ORDER]) {
+    SSL_CTX_set_extension_order(backend->ctx, data->set.str[STRING_TLS_EXTENSION_ORDER]);
+  }
+
+  // curl-impersonate: Set key usage check
+  if(data->set.tls_key_usage_no_check) {
+    SSL_CTX_set_key_usage_check_enabled(backend->ctx, 0);
+  }else{
+    SSL_CTX_set_key_usage_check_enabled(backend->ctx, 1);
+  }
+
+  if(conn_config->cert_compression &&
+     add_cert_compression(data,
+                          backend->ctx,
+                          conn_config->cert_compression))
+    return CURLE_SSL_CIPHER;
+
+
   /* OpenSSL always tries to verify the peer, this only says whether it should
    * fail to connect if the verification fails, or if it should continue
    * anyway. In the latter case the result of the verification is checked with
@@ -3816,6 +4172,24 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
 
   SSL_set_app_data(backend->handle, cf);
 
+#ifdef HAS_ALPN
+  if(connssl->alps) {
+    size_t i;
+    struct alpn_proto_buf proto;
+
+    for(i = 0; i < connssl->alps->count; ++i) {
+      /* curl-impersonate: Add the ALPS extension (17513) like Chrome does. */
+      // XXX: Firefox does not enable this.
+      SSL_add_application_settings(backend->handle, connssl->alps->entries[i],
+                                   strlen(connssl->alps->entries[i]), NULL,
+                                   0);
+    }
+
+    Curl_alpn_to_proto_str(&proto, connssl->alps);
+    infof(data, VTLS_INFOF_ALPS_OFFER_1STR, proto.data);
+  }
+#endif
+
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
   !defined(OPENSSL_NO_OCSP)
   if(conn_config->verifystatus)
@@ -3839,6 +4213,21 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
   }
 #endif
 
+#ifdef USE_ECH
+  if(data->set.tls_ech != CURLECH_DISABLE) {
+    unsigned char *ech_config = NULL;
+    size_t ech_config_len = 0;
+    int trying_ech_now = 0;
+    if(data->set.tls_ech == CURLECH_GREASE) {
+# ifdef OPENSSL_IS_BORINGSSL
+      SSL_set_enable_ech_grease(backend->handle, 1);
+# else
+      SSL_set_options(backend->handle, SSL_OP_ECH_GREASE);
+# endif
+    }
+  }
+#endif
+
   SSL_set_app_data(backend->handle, cf);
 
   connssl->reused_session = FALSE;
@@ -4050,6 +4439,60 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
           negotiated_group_name? negotiated_group_name : "[blank]",
           OBJ_nid2sn(psigtype_nid));
 
+#ifdef USE_ECH
+# ifndef OPENSSL_IS_BORINGSSL
+    if(data->set.tls_ech != CURLECH_DISABLE) {
+      char *inner = NULL, *outer = NULL;
+      const char *status = NULL;
+      int rv;
+
+      rv = SSL_ech_get_status(backend->handle, &inner, &outer);
+      switch(rv) {
+      case SSL_ECH_STATUS_SUCCESS:
+        status = "Succeeded";
+        break;
+      case SSL_ECH_STATUS_GREASE_ECH:
+        status = "sent GREASE, got retry-configs";
+        break;
+      case SSL_ECH_STATUS_GREASE:
+        status = "sent GREASE";
+        break;
+      case SSL_ECH_STATUS_NOT_TRIED:
+        status = "not attempted";
+        break;
+      case SSL_ECH_STATUS_NOT_CONFIGURED:
+        status = "not configured";
+        break;
+      case SSL_ECH_STATUS_BACKEND:
+        status = "backend (unexpected)";
+        break;
+      case SSL_ECH_STATUS_FAILED:
+        status = "failed";
+        break;
+      case SSL_ECH_STATUS_BAD_CALL:
+        status = "bad call (unexpected)";
+        break;
+      case SSL_ECH_STATUS_BAD_NAME:
+        status = "bad name (unexpected)";
+        break;
+      default:
+        status = "unexpected status";
+        infof(data, "ECH: unexpected status %d",rv);
+      }
+      infof(data, "ECH: result: status is %s, inner is %s, outer is %s",
+             (status?status:"NULL"),
+             (inner?inner:"NULL"),
+             (outer?outer:"NULL"));
+      OPENSSL_free(inner);
+      OPENSSL_free(outer);
+      if(rv != SSL_ECH_STATUS_SUCCESS && data->set.tls_ech == CURLECH_HARD) {
+        infof(data, "ECH: ech-hard failed");
+        return CURLE_SSL_CONNECT_ERROR;
+      }
+   }
+# endif  /* BORING */
+#endif  /* USE_ECH */
+
 #ifdef HAS_ALPN
     /* Sets data and len to negotiated protocol, len is 0 if no protocol was
      * negotiated
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index d13a3cb1b..5ec3db492 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -139,6 +139,9 @@ static const struct alpn_spec ALPN_SPEC_H11 = {
 static const struct alpn_spec ALPN_SPEC_H2_H11 = {
   { ALPN_H2, ALPN_HTTP_1_1 }, 2
 };
+static const struct alpn_spec ALPN_SPEC_H2 = {
+  { ALPN_H2 }, 1
+};
 #endif
 
 static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
@@ -155,6 +158,17 @@ static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
      Avoid "http/1.0" because some servers don't support it. */
   return &ALPN_SPEC_H11;
 }
+
+static const struct alpn_spec *alps_get_spec(int httpwant, bool use_alps)
+{
+  if(!use_alps)
+    return NULL;
+#ifdef USE_HTTP2
+  if(httpwant >= CURL_HTTP_VERSION_2)
+    return &ALPN_SPEC_H2;
+#endif
+  return NULL;
+}
 #endif /* USE_SSL */
 
 
@@ -198,6 +212,8 @@ match_ssl_primary_config(struct Curl_easy *data,
      strcasecompare(c1->cipher_list, c2->cipher_list) &&
      strcasecompare(c1->cipher_list13, c2->cipher_list13) &&
      strcasecompare(c1->curves, c2->curves) &&
+     strcasecompare(c1->sig_hash_algs, c2->sig_hash_algs) &&
+     strcasecompare(c1->cert_compression, c2->cert_compression) &&
      strcasecompare(c1->CRLfile, c2->CRLfile) &&
      strcasecompare(c1->pinned_key, c2->pinned_key))
     return TRUE;
@@ -242,6 +258,8 @@ static bool clone_ssl_primary_config(struct ssl_primary_config *source,
   CLONE_STRING(cipher_list13);
   CLONE_STRING(pinned_key);
   CLONE_STRING(curves);
+  CLONE_STRING(sig_hash_algs);
+  CLONE_STRING(cert_compression);
   CLONE_STRING(CRLfile);
 #ifdef USE_TLS_SRP
   CLONE_STRING(username);
@@ -264,6 +282,8 @@ static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
   Curl_safefree(sslc->ca_info_blob);
   Curl_safefree(sslc->issuercert_blob);
   Curl_safefree(sslc->curves);
+  Curl_safefree(sslc->sig_hash_algs);
+  Curl_safefree(sslc->cert_compression);
   Curl_safefree(sslc->CRLfile);
 #ifdef USE_TLS_SRP
   Curl_safefree(sslc->username);
@@ -287,6 +307,8 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
   data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
   data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO];
   data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES];
+  data->set.ssl.primary.sig_hash_algs = data->set.str[STRING_SSL_SIG_HASH_ALGS];
+  data->set.ssl.primary.cert_compression = data->set.str[STRING_SSL_CERT_COMPRESSION];
 #ifdef USE_TLS_SRP
   data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
   data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
@@ -453,7 +475,8 @@ static bool ssl_prefs_check(struct Curl_easy *data)
 }
 
 static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
-                                     const struct alpn_spec *alpn)
+                                     const struct alpn_spec *alpn,
+                                     const struct alpn_spec *alps)
 {
   struct ssl_connect_data *ctx;
 
@@ -463,6 +486,7 @@ static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
     return NULL;
 
   ctx->alpn = alpn;
+  ctx->alps = alps;
   ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
   if(!ctx->backend) {
     free(ctx);
@@ -1885,8 +1909,11 @@ static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
 
   DEBUGASSERT(data->conn);
 
-  ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
-                                       conn->bits.tls_enable_alpn));
+  ctx = cf_ctx_new(data,
+                   alpn_get_spec(data->state.httpwant,
+                                 conn->bits.tls_enable_alpn),
+                   alps_get_spec(data->state.httpwant,
+                                 conn->bits.tls_enable_alps));
   if(!ctx) {
     result = CURLE_OUT_OF_MEMORY;
     goto out;
@@ -1936,6 +1963,7 @@ static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
   struct ssl_connect_data *ctx;
   CURLcode result;
   bool use_alpn = conn->bits.tls_enable_alpn;
+  bool use_alps = conn->bits.tls_enable_alps;
   int httpwant = CURL_HTTP_VERSION_1_1;
 
 #ifdef USE_HTTP2
@@ -1945,7 +1973,8 @@ static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
   }
 #endif
 
-  ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
+  ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn),
+                   alps_get_spec(httpwant, use_alps));
   if(!ctx) {
     result = CURLE_OUT_OF_MEMORY;
     goto out;
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index 744bbf8fd..3bd42ee9d 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -44,6 +44,8 @@ struct Curl_ssl_session;
   "ALPN: server did not agree on a protocol. Uses default."
 #define VTLS_INFOF_ALPN_OFFER_1STR              \
   "ALPN: curl offers %s"
+#define VTLS_INFOF_ALPS_OFFER_1STR              \
+  "ALPS: offers %s"
 #define VTLS_INFOF_ALPN_ACCEPTED_1STR           \
   ALPN_ACCEPTED "%s"
 #define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR       \
diff --git a/lib/vtls/vtls_int.h b/lib/vtls/vtls_int.h
index 0361fa95a..417e6a689 100644
--- a/lib/vtls/vtls_int.h
+++ b/lib/vtls/vtls_int.h
@@ -70,6 +70,7 @@ struct ssl_connect_data {
   ssl_connect_state connecting_state;
   struct ssl_peer peer;
   const struct alpn_spec *alpn;     /* ALPN to use or NULL for none */
+  const struct alpn_spec *alps;     /* ALPS to use or NULL for none */
   void *backend;                    /* vtls backend specific props */
   struct cf_call_data call_data;    /* data handle used in current call */
   struct curltime handshake_done;   /* time when handshake finished */
diff --git a/libcurl.def b/libcurl.def
index c6c96063a..ac52a596d 100644
--- a/libcurl.def
+++ b/libcurl.def
@@ -5,6 +5,7 @@ curl_easy_escape
 curl_easy_getinfo
 curl_easy_header
 curl_easy_init
+curl_easy_impersonate
 curl_easy_nextheader
 curl_easy_option_by_id
 curl_easy_option_by_name
diff --git a/libcurl.pc.in b/libcurl.pc.in
index 9db6b0f89..14c2f23e0 100644
--- a/libcurl.pc.in
+++ b/libcurl.pc.in
@@ -36,6 +36,6 @@ Name: libcurl
 URL: https://curl.se/
 Description: Library to transfer files with ftp, http, etc.
 Version: @CURLVERSION@
-Libs: -L${libdir} -lcurl @LIBCURL_NO_SHARED@
+Libs: -L${libdir} -lcurl-impersonate-chrome @LIBCURL_NO_SHARED@
 Libs.private: @LIBCURL_LIBS@
 Cflags: -I${includedir} @CPPFLAG_CURL_STATICLIB@
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
index 9a4547709..42bc87373 100644
--- a/m4/curl-compilers.m4
+++ b/m4/curl-compilers.m4
@@ -381,42 +381,55 @@ AC_DEFUN([CURL_CONVERT_INCLUDE_TO_ISYSTEM], [
   AC_REQUIRE([CURL_SHFUNC_SQUEEZE])dnl
   AC_REQUIRE([CURL_CHECK_COMPILER])dnl
   AC_MSG_CHECKING([convert -I options to -isystem])
-  if test "$compiler_id" = "GNU_C" ||
-    test "$compiler_id" = "CLANG"; then
-    AC_MSG_RESULT([yes])
-    tmp_has_include="no"
-    tmp_chg_FLAGS="$CFLAGS"
-    for word1 in $tmp_chg_FLAGS; do
-      case "$word1" in
-        -I*)
-          tmp_has_include="yes"
-          ;;
-      esac
-    done
-    if test "$tmp_has_include" = "yes"; then
-      tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/^-I/ -isystem /g'`
-      tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/ -I/ -isystem /g'`
-      CFLAGS="$tmp_chg_FLAGS"
-      squeeze CFLAGS
-    fi
-    tmp_has_include="no"
-    tmp_chg_FLAGS="$CPPFLAGS"
-    for word1 in $tmp_chg_FLAGS; do
-      case "$word1" in
-        -I*)
-          tmp_has_include="yes"
-          ;;
-      esac
-    done
-    if test "$tmp_has_include" = "yes"; then
-      tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/^-I/ -isystem /g'`
-      tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/ -I/ -isystem /g'`
-      CPPFLAGS="$tmp_chg_FLAGS"
-      squeeze CPPFLAGS
-    fi
-  else
+  case $host_os in
+  darwin*)
+    dnl curl-impersonate: On macos, clang gives priority to /usr/local/include
+    dnl over locations specified with -isystem for some unknown reason. In turn
+    dnl this causes clang to use the system's openssl, which conflicts with
+    dnl curl-impersonate's boringssl headers.
+    dnl To prevent that, disable curl's automatic conversion of -I flags to
+    dnl -isystem.
     AC_MSG_RESULT([no])
-  fi
+    ;;
+  *)
+    if test "$compiler_id" = "GNU_C" ||
+      test "$compiler_id" = "CLANG"; then
+      AC_MSG_RESULT([yes])
+      tmp_has_include="no"
+      tmp_chg_FLAGS="$CFLAGS"
+      for word1 in $tmp_chg_FLAGS; do
+        case "$word1" in
+          -I*)
+            tmp_has_include="yes"
+            ;;
+        esac
+      done
+      if test "$tmp_has_include" = "yes"; then
+        tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/^-I/ -isystem /g'`
+        tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/ -I/ -isystem /g'`
+        CFLAGS="$tmp_chg_FLAGS"
+        squeeze CFLAGS
+      fi
+      tmp_has_include="no"
+      tmp_chg_FLAGS="$CPPFLAGS"
+      for word1 in $tmp_chg_FLAGS; do
+        case "$word1" in
+          -I*)
+            tmp_has_include="yes"
+            ;;
+        esac
+      done
+      if test "$tmp_has_include" = "yes"; then
+        tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/^-I/ -isystem /g'`
+        tmp_chg_FLAGS=`echo "$tmp_chg_FLAGS" | "$SED" 's/ -I/ -isystem /g'`
+        CPPFLAGS="$tmp_chg_FLAGS"
+        squeeze CPPFLAGS
+      fi
+    else
+      AC_MSG_RESULT([no])
+    fi
+    ;;
+  esac
 ])
 
 
diff --git a/scripts/singleuse.pl b/scripts/singleuse.pl
index 064990226..172bdc2d0 100755
--- a/scripts/singleuse.pl
+++ b/scripts/singleuse.pl
@@ -56,6 +56,7 @@ my %api = (
     'curl_easy_escape' => 'API',
     'curl_easy_getinfo' => 'API',
     'curl_easy_init' => 'API',
+    'curl_easy_impersonate' => 'API',
     'curl_easy_pause' => 'API',
     'curl_easy_perform' => 'API',
     'curl_easy_recv' => 'API',
diff --git a/src/Makefile.am b/src/Makefile.am
index fcc9cfdf9..18766b7dc 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -43,7 +43,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include        \
               -I$(top_srcdir)/lib            \
               -I$(top_srcdir)/src
 
-bin_PROGRAMS = curl
+bin_PROGRAMS = curl-impersonate-chrome
 
 if BUILD_DOCS
 SUBDIRS = ../docs
@@ -57,9 +57,9 @@ AM_CPPFLAGS += -DBUILDING_CURL
 include Makefile.inc
 
 # CURL_FILES comes from Makefile.inc
-curl_SOURCES = $(CURL_FILES)
+curl_impersonate_chrome_SOURCES = $(CURL_FILES)
 if HAVE_WINDRES
-curl_SOURCES += $(CURL_RCFILES)
+curl_impersonate_chrome_SOURCES += $(CURL_RCFILES)
 $(CURL_RCFILES): tool_version.h
 endif
 
@@ -72,9 +72,9 @@ CFLAGS += @CURL_CFLAG_EXTRAS@
 LIBS = $(BLANK_AT_MAKETIME)
 
 if USE_EXPLICIT_LIB_DEPS
-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
+curl_impersonate_chrome_LDADD = $(top_builddir)/lib/libcurl-impersonate-chrome.la @LIBCURL_LIBS@
 else
-curl_LDADD = $(top_builddir)/lib/libcurl.la @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
+curl_impersonate_chrome_LDADD = $(top_builddir)/lib/libcurl-impersonate-chrome.la @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
 endif
 
 # if unit tests are enabled, build a static library to link them with
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
index 3259bc7a5..e46fd7539 100644
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@@ -96,6 +96,14 @@ static void free_config_fields(struct OperationConfig *config)
   Curl_safefree(config->proto_str);
   Curl_safefree(config->proto_redir_str);
 
+  // curl-impersonate
+  Curl_safefree(config->ssl_sig_hash_algs);
+  Curl_safefree(config->ssl_cert_compression);
+  Curl_safefree(config->http2_pseudo_headers_order);
+  Curl_safefree(config->http2_settings);
+  Curl_safefree(config->http2_streams);
+  Curl_safefree(config->tls_extension_order);
+
   urlnode = config->url_list;
   while(urlnode) {
     struct getout *next = urlnode->next;
@@ -176,6 +184,14 @@ static void free_config_fields(struct OperationConfig *config)
   Curl_safefree(config->aws_sigv4);
   Curl_safefree(config->proto_str);
   Curl_safefree(config->proto_redir_str);
+#ifdef USE_ECH
+  Curl_safefree(config->ech);
+  config->ech = NULL;
+  Curl_safefree(config->ech_config);
+  config->ech_config = NULL;
+  Curl_safefree(config->ech_public);
+  config->ech_public = NULL;
+#endif
 }
 
 void config_free(struct OperationConfig *config)
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index dfa74d81f..349a46af6 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -161,8 +161,18 @@ struct OperationConfig {
   bool crlf;
   char *customrequest;
   char *ssl_ec_curves;
+  char *ssl_sig_hash_algs;
+  char *ssl_cert_compression;
   char *krblevel;
   char *request_target;
+  char *http2_pseudo_headers_order;
+  char *http2_settings;
+  long http2_window_update;
+  long http2_stream_weight;
+  long http2_stream_exclusive;
+  char *http2_streams;
+  bool tls_grease;
+  char *tls_extension_order;
   long httpversion;
   bool http09_allowed;
   bool nobuffer;
@@ -192,6 +202,7 @@ struct OperationConfig {
   struct curl_slist *prequote;
   long ssl_version;
   long ssl_version_max;
+  bool ssl_permute_extensions;
   long proxy_ssl_version;
   long ip_version;
   long create_file_mode; /* CURLOPT_NEW_FILE_PERMS */
@@ -268,6 +279,8 @@ struct OperationConfig {
   bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */
   char *oauth_bearer;             /* OAuth 2.0 bearer token */
   bool noalpn;                    /* enable/disable TLS ALPN extension */
+  bool alps;                      /* enable/disable TLS ALPS extension */
+  bool noticket;                  /* enable/disable TLS session ticket */
   char *unix_socket_path;         /* path to Unix domain socket */
   bool abstract_unix_socket;      /* path to an abstract Unix domain socket */
   bool falsestart;
@@ -298,6 +311,11 @@ struct OperationConfig {
   struct State state;             /* for create_transfer() */
   bool rm_partial;                /* on error, remove partially written output
                                      files */
+#ifdef USE_ECH
+  char *ech;                      /* Config set by --ech keywords */
+  char *ech_config;               /* Config set by "--ech esl:" option */
+  char *ech_public;               /* Config set by "--ech pn:" option */
+#endif
 };
 
 struct GlobalConfig {
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index c6a9c9358..2234eb78d 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -77,6 +77,7 @@ static ParameterError getstr(char **str, const char *val, bool allowblank)
 typedef enum {
   C_ABSTRACT_UNIX_SOCKET,
   C_ALPN,
+  C_ALPS,
   C_ALT_SVC,
   C_ANYAUTH,
   C_APPEND,
@@ -87,6 +88,7 @@ typedef enum {
   C_CACERT,
   C_CAPATH,
   C_CERT,
+  C_CERT_COMPRESSION,
   C_CERT_STATUS,
   C_CERT_TYPE,
   C_CIPHERS,
@@ -123,6 +125,7 @@ typedef enum {
   C_DOH_INSECURE,
   C_DOH_URL,
   C_DUMP_HEADER,
+  C_ECH,
   C_EGD_FILE,
   C_ENGINE,
   C_EPRT,
@@ -166,6 +169,12 @@ typedef enum {
   C_HTTP1_1,
   C_HTTP2,
   C_HTTP2_PRIOR_KNOWLEDGE,
+  C_HTTP2_PSEUDO_HEADERS_ORDER,
+  C_HTTP2_SETTINGS,
+  C_HTTP2_WINDOW_UPDATE,
+  C_HTTP2_STREAM_EXCLUSIVE,
+  C_HTTP2_STREAM_WEIGHT,
+  C_HTTP2_STREAMS,
   C_HTTP3,
   C_HTTP3_ONLY,
   C_IGNORE_CONTENT_LENGTH,
@@ -283,6 +292,7 @@ typedef enum {
   C_SESSIONID,
   C_SHOW_ERROR,
   C_SILENT,
+  C_SIGNATURE_HASHES,
   C_SOCKS4,
   C_SOCKS4A,
   C_SOCKS5,
@@ -312,6 +322,10 @@ typedef enum {
   C_TFTP_NO_OPTIONS,
   C_TIME_COND,
   C_TLS_MAX,
+  C_TLS_SESSION_TICKET,
+  C_TLS_EXTENSION_ORDER,
+  C_TLS_PERMUTE_EXTENSIONS,
+  C_TLS_GREASE,
   C_TLS13_CIPHERS,
   C_TLSAUTHTYPE,
   C_TLSPASSWORD,
@@ -358,6 +372,7 @@ struct LongShort {
 static const struct LongShort aliases[]= {
   {"abstract-unix-socket",       ARG_FILE, ' ', C_ABSTRACT_UNIX_SOCKET},
   {"alpn",                       ARG_BOOL, ' ', C_ALPN},
+  {"alps",                       ARG_BOOL, ' ', C_ALPS},  // curl-impersonate
   {"alt-svc",                    ARG_STRG, ' ', C_ALT_SVC},
   {"anyauth",                    ARG_BOOL, ' ', C_ANYAUTH},
   {"append",                     ARG_BOOL, 'a', C_APPEND},
@@ -368,6 +383,7 @@ static const struct LongShort aliases[]= {
   {"cacert",                     ARG_FILE, ' ', C_CACERT},
   {"capath",                     ARG_FILE, ' ', C_CAPATH},
   {"cert",                       ARG_FILE, 'E', C_CERT},
+  {"cert-compression",           ARG_STRG, ' ', C_CERT_COMPRESSION},  // curl-impersonate
   {"cert-status",                ARG_BOOL, ' ', C_CERT_STATUS},
   {"cert-type",                  ARG_STRG, ' ', C_CERT_TYPE},
   {"ciphers",                    ARG_STRG, ' ', C_CIPHERS},
@@ -404,6 +420,9 @@ static const struct LongShort aliases[]= {
   {"doh-insecure",               ARG_BOOL, ' ', C_DOH_INSECURE},
   {"doh-url"        ,            ARG_STRG, ' ', C_DOH_URL},
   {"dump-header",                ARG_FILE, 'D', C_DUMP_HEADER},
+#ifdef USE_ECH
+  {"ech",                        ARG_STRG, ' ', C_ECH},  // curl-impersonate
+#endif
   {"egd-file",                   ARG_STRG, ' ', C_EGD_FILE},
   {"engine",                     ARG_STRG, ' ', C_ENGINE},
   {"eprt",                       ARG_BOOL, ' ', C_EPRT},
@@ -447,6 +466,12 @@ static const struct LongShort aliases[]= {
   {"http1.1",                    ARG_NONE, ' ', C_HTTP1_1},
   {"http2",                      ARG_NONE, ' ', C_HTTP2},
   {"http2-prior-knowledge",      ARG_NONE, ' ', C_HTTP2_PRIOR_KNOWLEDGE},
+  {"http2-pseudo-headers-order", ARG_STRG, ' ', C_HTTP2_PSEUDO_HEADERS_ORDER},  // curl-impersonate
+  {"http2-settings",             ARG_STRG, ' ', C_HTTP2_SETTINGS},  // curl-impersonate
+  {"http2-stream-exclusive",     ARG_STRG, ' ', C_HTTP2_STREAM_EXCLUSIVE},  // curl-impersonate
+  {"http2-stream-weight",        ARG_STRG, ' ', C_HTTP2_STREAM_WEIGHT},  // curl-impersonate
+  {"http2-streams",              ARG_STRG, ' ', C_HTTP2_STREAMS},  // curl-impersonate
+  {"http2-window-update",        ARG_STRG, ' ', C_HTTP2_WINDOW_UPDATE},  // curl-impersonate
   {"http3",                      ARG_NONE, ' ', C_HTTP3},
   {"http3-only",                 ARG_NONE, ' ', C_HTTP3_ONLY},
   {"ignore-content-length",      ARG_BOOL, ' ', C_IGNORE_CONTENT_LENGTH},
@@ -563,6 +588,7 @@ static const struct LongShort aliases[]= {
   {"service-name",               ARG_STRG, ' ', C_SERVICE_NAME},
   {"sessionid",                  ARG_BOOL, ' ', C_SESSIONID},
   {"show-error",                 ARG_BOOL, 'S', C_SHOW_ERROR},
+  {"signature-hashes",           ARG_STRG, ' ', C_SIGNATURE_HASHES}, // curl-impersonate
   {"silent",                     ARG_BOOL, 's', C_SILENT},
   {"socks4",                     ARG_STRG, ' ', C_SOCKS4},
   {"socks4a",                    ARG_STRG, ' ', C_SOCKS4A},
@@ -592,7 +618,11 @@ static const struct LongShort aliases[]= {
   {"tftp-blksize",               ARG_STRG, ' ', C_TFTP_BLKSIZE},
   {"tftp-no-options",            ARG_BOOL, ' ', C_TFTP_NO_OPTIONS},
   {"time-cond",                  ARG_STRG, 'z', C_TIME_COND},
+  {"tls-extension-order",        ARG_STRG, ' ', C_TLS_EXTENSION_ORDER},  // curl-impersonate
+  {"tls-grease",                 ARG_BOOL, ' ', C_TLS_GREASE},  // curl-impersonate
   {"tls-max",                    ARG_STRG, ' ', C_TLS_MAX},
+  {"tls-permute-extensions",     ARG_BOOL, ' ', C_TLS_PERMUTE_EXTENSIONS},  // curl-impersonate
+  {"tls-session-ticket",         ARG_BOOL, ' ', C_TLS_SESSION_TICKET},  // curl-impersonate
   {"tls13-ciphers",              ARG_STRG, ' ', C_TLS13_CIPHERS},
   {"tlsauthtype",                ARG_STRG, ' ', C_TLSAUTHTYPE},
   {"tlspassword",                ARG_STRG, ' ', C_TLSPASSWORD},
@@ -1434,6 +1464,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
     case C_ALPN: /* --alpn */
       config->noalpn = (!toggle)?TRUE:FALSE;
       break;
+    case C_ALPS:  /* --alps curl-impersonate */
+      config->alps = toggle;
+      break;
     case C_LIMIT_RATE: /* --limit-rate */
       err = GetSizeParameter(global, nextarg, "rate", &value);
       if(!err) {
@@ -1865,6 +1898,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
     case C_TLS_MAX: /* --tls-max */
       err = str2tls_max(&config->ssl_version_max, nextarg);
       break;
+    case C_TLS_SESSION_TICKET:  /* --tls-session-ticket curl-impersonate */
+      config->noticket = (!toggle)?TRUE:FALSE;
+      break;
+    case C_TLS_PERMUTE_EXTENSIONS:  /* --tls-permute-extensions curl-impersonate */
+      config->ssl_permute_extensions = toggle;
+      break;
+    case C_TLS_EXTENSION_ORDER:  /* --tls-extension-order curl-impersonate */
+      err = getstr(&config->tls_extension_order, nextarg, ALLOW_BLANK);
+      break;
+    case C_TLS_GREASE:  /* --tls-grease curl-impersonate */
+      config->tls_grease = toggle;
+      break;
     case C_SUPPRESS_CONNECT_HEADERS: /* --suppress-connect-headers */
       config->suppress_connect_headers = toggle;
       break;
@@ -1914,6 +1959,39 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
         return PARAM_LIBCURL_DOESNT_SUPPORT;
       sethttpver(global, config, CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE);
       break;
+    case C_HTTP2_PSEUDO_HEADERS_ORDER: /* --http2-pseudo-headers-order curl-impersonate */
+      if(!feature_http2)
+        return PARAM_LIBCURL_DOESNT_SUPPORT;
+      err = getstr(&config->http2_pseudo_headers_order, nextarg, ALLOW_BLANK);
+      break;
+    case C_HTTP2_SETTINGS:  /* --http2-settings curl-impersonate */
+      if(!feature_http2)
+        return PARAM_LIBCURL_DOESNT_SUPPORT;
+      err = getstr(&config->http2_settings, nextarg, ALLOW_BLANK);
+      break;
+    case C_HTTP2_STREAM_EXCLUSIVE:
+      if(!feature_http2)
+        return PARAM_LIBCURL_DOESNT_SUPPORT;
+      err = str2num(&config->http2_stream_exclusive, nextarg);
+      if(config->http2_stream_exclusive < 0) return PARAM_BAD_NUMERIC;
+      break;
+    case C_HTTP2_STREAM_WEIGHT:
+      if(!feature_http2)
+        return PARAM_LIBCURL_DOESNT_SUPPORT;
+      err = str2num(&config->http2_stream_weight, nextarg);
+      if(config->http2_stream_weight < 0) return PARAM_BAD_NUMERIC;
+      break;
+    case C_HTTP2_WINDOW_UPDATE:  /* --http2-window-update curl-impersonate */
+      if(!feature_http2)
+        return PARAM_LIBCURL_DOESNT_SUPPORT;
+      err = str2num(&config->http2_window_update, nextarg);
+      if(config->http2_window_update < -1) return PARAM_BAD_NUMERIC;
+      break;
+    case C_HTTP2_STREAMS:  /* --http2-streams curl-impersonate */
+      if(!feature_http2)
+        return PARAM_LIBCURL_DOESNT_SUPPORT;
+      err = getstr(&config->http2_streams, nextarg, ALLOW_BLANK);
+      break;
     case C_HTTP3: /* --http3: */
       /* Try HTTP/3, allow fallback */
       if(!feature_http3)
@@ -2033,6 +2111,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
     case C_DUMP_HEADER: /* --dump-header */
       err = getstr(&config->headerfile, nextarg, DENY_BLANK);
       break;
+#ifdef USE_ECH
+    case C_ECH:  /* --ech curl-impersonate */
+      if(strlen(nextarg) != 6 || !strncasecompare("GREASE", nextarg, 6)) {
+        warnf(global, "Only GREASE is supported for --ech.");
+        return PARAM_BAD_USE; /*  */
+      }
+      else {
+        /* Simple case: just a string, with a keyword */
+        getstr(&config->ech, nextarg, ALLOW_BLANK);
+      }
+      break;
+#endif
     case C_REFERER: { /* --referer */
       char *ptr = strstr(nextarg, ";auto");
       if(ptr) {
@@ -2051,6 +2141,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
       cleanarg(clearthis);
       GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
       break;
+    case C_CERT_COMPRESSION:  /* --cert-compression curl-impersonate */
+      err = getstr(&config->ssl_cert_compression, nextarg, ALLOW_BLANK);
+      break;
     case C_CACERT: /* --cacert */
       err = getstr(&config->cacert, nextarg, DENY_BLANK);
       break;
@@ -2555,6 +2648,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
     case C_SILENT: /* --silent */
       global->silent = toggle;
       break;
+    case C_SIGNATURE_HASHES: /* --signature-hashes */
+      err = getstr(&config->ssl_sig_hash_algs, nextarg, ALLOW_BLANK);
+      break;
     case C_SHOW_ERROR: /* --show-error */
       global->showerror = toggle;
       break;
diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c
index 5d9364405..f346f8e0c 100644
--- a/src/tool_listhelp.c
+++ b/src/tool_listhelp.c
@@ -111,6 +111,27 @@ const struct helptxt helptext[] = {
   {"    --curves <list>",
    "(EC) TLS key exchange algorithms to request",
    CURLHELP_TLS},
+  {"    --signature-hashes <algorithm list>",
+   "TLS signature hash algorithm(s) to use",
+   CURLHELP_TLS},
+  {"    --cert-compression <algorithm list>",
+   "TLS cert compressions algorithm(s) to use",
+   CURLHELP_TLS},
+  {"    --no-tls-session-ticket",
+   "Disable the TLS session ticket extension",
+   CURLHELP_TLS},
+  {"    --http2-pseudo-headers-order",
+   "Change the order of the HTTP2 pseudo headers",
+   CURLHELP_HTTP},
+  {"    --http2-settings",
+   "Change the order and values of the HTTP2 settings frame, e.g. 1:65536;2:0;4:6291456;6:262144",
+   CURLHELP_HTTP},
+  {"    --http2-window-update",
+   "Change the initial value for window update",
+   CURLHELP_HTTP},
+  {"    --tls-permute-extensions",
+   "Enable BoringSSL TLS extensions permutations on client hello",
+   CURLHELP_TLS},
   {"-d, --data <data>",
    "HTTP POST data",
    CURLHELP_IMPORTANT | CURLHELP_HTTP | CURLHELP_POST | CURLHELP_UPLOAD},
@@ -168,6 +189,11 @@ const struct helptxt helptext[] = {
   {"-D, --dump-header <filename>",
    "Write the received headers to <filename>",
    CURLHELP_HTTP | CURLHELP_FTP},
+#ifdef USE_ECH
+  {"    --ech <config>",
+   "Encrypted Client Hello controls",
+  CURLHELP_TLS},
+#endif
   {"    --egd-file <file>",
    "EGD socket path for random data",
    CURLHELP_TLS},
@@ -396,6 +422,9 @@ const struct helptxt helptext[] = {
   {"    --no-alpn",
    "Disable the ALPN TLS extension",
    CURLHELP_TLS | CURLHELP_HTTP},
+  {"    --alps",
+   "Enable the ALPS TLS extension",
+   CURLHELP_TLS | CURLHELP_HTTP},
   {"-N, --no-buffer",
    "Disable buffering of the output stream",
    CURLHELP_CURL},
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 7e2c1eefe..8f96c7b08 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1510,6 +1510,36 @@ static CURLcode single_transfer(struct GlobalConfig *global,
             return result;
           }
 
+          if(config->http2_pseudo_headers_order)
+            my_setopt_str(curl,
+                          CURLOPT_HTTP2_PSEUDO_HEADERS_ORDER,
+                          config->http2_pseudo_headers_order);
+
+          if(config->http2_settings)
+            my_setopt_str(curl,
+                          CURLOPT_HTTP2_SETTINGS,
+                          config->http2_settings);
+
+          if(config->http2_window_update)
+            my_setopt(curl,
+                      CURLOPT_HTTP2_WINDOW_UPDATE,
+                      config->http2_window_update);
+
+          if(config->http2_stream_exclusive)
+            my_setopt(curl,
+                      CURLOPT_STREAM_EXCLUSIVE,
+                      config->http2_stream_exclusive);
+
+          if(config->http2_stream_weight)
+            my_setopt(curl,
+                      CURLOPT_STREAM_WEIGHT,
+                      config->http2_stream_weight);
+
+          if(config->http2_streams)
+            my_setopt_str(curl,
+                          CURLOPT_HTTP2_STREAMS,
+                          config->http2_streams);
+
         } /* (proto_http) */
 
         if(proto_ftp)
@@ -1598,6 +1628,14 @@ static CURLcode single_transfer(struct GlobalConfig *global,
         if(config->ssl_ec_curves)
           my_setopt_str(curl, CURLOPT_SSL_EC_CURVES, config->ssl_ec_curves);
 
+        if(config->ssl_sig_hash_algs)
+          my_setopt_str(curl, CURLOPT_SSL_SIG_HASH_ALGS,
+                        config->ssl_sig_hash_algs);
+
+        if(config->ssl_cert_compression)
+          my_setopt_str(curl, CURLOPT_SSL_CERT_COMPRESSION,
+                        config->ssl_cert_compression);
+
         if(config->writeout)
           my_setopt_str(curl, CURLOPT_CERTINFO, 1L);
 
@@ -1930,6 +1968,19 @@ static CURLcode single_transfer(struct GlobalConfig *global,
           my_setopt_str(curl, CURLOPT_PROXY_TLS13_CIPHERS,
                         config->proxy_cipher13_list);
 
+        /* curl-impersonate */
+        if(config->ssl_permute_extensions)
+          my_setopt(curl, CURLOPT_SSL_PERMUTE_EXTENSIONS, 1L);
+
+        /* curl-impersonate */
+        if (config->tls_grease)
+          my_setopt(curl, CURLOPT_TLS_GREASE, 1L);
+
+        /* curl-impersonate */
+        if(config->tls_extension_order)
+          // printf("setting is %s\n", config->tls_extension_order);
+          my_setopt_str(curl, CURLOPT_TLS_EXTENSION_ORDER, config->tls_extension_order);
+
         /* new in libcurl 7.9.2: */
         if(config->disable_epsv)
           /* disable it */
@@ -2139,6 +2190,18 @@ static CURLcode single_transfer(struct GlobalConfig *global,
           my_setopt(curl, CURLOPT_SSL_ENABLE_ALPN, 0L);
         }
 
+        if(config->alps) {
+          my_setopt(curl, CURLOPT_SSL_ENABLE_ALPS, 1L);
+        }
+
+        if (config->noticket) {
+          my_setopt(curl, CURLOPT_SSL_ENABLE_TICKET, 0L);
+        }
+
+        // curl-impersonate: always enable thess two for browsers
+        my_setopt(curl, CURLOPT_TLS_SIGNED_CERT_TIMESTAMPS, 1L);
+        my_setopt(curl, CURLOPT_TLS_STATUS_REQUEST, 1L);
+
         /* new in 7.40.0, abstract support added in 7.53.0 */
         if(config->unix_socket_path) {
           if(config->abstract_unix_socket) {
@@ -2187,6 +2250,16 @@ static CURLcode single_transfer(struct GlobalConfig *global,
         if(config->hsts)
           my_setopt_str(curl, CURLOPT_HSTS, config->hsts);
 
+#ifdef USE_ECH
+        /* only if enabled in configure */
+        if(config->ech) /* only if set (optional) */
+          my_setopt_str(curl, CURLOPT_ECH, config->ech);
+        if(config->ech_public) /* only if set (optional) */
+          my_setopt_str(curl, CURLOPT_ECH, config->ech_public);
+        if(config->ech_config) /* only if set (optional) */
+          my_setopt_str(curl, CURLOPT_ECH, config->ech_config);
+#endif
+
         /* initialize retry vars for loop below */
         per->retry_sleep_default = (config->retry_delay) ?
           config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index 656adbda8..d149ae238 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -163,6 +163,10 @@ static const struct NameValue setopt_nv_CURLNONZERODEFAULTS[] = {
   NV1(CURLOPT_SSL_VERIFYHOST, 1),
   NV1(CURLOPT_SSL_ENABLE_NPN, 1),
   NV1(CURLOPT_SSL_ENABLE_ALPN, 1),
+  NV1(CURLOPT_SSL_ENABLE_TICKET, 1),
+  NV1(CURLOPT_SSL_PERMUTE_EXTENSIONS, 1),
+  NV1(CURLOPT_TLS_SIGNED_CERT_TIMESTAMPS, 1),
+  NV1(CURLOPT_TLS_STATUS_REQUEST, 1),
   NV1(CURLOPT_TCP_NODELAY, 1),
   NV1(CURLOPT_PROXY_SSL_VERIFYPEER, 1),
   NV1(CURLOPT_PROXY_SSL_VERIFYHOST, 1),
diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py
index 4db9c9d36..395fc862f 100644
--- a/tests/http/test_02_download.py
+++ b/tests/http/test_02_download.py
@@ -394,6 +394,19 @@ class TestDownload:
         r = client.run(args=[url])
         r.check_exit_code(0)
 
+    @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+    def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto):
+        if proto == 'h3' and not env.have_h3():
+            pytest.skip("h3 not supported")
+        count = 1
+        urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]'
+        curl = CurlClient(env=env)
+        r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[
+            '--compressed'
+        ])
+        r.check_exit_code(code=0)
+        r.check_response(count=count, http_status=200)
+
     def check_downloads(self, client, srcfile: str, count: int,
                         complete: bool = True):
         for i in range(count):
diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py
index a207059dc..13c5d6bd4 100644
--- a/tests/http/testenv/env.py
+++ b/tests/http/testenv/env.py
@@ -129,10 +129,11 @@ class EnvConfig:
         self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs')
         self.tld = 'http.curl.se'
         self.domain1 = f"one.{self.tld}"
+        self.domain1brotli = f"brotli.one.{self.tld}"
         self.domain2 = f"two.{self.tld}"
         self.proxy_domain = f"proxy.{self.tld}"
         self.cert_specs = [
-            CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'),
+            CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'),
             CertificateSpec(domains=[self.domain2], key_type='rsa2048'),
             CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'),
             CertificateSpec(name="clientsX", sub_specs=[
@@ -376,6 +377,10 @@ class Env:
     def domain1(self) -> str:
         return self.CONFIG.domain1
 
+    @property
+    def domain1brotli(self) -> str:
+        return self.CONFIG.domain1brotli
+
     @property
     def domain2(self) -> str:
         return self.CONFIG.domain2
diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py
index c04c22699..b8615875a 100644
--- a/tests/http/testenv/httpd.py
+++ b/tests/http/testenv/httpd.py
@@ -50,6 +50,7 @@ class Httpd:
         'alias', 'env', 'filter', 'headers', 'mime', 'setenvif',
         'socache_shmcb',
         'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect',
+        'brotli',
         'mpm_event',
     ]
     COMMON_MODULES_DIRS = [
@@ -203,6 +204,7 @@ class Httpd:
 
     def _write_config(self):
         domain1 = self.env.domain1
+        domain1brotli = self.env.domain1brotli
         creds1 = self.env.get_credentials(domain1)
         domain2 = self.env.domain2
         creds2 = self.env.get_credentials(domain2)
@@ -285,6 +287,24 @@ class Httpd:
                 f'</VirtualHost>',
                 f'',
             ])
+            # Alternate to domain1 with BROTLI compression
+            conf.extend([  # https host for domain1, h1 + h2
+                f'<VirtualHost *:{self.env.https_port}>',
+                f'    ServerName {domain1brotli}',
+                f'    Protocols h2 http/1.1',
+                f'    SSLEngine on',
+                f'    SSLCertificateFile {creds1.cert_file}',
+                f'    SSLCertificateKeyFile {creds1.pkey_file}',
+                f'    DocumentRoot "{self._docs_dir}"',
+                f'    SetOutputFilter BROTLI_COMPRESS',
+            ])
+            conf.extend(self._curltest_conf(domain1))
+            if domain1 in self._extra_configs:
+                conf.extend(self._extra_configs[domain1])
+            conf.extend([
+                f'</VirtualHost>',
+                f'',
+            ])
             conf.extend([  # https host for domain2, no h2
                 f'<VirtualHost *:{self.env.https_port}>',
                 f'    ServerName {domain2}',