tongsuo.patch

diff --git a/docs/libcurl/curl_easy_setopt.md b/docs/libcurl/curl_easy_setopt.md
index e0fe95cac..cc88339fd 100644
--- a/docs/libcurl/curl_easy_setopt.md
+++ b/docs/libcurl/curl_easy_setopt.md
@@ -1068,6 +1068,14 @@ Client cert type. See CURLOPT_SSLCERTTYPE(3)
 
 Client cert memory buffer. See CURLOPT_SSLCERT_BLOB(3)
 
+## CURLOPT_SSLENCCERT
+
+Encryption certificate. See CURLOPT_SSLENCCERT(3)
+
+## CURLOPT_SSLENCKEY
+
+Encryption key. See CURLOPT_SSLENCKEY(3)
+
 ## CURLOPT_SSLENGINE
 
 Use identifier with SSL engine. See CURLOPT_SSLENGINE(3)
@@ -1088,6 +1096,14 @@ Client key type. See CURLOPT_SSLKEYTYPE(3)
 
 Client key memory buffer. See CURLOPT_SSLKEY_BLOB(3)
 
+## CURLOPT_SSLSIGNCERT
+
+Signature certificate. See CURLOPT_SSLSIGNCERT(3)
+
+## CURLOPT_SSLSIGNKEY
+
+Signature key. See CURLOPT_SSLSIGNKEY(3)
+
 ## CURLOPT_SSLVERSION
 
 SSL version to use. See CURLOPT_SSLVERSION(3)
diff --git a/docs/libcurl/opts/CURLOPT_SSLENCCERT.md b/docs/libcurl/opts/CURLOPT_SSLENCCERT.md
new file mode 100644
index 000000000..bc833bee3
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SSLENCCERT.md
@@ -0,0 +1,96 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Title: CURLOPT_SSLENCCERT
+Section: 3
+Source: libcurl
+See-also:
+  - CURLOPT_SSLCERTTYPE (3)
+  - CURLOPT_SSLENCKEY (3)
+  - CURLOPT_SSLSIGNCERT (3)
+  - CURLOPT_SSLSIGNKEY (3)
+  - CURLOPT_KEYPASSWD (3)
+Protocol:
+  - NTLS
+TLS-backend:
+  - Tongsuo
+Added-in: 7.80.0
+---
+
+# NAME
+
+CURLOPT_SSLENCCERT - SSL client encryption certificate
+
+# SYNOPSIS
+
+~~~c
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLENCCERT, char *cert);
+~~~
+
+# DESCRIPTION
+
+Pass a pointer to a null-terminated string as parameter. The string should be
+the filename of your client encryption certificate. The default format is `P12`
+on Secure Transport and `PEM` on other engines, and can be changed with
+CURLOPT_SSLCERTTYPE(3).
+
+With Secure Transport, this can also be the nickname of the certificate you
+wish to authenticate with as it is named in the security database. If you want
+to use a file from the current directory, please precede it with `./` prefix,
+in order to avoid confusion with a nickname.
+
+(Schannel only) Client certificates can be specified by a path expression to a
+certificate store. (You can import *PFX* to a store first). You can use
+"\<store location\>\\\<store name\>\\\<thumbprint\>" to refer to a certificate
+in the system certificates store, for example,
+**"CurrentUser\\MY\\934a7ac6f8a5d5"**. The thumbprint is usually a SHA-1 hex
+string which you can see in certificate details. Following store locations are
+supported: **CurrentUser**, **LocalMachine**, **CurrentService**,
+**Services**, **CurrentUserGroupPolicy**, **LocalMachineGroupPolicy**,
+**LocalMachineEnterprise**. Schannel also support P12 certificate file, with
+the string `P12` specified with CURLOPT_SSLCERTTYPE(3).
+
+When using a client encryption certificate, you most likely also need to provide
+a private key with CURLOPT_SSLENCKEY(3).
+
+The application does not have to keep the string around after setting this
+option.
+
+Using this option multiple times makes the last set string override the
+previous ones. Set it to NULL to disable its use again.
+
+# DEFAULT
+
+NULL
+
+# %PROTOCOLS%
+
+# EXAMPLE
+
+~~~c
+int main(void)
+{
+  CURL *curl = curl_easy_init();
+  if(curl) {
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1);
+    curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key");
+    curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret");
+    res = curl_easy_perform(curl);
+    curl_easy_cleanup(curl);
+  }
+}
+~~~
+
+# %AVAILABILITY%
+
+# RETURN VALUE
+
+Returns CURLE_OK if NTLS enabled, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
diff --git a/docs/libcurl/opts/CURLOPT_SSLENCKEY.md b/docs/libcurl/opts/CURLOPT_SSLENCKEY.md
new file mode 100644
index 000000000..16a923230
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SSLENCKEY.md
@@ -0,0 +1,78 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Title: CURLOPT_SSLENCKEY
+Section: 3
+Source: libcurl
+See-also:
+  - CURLOPT_SSLENCCERT (3)
+  - CURLOPT_SSLSIGNCERT (3)
+  - CURLOPT_SSLSIGNKEY (3)
+  - CURLOPT_SSLKEYTYPE (3)
+Protocol:
+  - NTLS
+TLS-backend:
+  - Tongsuo
+Added-in: 7.80.0
+---
+
+# NAME
+
+CURLOPT_SSLENCKEY - private key file for NTLS and SSL client encryption cert
+
+# SYNOPSIS
+
+~~~c
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLENCKEY, char *keyfile);
+~~~
+
+# DESCRIPTION
+
+Pass a pointer to a null-terminated string as parameter. The string should be
+the filename of your private key. The default format is "PEM" and can be
+changed with CURLOPT_SSLKEYTYPE(3).
+
+(Windows, iOS and macOS) This option is ignored by Secure Transport because
+they expect the private key to be already present in the key-chain or PKCS#12
+file containing the certificate.
+
+The application does not have to keep the string around after setting this
+option.
+
+Using this option multiple times makes the last set string override the
+previous ones. Set it to NULL to disable its use again.
+
+# DEFAULT
+
+NULL
+
+# %PROTOCOLS%
+
+# EXAMPLE
+
+~~~c
+int main(void)
+{
+  CURL *curl = curl_easy_init();
+  if(curl) {
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+    curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key");
+    curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret");
+    res = curl_easy_perform(curl);
+    curl_easy_cleanup(curl);
+  }
+}
+~~~
+
+# %AVAILABILITY%
+
+# RETURN VALUE
+
+Returns CURLE_OK if NTLS is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
diff --git a/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.md b/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.md
new file mode 100644
index 000000000..eca84f1c6
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.md
@@ -0,0 +1,96 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Title: CURLOPT_SSLSIGNCERT
+Section: 3
+Source: libcurl
+See-also:
+  - CURLOPT_SSLCERTTYPE (3)
+  - CURLOPT_SSLENCKEY (3)
+  - CURLOPT_SSLENCCERT (3)
+  - CURLOPT_SSLSIGNKEY (3)
+  - CURLOPT_KEYPASSWD (3)
+Protocol:
+  - NTLS
+TLS-backend:
+  - Tongsuo
+Added-in: 7.80.0
+---
+
+# NAME
+
+CURLOPT_SSLSIGNCERT - SSL client signature certificate
+
+# SYNOPSIS
+
+~~~c
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLSIGNCERT, char *cert);
+~~~
+
+# DESCRIPTION
+
+Pass a pointer to a null-terminated string as parameter. The string should be
+the filename of your client signature certificate. The default format is `P12`
+on Secure Transport and `PEM` on other engines, and can be changed with
+CURLOPT_SSLCERTTYPE(3).
+
+With Secure Transport, this can also be the nickname of the certificate you
+wish to authenticate with as it is named in the security database. If you want
+to use a file from the current directory, please precede it with `./` prefix,
+in order to avoid confusion with a nickname.
+
+(Schannel only) Client certificates can be specified by a path expression to a
+certificate store. (You can import *PFX* to a store first). You can use
+"\<store location\>\\\<store name\>\\\<thumbprint\>" to refer to a certificate
+in the system certificates store, for example,
+**"CurrentUser\\MY\\934a7ac6f8a5d5"**. The thumbprint is usually a SHA-1 hex
+string which you can see in certificate details. Following store locations are
+supported: **CurrentUser**, **LocalMachine**, **CurrentService**,
+**Services**, **CurrentUserGroupPolicy**, **LocalMachineGroupPolicy**,
+**LocalMachineEnterprise**. Schannel also support P12 certificate file, with
+the string `P12` specified with CURLOPT_SSLCERTTYPE(3).
+
+When using a client signature certificate, you most likely also need to provide
+a private key with CURLOPT_SSLSIGNKEY(3).
+
+The application does not have to keep the string around after setting this
+option.
+
+Using this option multiple times makes the last set string override the
+previous ones. Set it to NULL to disable its use again.
+
+# DEFAULT
+
+NULL
+
+# %PROTOCOLS%
+
+# EXAMPLE
+
+~~~c
+int main(void)
+{
+  CURL *curl = curl_easy_init();
+  if(curl) {
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1);
+    curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key");
+    curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret");
+    res = curl_easy_perform(curl);
+    curl_easy_cleanup(curl);
+  }
+}
+~~~
+
+# %AVAILABILITY%
+
+# RETURN VALUE
+
+Returns CURLE_OK if NTLS enabled, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
diff --git a/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.md b/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.md
new file mode 100644
index 000000000..81b7a9d00
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.md
@@ -0,0 +1,78 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Title: CURLOPT_SSLSIGNKEY
+Section: 3
+Source: libcurl
+See-also:
+  - CURLOPT_SSLSIGNCERT (3)
+  - CURLOPT_SSLENCCERT (3)
+  - CURLOPT_SSLENCKEY (3)
+  - CURLOPT_SSLKEYTYPE (3)
+Protocol:
+  - NTLS
+TLS-backend:
+  - Tongsuo
+Added-in: 7.80.0
+---
+
+# NAME
+
+CURLOPT_SSLSIGNKEY - private key file for NTLS and SSL client signature cert
+
+# SYNOPSIS
+
+~~~c
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLSIGNKEY, char *keyfile);
+~~~
+
+# DESCRIPTION
+
+Pass a pointer to a null-terminated string as parameter. The string should be
+the filename of your private key. The default format is "PEM" and can be
+changed with CURLOPT_SSLKEYTYPE(3).
+
+(Windows, iOS and macOS) This option is ignored by Secure Transport because
+they expect the private key to be already present in the key-chain or PKCS#12
+file containing the certificate.
+
+The application does not have to keep the string around after setting this
+option.
+
+Using this option multiple times makes the last set string override the
+previous ones. Set it to NULL to disable its use again.
+
+# DEFAULT
+
+NULL
+
+# %PROTOCOLS%
+
+# EXAMPLE
+
+~~~c
+int main(void)
+{
+  CURL *curl = curl_easy_init();
+  if(curl) {
+    CURLcode res;
+    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+    curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key");
+    curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret");
+    res = curl_easy_perform(curl);
+    curl_easy_cleanup(curl);
+  }
+}
+~~~
+
+# %AVAILABILITY%
+
+# RETURN VALUE
+
+Returns CURLE_OK if NTLS is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc
index 9d8606dd0..890d4328a 100644
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@@ -428,4 +428,8 @@ man_MANS =                                      \
   CURLSHOPT_SHARE.3                             \
   CURLSHOPT_UNLOCKFUNC.3                        \
   CURLSHOPT_UNSHARE.3                           \
-  CURLSHOPT_USERDATA.3
+  CURLSHOPT_USERDATA.3                          \
+  CURLOPT_SSLENCCERT.3                          \
+  CURLOPT_SSLENCKEY.3                           \
+  CURLOPT_SSLSIGNCERT.3                         \
+  CURLOPT_SSLSIGNKEY.3
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 0fd02ff09..643025d44 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -12,6 +12,12 @@
 
  Name                           Introduced  Deprecated  Last
 
+CURLOPT_SSLENCCERT              7.80.0
+CURLOPT_SSLENCKEY               7.80.0
+CURLOPT_SSLSIGNCERT             7.80.0
+CURLOPT_SSLSIGNKEY              7.80.0
+CURL_SSLVERSION_NTLSv1_1        7.80.0
+CURL_SSLVERSION_MAX_NTLSv1_1    7.80.0
 CURL_AT_LEAST_VERSION           7.43.0
 CURL_BLOB_COPY                  7.71.0
 CURL_BLOB_NOCOPY                7.71.0
diff --git a/include/curl/curl.h b/include/curl/curl.h
index fae168966..0788bab69 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -2228,6 +2228,18 @@ typedef enum {
   /* maximum number of keepalive probes (Linux, *BSD, macOS, etc.) */
   CURLOPT(CURLOPT_TCP_KEEPCNT, CURLOPTTYPE_LONG, 326),
 
+  /* name of the file keeping your SSL sign certificate */
+  CURLOPT(CURLOPT_SSLSIGNCERT, CURLOPTTYPE_STRINGPOINT, 327),
+
+  /* name of the file keeping your SSL sign key */
+  CURLOPT(CURLOPT_SSLSIGNKEY, CURLOPTTYPE_STRINGPOINT, 328),
+
+  /* name of the file keeping your SSL enc certificate */
+  CURLOPT(CURLOPT_SSLENCCERT, CURLOPTTYPE_STRINGPOINT, 329),
+
+  /* name of the file keeping your SSL enc key */
+  CURLOPT(CURLOPT_SSLENCKEY, CURLOPTTYPE_STRINGPOINT, 330),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
@@ -2341,8 +2353,9 @@ enum CURL_NETRC_OPTION {
 #define CURL_SSLVERSION_TLSv1_1 5
 #define CURL_SSLVERSION_TLSv1_2 6
 #define CURL_SSLVERSION_TLSv1_3 7
+#define CURL_SSLVERSION_NTLSv1_1 8
 
-#define CURL_SSLVERSION_LAST 8 /* never use, keep last */
+#define CURL_SSLVERSION_LAST 9 /* never use, keep last */
 
 #define CURL_SSLVERSION_MAX_NONE 0
 #define CURL_SSLVERSION_MAX_DEFAULT (CURL_SSLVERSION_TLSv1   << 16)
@@ -2350,7 +2363,7 @@ enum CURL_NETRC_OPTION {
 #define CURL_SSLVERSION_MAX_TLSv1_1 (CURL_SSLVERSION_TLSv1_1 << 16)
 #define CURL_SSLVERSION_MAX_TLSv1_2 (CURL_SSLVERSION_TLSv1_2 << 16)
 #define CURL_SSLVERSION_MAX_TLSv1_3 (CURL_SSLVERSION_TLSv1_3 << 16)
-
+#define CURL_SSLVERSION_MAX_NTLSv1_1 (CURL_SSLVERSION_NTLSv1_1 << 16)
   /* never use, keep last */
 #define CURL_SSLVERSION_MAX_LAST    (CURL_SSLVERSION_LAST    << 16)
 
diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
index e532e6997..e1d1555c4 100644
--- a/include/curl/typecheck-gcc.h
+++ b/include/curl/typecheck-gcc.h
@@ -349,6 +349,10 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t,
    (option) == CURLOPT_USERPWD ||                                             \
    (option) == CURLOPT_XOAUTH2_BEARER ||                                      \
    (option) == CURLOPT_SSL_EC_CURVES ||                                       \
+   (option) == CURLOPT_SSLSIGNCERT ||                                         \
+   (option) == CURLOPT_SSLSIGNKEY ||                                          \
+   (option) == CURLOPT_SSLENCCERT ||                                          \
+   (option) == CURLOPT_SSLENCKEY ||                                           \
    0)
 
 /* evaluates to true if option takes a curl_write_callback argument */
diff --git a/lib/config-win32.h b/lib/config-win32.h
index 1f280a96c..167ccfb5b 100644
--- a/lib/config-win32.h
+++ b/lib/config-win32.h
@@ -497,4 +497,8 @@ Vista
 /* If you want to build curl with the built-in manual */
 #define USE_MANUAL 1
 
+#ifdef USE_NTLS
+# define HAVE_NTLS 1
+#endif
+
 #endif /* HEADER_CURL_CONFIG_WIN32_H */
diff --git a/lib/easyoptions.c b/lib/easyoptions.c
index 81091c405..ab864f7de 100644
--- a/lib/easyoptions.c
+++ b/lib/easyoptions.c
@@ -301,12 +301,16 @@ struct curl_easyoption Curl_easyopts[] = {
   {"SSLCERTPASSWD", CURLOPT_KEYPASSWD, CURLOT_STRING, CURLOT_FLAG_ALIAS},
   {"SSLCERTTYPE", CURLOPT_SSLCERTTYPE, CURLOT_STRING, 0},
   {"SSLCERT_BLOB", CURLOPT_SSLCERT_BLOB, CURLOT_BLOB, 0},
+  {"SSLENCCERT", CURLOPT_SSLENCCERT, CURLOT_STRING, 0},
+  {"SSLENCKEY", CURLOPT_SSLENCKEY, CURLOT_STRING, 0},
   {"SSLENGINE", CURLOPT_SSLENGINE, CURLOT_STRING, 0},
   {"SSLENGINE_DEFAULT", CURLOPT_SSLENGINE_DEFAULT, CURLOT_LONG, 0},
   {"SSLKEY", CURLOPT_SSLKEY, CURLOT_STRING, 0},
   {"SSLKEYPASSWD", CURLOPT_KEYPASSWD, CURLOT_STRING, CURLOT_FLAG_ALIAS},
   {"SSLKEYTYPE", CURLOPT_SSLKEYTYPE, CURLOT_STRING, 0},
   {"SSLKEY_BLOB", CURLOPT_SSLKEY_BLOB, CURLOT_BLOB, 0},
+  {"SSLSIGNCERT", CURLOPT_SSLSIGNCERT, CURLOT_STRING, 0},
+  {"SSLSIGNKEY", CURLOPT_SSLSIGNKEY, CURLOT_STRING, 0},
   {"SSLVERSION", CURLOPT_SSLVERSION, CURLOT_VALUES, 0},
   {"SSL_CIPHER_LIST", CURLOPT_SSL_CIPHER_LIST, CURLOT_STRING, 0},
   {"SSL_CTX_DATA", CURLOPT_SSL_CTX_DATA, CURLOT_CBPTR, 0},
@@ -377,6 +381,6 @@ struct curl_easyoption Curl_easyopts[] = {
  */
 int Curl_easyopts_check(void)
 {
-  return ((CURLOPT_LASTENTRY%10000) != (326 + 1));
+  return ((CURLOPT_LASTENTRY%10000) != (330 + 1));
 }
 #endif
diff --git a/lib/setopt.c b/lib/setopt.c
index 7366d4a3e..d3fa1aa52 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -1663,6 +1663,16 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
 {
   CURLcode result = CURLE_OK;
   switch(option) {
+#ifdef HAVE_NTLS
+  case CURLOPT_SSLSIGNCERT:
+    return Curl_setstropt(&data->set.str[STRING_SIGN_CERT], ptr);
+  case CURLOPT_SSLSIGNKEY:
+    return Curl_setstropt(&data->set.str[STRING_SIGN_KEY], ptr);
+  case CURLOPT_SSLENCCERT:
+    return Curl_setstropt(&data->set.str[STRING_ENC_CERT], ptr);
+  case CURLOPT_SSLENCKEY:
+    return Curl_setstropt(&data->set.str[STRING_ENC_KEY], ptr);
+#endif
   case CURLOPT_SSL_CIPHER_LIST:
     if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST))
       /* set a list of cipher we want to use in the SSL connection */
diff --git a/lib/urldata.h b/lib/urldata.h
index fc09efad6..6966495d8 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -301,6 +301,12 @@ struct ssl_config_data {
   struct curl_blob *key_blob;
   char *key_type; /* format for private key (default: PEM) */
   char *key_passwd; /* plain text private key password */
+#ifdef HAVE_NTLS
+  char *sign_cert;
+  char *sign_key;
+  char *enc_cert;
+  char *enc_key;
+#endif
   BIT(certinfo);     /* gather lots of certificate info */
   BIT(falsestart);
   BIT(earlydata);    /* use tls1.3 early data */
@@ -1484,6 +1490,12 @@ enum dupstring {
 #endif
 #ifndef CURL_DISABLE_PROXY
   STRING_HAPROXY_CLIENT_IP,     /* CURLOPT_HAPROXY_CLIENT_IP */
+#endif
+#ifdef HAVE_NTLS
+  STRING_SIGN_CERT,
+  STRING_SIGN_KEY,
+  STRING_ENC_CERT,
+  STRING_ENC_KEY,
 #endif
   STRING_ECH_CONFIG,            /* CURLOPT_ECH_CONFIG */
   STRING_ECH_PUBLIC,            /* CURLOPT_ECH_PUBLIC */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index f253674b2..d9b0e6386 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3498,6 +3498,11 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
   case TRNSPRT_TCP:
     /* check to see if we have been told to use an explicit SSL/TLS version */
     switch(ssl_version_min) {
+#ifdef HAVE_NTLS
+    case CURL_SSLVERSION_NTLSv1_1:
+      req_method = NTLS_client_method();
+      break;
+#endif
     case CURL_SSLVERSION_DEFAULT:
     case CURL_SSLVERSION_TLSv1:
     case CURL_SSLVERSION_TLSv1_0:
@@ -3628,7 +3633,11 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
   case CURL_SSLVERSION_SSLv2:
   case CURL_SSLVERSION_SSLv3:
     return CURLE_NOT_BUILT_IN;
-
+#ifdef HAVE_NTLS
+  case CURL_SSLVERSION_NTLSv1_1:
+    SSL_CTX_enable_ntls(octx->ssl_ctx);
+    break;
+#endif
     /* "--tlsv<x.y>" options mean TLS >= version <x.y> */
   case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */
@@ -3683,6 +3692,51 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
       return result;
   }
 
+#ifdef HAVE_NTLS
+  if(ssl_version_min == CURL_SSLVERSION_NTLSv1_1) {
+    char *sign_cert = ssl_config->sign_cert;
+    char *sign_key = ssl_config->sign_key;
+    char *enc_cert = ssl_config->enc_cert;
+    char *enc_key = ssl_config->enc_key;
+
+    if(sign_cert
+       && !SSL_CTX_use_sign_certificate_file(octx->ssl_ctx, sign_cert,
+                                             SSL_FILETYPE_PEM)) {
+      failf(data, "SSL: failed settting sign certificate file: %s",
+            ossl_strerror(ERR_get_error(), error_buffer,
+                          sizeof(error_buffer)));
+      return CURLE_SSL_CERTPROBLEM;
+    }
+
+    if(sign_key
+       && !SSL_CTX_use_sign_PrivateKey_file(octx->ssl_ctx, sign_key,
+                                            SSL_FILETYPE_PEM)) {
+      failf(data, "SSL: failed settting sign key file: %s",
+            ossl_strerror(ERR_get_error(), error_buffer,
+                          sizeof(error_buffer)));
+      return CURLE_SSL_CERTPROBLEM;
+    }
+
+    if(enc_cert
+       && !SSL_CTX_use_enc_certificate_file(octx->ssl_ctx, enc_cert,
+                                             SSL_FILETYPE_PEM)) {
+      failf(data, "SSL: failed settting enc certificate file: %s",
+            ossl_strerror(ERR_get_error(), error_buffer,
+                          sizeof(error_buffer)));
+      return CURLE_SSL_CERTPROBLEM;
+    }
+
+    if(enc_key
+       && !SSL_CTX_use_enc_PrivateKey_file(octx->ssl_ctx, enc_key,
+                                           SSL_FILETYPE_PEM)) {
+      failf(data, "SSL: failed settting enc key file: %s",
+            ossl_strerror(ERR_get_error(), error_buffer,
+                          sizeof(error_buffer)));
+      return CURLE_SSL_CERTPROBLEM;
+    }
+  }
+#endif
+
   ciphers = conn_config->cipher_list;
   if(!ciphers && (peer->transport != TRNSPRT_QUIC))
     ciphers = DEFAULT_CIPHER_SELECTION;
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 02085f412..effdeeb6a 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -313,6 +313,13 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
 
+#ifdef HAVE_NTLS
+  data->set.ssl.sign_cert = data->set.str[STRING_SIGN_CERT];
+  data->set.ssl.sign_key = data->set.str[STRING_SIGN_KEY];
+  data->set.ssl.enc_cert = data->set.str[STRING_ENC_CERT];
+  data->set.ssl.enc_key = data->set.str[STRING_ENC_KEY];
+#endif
+
 #ifndef CURL_DISABLE_PROXY
   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
   data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
diff --git a/m4/curl-openssl.m4 b/m4/curl-openssl.m4
index de20a64f7..f4868f1bf 100644
--- a/m4/curl-openssl.m4
+++ b/m4/curl-openssl.m4
@@ -401,4 +401,24 @@ if test "$OPENSSL_ENABLED" = "1"; then
     AC_MSG_RESULT([no])
   ])
 fi
+
+dnl ---
+dnl Check for NTLS provided by Tongsuo
+dnl ---
+if test "$OPENSSL_ENABLED" = "1"; then
+  AC_MSG_CHECKING([for NTLS support in Tongsuo])
+  AC_LINK_IFELSE([
+    AC_LANG_PROGRAM([[
+      #include <openssl/ssl.h>
+    ]],[[
+      const SSL_METHOD *meth = NTLS_method();
+    ]])
+  ],[
+    AC_MSG_RESULT([yes])
+    AC_DEFINE(HAVE_NTLS, 1, [if you have the functions NTLS_method])
+    AC_SUBST(HAVE_NTLS, [1])
+  ],[
+    AC_MSG_RESULT([no])
+  ])
+fi
 ])
diff --git a/packages/OS400/ccsidcurl.c b/packages/OS400/ccsidcurl.c
index 48f7f6d4a..ee1855def 100644
--- a/packages/OS400/ccsidcurl.c
+++ b/packages/OS400/ccsidcurl.c
@@ -1157,9 +1157,13 @@ curl_easy_setopt_ccsid(CURL *easy, CURLoption tag, ...)
   case CURLOPT_SSH_PUBLIC_KEYFILE:
   case CURLOPT_SSLCERT:
   case CURLOPT_SSLCERTTYPE:
+  case CURLOPT_SSLENCCERT:
+  case CURLOPT_SSLENCKEY:
   case CURLOPT_SSLENGINE:
   case CURLOPT_SSLKEY:
   case CURLOPT_SSLKEYTYPE:
+  case CURLOPT_SSLSIGNCERT:
+  case CURLOPT_SSLSIGNKEY:
   case CURLOPT_SSL_CIPHER_LIST:
   case CURLOPT_SSL_EC_CURVES:
   case CURLOPT_TLS13_CIPHERS:
diff --git a/scripts/cd2nroff b/scripts/cd2nroff
index 86cae2137..9c16dbee8 100755
--- a/scripts/cd2nroff
+++ b/scripts/cd2nroff
@@ -182,7 +182,8 @@ my %knownprotos = (
     'TLS' => 1,
     'TCP' => 1,
     'QUIC' => 1,
-    'All' => 1
+    'All' => 1,
+    'NTLS' => 1,
     );
 
 my %knowntls = (
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
index d7ee7b1b2..1165d0aa8 100644
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@@ -181,6 +181,12 @@ static void free_config_fields(struct OperationConfig *config)
   Curl_safefree(config->ech);
   Curl_safefree(config->ech_config);
   Curl_safefree(config->ech_public);
+#ifdef HAVE_NTLS
+  Curl_safefree(config->sign_cert);
+  Curl_safefree(config->sign_key);
+  Curl_safefree(config->enc_cert);
+  Curl_safefree(config->enc_key);
+#endif
 }
 
 void config_free(struct OperationConfig *config)
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 62f0e58cc..83a4043f7 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -310,6 +310,12 @@ struct OperationConfig {
   char *ech;                      /* Config set by --ech keywords */
   char *ech_config;               /* Config set by "--ech esl:" option */
   char *ech_public;               /* Config set by "--ech pn:" option */
+#ifdef HAVE_NTLS
+  char *sign_cert;
+  char *sign_key;
+  char *enc_cert;
+  char *enc_key;
+#endif
 };
 
 struct GlobalConfig {
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 81dbbb883..eac91ddb6 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -118,6 +118,10 @@ static const struct LongShort aliases[]= {
   {"dump-header",                ARG_FILE, 'D', C_DUMP_HEADER},
   {"ech",                        ARG_STRG, ' ', C_ECH},
   {"egd-file",                   ARG_STRG, ' ', C_EGD_FILE},
+#ifdef HAVE_NTLS
+  {"enc-cert",                   ARG_FILE, ' ', C_ENC_CERT},
+  {"enc-key",                    ARG_FILE, ' ', C_ENC_KEY},
+#endif
   {"engine",                     ARG_STRG, ' ', C_ENGINE},
   {"eprt",                       ARG_BOOL, ' ', C_EPRT},
   {"epsv",                       ARG_BOOL, ' ', C_EPSV},
@@ -282,6 +286,10 @@ static const struct LongShort aliases[]= {
   {"sessionid",                  ARG_BOOL|ARG_NO, ' ', C_SESSIONID},
   {"show-error",                 ARG_BOOL, 'S', C_SHOW_ERROR},
   {"show-headers",               ARG_BOOL, 'i', C_SHOW_HEADERS},
+#ifdef HAVE_NTLS
+  {"sign-cert",                  ARG_FILE, ' ', C_SIGN_CERT},
+  {"sign-key",                   ARG_FILE, ' ', C_SIGN_KEY},
+#endif
   {"silent",                     ARG_BOOL, 's', C_SILENT},
   {"skip-existing",              ARG_BOOL, ' ', C_SKIP_EXISTING},
   {"socks4",                     ARG_STRG, ' ', C_SOCKS4},
@@ -315,6 +323,9 @@ static const struct LongShort aliases[]= {
   {"tftp-blksize",               ARG_STRG, ' ', C_TFTP_BLKSIZE},
   {"tftp-no-options",            ARG_BOOL, ' ', C_TFTP_NO_OPTIONS},
   {"time-cond",                  ARG_STRG, 'z', C_TIME_COND},
+#ifdef HAVE_NTLS
+  {"tlcp",                       ARG_BOOL, ' ', C_TLCP},
+#endif
   {"tls-earlydata",              ARG_BOOL, ' ', C_TLS_EARLYDATA},
   {"tls-max",                    ARG_STRG, ' ', C_TLS_MAX},
   {"tls13-ciphers",              ARG_STRG, ' ', C_TLS13_CIPHERS},
@@ -1703,6 +1714,23 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
       nextarg = (char *)"";
 
     switch(cmd) {
+#ifdef HAVE_NTLS
+    case C_TLCP:
+      config->ssl_version = CURL_SSLVERSION_NTLSv1_1;
+      break;
+    case C_ENC_CERT:
+      err = getstr(&config->enc_cert, nextarg, DENY_BLANK);
+      break;
+    case C_ENC_KEY:
+      err = getstr(&config->enc_key, nextarg, DENY_BLANK);
+      break;
+    case C_SIGN_CERT:
+      err = getstr(&config->sign_cert, nextarg, DENY_BLANK);
+      break;
+    case C_SIGN_KEY:
+      err = getstr(&config->sign_key, nextarg, DENY_BLANK);
+      break;
+#endif
     case C_RANDOM_FILE: /* --random-file */
     case C_EGD_FILE: /* --egd-file */
     case C_NTLM_WB: /* --ntlm-wb */
diff --git a/src/tool_getparam.h b/src/tool_getparam.h
index 90708e001..b1685b5f1 100644
--- a/src/tool_getparam.h
+++ b/src/tool_getparam.h
@@ -80,6 +80,10 @@ typedef enum {
   C_DUMP_HEADER,
   C_ECH,
   C_EGD_FILE,
+#ifdef HAVE_NTLS
+  C_ENC_CERT,
+  C_ENC_KEY,
+#endif
   C_ENGINE,
   C_EPRT,
   C_EPSV,
@@ -241,6 +245,10 @@ typedef enum {
   C_SESSIONID,
   C_SHOW_ERROR,
   C_SHOW_HEADERS,
+#ifdef HAVE_NTLS
+  C_SIGN_CERT,
+  C_SIGN_KEY,
+#endif
   C_SILENT,
   C_SKIP_EXISTING,
   C_SOCKS4,
@@ -271,6 +279,9 @@ typedef enum {
   C_TEST_EVENT,
   C_TFTP_BLKSIZE,
   C_TFTP_NO_OPTIONS,
+#ifdef HAVE_NTLS
+  C_TLCP,
+#endif
   C_TIME_COND,
   C_TLS_EARLYDATA,
   C_TLS_MAX,
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 1bba71f82..7496e281f 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1285,6 +1285,12 @@ static CURLcode config2setopts(struct GlobalConfig *global,
     my_setopt_str(curl, CURLOPT_SSLKEYTYPE, config->key_type);
     my_setopt_str(curl, CURLOPT_PROXY_SSLKEYTYPE,
                   config->proxy_key_type);
+#ifdef HAVE_NTLS
+    my_setopt_str(curl, CURLOPT_SSLSIGNCERT, config->sign_cert);
+    my_setopt_str(curl, CURLOPT_SSLSIGNKEY, config->sign_key);
+    my_setopt_str(curl, CURLOPT_SSLENCCERT, config->enc_cert);
+    my_setopt_str(curl, CURLOPT_SSLENCKEY, config->enc_key);
+#endif
 
     /* libcurl default is strict verifyhost -> 1L, verifypeer -> 1L */
     if(config->insecure_ok) {
diff --git a/tests/test1139.pl b/tests/test1139.pl
index 0c99ab6f3..7f9a12e11 100755
--- a/tests/test1139.pl
+++ b/tests/test1139.pl
@@ -183,6 +183,13 @@ my %opts = (
     '--test-duphandle' => 6,
     '--test-event' => 6,
     '--wdebug' => 6,
+
+    # ignore
+    '--enc-key' => 7,
+    '--sign-cert' => 7,
+    '--enc-cert' => 7,
+    '--sign-key' => 7,
+    '--tlcp' => 7,
     );
 
 
diff --git a/winbuild/Makefile.vc b/winbuild/Makefile.vc
index bc20d05d8..090a425d3 100644
--- a/winbuild/Makefile.vc
+++ b/winbuild/Makefile.vc
@@ -124,6 +124,14 @@ USE_UNICODE = true
 USE_UNICODE = false
 !ENDIF
 
+!IFNDEF ENABLE_NTLS
+USE_NTLS = false
+!ELSEIF "$(ENABLE_NTLS)"=="yes"
+USE_NTLS = true
+!ELSEIF "$(ENABLE_NTLS)"=="no"
+USE_NTLS = false
+!ENDIF
+
 CONFIG_NAME_LIB = libcurl
 
 !IF "$(WITH_SSL)"=="dll"
@@ -303,6 +311,7 @@ $(MODE):
 	@SET USE_UNICODE=$(USE_UNICODE)
 # compatibility bit
 	@SET WITH_NGHTTP2=$(WITH_NGHTTP2)
+	@SET USE_NTLS=$(USE_NTLS)
 
 	@$(MAKE) /NOLOGO /F MakefileBuild.vc
 
diff --git a/winbuild/MakefileBuild.vc b/winbuild/MakefileBuild.vc
index aee03d564..006a963f9 100644
--- a/winbuild/MakefileBuild.vc
+++ b/winbuild/MakefileBuild.vc
@@ -141,6 +141,11 @@ SSL_CFLAGS   = $(SSL_CFLAGS) /DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
 !ENDIF
 !ENDIF
 
+!IF "$(USE_NTLS)"=="true"
+SSL_CFLAGS = $(SSL_CFLAGS) /DUSE_NTLS
+CURL_CFLAGS = $(CURL_CFLAGS) /DUSE_NTLS
+!ENDIF
+
 !IF "$(DISABLE_WEBSOCKETS)"=="true"
 CFLAGS  = $(CFLAGS) /DCURL_DISABLE_WEBSOCKETS=1
 !ENDIF
diff --git a/docs/cmdline-opts/enc-key.md b/docs/cmdline-opts/enc-key.md
new file mode 100644
index 000000000..f16705980
--- /dev/null
+++ b/docs/cmdline-opts/enc-key.md
@@ -0,0 +1,21 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Long: enc-key
+Arg: <key>
+Protocols: NTLS
+Help: Client encryption private key file
+Category: tls
+Added: 7.80.0
+Multi: single
+See-also:
+  - enc-cert
+  - sign-cert
+  - sign-key
+Example:
+  - --enc-cert certificate --enc-key key here $URL
+---
+
+# `--enc-key`
+
+Client encryption private key file.
diff --git a/docs/cmdline-opts/sign-key.md b/docs/cmdline-opts/sign-key.md
new file mode 100644
index 000000000..6658e60ef
--- /dev/null
+++ b/docs/cmdline-opts/sign-key.md
@@ -0,0 +1,21 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Long: sign-key
+Arg: <key>
+Protocols: NTLS
+Help: Client signature private key file
+Category: tls
+Added: 7.80.0
+Multi: single
+See-also:
+  - sign-cert
+  - enc-cert
+  - enc-key
+Example:
+  - --sign-cert certificate --sign-key key here $URL
+---
+
+# `--sign-key`
+
+Client signature private key file.
diff --git a/docs/cmdline-opts/tlcp.md b/docs/cmdline-opts/tlcp.md
new file mode 100644
index 000000000..c2ab8e690
--- /dev/null
+++ b/docs/cmdline-opts/tlcp.md
@@ -0,0 +1,20 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Long: tlcp
+Help: TLCP
+Protocols: TLCP
+Added: 7.80.0
+Category: tls
+Multi: mutex
+See-also:
+  - tls-max
+Example:
+  - --tlcp $URL
+---
+
+# `--tlcp`
+
+Forces curl to use TLCP version 1.1 when connecting to a remote server.
+
+Note that TLCP is only supported by Tongsuo backend.
diff --git a/docs/options-in-versions b/docs/options-in-versions
index a7a11630d..872509f0a 100644
--- a/docs/options-in-versions
+++ b/docs/options-in-versions
@@ -58,6 +58,8 @@
 --dump-header (-D)                   5.7
 --ech                                8.8.0
 --egd-file                           7.7
+--enc-cert                           7.80.0
+--enc-key                            7.80.0
 --engine                             7.9.3
 --etag-compare                       7.68.0
 --etag-save                          7.68.0
@@ -217,6 +219,8 @@
 --service-name                       7.43.0
 --show-error (-S)                    5.9
 --show-headers (-i)                  4.8
+--sign-cert                          7.80.0
+--sign-key                           7.80.0
 --silent (-s)                        4.0
 --skip-existing                      8.10.0
 --socks4                             7.15.2
@@ -246,6 +250,7 @@
 --tftp-blksize                       7.20.0
 --tftp-no-options                    7.48.0
 --time-cond (-z)                     5.8
+--tlcp                               7.80.0
 --tls-earlydata                      8.11.0
 --tls-max                            7.54.0
 --tls13-ciphers                      7.61.0
diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc
index 3bcffa49f..6bcaa092b 100644
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@@ -93,6 +93,8 @@ DPAGES = \
   dump-header.md \
   ech.md \
   egd-file.md \
+  enc-cert.md \
+  enc-key.md \
   engine.md \
   etag-compare.md \
   etag-save.md \
@@ -252,6 +254,8 @@ DPAGES = \
   service-name.md \
   show-error.md \
   show-headers.md \
+  sign-cert.md \
+  sign-key.md \
   silent.md \
   skip-existing.md \
   socks4.md \
@@ -281,6 +285,7 @@ DPAGES = \
   tftp-blksize.md \
   tftp-no-options.md \
   time-cond.md \
+  tlcp.md \
   tls-earlydata.md \
   tls-max.md \
   tls13-ciphers.md \
diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c
index 2d5f2b3ab..38d64cbb5 100644
--- a/src/tool_listhelp.c
+++ b/src/tool_listhelp.c
@@ -177,6 +177,12 @@ const struct helptxt helptext[] = {
   {"    --egd-file <file>",
    "EGD socket path for random data",
    CURLHELP_DEPRECATED},
+  {"    --enc-cert <certificate>",
+   "Client encryption certificate file",
+   CURLHELP_TLS},
+  {"    --enc-key <key>",
+   "Client encryption private key file",
+   CURLHELP_TLS},
   {"    --engine <name>",
    "Crypto engine to use",
    CURLHELP_TLS},
@@ -659,6 +665,12 @@ const struct helptxt helptext[] = {
   {"-i, --show-headers",
    "Show response headers in output",
    CURLHELP_IMPORTANT | CURLHELP_VERBOSE | CURLHELP_OUTPUT},
+  {"    --sign-cert <certificate>",
+   "Client signature certificate file",
+   CURLHELP_TLS},
+  {"    --sign-key <key>",
+   "Client signature private key file",
+   CURLHELP_TLS},
   {"-s, --silent",
    "Silent mode",
    CURLHELP_IMPORTANT | CURLHELP_VERBOSE},
@@ -748,6 +760,9 @@ const struct helptxt helptext[] = {
   {"-z, --time-cond <time>",
    "Transfer based on a time condition",
    CURLHELP_HTTP | CURLHELP_FTP},
+  {"    --tlcp",
+   "TLCP",
+   CURLHELP_TLS},
   {"    --tls-earlydata",
    "Allow use of TLSv1.3 early data (0RTT)",
    CURLHELP_TLS},
diff --git a/docs/cmdline-opts/enc-cert.md b/docs/cmdline-opts/enc-cert.md
new file mode 100644
index 000000000..cf8f35bcb
--- /dev/null
+++ b/docs/cmdline-opts/enc-cert.md
@@ -0,0 +1,20 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Long: enc-cert
+Arg: <certificate>
+Help: Client encryption certificate file
+Protocols: NTLS
+Category: tls
+Added: 7.80.0
+Multi: single
+See-also:
+  - sign-cert
+  - enc-key
+Example:
+  - --enc-cert certfile --enc-key keyfile $URL
+---
+
+# `--enc-cert`
+
+Client encryption certificate file.
diff --git a/docs/cmdline-opts/sign-cert.md b/docs/cmdline-opts/sign-cert.md
new file mode 100644
index 000000000..befa9cd04
--- /dev/null
+++ b/docs/cmdline-opts/sign-cert.md
@@ -0,0 +1,20 @@
+---
+c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+SPDX-License-Identifier: curl
+Long: sign-cert
+Arg: <certificate>
+Help: Client signature certificate file
+Protocols: NTLS
+Category: tls
+Added: 7.80.0
+Multi: single
+See-also:
+  - sign-cert
+  - enc-key
+Example:
+  - --sign-cert certfile --sign-key keyfile $URL
+---
+
+# `--sign-cert`
+
+Client signature certificate file.
diff --git a/docs/examples/Makefile.inc b/docs/examples/Makefile.inc
index 5c03ab865..537007dbc 100644
--- a/docs/examples/Makefile.inc
+++ b/docs/examples/Makefile.inc
@@ -62,6 +62,8 @@ check_PROGRAMS = \
   httpcustomheader \
   httpput \
   httpput-postfields \
+  https-tlcp-doublecerts \
+  https-tlcp \
   https \
   imap-append \
   imap-authzid \
diff --git a/docs/examples/https-tlcp-doublecerts.c b/docs/examples/https-tlcp-doublecerts.c
new file mode 100644
index 000000000..1c767afec
--- /dev/null
+++ b/docs/examples/https-tlcp-doublecerts.c
@@ -0,0 +1,67 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2022
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+/* <DESC>
+ * HTTP over TLCP with double certificates
+ * </DESC>
+ */
+#include <stdio.h>
+#include <curl/curl.h>
+
+int main(void)
+{
+  CURL *curl;
+  CURLcode res;
+
+  curl = curl_easy_init();
+  if(curl) {
+    curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443");
+    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1);
+    curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST,
+                     "ECDHE-SM2-SM4-CBC-SM3");
+
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sm2_sign.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sm2_sign.key");
+    curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "sm2_enc.crt");
+    curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "sm2_enc.key");
+
+    /* optional */
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+
+    res = curl_easy_perform(curl);
+
+    if(res != CURLE_OK)
+      fprintf(stderr, "curl_easy_perform() failed: %s\n",
+        curl_easy_strerror(res));
+
+    curl_easy_cleanup(curl);
+  }
+
+  return 0;
+}
+/*
+gcc https-tlcp-doublecerts.c -o https-tlcp-doublecerts \
+-I/usr/local/curl/include -lcurl -L/usr/local/curl/lib \
+-Wl,-rpath=/usr/local/curl/lib
+*/
diff --git a/docs/examples/https-tlcp.c b/docs/examples/https-tlcp.c
new file mode 100644
index 000000000..5099c8dbe
--- /dev/null
+++ b/docs/examples/https-tlcp.c
@@ -0,0 +1,60 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2022
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+/* <DESC>
+ * HTTP over TLCP
+ * </DESC>
+ */
+#include <stdio.h>
+#include <curl/curl.h>
+
+int main(void)
+{
+  CURL *curl;
+  CURLcode res;
+
+  curl = curl_easy_init();
+  if(curl) {
+    curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443");
+    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1);
+    curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "ECC-SM2-SM4-CBC-SM3");
+
+    /* optional */
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+
+    res = curl_easy_perform(curl);
+
+    if(res != CURLE_OK)
+      fprintf(stderr, "curl_easy_perform() failed: %s\n",
+              curl_easy_strerror(res));
+
+    curl_easy_cleanup(curl);
+  }
+
+  return 0;
+}
+/*
+gcc https-tlcp.c -o https-tlcp -I/usr/local/curl/include -lcurl \
+-L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib
+*/