cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Certificate required despite -k

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 21 Oct 2009 16:28:14 +0200 (CEST)

On Sun, 18 Oct 2009, Michel RIGAUD wrote:

> ok, considering that when using a browser (IE or Firefox) the proxy does not
> block https request (except for a window alert on the first use), would you
> have any advices on how I can proceed to check what are the differences
> betwwen curl queries and browser queries.

There shouldn't be any differences in that aspect. When traversing a proxy to
connect to a HTTPS site, curl and browsers all send a CONNECT to the proxy to
"tunnel" through it and then it connects for real against the remote server
and then the client (curl or browser) verifies the peer's certificate.

The proxy is never involved in any SSL activities as it only moves traffic
through and has no idea of what specifics that are handled.

In some (dubious) situations proxies are made to transparantly terminate HTTPS
connections and then send off its own HTTPS connections to the remote server
and then send that back to the client with a faked cert that makes the client
think it speaks to the server while it in fact speaks to the proxy. It does
require that your browser(s) have been told to accept the certificate your
proxy inserts when it sends back "faked" HTTPS contents.

But really, I don't know what kind of problem you see as I don't understand
exactly what's going on. Can you show us a full "curl --trace-ascii - -k
[remote]" output? What curl version on what operating system? Do you have any
idea what proxy (software) that's in use?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2009-10-21