
curl-users

Re: Disabling CONNECT tunnels for HTTPS connections when using a proxy.

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 12 Dec 2015 15:15:22 +0100 (CET)

On Fri, 11 Dec 2015, Simon wrote:

> Is there a way to disable CONNECT proxy tunneling for HTTPS connections? If
> not, could it be a sensible evolution request to add such feature?

No there isn't, and sure I wouldn't mind such an ability getting merged.

> For security reasons, some proxies offer the possibility to completely

Not for the _user's_ security though and I think that's important to realize.
HTTPS was meant to be end to end security and if you hand it over to the proxy
you've effectively put your traffic into someone else's hands, hoping they
will be nice. Not to mention that it is then probably even clear text HTTP to
the proxy... (we have HTTPS proxy support in a separate branch, hopefully we
can land that in a not too distant future, but more about that in a separate
mail on the curl-library list soon)

> Curl manpage about the -x, --proxy argument seems to explain that all
> operations are made through HTTP and recommends to use -p, --proxytunnel to
> enable tunneling. However, I saw that tunneling is automatically enabled
> when retrieving an https:// URL.

Yes, because that's how HTTPS is defined to work through an HTTP proxy. Sending
"GET https://" to the proxy is not any standard and while it has been
discussed in the IETF it has never taken off (due to its inherent security
problems for the user).

> The beginning of the manpage also indicates the possibility to disable
> boolean parameters either by duplicating them or using a syntax such as
> --no-option. I tried to play with -p, --no-proxytunnel, --ssl, --no-ssl with
> no luck: Curl systematically tries to create a CONNECT tunnel for https://
> URLs.

Yeah, we (I) don't consider HTTPS to be a "proxytunnel" (even if it strictly
speaking is) so that option doesn't do much for HTTPS but is for other
protocols.

> I understand that Curl by default creates a CONNECT tunnel since it is the
> most common expected behavior.

It is the defined STANDARD behavior even.

> However, wouldn't it make sense for Curl to honor a --no-proxytunnel
> argument disabling CONNECT tunneling even for https:// URLs so it can be
> used natively in such circumstances?

I don't think we can use that option for this that easily: The proxytunnel
option is just a boolean and nothing sets it true for HTTPS today. If setting
it to false would get this new meaning, there needs to be something that sets
it to true for the default action. And we don't want it true by default for
all the other protocols...

I think it needs a new option.

-- 
  / daniel.haxx.se
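As an added illustration (not code from this mail or from curl itself), a toy loopback proxy that contrasts what a proxy can observe in the two request forms discussed above: the standard CONNECT tunnel curl uses for https:// URLs, where the proxy learns only host:port and then relays bytes it cannot parse, versus the non-standard "GET https://" form, where the full URL and every header (credentials included) land in the proxy's log. The host name, path and bearer token are constructed values, and the TLS ClientHello is a stand-in byte string.

```python
import socket
import threading

def _read_head(sock):
    """Read until the blank line that ends an HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    return buf

def _serve(srv, log):
    """Toy proxy loop: records only what each request form lets it see."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        head, _, tail = _read_head(conn).partition(b"\r\n\r\n")
        method, target = head.split(b"\r\n")[0].decode().split(" ")[:2]
        if method == "CONNECT":
            log.append(("CONNECT", target))  # host:port is all the proxy learns
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            # from here on it only relays bytes it cannot interpret (TLS in real use)
            blob = tail or conn.recv(4096)
            log.append(("opaque-bytes", len(blob)))
        else:
            log.append((method, target, head.decode()))  # full URL plus every header
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        conn.close()

def start_proxy():
    """Start the toy proxy on a random loopback port; returns (port, log)."""
    srv = socket.create_server(("127.0.0.1", 0))
    log = []
    threading.Thread(target=_serve, args=(srv, log), daemon=True).start()
    return srv.getsockname()[1], log

def via_proxy(port, host, path, tunnel):
    """tunnel=True mimics curl for https:// (CONNECT); False is 'GET https://'."""
    s = socket.create_connection(("127.0.0.1", port))
    if tunnel:
        s.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
        ok = _read_head(s).startswith(b"HTTP/1.1 200")
        s.sendall(b"\x16\x03\x01<constructed stand-in for a TLS ClientHello>")
        s.recv(4096)  # returns b"" once the proxy has consumed and logged the blob
    else:
        s.sendall(f"GET https://{host}{path} HTTP/1.1\r\nHost: {host}\r\nAuthorization: Bearer constructed-token\r\n\r\n".encode())
        ok = _read_head(s).startswith(b"HTTP/1.1 200")
    s.close()
    return ok
```

Comparing the two log entries afterwards is the whole point: the CONNECT entry never contains the path or the Authorization header, the absolute-URI entry contains both.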
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2015-12-12