Problem connecting to HTTPS site via HTTPS proxy
Date: Wed, 29 Jan 2020 18:21:07 +0100
Hi,
Using an HTTPS proxy throws an SSL error:
# curl -vv --proxy https://192.168.1.12:443 --proxy-insecure --insecure https://www.cnn.com/
* Trying 192.168.1.12...
* TCP_NODELAY set
* Connected to 192.168.1.12 (192.168.1.12) port 443 (#0)
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
* subject: C=US; ST=CA; O=Blue Coat Systems, Inc.; OU=Blue Coat SG-S200 Series; CN=4615330182
* start date: Jan 1 10:46:49 2020 GMT
* expire date: Jan 1 10:46:49 2025 GMT
* issuer: C=US; ST=California; L=Sunnyvale; O=Blue Coat Systems, Inc.; OU=Blue Coat, ABRCA; CN=abrca.bluecoat.com; emailAddress=sysadmin_at_bluecoat.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.cnn.com:443
> CONNECT www.cnn.com:443 HTTP/1.1
> Host: www.cnn.com:443
> User-Agent: curl/7.60.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.cnn.com:443
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.cnn.com:443
Using HTTP proxy with HTTPS site works ok:
# curl -vv --proxy http://192.168.1.12:80 --insecure https://www.cnn.com/
* Trying 192.168.1.12...
* TCP_NODELAY set
* Connected to 192.168.1.12 (192.168.1.12) port 80 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.cnn.com:443
> CONNECT www.cnn.com:443 HTTP/1.1
> Host: www.cnn.com:443
> User-Agent: curl/7.60.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=turner-tls.map.fastly.net
* start date: May 7 21:26:23 2019 GMT
* expire date: Mar 28 04:34:44 2020 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55897a67aeb0)
> GET / HTTP/2
> Host: www.cnn.com
> User-Agent: curl/7.60.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 302
< server: Varnish
Conversely, access to an HTTP site using an HTTPS proxy, and vice versa, also works well. It's the "double SSL" case that seems to pose a problem.
All we see on the remote end (the webserver) is this (when we try with one of our webservers):
98 16:47:41.913409959 1.1.1.1 → 2.2.2.2 TCP 74 53656 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1 TSval=4144667785 TSecr=0 WS=64
99 16:47:41.913463623 2.2.2.2 → 1.1.1.1 TCP 74 443 → 53656 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=3089349285 TSecr=4144667785 WS=128
100 16:47:41.925293814 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
101 16:47:41.925490666 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [FIN, ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
102 16:47:41.925529264 2.2.2.2 → 1.1.1.1 TCP 66 443 → 53656 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=3089349288 TSecr=4144667797
103 16:47:41.937479029 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=2 Ack=2 Win=262848 Len=0 TSval=4144667809 TSecr=3089349288
BTW the proxy is a Bluecoat/Symantec/Broadcom ProxySG
Curl is curl 7.60.0 (x86_64-suse-linux-gnu) on SLES15-SP1
Thanks.
Jim
Received on 2020-01-29
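The capture Jim shows is the server-side signature of this failure: SYN, SYN/ACK, ACK and then a FIN from the proxy side, with Len=0 on every frame, so the inner ClientHello never left the proxy. As an added example (not from the post or the curl project), here is a small Python parser over tshark summary lines that flags TCP connections the client closed without sending a single payload byte; the sample embeds the post's six frames rejoined onto single lines plus a constructed healthy flow for contrast.

```python
import re
# Parses tshark/Wireshark summary lines shaped like the post's:
#   <no> <time> <src> → <dst> TCP <len> <sport> → <dport> [FLAGS] Seq=.. ... Len=N ...
LINE_RE = re.compile(
    r"^\s*\d+\s+\S+\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\].*?\bLen=(?P<len>\d+)")
# Constructed sample: frames 98-103 are the post's capture rejoined onto single lines;
# frames 104-107 are a made-up healthy flow that carries a 517-byte ClientHello.
SAMPLE = """\
98 16:47:41.913409959 1.1.1.1 → 2.2.2.2 TCP 74 53656 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1 TSval=4144667785 TSecr=0 WS=64
99 16:47:41.913463623 2.2.2.2 → 1.1.1.1 TCP 74 443 → 53656 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=3089349285 TSecr=4144667785 WS=128
100 16:47:41.925293814 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
101 16:47:41.925490666 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [FIN, ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
102 16:47:41.925529264 2.2.2.2 → 1.1.1.1 TCP 66 443 → 53656 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=3089349288 TSecr=4144667797
103 16:47:41.937479029 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=2 Ack=2 Win=262848 Len=0 TSval=4144667809 TSecr=3089349288
104 16:47:42.000000000 1.1.1.1 → 2.2.2.2 TCP 74 53657 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380
105 16:47:42.000050000 2.2.2.2 → 1.1.1.1 TCP 74 443 → 53657 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460
106 16:47:42.012000000 1.1.1.1 → 2.2.2.2 TCP 583 53657 → 443 [PSH, ACK] Seq=1 Ack=1 Win=262848 Len=517
107 16:47:42.012300000 2.2.2.2 → 1.1.1.1 TCP 1514 443 → 53657 [ACK] Seq=1 Ack=518 Win=29056 Len=1448
"""

def summarize_flows(lines):
    """Group packets into flows keyed (client, server): payload bytes per direction and who sent the first FIN."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        if "SYN" in flags and "ACK" not in flags:
            key = (a, b)                      # the side sending the bare SYN is the client
        elif (b, a) in flows:
            key = (b, a)
        elif (a, b) in flows:
            key = (a, b)
        else:
            continue                          # mid-stream packet of a flow we never saw start
        f = flows.setdefault(key, {"c2s": 0, "s2c": 0, "syn_ack": False, "fin_by": None})
        direction = "c2s" if key == (a, b) else "s2c"
        f[direction] += int(m["len"])
        f["syn_ack"] |= "SYN" in flags and "ACK" in flags
        if "FIN" in flags and f["fin_by"] is None:
            f["fin_by"] = "client" if direction == "c2s" else "server"
    return flows

def empty_tls_connections(lines):
    """Flows where the handshake completed but the client closed without sending any payload (no ClientHello arrived)."""
    return [k for k, f in summarize_flows(lines).items()
            if f["syn_ack"] and f["c2s"] == 0 and f["fin_by"] == "client"]
```

Running `empty_tls_connections(SAMPLE.splitlines())` returns only the post's flow from 1.1.1.1:53656, confirming the server never received a byte of the tunnelled TLS handshake.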