curl-library

Re: HTTPS connection from libcurl client to proxy

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 26 Aug 2014 13:34:20 +0200 (CEST)

On Mon, 25 Aug 2014, Vijay Panghal wrote:

Thanks a lot for stepping forward and working on this!

> 3. location url is https and proxy url is https
> libCurl does not support this. This will be useful for creating encrypted
> tunnel between client to proxy (without HTTP CONNECT) which allow caching
> content.
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

Without CONNECT, really? This is a major thing as you no longer have end-to-end
security then. Which certificate would libcurl verify for the connection?

Do you actually have a use case/users who want this?

I would consider that use case very limited and crippled. I want 5) HTTPS to
the proxy, then CONNECT to the remote site and TLS over that. That's also what
the browsers support.

> 4. location url is http and proxy url is https
> libCurl does not support this.

> I want to add support for (3) and (4).

Case 4 is easy, and I would say case 5 is pretty straightforward (apart
from the two layers of TLS). The "fake" HTTPS in case 3 may be
straightforward to implement, but we need to consider how the SSL options are
used and to not trick users into using this in a way it doesn't work.

> From my initial investigation and
> prototyping, I see these changes are required:
> - Add another proxy type CURLPROXY_HTTPS in curl_proxytype

I think you need more than one to support both case 3 and case 5 as they are
both HTTPS-proxy HTTPS-remote but very different in nature.

> - Set connection boolean value httpsproxy in ConnectBits if proxy type is
> CURLPROXY_HTTPS

Why do you need a new boolean separate from the existing httpproxy? It is
still the proxy for http and https, exactly like before. The difference is how
the proxy works and how to use it.

> - Set the httpsproxy, if proxy url protocol is https in detect_proxy()
> - Then process httpsproxy bit per connection while connecting to Proxy

I would guess we also need CA cert and verification options for the proxy,
separate from the "peer", right?

-- 
  / daniel.haxx.se
Received on 2014-08-26