curl-library

Re: HTTPS proxy, another take

From: Thomas Glanzmann <thomas_at_glanzmann.de>
Date: Thu, 24 Nov 2016 06:47:23 +0100

Hello Daniel,

> Right. Focus should first be to make sure everything *existing*
> remains functional but then we should just start working on fixing the
> bugs in the HTTPS proxy functionality. Having the code in the master
> branch will make it easier to do that I think.

I tested it during the last week. At least for me no issues came up.

> You mean you can access a HTTP site over the HTTPS proxy?

That is true.

> In issue #1127 they do state: "Supported backends: OpenSSL, GnuTLS, and
> NSS". I suppose that might mean that those are the only backends that
> support HTTPS over HTTPS. Maybe they could help clarify that?

I see. I tried with openssl.

> Since we have this "only supported with" - situation, I think we should
> expose that with a feature bit for the curl_version_info() function so that
> applications can actually figure out if it is supposed to work or not.

That would be helpful.

> I would love to get access to let me try out HTTPS proxy stuff easier.
> I'll shoot you an email privately about it.

I send you an email offlist with credentials.

I found two other issues:

        - If I specify the proxy as
          https://daniel:password@proxy.glanzmann.de/ it assumes port
          1080 (socks). I think we should change the default port number
          to 443. Or is there another reasonable port number for https
          proxies?

        - If curl does not trust the https proxy cert, it tells me:

          (infra) [~/work/vlconnect] local/linux/bin/curl --cacert /etc/ssl/certs/ca-certificates.crt --insecure --proxy https://daniel:aa3ge5Ai@proxy.glanzmann.de:443/ http://blog.fefe.de
          curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED

          Maybe we should make clear to the user that the ssl cert of the
          proxy is not trusted. Because that might be confusing for users
          who have for example an environment variable set and forgot
          about it, as I did.

Daniel, where should we track the issues with https proxy? In github
once it is merged?

Cheers,
        Thomas
Received on 2016-11-24