<?xml version="1.0" encoding="US-ASCII"?>
<testcase>
<info>
<keywords>
HTTP
HTTP proxy
HSTS
curl_easy_duphandle
</keywords>
</info>

<reply>
<!-- Response to the original handle's direct HTTP request.
     Its Strict-Transport-Security header populates the live HSTS cache.
     The header arrives over cleartext HTTP, where a client is required to
     ignore it (RFC 6797 section 8.1); it is honored here only because the
     client section sets CURL_HSTS_HTTP and requires a debug build.
     max-age is one year and includeSubDomains is absent, so the entry
     covers only the exact host name used in the requests. -->
<data nocheck="yes" crlf="headers">
HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Type: text/plain
Content-Length: 5
Strict-Transport-Security: max-age=31536000

Hello
</data>

<!-- Response to the dup handle's proxy CONNECT attempt.
     A CONNECT to port 443 shows that the copied HSTS cache upgraded the
     dup's HTTP URL to HTTPS. The 403 refuses the tunnel, so the test needs
     neither a TLS handshake nor an HTTPS server; only the http and
     http-proxy servers are started. -->
<connect crlf="headers">
HTTP/1.1 403 Forbidden
Content-Length: 0
Connection: close

</connect>
</reply>

<client>
<!-- Required features:
     HSTS and https: the dup handle must be able to upgrade the URL scheme.
     Debug: the CURL_HSTS_HTTP override set below is a debug-build hook.
     proxy: the upgrade is observed as a CONNECT sent to the HTTP proxy. -->
<features>
HSTS
https
Debug
proxy
</features>
<server>
http
http-proxy
</server>
<!-- Test-only override: lets curl accept Strict-Transport-Security from a
     cleartext HTTP response, so the HSTS cache can be filled without a TLS
     server. Outside this hook, HSTS headers received over plain HTTP are
     ignored, because anyone on the network path could inject them. -->
<setenv>
CURL_HSTS_HTTP=yes
</setenv>
<name>
curl_easy_duphandle copies HSTS cache, auto upgrading HTTP to HTTPS.
</name>
<tool>
lib%TESTNUMBER
</tool>
<!-- Arguments: a "-" in the URL slot (presumably unused by the test
     program; confirm against its source), then the host IP, the HTTP
     server port and the proxy port. -->
<command>
- %HOSTIP %HTTPPORT %PROXYPORT
</command>
</client>

<verify>
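# First request: the original handle sends a GET to the http server. The
# response carries Strict-Transport-Security, which populates the live HSTS
# cache that the dup inherits. This must be the only request the http server
# sees: the dup handle must not send its request in cleartext.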
<protocol crlf="headers">
GET /%TESTNUMBER HTTP/1.1
Host: hsts.example.com:%HTTPPORT
Accept: */*

</protocol>
# Second request: the copied HSTS cache upgrades the dup handle's HTTP URL to
# HTTPS, so the proxy receives a CONNECT to port 443 instead of a cleartext
# request. Seeing that CONNECT is the evidence that the upgrade happened.
<proxy crlf="headers">
CONNECT hsts.example.com:443 HTTP/1.1
Host: hsts.example.com:443
Proxy-Connection: Keep-Alive

</proxy>
<stdout>
First request: HTTPS cache populated
Dup effective URL: https://hsts.example.com/%TESTNUMBER
</stdout>
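# CURLE_COULDNT_CONNECT (7) is intentional: the proxy rejects the CONNECT
# to port 443, so the tunnel is never established. The test validates only
# that the CONNECT to port 443 was sent.
# NOTE(review): the expected stdout above reads "HTTPS cache populated";
# "HSTS cache" looks intended. The text has to match what the test program
# prints, so change both together if it is a typo.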
<errorcode>
7
</errorcode>
</verify>
</testcase>
