On Mon, 25 Aug 2014, Vijay Panghal wrote:

Thanks a lot for stepping forward and working on this!

> 3. location url is https and proxy url is https
> libCurl does not support this. This will be useful for creating an encrypted
> tunnel between client and proxy (without HTTP CONNECT) which allows caching
> content.
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

Without CONNECT, really? This is a major thing as you no longer have end-to-end security then. Which certificate would libcurl verify for the connection?

Do you actually have a use case/users who want this?

I would consider that use case very limited and crippled. I want 5) HTTPS to the proxy, then CONNECT to the remote site and TLS over that. That's also what the browsers support.

> 4. location url is http and proxy url is https
> libCurl does not support this.
>
> I want to add support for (3) and (4).

The case 4 is easy, and I would say case 5 is pretty straightforward (apart from the two layers of TLS). The "fake" HTTPS in case 3 may be straightforward to implement but we need to consider how the SSL options are used and to not trick users into using this in a way it doesn't work.

> From my initial investigation and prototyping, I see these changes are required:
> - Add another proxy type CURLPROXY_HTTPS in curl_proxytype

I think you need more than one to support both case 3 and case 5 as they are both HTTPS-proxy HTTPS-remote but very different in nature.

> - Set connection boolean value httpsproxy in ConnectBits if proxy type is CURLPROXY_HTTPS

Why do you need a new boolean separate from the existing httpproxy? It is still the proxy for http and https, exactly like before. The difference is how the proxy works and how to use it.

> - Set the httpsproxy, if proxy url protocol is https in detect_proxy()
> - Then process httpsproxy bit per connection while connecting to Proxy

I would guess we also need CA cert and verification options for the proxy, separate from the "peer", right?

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html