On Mon, 25 Aug 2014, Vijay Panghal wrote:
>Thanks a lot for stepping forward and working on this!
>
>> 3. location url is https and proxy url is https
>> libCurl does not support this. This will be useful for creating encrypted
>> tunnel between client to proxy (without HTTP CONNECT) which allow caching
>> content.
>> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>Without CONNECT, really? This is a major thing as you no longer have end to
>end security then. Which certificate would libcurl verify for the connection?
>
>Do you actually have a use case/users who want this?
I haven't thought much about the curl use case for this, but some teams use
similar functions with other clients when building functional/performance test
scenarios with TLS protected web services when we don't have a strong
understanding of the protocol implementation. Set up a proxy server that
effectively MITMs the TLS session, give the proxy a certificate from a local
CA that the client can trust, and let the proxy break the TLS tunnel. The BURP
scanner provides a similar function. I can't imagine wide use, but the
services under test usually don't want to share their SSL cert/key with an
outside test team so they can't just wireshark from the end. Sometimes this is
easier than getting the service side to run the wireshark in the right location.
It does require trusting both the public PKI chain and the local PKI chain.
This usually occurs when having to build one's own client for testing the
service. Sometimes libcurl is handy for that work.
>I would consider that use case very limited and crippled. I want 5) HTTPS to
>the proxy, then CONNECT to the remote site and TLS over that. That's also what
>the browsers support.
>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html