curl-library

Re: problems connecting to HTTPS server

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 25 Oct 2001 10:58:58 +0200 (MET DST)

On Wed, 24 Oct 2001, john lask wrote:

> As it turns out libcurl/curl can access TLSv1, the problem appears to be a
> very subtle one. In the sense of:
> curl+http proxy = OK
> curl+ssl/tls = OK
> curl+ssl/tls via http proxy = NOTOK

First let me congratulate you on a splendid report and good research!

> As soon as I tried downloading from outside the http proxy firewall, it came
> back with the standard error:
>
> Curl: (35) SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number
>
> So it appeared that the problem was not so much TLSv1 as SSL through a
> proxy firewall.
>
> To confirm this I set up the HTTP-Tunnel to respond on port 443 on the
> local machine and do the HTTP tunneling to the remote HTTPS server. i.e.
> from curl's point of view the remote server looked like a local server.
>
> This worked.
>
> So it appears that it is the combination of HTTP proxy + SSL that is
> causing the problem? Some subtle interaction?

Okay. So then one question of course arises: what's the difference between
using proxy and not? There's only one really. When we use a proxy, we issue
an initial request to the proxy to tunnel through all our traffic to the
remote host (SSL requires non-tampered peer-to-peer data). This is done with
a CONNECT request in the http.c function named Curl_ConnectHTTPProxyTunnel().

When that is done, the rest is transparently dealt with. Proxy or not.

The problem/solution is therefore likely to be in this area. Maybe we read a
byte too much/too little at times? Maybe we don't follow/parse some odd
header/response from your proxy?

I'm grateful for any further piece of info regarding that, that you can dig
up from comparing working and non-working cases.

> I'd be interested to know if anyone can verify this? i.e. am I the only
> one experiencing this problem?

We've been using SSL over proxies in curl for over three years. I've not seen
this problem reported before.

-- 
    Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
Received on 2001-10-25
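
Added example (not part of the original mail and not curl's own code): a check for the "read a byte too much/too little" hypothesis above. It finds where a proxy's CONNECT reply ends in a receive buffer and tests whether the bytes that follow look like a TLS record header; the buffer and all function names are constructed for illustration.

```c
/* Added illustration, not curl source; names and sample data are constructed. */
#include <stddef.h>
#include <stdio.h>

/* Constructed receive-side stream: proxy reply, then the first bytes of the
   server's TLS record (type 0x16 handshake, version 3.1 = TLSv1). */
static const unsigned char sample[] =
    "HTTP/1.0 200 Connection established\r\n"
    "Proxy-agent: constructed\r\n"
    "\r\n"
    "\x16\x03\x01\x00\x2a";
static const size_t sample_len = sizeof(sample) - 1;

/* Status code from "HTTP/x.y NNN ...", or -1 if malformed. */
int connect_status(const unsigned char *b, size_t len)
{
    size_t i = 0, k;
    while (i < len && b[i] != ' ' && b[i] != '\n') i++;
    if (i + 3 >= len || b[i] != ' ') return -1;
    for (k = 1; k <= 3; k++)
        if (b[i + k] < '0' || b[i + k] > '9') return -1;
    return (b[i + 1] - '0') * 100 + (b[i + 2] - '0') * 10 + (b[i + 3] - '0');
}

/* Offset just past the empty line that ends the headers (CRLF or bare LF
   line endings), or -1 if the headers are not complete yet. */
long connect_response_end(const unsigned char *b, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++) {
        if (b[i] != '\n') continue;
        if (b[i + 1] == '\n') return (long)(i + 2);
        if (i + 2 < len && b[i + 1] == '\r' && b[i + 2] == '\n')
            return (long)(i + 3);
    }
    return -1;
}

/* SSLv3/TLS record header: content type 20..23, then major version 3. */
int looks_like_tls_record(const unsigned char *p, size_t len)
{
    return len >= 3 && p[0] >= 20 && p[0] <= 23 && p[1] == 3;
}

int main(void)
{
    long off = connect_response_end(sample, sample_len);
    int tls = off >= 0 && looks_like_tls_record(sample + off, sample_len - (size_t)off);
    printf("status=%d tunnel starts at %ld tls=%d\n",
           connect_status(sample, sample_len), off, tls);
    return 0;
}
```

Handing the TLS layer a pointer one byte before or after the returned offset makes the header check fail, so comparing this offset between working and non-working proxy captures shows whether the tunnel setup is consuming the wrong number of bytes.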