curl-library

Re: Problem using FTPS through HTTP Proxy (crash in cURL library)

From: Rocha, Marcos <marcos.rocha_at_siemens.com>
Date: Wed, 13 Sep 2006 14:00:26 +0200

On Wed, 13 Sep 2006, Daniel Stenberg wrote:

> Ok, I read the message about FTPS over HTTP-proxy from Robert Gonzalez on the
> curl-users list and I now think I understand what you're saying.
>
> The actual CONNECT-request should be sent non-encrypted (which it doesn't seem
> to be doing now), while it should then talk encrypted to the (FTPS) server
> behind it.

Yes, that's it. The request sent to the proxy to set up an HTTP-tunnel
shouldn't be encrypted.

> Does your suggested patch really enable that? What version of libcurl did you
> try that patch on?

Yes, it works fine with libcurl versions 7.15.3 and 7.15.5.

Immediately after the SSL connection to the FTPS server is established
the data channel also gets encrypted as usual. So, I couldn't find any
security issues related to this patch.

> So my suggestion on a proper fix would be something in this style:
>
> We add a new field in that struct called something like 'want' meaning that it
> is true when the connection _wants_ SSL rather than it already uses it since
> like in this case it clearly doesn't use it to start with.
>
> We keep the 'use' field and make sure it only is true when we truly use SSL on
> the connection.
>
> Then all we need to fix is to make sure 'use' is FALSE as long as no SSL
> negotiation has been performed, and if 'want' is TRUE it will SSL negotiate
> and when that is completed 'use' is set TRUE and all is fine again.

This seems to be a better solution. However, until the more general fix
is provided, I think it should be ok to use my patch, if libcurl is used
with libssl.

Thanks a lot for the great support provided in this mailing list!

Regards,

Marcos Rocha
Received on 2006-09-13
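
The 'want'/'use' split proposed in the quoted text above, modelled as an added example that is not part of the original mail and is not libcurl code. The struct, function names, host name and port are hypothetical, the handshake is a stand-in flag, and the proxy is assumed to accept the tunnel; the model also refuses to send FTP commands in cleartext when SSL is wanted but negotiation fails.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the 'want'/'use' idea; not libcurl's real structs. */
enum transport { SENT_PLAIN, SENT_TLS };

struct conn {
    bool ssl_want;      /* scheme asks for SSL (e.g. ftps://) */
    bool ssl_use;       /* SSL negotiation has completed on this socket */
    bool handshake_ok;  /* constructed stand-in for the handshake result */
    enum transport log[8]; /* how each outgoing message was sent */
    size_t nlog;
};

/* Every write goes through here: only 'use' picks the transport. */
static void conn_send(struct conn *c, const char *msg)
{
    (void)msg; /* payload does not matter for the model */
    if (c->nlog < sizeof c->log / sizeof c->log[0])
        c->log[c->nlog++] = c->ssl_use ? SENT_TLS : SENT_PLAIN;
}

/* 'use' becomes true only after a successful negotiation. */
static bool ssl_negotiate(struct conn *c)
{
    c->ssl_use = c->ssl_want && c->handshake_ok;
    return c->ssl_use;
}

/* Connect sequence; returns false (and sends no FTP command) if SSL is
 * wanted but could not be negotiated, so there is no cleartext fallback. */
static bool conn_setup(struct conn *c, bool ftps, bool via_proxy, bool hs_ok)
{
    memset(c, 0, sizeof *c);
    c->ssl_want = ftps;
    c->handshake_ok = hs_ok;
    if (via_proxy) /* tunnel request goes out before any SSL; proxy reply assumed 200 */
        conn_send(c, "CONNECT ftps.example.test:990 HTTP/1.1\r\n\r\n");
    if (c->ssl_want && !ssl_negotiate(c))
        return false;
    conn_send(c, "USER anonymous\r\n");
    return true;
}

int main(void)
{
    struct conn c;
    return conn_setup(&c, true, true, true) && c.log[0] == SENT_PLAIN ? 0 : 1;
}
```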