Hello,
I try to use CURLOPT_CONNECT_ONLY to connect through a http proxy using
NTLM_SSP authentication to a HTTP/TLS server. This fails reproducible in
two setups when using two proprietary proxy servers (bluecoat and
TMG/websense) directly after finishing the SSL handshake successful with
'* Closing connection 2'. When I setup a Debian Jessie based squid with
the same authentication method it works. I used wireshark to get a pcap
and found out that libcurl is closing the connection, not the proxy.
Because the 'FIN, ACK' packet is coming from the client, not from the
proxy. I tried this with mbedtls and winssl. When I use curl to issue a
GET request, it does not fail. I striped down the code but did not yet
had a chance to test the striped down code. Tomorrow I'll try the
following things:

        - Hypothesis: Test with OpenSSL
        - Hypothesis: Test strip down example
        - Hypothesis: Test with older libcurl

Because I have only tomorrow and the day after tomorrow to track that
down because afterwards I won't have access to the environment, I wonder
if someone has some tricks to add the verbosity on the SSL backend to
give me a hint why libcurl closes the connection or sees some obvious
mistakes in my stripped down code example. The last message I see is:

< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* mbedTLS: Connecting to gmvl.de:443
* mbedTLS: Set min SSL version to TLS 1.0
* mbedTLS: Handshake complete, cipher is TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
* Dumping cert info:
* cert. version : 3
* serial number : 02:BE:92
* issuer name : C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
* subject name : C=DE, ST=Bayern, L=Erlangen, O=Thomas Glanzmann, CN=infra.glanzmann.de, emailAddress=postmaster_at_glanzmann.de
* issued on : 2014-12-28 09:59:17
* expires on : 2016-12-27 11:20:28
* signed using : RSA with SHA-256
* RSA key size : 2048 bits
* basic constraints : CA=false
* subject alt name : infra.glanzmann.de, glanzmann.de, gmvl.de, *.glanzmann.de, campusvl.de, *.gmvl.de, hpvl.org, *.campusvl.de, holzapfel-glanzmann.de, *.hpvl.org, *.holzapfel-glanzmann.de
* key usage : Digital Signature, Key Encipherment, Key Agreement
* ext key usage : TLS Web Client Authentication, TLS Web Server Authentication

* public key hash: sha256//BVas8dKGCWxH57HW3+O8dZsfmKqJ63e0XEctrB3xyv8=
* SSL connected
* Closing connection 2

The problem is the 'Closing connection 2'. When I do this in my lab, I
get '* Connection #0 to host 10.102.236.245 left intact'.

Find attached my stripped down example. I use libcurl and mbedtls from
git HEAD and used the code since October at least one a day with various
proxies from different vendors.

Cheers,
        Thomas

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html