curl-library

Re: HTTPS proxy, another take

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 24 Nov 2016 12:34:16 +0100 (CET)

On Thu, 24 Nov 2016, Thomas Glanzmann wrote:

> - If I specify the proxy as
> https://daniel:password@proxy.glanzmann.de/ it assumes port
> 1080 (socks). I think we should change the default port number
> to 443. Or is there another reasonable port number for https
> proxies?

I think HTTPS in the URL will make people assume port 443 by default so I
think we should use that for HTTPS proxies like we already do for "normal" HTTPS
URLs.

> - If curl does not trust the https proxy cert, it tells me:
> (infra) [~/work/vlconnect] local/linux/bin/curl --cacert /etc/ssl/certs/ca-certificates.crt --insecure --proxy https://daniel:aa3ge5Ai@proxy.glanzmann.de:443/ http://blog.fefe.de
> curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED
>
> Maybe we should make clear to the user that the ssl cert of the
> proxy is not trusted. Because that might be confusing for users
> who have for example an environment variable set and forgot
> about it, as I did.

Yes! In general I think we should make an effort to clarify when the error
concerns the proxy HTTPS connection as separate from the server HTTPS
connection. It is already complicated, we need to help users as much as
possible here.

I'm also guessing that we will get future users asking why -k (--insecure)
isn't enough to have curl work with the HTTPS proxy of choice.

> Daniel, where should we track the issues with https proxy? In github once it
> is merged?

Yes, that'd be great. And as I plan to merge this within 24 hours or so, feel
free to start creating issues already now, or even better start working on
pull requests that fix the issues! =)

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-24