Re: TLS handshake failures on socks proxy

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 15 Apr 2020 08:29:21 +0200 (CEST)

On Tue, 14 Apr 2020, Anand Sridharan via curl-library wrote:

> Method 1 - use existing APIs used for http proxy but remove any conditions
> specific for HTTPS proxy. (wireshark: lo_sslversion.pcap)
>
> - SSL upgrade of existing socket using curl APIs
> curl_ssl_connect_nonblocking and curl_ssl_init_proxy for TLS handshake
> - Fatal alert: protocol version

Sounds like the client and server didn't agree on TLS version?

> Method 2 - use new SSL context init and add certificates/key manually, do
> simple ssl_connect on sockfd (wireshark: inverse_server_client_l0.pcap)
>
> - SSL_set_fd(ssl, sockfd) and SSL_connect(ssl) are used.
> - Fatal alert illegal parameter.

Sounds like you're not passing the right things to these functions?

Perhaps a more "winning" approach is to run stunnel in front of a "real" socks
proxy so that you can actually verify the whole thing once the TLS handshake
works. It would even be a way to set up and create test cases to use in the
curl test suite.

If you take it in that direction, then you'd also be closer to something you
could share with other curl hackers here and we might be able to help out!

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/

Received on 2020-04-15
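
The stunnel-in-front-of-a-SOCKS-proxy fixture suggested in the message above, as an added example that is not from the thread or the curl project. The ports, file names, self-signed certificate and pinned minimum TLS version are assumptions; the plain SOCKS proxy on port 1080 is expected to exist already.

```shell
#!/bin/sh
# Added example: TLS test fixture in front of a plain SOCKS proxy.
# Assumed values (not from the thread): ports 1443/1080 and file names.
TLS_PORT=1443      # stunnel accepts TLS here
SOCKS_PORT=1080    # existing plain SOCKS proxy, e.g. `ssh -D 1080 host`

# Create a throwaway self-signed key and certificate for the listener.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=localhost" \
        -keyout "$1/proxy.key" -out "$1/proxy.crt" 2>/dev/null
}

# Write a stunnel server config that terminates TLS and forwards the
# decrypted byte stream to the SOCKS proxy.
write_stunnel_conf() {
    cat > "$1/stunnel.conf" <<EOF
foreground = yes
debug = info
pid =

[socks-over-tls]
accept = 127.0.0.1:${TLS_PORT}
connect = 127.0.0.1:${SOCKS_PORT}
cert = $1/proxy.crt
key = $1/proxy.key
; needs stunnel built against OpenSSL 1.1.0 or later
sslVersionMin = TLSv1.2
EOF
}

# Handshake check with a known-good client: shows the negotiated
# protocol/cipher line and the certificate verification result.
check_handshake() {
    openssl s_client -connect "127.0.0.1:${TLS_PORT}" \
        -CAfile "$1/proxy.crt" </dev/null 2>/dev/null |
        grep -E '^New, |Verif'
}

# Only start anything when invoked as: sh fixture.sh run
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir" && write_stunnel_conf "$dir"
    stunnel "$dir/stunnel.conf" &
    sleep 1
    check_handshake "$dir"
    kill $!
fi
```

Once `check_handshake` reports a negotiated protocol, the same listener gives the client code under development a server whose TLS version and certificate are known, so a `protocol version` or `illegal parameter` alert can be attributed to the client side.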