
Re: [Bug-wget] [Bug-Wget] Patch Test-proxied-https-auth.px


From: Daniel Stenberg
Subject: Re: [Bug-wget] [Bug-Wget] Patch Test-proxied-https-auth.px
Date: Thu, 30 Oct 2014 10:55:49 +0100 (CET)
User-agent: Alpine 2.00 (DEB 1167 2008-08-23)

On Thu, 30 Oct 2014, Tim Ruehsen wrote:

> How the test should work:
> - client opens plain connection to proxy
> - client sends CONNECT request
> - server answers 200 OK
> - client/server change to SSL on the existing connection (in the real world
> the proxy does this when it established the requested connection to the outer
> world)

Not exactly. The proxy can't do it on its own. HTTPS is designed[*] to work peer to peer so it has to be the client to the server and the proxy is only setting up the tunnel but can't do the SSL stuff.

> Of course the proxy could send a 'Proxy-Connection: close' with the first 401 answer and close the connection. For this case I create a second test case later.

A proxy won't be able to show you anything in the SSL connection as that is a tunnel to the server. If the proxy wants authentication it sends a 407 instead of the initial 200, and that connection can of course get closed as well.

[*] = at least originally, until the MITM-ing proxies entered the scheme and complicated matters, but I prefer to view that as messed up SSL and not "real" SSL =)

--

 / daniel.haxx.se
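
The exchange discussed in this message, as an added sketch that is not part of the thread or of wget's test suite: the proxy's plaintext answer to CONNECT (407 instead of the initial 200 when it wants authentication, optionally closing the connection) and the client's resulting next step. The function names, the step labels and the `test-realm` value are assumptions made for illustration.

```python
import base64, hmac

def parse_head(raw: bytes):
    """Split an HTTP message head into (start line, {lowercased name: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def proxy_reply(request: bytes, user: str, password: str, close_on_407=False):
    """Proxy side, plaintext only. Returns (response bytes, tunnel_open)."""
    start, headers = parse_head(request)
    parts = start.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return b"HTTP/1.1 400 Bad Request\r\n\r\n", False
    expected = b"Basic " + base64.b64encode(f"{user}:{password}".encode())
    got = headers.get("proxy-authorization", "").encode("latin-1")
    if not hmac.compare_digest(got, expected):
        # Authentication is demanded with 407 *instead of* the initial 200.
        resp = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                'Proxy-Authenticate: Basic realm="test-realm"\r\n')  # realm is made up
        if close_on_407:
            resp += "Proxy-Connection: close\r\n"
        return (resp + "\r\n").encode(), False
    # After this 200 the proxy only relays opaque bytes between client and server.
    return b"HTTP/1.1 200 Connection established\r\n\r\n", True

def client_next_step(response: bytes) -> str:
    """Client side: what to do after the proxy's answer to CONNECT."""
    start, headers = parse_head(response)
    parts = start.split()
    status = parts[1] if len(parts) > 1 else ""
    if status == "200":
        return "tls-handshake-with-origin"  # TLS runs client <-> server via tunnel
    if status == "407":
        closing = "close" in (headers.get("proxy-connection", "").lower(),
                              headers.get("connection", "").lower())
        return "reconnect-then-auth" if closing else "auth-on-same-connection"
    return "fail"
```

A test proxy built this way never needs a certificate of its own; only the origin server behind the tunnel does.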


