Fix error message when trying to use a self-signed HTTPS-proxy #1331
Comments
We've explicitly worked on phrasing the man page for |
Agreed, but if that's the case, shouldn't the error message be corrected to state that, instead of the misleading option? |
It should! |
Just to clear this up so we're all on the same page, when you use
So is that what you are trying to do, use https_proxy only for https URLs? Also we added an error message for this to help, see #1258 and e1187c4. I did not realize though it doesn't handle https proxies set via environment variables. We could show that error all the time, I guess. |
@jay We are indeed on the same page. I wanted to raise this issue only to correct the output message. That's all. Rest works as expected. |
To answer your other question, no, I am not trying to use
Well as I said it's supposed to show "HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure" it's just not doing that because I didn't think of this scenario. In order to detect this I would have to add a CURLINFO to get the proxy that was used for the connection, which may be useful in its own right. A simpler alternative would be just make the message appear all the time. For example the extra line could show always:
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 8f76715..ff533ea 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -109,6 +109,9 @@ CURLcode curl_easy_perform_ev(CURL *easy);
"If you'd like to turn off curl's verification of the certificate, use\n" \
" the -k (or --insecure) option.\n"
+#define CURL_CA_CERT_ERRORMSG3 \
+ "HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.\n"
+
static bool is_fatal_error(CURLcode code)
{
switch(code) {
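Review bot: CURL_CA_CERT_ERRORMSG3 says "similar options" without stating that they act on the proxy's certificate rather than the server's, and it names --proxy-insecure with no indication that it turns verification off, unlike the -k text in the context lines just above it. Suggest wording along the lines of "If the failing certificate is the HTTPS-proxy's, use --proxy-cacert, or --proxy-insecure to turn off its verification." so the hint cannot be read as one more way to fix a server certificate error.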
@@ -1695,13 +1698,8 @@ static CURLcode operate_do(struct GlobalConfig *global,
fprintf(global->errors, "curl: (%d) %s\n", result, (errorbuffer[0]) ?
errorbuffer : curl_easy_strerror(result));
if(result == CURLE_SSL_CACERT)
- fprintf(global->errors, "%s%s%s",
- CURL_CA_CERT_ERRORMSG1, CURL_CA_CERT_ERRORMSG2,
- ((config->proxy &&
- curl_strnequal(config->proxy, "https://", 8)) ?
- "HTTPS proxy has similar options --proxy-cacert "
- "and --proxy-insecure.\n" :
- ""));
+ fprintf(global->errors, "%s%s%s", CURL_CA_CERT_ERRORMSG1,
+ CURL_CA_CERT_ERRORMSG2, CURL_CA_CERT_ERRORMSG3);
}
/* Fall through comment to 'quit_urls' label */ |
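Review bot: with the config->proxy test removed, the fprintf under `if(result == CURLE_SSL_CACERT)` prints CURL_CA_CERT_ERRORMSG3 on every certificate failure, including transfers that use no proxy and builds of libcurl without HTTPS-proxy support, where the hint points at options the user cannot use. Keep some condition on the third argument, for example a check on the build's features, and add a comment saying that config->proxy alone misses proxies set through environment variables.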
IMO, from a developer's point of view, detection would be awesome! But from a user's point of view, having the additional message print always is better than having nothing or a misleading message. |
Here is a simpler change that will only show it if libcurl was built with HTTPS-proxy support:
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 8f76715..572c8d0 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1697,9 +1697,8 @@ static CURLcode operate_do(struct GlobalConfig *global,
if(result == CURLE_SSL_CACERT)
fprintf(global->errors, "%s%s%s",
CURL_CA_CERT_ERRORMSG1, CURL_CA_CERT_ERRORMSG2,
- ((config->proxy &&
- curl_strnequal(config->proxy, "https://", 8)) ?
- "HTTPS proxy has similar options --proxy-cacert "
+ ((curlinfo->features & CURL_VERSION_HTTPS_PROXY) ?
+ "HTTPS-proxy has similar options --proxy-cacert "
"and --proxy-insecure.\n" :
""));
} If I can get a +1 I'll land it |
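Review bot: the new condition `curlinfo->features & CURL_VERSION_HTTPS_PROXY` carries no comment explaining why it tests a build feature instead of the proxy in use, so a later reader may restore the config->proxy test and reintroduce the environment-variable gap. Add a short comment above the ternary noting that the proxy can come from the environment, and that the hint is therefore also shown when the failing certificate is the server's and no proxy is involved.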
I'm 👍 on that! |
- Show the HTTPS-proxy options on CURLE_SSL_CACERT if libcurl was built with HTTPS-proxy support. Prior to this change those options were shown only if an HTTPS-proxy was specified by --proxy, but that did not take into account environment variables such as http_proxy, https_proxy, etc. Follow-up to e1187c4. Bug: #1331 Reported-by: Nehal J Wani
Thanks guys, landed in 98afec0. |
Use curl to fetch google.com via https-proxy
To set up https-proxy, I configured squid with the option:
https_port 3127 cert=/etc/squid/ssl_cert/myCA.pem
Now, I try to send a request, and it tells me that it is a self-signed certificate, which is expected. There is a hint in the output, which suggests that I should use --cacert to point to the CA certificate, or use -k to override this and go ahead with an insecure connection, all of this is expected.
I follow by the book, and provide the path to cacert using the flag and curl still throws the same error at me:
Then, I try to pass the --insecure flag to override the self-signed warning, but curl is still not happy and throws the same message at me:
I give up, and add the self-signed certificate to the trust store:
And now curl is happy:
curl/libcurl version
operating system
Fedora 25
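The distinction this thread settles on, as an added example that is not from the report or from the curl project: a shell helper that works out which proxy applies to a URL, from --proxy or from the environment variables the commit message mentions, and emits --proxy-cacert only when that proxy is an HTTPS proxy. The function names, the host proxy.example and the simplified lookup (NO_PROXY is ignored) are assumptions; the port and CA path are the ones in the report.

```shell
#!/bin/sh
# Added example: pick curl's TLS trust flag for the proxy hop.
# --cacert / -k cover the origin server; --proxy-cacert / --proxy-insecure
# cover an HTTPS proxy. Simplified lookup (assumption): NO_PROXY is ignored.

# effective_proxy URL [PROXY_OPTION]
# Prints the proxy that applies: an explicit --proxy value wins, otherwise
# the scheme-specific environment variable, otherwise all_proxy.
effective_proxy() {
  if [ -n "${2:-}" ]; then
    printf '%s\n' "$2"
    return 0
  fi
  case $1 in
    https://*) p=${https_proxy:-${HTTPS_PROXY:-}} ;;
    http://*)  p=${http_proxy:-} ;;   # curl reads http_proxy in lowercase only
    *)         p= ;;
  esac
  printf '%s\n' "${p:-${all_proxy:-${ALL_PROXY:-}}}"
}

# proxy_tls_args URL PROXY_OPTION PROXY_CA_FILE
# Prints the extra curl arguments needed to verify the proxy's certificate.
# Fails instead of falling back to --proxy-insecure when no CA file is given.
proxy_tls_args() {
  proxy=$(effective_proxy "$1" "${2:-}")
  case $proxy in
    [Hh][Tt][Tt][Pp][Ss]://*)
      if [ -z "${3:-}" ]; then
        echo "HTTPS proxy $proxy in use: supply its CA file" >&2
        return 1
      fi
      printf '%s %s\n' --proxy-cacert "$3"
      ;;
    *) printf '\n' ;;   # no proxy, or a plain HTTP proxy: nothing to add
  esac
}

# Constructed demo: proxy taken from the environment, as in the report.
( https_proxy=https://proxy.example:3127
  proxy_tls_args https://www.google.com/ "" /etc/squid/ssl_cert/myCA.pem )
```

The printed arguments are meant to be appended to the curl command line; --cacert is still needed separately if the origin server's certificate is not in the default trust store.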