Using an HTTPS proxy hangs curl

[ljwagerfield]

I did this

curl -v --proxy-insecure -x https://localhost:8080 http://google.com/

I expected the following

<response from http://google.com>

What actually happened

*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Proxy certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Dec  7 19:02:52 2016 GMT
*  expire date: Dec  7 19:02:52 2017 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.

...hangs at this point

curl/libcurl version

curl 7.55.1 (x86_64-apple-darwin16.7.0) libcurl/7.55.1 OpenSSL/1.0.2l zlib/1.2.8 nghttp2/1.25.0
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy

operating system

macOS Sierra 10.12.6

---

This is the same behaviour as: #1156

I am using the same gist to run a basic HTTPS proxy.

[bagder]

So you truly want HTTPS to the proxy? (The title says HTTP...)

[jay]

Bisected to 5113ad0, only affects http without proxytunnel. I didn't use the gist script for reasons noted below, instead I manually monitored socat output to see when the CONNECT GET lines would show (if they did bisect good, if they didn't bisect bad).
socat openssl-listen:4433,reuseaddr,fork,cert=yourcerthere.pem,verify=0 -

The reason I didn't use the gist script is because that was a very narrow example written to help us reproduce an issue with a proxytunnel to google's server. if you look in the script you'll see that. Technically you could repurpose it by changing the line in the script to net.Dial("tcp", "www.google.com:80") and then add curl option --proxytunnel since curl by default won't tunnel http connections, but the bug is not reproducible then.

[ljwagerfield]

@bagder yes I mean't HTTPS proxy (title updated, sorry!).

In this very specific case, the gist script represents the problem quite well. I'm actually hitting the issue with a different HTTP proxy implementation, so it's not specific to the gist script. More specifically, it seems to be:

• HTTPS proxy
• HTTP origin
• GET instead of CONNECT (i.e. no --proxytunnel option)

[bagder]

Please try the fix in #1862 and see if it helps your case. I could reproduce and this change made the problem go away for me.

[ljwagerfield]

Have tried building curl for the first time using --with-darwinssl -- but HTTPS Proxy does not get listed in the feature set.

Does it only work with --with-ssl?

[bagder]

Only with OpenSSL, GnuTLS and NSS.

I think the limitation for darwinssl is mostly that nobody has worked on actually adapting that backend for HTTPS proxy.