HTTP Proxies require CONNECT tunnel for HTTPS #146

Closed
jaygen opened this Issue Oct 11, 2011 · 10 comments

@jaygen
jaygen commented Oct 11, 2011

Regarding RFC 2817, https requests over HTTP proxies do not use a TLS handshake; instead they should create a tunnel using CONNECT. I notice that you previously had CONNECT for HTTP proxies and removed it completely. This feature is still required for https requests and should be added back in.

@paulbellamy

+1

@igrigorik
Owner

Hmm, but interestingly enough it does appear to work without the CONNECT step?

@jaygen
jaygen commented Oct 31, 2011

It works for http requests without CONNECT, not secure requests. For secure requests it is currently sending a TLS to the http proxy which responds with a 500-level error because it doesn't accept TLS handshakes. Instead, the http proxy can create a CONNECT tunnel, which allows the client to communicate with the target. The TLS handshake is then communicated through the tunnel and the proxy is ignorant of the content (which is now being communicated as if there were a direct TCP connection). In this way, the proxy does not act as a man-in-the-middle, but rather facilitates 'direct' communication.

I probably should have been more clear in my original post. Concretely, it needs to first create a CONNECT tunnel with the proxy before doing the TLS handshake.
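
The CONNECT step described in the comment above, sketched as an added example (not code from em-http-request or from anyone in this thread). `connect_request`, `read_connect_status`, `open_tunnel` and `FakeProxySocket` are hypothetical names, and the proxy replies used with them are constructed.

```ruby
require 'stringio'

# Added example; all names here are hypothetical, not em-http-request API.
# Build the CONNECT request that asks an HTTP proxy for a raw TCP tunnel.
def connect_request(host, port, proxy_user: nil, proxy_pass: nil)
  # Reject anything that could smuggle CR/LF or spaces into the request
  # (IPv6 literals are left out to keep the check short).
  unless host.match?(/\A[A-Za-z0-9.-]+\z/) && port.is_a?(Integer) && port.between?(1, 65_535)
    raise ArgumentError, "invalid tunnel target"
  end
  lines = ["CONNECT #{host}:#{port} HTTP/1.1", "Host: #{host}:#{port}"]
  if proxy_user
    token = ["#{proxy_user}:#{proxy_pass}"].pack("m0") # base64, no newline
    lines << "Proxy-Authorization: Basic #{token}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Read the proxy's reply up to the blank line and return its status code.
def read_connect_status(sock)
  status_line = sock.gets("\r\n") or raise IOError, "proxy closed the connection"
  m = status_line.match(%r{\AHTTP/1\.[01] (\d{3})}) or raise IOError, "malformed proxy reply"
  while (line = sock.gets("\r\n"))
    break if line == "\r\n"
  end
  raise IOError, "truncated proxy reply" if line.nil?
  m[1].to_i
end

# Only after a 2xx reply is the socket a tunnel; the TLS handshake with the
# target (verified against the target's hostname, not the proxy's) starts then.
def open_tunnel(sock, host, port, **auth)
  sock.write(connect_request(host, port, **auth))
  code = read_connect_status(sock)
  raise "proxy refused CONNECT (#{code})" unless (200..299).cover?(code)
  true
end

# Constructed stand-in for a proxy socket: replays a canned reply, records writes.
class FakeProxySocket
  attr_reader :sent
  def initialize(reply); @reply = StringIO.new(reply); @sent = String.new; end
  def write(data); @sent << data; end
  def gets(sep); @reply.gets(sep); end
end
```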

@igrigorik
Owner

Sure, I think we're on the same page there. I understand the HTTP proxy CONNECT workflow.

To clear up my previous statement, I was thinking of the SOCKS5 case: https + socks5 works perfectly fine, so I was confusing that against the HTTP proxy case.

@ancheremukhin

What is the status of this issue now?

@igrigorik
Owner

Needs to be (re)implemented. It was dropped during the march towards 1.0.

@berlincount

I'm having the same issue ...

@berlincount

While the pull request doesn't look correct, ConradIrwin@42de69f works for me!

@ConradIrwin

Ok, I've updated pull request #236 so that it supports the Proxy-Authorization header, and also so that it defaults to using the CONNECT proxy mode for https:// requests.

@igrigorik igrigorik closed this in 42de69f Jun 17, 2013
@igrigorik
Owner

HTTP + CONNECT support is in master (not released yet). Please give it a try, let me know if you run into any issues. Kudos to @ConradIrwin for the pull.

@psschroeter psschroeter added a commit to psschroeter/em-http-request that referenced this issue Feb 19, 2015
@ConradIrwin ConradIrwin IV-743 Add CONNECT proxy support [Fixes #146]
(cherry picked from commit 42de69f)
cd2aea5