HTTP Proxies require CONNECT tunnel for HTTPS #146

jaygen opened this Issue Oct 11, 2011 · 10 comments



jaygen commented Oct 11, 2011

Regarding RFC 2817, https requests over HTTP proxies do not use a TLS handshake; instead they should create a tunnel using CONNECT. I notice that you previously had CONNECT for HTTP proxies and removed it completely; this feature is still required for https requests and should be added back in.




Hmm, but interestingly enough it does appear to work without the CONNECT step?

jaygen commented Oct 31, 2011

It works for http requests without CONNECT, not secure requests. For secure requests it is currently sending a TLS to the http proxy which responds with a 500-level error because it doesn't accept TLS handshakes. Instead, the http proxy can create a CONNECT tunnel, which allows the client to communicate with the target. The TLS handshake is then communicated through the tunnel and the proxy is ignorant to the content (which is now being communicated as if there were a direct TCP connection). In this way, the proxy does not act as a man-in-the-middle, but rather facilitates 'direct' communication.

I probably should have been more clear in my original post. Concretely, it needs to first create a CONNECT tunnel with the proxy before doing the TLS handshake.


Sure, I think we're on the same page there. I understand the HTTP proxy CONNECT workflow.

To clear up my previous statement, I was thinking of the SOCKS5 case: https + socks5 works perfectly fine, so I was confusing that against the HTTP proxy case.


What is the status of this issue now?


Needs to be (re)implemented. It was dropped during the march towards 1.0.


I'm having the same issue ...


While the pull request doesn't look correct, ConradIrwin@42de69f works for me!


Ok, I've updated pull request #236 so that it supports the Proxy-Authorization header, and also so that it defaults to using the CONNECT proxy mode for https:// requests.

@igrigorik igrigorik closed this in 42de69f Jun 17, 2013

HTTP + CONNECT support is in master (not released yet). Please give it a try, let me know if you run into any issues. Kudos to @ConradIrwin for the pull.

@psschroeter psschroeter added a commit to psschroeter/em-http-request that referenced this issue Feb 19, 2015
@ConradIrwin ConradIrwin IV-743 Add CONNECT proxy support [Fixes #146]
(cherry picked from commit 42de69f)
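
The CONNECT-then-TLS ordering discussed in this thread, as an added Ruby example that is not em-http-request's code and not part of any comment above: the client sends a plaintext CONNECT, checks for a 2xx reply, and only then may start the TLS handshake on the same socket. The function names, `FakeProxySocket`, the host `example.com` and the use of the Basic scheme for Proxy-Authorization are assumptions made for illustration.

```ruby
require "base64"
require "stringio"

# Build the plaintext CONNECT request sent to the proxy before any TLS bytes.
def build_connect_request(host, port, proxy_user: nil, proxy_pass: nil)
  # Reject whitespace/CRLF so a hostile hostname cannot inject extra headers.
  raise ArgumentError, "invalid host" if host.match?(/[\r\n\s]/)
  target = "#{host}:#{Integer(port)}"
  lines = ["CONNECT #{target} HTTP/1.1", "Host: #{target}"]
  if proxy_user
    # Assumption: the proxy uses the Basic scheme for Proxy-Authorization.
    cred = Base64.strict_encode64("#{proxy_user}:#{proxy_pass}")
    lines << "Proxy-Authorization: Basic #{cred}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Read the proxy's response head up to the blank line; return the status code.
def read_connect_status(io)
  status_line = io.gets("\r\n") or raise IOError, "proxy closed the connection"
  m = status_line.match(%r{\AHTTP/1\.[01] (\d{3})[ \r]}) or raise IOError, "malformed status line"
  while (line = io.gets("\r\n"))
    break if line == "\r\n" # end of headers: tunnel bytes start after this
  end
  m[1].to_i
end

# Returns io only when the proxy answered 2xx; the caller starts TLS on it next.
def open_tunnel(io, host, port, **auth)
  io.write(build_connect_request(host, port, **auth))
  code = read_connect_status(io)
  raise IOError, "proxy refused CONNECT (#{code})" unless (200..299).cover?(code)
  io
end

# Constructed stand-in for a proxy socket so the example runs offline.
class FakeProxySocket
  attr_reader :sent
  def initialize(reply)
    @reply = StringIO.new(reply)
    @sent = +""
  end
  def write(data)
    @sent << data
  end
  def gets(sep)
    @reply.gets(sep)
  end
end
```

With a real proxy, `io` would be the TCP socket to the proxy, and the socket returned by `open_tunnel` is the one to wrap in TLS with the origin's hostname used for certificate verification.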