RE: SSL over proxy passthrough

2003-11-28 Thread Daniel Stenberg
On Fri, 28 Nov 2003, Hrvoje Niksic's patch:

 This patch implements a first attempt of using the CONNECT method to
 establish passthrough of SSL communication over non-SSL proxies.  This will
 require testing.

I find this wording a bit funny. What is a non-SSL proxy? CONNECT is the
defined way to speak SSL when using an HTTP proxy...

 +  /*  This does not appear right.  Can't the proxy request,
 +  say, `Digest' authentication?  */

Right, the proxy can of course require Digest (or other kinds of)
authentication. The 'A2' encoded chunk needs the 'CONNECT' string then.

Also, I couldn't really tell from this patch, but make sure that you don't
accidentally pass on the proxy authentication in the following request to the
actual remote server as well.

-- 
 -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol


Re: SSL over proxy passthrough

2003-11-28 Thread Daniel Stenberg
On Fri, 28 Nov 2003, Hrvoje Niksic wrote:

  I find this wording a bit funny. What is a non-SSL proxy? CONNECT is the
  defined way to speak SSL when using an HTTP proxy...

 What if someone explicitly uses http_proxy=https://...?  Or even
 https_proxy=https://...?

Ah, right! *That* is indeed a very-much-SSL proxy. I didn't consider that
case. I don't think it is ever used in practice.

  The 'A2' encoded chunk needs the 'CONNECT' string then.

 I'm not sure I understand this.

Sorry, I cut down a bit too much on my wording. I meant that since the Digest
authentication hash uses the HTTP method string, you need to make sure that
'CONNECT' is the method used when you use Digest for this case.

But as you said, Digest is rarely used for proxy authentication.

-- 
 -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
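The two points raised in this exchange, the Digest A2 value for a tunnel request and the need to keep proxy credentials off the request that travels inside the tunnel, can be shown with a small worked example. This is added illustration code, not Wget's, curl's or Daniel's; it follows the RFC 2617 Digest formulas (A1 = user:realm:password, A2 = method:digest-uri), and every user name, realm, nonce and host value below is constructed for the demonstration.

```python
import base64
import hashlib


def md5_hex(text: str) -> str:
    """MD5 of UTF-8 text as lowercase hex, the encoding RFC 2617 Digest uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_proxy_authorization(user: str, password: str) -> str:
    """Value of a Basic Proxy-Authorization header (the only kind the patch builds)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def digest_response(method, uri, user, realm, password, nonce,
                    qop=None, nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 request-digest.

    A2 = method ":" digest-uri, so the method string is part of the hash:
    for a tunnel request the method must be CONNECT and the URI is host:port.
    Sending a digest computed over "GET:..." on a CONNECT request yields a
    value the proxy will reject.  cnonce/nc defaults are constructed samples.
    """
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:  # RFC 2069 compatibility form, no qop directive
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_proxy_authorization(host, port, user, realm, password, nonce, qop="auth"):
    """Proxy-Authorization value for a CONNECT request answered with a Digest challenge."""
    uri = f"{host}:{port}"
    response = digest_response("CONNECT", uri, user, realm, password, nonce, qop=qop)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc=00000001, cnonce="0a4f113b", '
            f'response="{response}"')


def connect_request(host, port, proxy_authorization=None):
    """The request sent to the proxy; this is the only message that may carry proxy credentials."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_authorization:
        lines.append(f"Proxy-Authorization: {proxy_authorization}")
    return "\r\n".join(lines) + "\r\n\r\n"


def tunneled_request(host, path):
    """The request sent through the established tunnel to the origin server.
    It deliberately carries no Proxy-Authorization header: the origin must never
    see the proxy credentials."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def carries_proxy_credentials(request: str) -> bool:
    """Check a request head for a Proxy-Authorization header (case-insensitive)."""
    head = request.split("\r\n\r\n", 1)[0]
    return any(line.lower().startswith("proxy-authorization:")
               for line in head.split("\r\n"))


def tunnel_established(proxy_reply: str) -> bool:
    """True when the proxy's status line to the CONNECT request is a 2xx 200."""
    status_line = proxy_reply.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    return len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1] == "200"


if __name__ == "__main__":
    # Constructed sample exchange: a 407 Digest challenge, then a CONNECT that answers it.
    challenge = ('HTTP/1.1 407 Proxy Authentication Required\r\n'
                 'Proxy-Authenticate: Digest realm="proxy", nonce="abc123", qop="auth"\r\n\r\n')
    print("first reply opened a tunnel:", tunnel_established(challenge))
    auth = digest_proxy_authorization("example.com", 443, "alice", "proxy", "secret", "abc123")
    req = connect_request("example.com", 443, auth)
    print(req)
    print("CONNECT carries proxy creds:", carries_proxy_credentials(req))
    print("tunneled GET carries proxy creds:",
          carries_proxy_credentials(tunneled_request("example.com", "/")))
    print("proxy accepted:", tunnel_established("HTTP/1.0 200 Connection established\r\n\r\n"))
```

The `carries_proxy_credentials` check is the one to run over whatever request is handed to the tunnel writer: a Basic header that is harmless towards the proxy becomes a credential leak once it is forwarded to the origin server inside the TLS session.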


Re: [patch] FTP --spider capability

2003-11-28 Thread Hrvoje Niksic
Karsten Hopp [EMAIL PROTECTED] writes:

 I'm working on it ;-) I'd like to put a CVS version into rawhide to
 get more feedback about the current status, but that only makes sense
 when the next official version will be released before 'Fedora Core
 2', as I won't put a beta version into a Fedora release. When do you
 expect to tag wget-1.9.2?

There might not be a 1.9.2.  There are two branches of development:

* The main trunk, where new development happens.  When it is deemed
  mature and stable enough to release, or when we run out of features
  to add, it will become Wget 1.10.

* The stable 1.9 branch, from which all the 1.9.x releases come.
  That branch is purely bugfix, *no* new features go in.  If serious
  bugs are discovered in 1.9.1, I'll release 1.9.2 with the fix, along
  with the other minor fixes that accumulated in the branch.

I don't think it makes sense to put a snapshot of the CVS trunk into any
distribution, be it Debian unstable or rawhide, because the CVS is
primarily meant for alpha-testing Wget.  Although Wget's CVS has
traditionally been quite stable, no one can guarantee that in general.
Furthermore, no one can tell exactly when 1.10 will be released.

Can you clarify why you considered including the CVS code in rawhide?


Re: SSL over proxy passthrough

2003-11-28 Thread Daniel Stenberg
On Fri, 28 Nov 2003, Hrvoje Niksic wrote:

 The bottom line is: should I even acknowledge `https' proxies?

I don't think you'll ever run into any.

 Do the browsers work with them?

I don't know. I've never seen anyone use a proxy like that.

 Does curl handle `https_proxy' or `http_proxy' being a https URL?

Nope. curl only speaks non-SSL HTTP with the proxy. (To be precise, it ignores
the protocol part of the given proxy and connects to it non-SSL.)

-- 
 -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol


RE: SSL over proxy passthrough

2003-11-28 Thread Post, Mark K
I tested the Windows binary against the only SSL-enabled web server outside
our firewall that I could think of at the moment, and it worked for me.

Mark Post

-Original Message-
From: Herold Heiko [mailto:[EMAIL PROTECTED]
Sent: Friday, November 28, 2003 3:18 AM
To: [EMAIL PROTECTED]
Cc: List Wget (E-mail)
Subject: RE: SSL over proxy passthrough


For whoever wants to test that from Windows, MSVC binary at
http://xoomer.virgilio.it/hherold/
Heiko

-- 
-- PREVINET S.p.A. www.previnet.it
-- Heiko Herold [EMAIL PROTECTED]
-- +39-041-5907073 ph
-- +39-041-5907472 fax

 -Original Message-
 From: Hrvoje Niksic [mailto:[EMAIL PROTECTED]
 Sent: Friday, November 28, 2003 3:26 AM
 To: [EMAIL PROTECTED]
 Subject: SSL over proxy passthrough
 
 
 This patch implements a first attempt of using the CONNECT method to
 establish passthrough of SSL communication over non-SSL proxies.  This
 will require testing.
 
 2003-11-28  Hrvoje Niksic  [EMAIL PROTECTED]
 
   * http.c (gethttp): Use the CONNECT handle to establish SSL
   passthrough through non-SSL proxies.
 
 Index: src/http.c
 ===
 RCS file: /pack/anoncvs/wget/src/http.c,v
 retrieving revision 1.125
 diff -u -r1.125 http.c
 --- src/http.c2003/11/27 23:29:36 1.125
 +++ src/http.c2003/11/28 02:22:00
 @@ -804,7 +804,7 @@
authenticate_h = NULL;
auth_tried_already = 0;
  
 -  inhibit_keep_alive = !opt.http_keep_alive || proxy != NULL;
 +  inhibit_keep_alive = !opt.http_keep_alive;
  
   again:
/* We need to come back here when the initial attempt to retrieve
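Review bot: dropping `proxy != NULL` from the `inhibit_keep_alive` assignment turns on persistent connections for every proxied request, plain HTTP included, which is wider than the CONNECT passthrough the ChangeLog entry describes; state that behaviour change in the ChangeLog, and note in a comment that it depends on the persistent-connection lookup further down keying on the proxy host for plain HTTP and on the target host for HTTPS, since a reused socket to the proxy is not a tunnel to the target.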
 @@ -825,21 +825,72 @@
hs-remote_time = NULL;
hs-error = NULL;
  
 -  /* If we're using a proxy, we will be connecting to the proxy
 - server. */
 -  conn = proxy ? proxy : u;
 +  conn = u;
  
 +  proxyauth = NULL;
 +  if (proxy)
 +{
 +  char *proxy_user, *proxy_passwd;
 +  /* For normal username and password, URL components override
 +  command-line/wgetrc parameters.  With proxy
 +  authentication, it's the reverse, because proxy URLs are
 +  normally the permanent ones, so command-line args
 +  should take precedence.  */
 +  if (opt.proxy_user  opt.proxy_passwd)
 + {
 +   proxy_user = opt.proxy_user;
 +   proxy_passwd = opt.proxy_passwd;
 + }
 +  else
 + {
 +   proxy_user = proxy-user;
 +   proxy_passwd = proxy-passwd;
 + }
 +  /*  This does not appear right.  Can't the proxy request,
 +  say, `Digest' authentication?  */
 +  if (proxy_user  proxy_passwd)
 + proxyauth = basic_authentication_encode (proxy_user, 
 proxy_passwd,
 +  Proxy-Authorization);
 +
 +  /* If we're using a proxy, we will be connecting to the proxy
 +  server.  */
 +  conn = proxy;
 +}
 +
host_lookup_failed = 0;
 +  sock = -1;
  
/* First: establish the connection.  */
 -  if (inhibit_keep_alive
 -  || !persistent_available_p (conn-host, conn-port,
 +
 +  if (!inhibit_keep_alive)
 +{
 +  /* Look for a persistent connection to target host, unless a
 +  proxy is used.  The exception is when SSL is in use, in which
 +  case the proxy is nothing but a passthrough to the target
 +  host, registered as a connection to the latter.  */
 +  struct url *relevant = conn;
  #ifdef HAVE_SSL
 -   u-scheme == SCHEME_HTTPS
 +  if (u-scheme == SCHEME_HTTPS)
 + relevant = u;
 +#endif
 +
 +  if (persistent_available_p (relevant-host, relevant-port,
 +#ifdef HAVE_SSL
 +   relevant-scheme == SCHEME_HTTPS,
  #else
 -   0
 +   0,
  #endif
 -   , host_lookup_failed))
 +   host_lookup_failed))
 + {
 +   sock = pconn.socket;
 +   using_ssl = pconn.ssl;
 +   logprintf (LOG_VERBOSE, _(Reusing existing 
 connection to %s:%d.\n),
 +  pconn.host, pconn.port);
 +   DEBUGP ((Reusing fd %d.\n, sock));
 + }
 +}
 +
 +  if (sock  0)
  {
/* In its current implementation, persistent_available_p will
look up conn-host in some cases.  If that lookup failed, we
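Review bot: the proxy authentication built here is Basic only (`basic_authentication_encode`), as the comment above it admits, so a proxy that answers 407 with `Proxy-Authenticate: Digest` cannot be satisfied; either document the limitation or run proxy challenges through the same handling as `authenticate_h`, remembering that a Digest A2 for the tunnel must be computed over the `CONNECT` method and the `host:port` URI. Also make sure `proxyauth` is only emitted on the request addressed to the proxy: once the tunnel is up, the request inside it reaches the origin server, which must not receive the proxy credentials. In the reuse branch, `using_ssl = pconn.ssl` is right only because `relevant` is the target `u` for HTTPS, so a persistent connection registered under the target host is already the tunnel; a one-line comment next to `relevant = u` saying so would spare the next reader the inference.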
 @@ -855,28 +906,75 @@
   ? CONERROR : CONIMPOSSIBLE);
  
  #ifdef HAVE_SSL
 - if (conn-scheme == SCHEME_HTTPS)
 -   {
 -  if (!ssl_connect (sock))
 -{
 -  logputs (LOG_VERBOSE, \n);
 -  logprintf (LOG_NOTQUIET,
 - _(Unable to establish SSL connection.\n));
 -  fd_close (sock);
 -  return CONSSLERR;
 -}
 -  using_ssl = 1;
 -   }
 +  if (proxy  u-scheme == SCHEME_HTTPS)
 + {
 +   /* When requesting SSL URLs through proxies, use the
 +  CONNECT method to request passthrough.  */
 +   char *connect =
 + (char *) alloca (64
 +  +
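Review bot: the removed block was where `ssl_connect` ran for a direct HTTPS connection, keyed on `conn->scheme`; the replacement branch is guarded by `proxy && u->scheme == SCHEME_HTTPS`, so the no-proxy HTTPS path must still reach `ssl_connect` somewhere below, and the diff is cut off at `alloca (64` before that can be checked. When the remaining lines size that buffer, add the 64-byte slack to the measured host and port length rather than assuming it covers them. Switching the test from `conn->scheme` to `u->scheme` is the right change, since with a proxy `conn` is the proxy and only the target decides whether a tunnel is needed.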