I tested the Windows binary against the only SSL-enabled web server outside
our firewall that I could think of at the moment, and it worked for me.
Mark Post
-Original Message-
From: Herold Heiko [mailto:[EMAIL PROTECTED]
Sent: Friday, November 28, 2003 3:18 AM
To: [EMAIL PROTECTED]
Cc: List Wget (E-mail)
Subject: RE: SSL over proxy passthrough
For anyone who wants to test that from Windows, an MSVC binary is at
http://xoomer.virgilio.it/hherold/
Heiko
--
-- PREVINET S.p.A. www.previnet.it
-- Heiko Herold [EMAIL PROTECTED]
-- +39-041-5907073 ph
-- +39-041-5907472 fax
-Original Message-
From: Hrvoje Niksic [mailto:[EMAIL PROTECTED]
Sent: Friday, November 28, 2003 3:26 AM
To: [EMAIL PROTECTED]
Subject: SSL over proxy passthrough
This patch implements a first attempt at using the CONNECT method to
establish passthrough of SSL communication over non-SSL proxies. This
will require testing.
2003-11-28 Hrvoje Niksic [EMAIL PROTECTED]
* http.c (gethttp): Use the CONNECT handle to establish SSL
passthrough through non-SSL proxies.
Index: src/http.c
===
RCS file: /pack/anoncvs/wget/src/http.c,v
retrieving revision 1.125
diff -u -r1.125 http.c
--- src/http.c2003/11/27 23:29:36 1.125
+++ src/http.c2003/11/28 02:22:00
@@ -804,7 +804,7 @@
authenticate_h = NULL;
auth_tried_already = 0;
- inhibit_keep_alive = !opt.http_keep_alive || proxy != NULL;
+ inhibit_keep_alive = !opt.http_keep_alive;
again:
/* We need to come back here when the initial attempt to retrieve
@@ -825,21 +825,72 @@
hs-remote_time = NULL;
hs-error = NULL;
- /* If we're using a proxy, we will be connecting to the proxy
- server. */
- conn = proxy ? proxy : u;
+ conn = u;
+ proxyauth = NULL;
+ if (proxy)
+{
+ char *proxy_user, *proxy_passwd;
+ /* For normal username and password, URL components override
+ command-line/wgetrc parameters. With proxy
+ authentication, it's the reverse, because proxy URLs are
+ normally the permanent ones, so command-line args
+ should take precedence. */
+ if (opt.proxy_user opt.proxy_passwd)
+ {
+ proxy_user = opt.proxy_user;
+ proxy_passwd = opt.proxy_passwd;
+ }
+ else
+ {
+ proxy_user = proxy-user;
+ proxy_passwd = proxy-passwd;
+ }
+ /* This does not appear right. Can't the proxy request,
+ say, `Digest' authentication? */
+ if (proxy_user proxy_passwd)
+ proxyauth = basic_authentication_encode (proxy_user,
proxy_passwd,
+ Proxy-Authorization);
+
+ /* If we're using a proxy, we will be connecting to the proxy
+ server. */
+ conn = proxy;
+}
+
host_lookup_failed = 0;
+ sock = -1;
/* First: establish the connection. */
- if (inhibit_keep_alive
- || !persistent_available_p (conn-host, conn-port,
+
+ if (!inhibit_keep_alive)
+{
+ /* Look for a persistent connection to target host, unless a
+ proxy is used. The exception is when SSL is in use, in which
+ case the proxy is nothing but a passthrough to the target
+ host, registered as a connection to the latter. */
+ struct url *relevant = conn;
#ifdef HAVE_SSL
- u-scheme == SCHEME_HTTPS
+ if (u-scheme == SCHEME_HTTPS)
+ relevant = u;
+#endif
+
+ if (persistent_available_p (relevant-host, relevant-port,
+#ifdef HAVE_SSL
+ relevant-scheme == SCHEME_HTTPS,
#else
- 0
+ 0,
#endif
- , host_lookup_failed))
+ host_lookup_failed))
+ {
+ sock = pconn.socket;
+ using_ssl = pconn.ssl;
+ logprintf (LOG_VERBOSE, _(Reusing existing
connection to %s:%d.\n),
+ pconn.host, pconn.port);
+ DEBUGP ((Reusing fd %d.\n, sock));
+ }
+}
+
+ if (sock 0)
{
/* In its current implementation, persistent_available_p will
look up conn-host in some cases. If that lookup failed, we
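Review bot: In the new `if (proxy)` block, `proxyauth` is built with `basic_authentication_encode` before the proxy has issued any challenge, so the proxy user and password are sent in Basic form (base64, not encrypted) on the first request over the plain connection to the proxy. The in-code comment already questions this, and I would make the constraint explicit, e.g. `/* Basic proxy credentials are sent pre-emptively and in the clear; attach them only to the proxy-bound request (CONNECT for https), never to the request sent inside the tunnel. */`. Where `proxyauth` is written into a request lies outside this hunk, so that second half needs confirming there. Separately, for https through a proxy the persistent-connection lookup uses the target host (`relevant = u`), so a tunnelled connection and a direct SSL connection to the same host and port appear interchangeable for reuse. If the proxy setting can change between requests in one run, a comment stating that this is intended would help.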
@@ -855,28 +906,75 @@
? CONERROR : CONIMPOSSIBLE);
#ifdef HAVE_SSL
- if (conn-scheme == SCHEME_HTTPS)
- {
- if (!ssl_connect (sock))
-{
- logputs (LOG_VERBOSE, \n);
- logprintf (LOG_NOTQUIET,
- _(Unable to establish SSL connection.\n));
- fd_close (sock);
- return CONSSLERR;
-}
- using_ssl = 1;
- }
+ if (proxy u-scheme == SCHEME_HTTPS)
+ {
+ /* When requesting SSL URLs through proxies, use the
+ CONNECT method to request passthrough. */
+ char *connect =
+ (char *) alloca (64