URL:
  <https://savannah.gnu.org/bugs/?68250>

                 Summary: wget doesn't honor TLS URL in http_proxy
                   Group: GNU Wget
               Submitter: None
               Submitted: Fri 17 Apr 2026 08:14:31 AM UTC
                Category: Protocol Issue
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: aeris
        Originator Email: [email protected]
             Open/Closed: Open
         Discussion Lock: Unlocked
                 Release: None
        Operating System: GNU/Linux
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: None
           Work Required: None
          Patch Included: No


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Fri 17 Apr 2026 08:14:31 AM UTC By: Anonymous
Hello

I am trying to use a Squid proxy that is available over HTTPS only (not plain HTTP),
so I define an http_proxy with an https://proxy URL (not http://).

wget just ignores the scheme and tries to communicate in plain text with the
proxy, with no TLS session.

```
$ https_proxy=https://proxy wget https://imirhil.fr/ --debug  
DEBUG output created by Wget 1.25.0 on linux-gnu.

Certificates loaded: 151
Resolving proxy (proxy)... fd00:10::80
Caching proxy => fd00:10::80
Connecting to proxy (proxy)|fd00:10::80|:443... connected.
Created socket 3.
Releasing 0x0000559b7af6b420 (new refcount 1).

---request begin---
CONNECT imirhil.fr:443 HTTP/1.1
User-Agent: Wget/1.25.0
Host: imirhil.fr:443

---request end---
Proxy tunneling failed: ?Unable to establish SSL connection.
``` 

```
$ tcpdump -Ani lan ip6 host fd00:10::80 and tcp port 443

IP6 fd00:10::3:6.39922 > fd00:10::80.443: Flags [P.], length 82
CONNECT imirhil.fr:443 HTTP/1.1
User-Agent: Wget/1.25.0
Host: imirhil.fr:443
```

cURL doesn't have this trouble and initiates a first TLS session to the proxy server
before trying to CONNECT on the proxy to the targeted URL.

```
$ https_proxy=https://proxy curl --verbose https://imirhil.fr/ -I

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  subjectAltName: host "proxy" matched cert's "proxy"
*  SSL certificate verify ok.
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to imirhil.fr:443
> CONNECT imirhil.fr:443 HTTP/1.1
> Host: imirhil.fr:443
> User-Agent: curl/8.14.1
> Proxy-Connection: Keep-Alive
*  subjectAltName: host "imirhil.fr" matched cert's "imirhil.fr"
*  SSL certificate verify ok.
> HEAD / HTTP/2
> Host: imirhil.fr
> User-Agent: curl/8.14.1
> Accept: */*
* Request completely sent off
< HTTP/2 200 
HTTP/2 200 
```
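
Added example, not part of the original report and not Wget or Squid code: a Python check that looks at the first client payload captured on a proxy port that expects TLS and separates a TLS ClientHello (what the curl trace shows) from a cleartext request (what the tcpdump capture shows for Wget). The function names and the ClientHello sample bytes are constructed for illustration; the Wget payload is rebuilt from the capture in the report.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01   # record type, handshake type (RFC 8446)
HTTP_METHODS = (b"CONNECT ", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

def classify_first_bytes(payload: bytes) -> dict:
    """Classify the first client payload seen on a proxy port that expects TLS."""
    if len(payload) >= 6 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03:
        # Record header: type(1) | version(2) | length(2), then handshake type(1).
        (record_len,) = struct.unpack("!H", payload[3:5])
        if payload[5] == CLIENT_HELLO and 0 < record_len <= 16384:
            return {"kind": "tls_client_hello", "target": None}
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        is_connect = len(parts) == 3 and parts[0] == "CONNECT"
        # For CONNECT the second token is the host:port the client wants to reach.
        return {"kind": "plaintext_http", "target": parts[1] if is_connect else None}
    return {"kind": "unknown", "target": None}

def plaintext_clients(flows):
    """Return (client, target) for every flow that opened without a TLS handshake."""
    findings = []
    for client, payload in flows:
        result = classify_first_bytes(payload)
        if result["kind"] == "plaintext_http":
            findings.append((client, result["target"]))
    return findings

# The 82-byte request from the tcpdump capture in the report.
WGET_PAYLOAD = (b"CONNECT imirhil.fr:443 HTTP/1.1\r\n"
                b"User-Agent: Wget/1.25.0\r\n"
                b"Host: imirhil.fr:443\r\n\r\n")
# Constructed sample: TLS record header plus handshake header of a ClientHello.
CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC])

if __name__ == "__main__":
    flows = [("fd00:10::3:6", WGET_PAYLOAD), ("constructed-client", CLIENT_HELLO_PREFIX)]
    for client, target in plaintext_clients(flows):
        print(f"{client} sent cleartext CONNECT for {target} to the TLS proxy port")
```
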







