I had to test a couple of proxy servers lately which had problems passing
CONNECT connections. I was missing a tool "like s_client but using a
proxy", so I added a quick hack to s_client. This patch adds a switch
$ openssl s_client -proxy myproxy:8080 -connect remoteserver:443
---------------------^^^^^^^^^^^^^^^^^^^
which tunnels the secure connection over an HTTP proxy tunnel.
I call it a "hack" because
a) I think there must be better ways to receive the response
"HTTP/1.x 200 OK" from the proxy than read()ing it directly
b) the echo of the proxy response should be filtered to display
only for the appropriate -verbosity level.
c) no attempt is made to catch connection errors or responses
other than "200 OK" from the proxy (e.g. a 407 Proxy Authentication
Required, which would call for something like -proxyauth user:pass)
Anyway, I thought someone might find this useful, so feel free to improve!
Martin
--
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
? apps/cscope.out
Index: apps/s_client.c
===================================================================
RCS file: /home/cvs/OpenSSL/openssl/apps/s_client.c,v
retrieving revision 1.56
diff -u -r1.56 s_client.c
--- apps/s_client.c 16 Jul 2002 06:52:03 -0000 1.56
+++ apps/s_client.c 3 Sep 2002 13:26:49 -0000
@@ -182,6 +182,7 @@
BIO_printf(bio_err," -host host - use -connect instead\n");
BIO_printf(bio_err," -port port - use -connect instead\n");
BIO_printf(bio_err," -connect host:port - who to connect to (default is
%s:%s)\n",SSL_HOST_NAME,PORT_STR);
+ BIO_printf(bio_err," -proxy pxhost:pxport - use this proxy to access the
+host:port server\n");
BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
BIO_printf(bio_err," -cert arg - certificate file to use, PEM format
assumed\n");
@@ -232,8 +233,10 @@
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
short port=PORT;
+ short pxport=0;
int full_log=1;
char *host=SSL_HOST_NAME;
+ char *pxhost=NULL;
char *cert_file=NULL,*key_file=NULL;
char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
@@ -309,6 +312,12 @@
if (!extract_host_port(*(++argv),&host,NULL,&port))
goto bad;
}
+ else if (strcmp(*argv,"-proxy") == 0)
+ {
+ if (--argc < 1) goto bad;
+ if (!extract_host_port(*(++argv),&pxhost,NULL,&pxport))
+ goto bad;
+ }
else if (strcmp(*argv,"-verify") == 0)
{
verify=SSL_VERIFY_PEER;
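Review bot: The new `-proxy` branch only stores the parsed result in `pxhost`/`pxport` and leaves it to the later `if (pxhost && pxport)` gate, so a proxy spec that parses to port 0 silently falls back to a direct connection to the target — the opposite of what someone testing a proxy wants, and nothing reports it. Unless extract_host_port (defined outside this file) already rejects a zero port, add `if (pxport == 0) goto bad;` after the extract call so the option either takes effect or fails loudly. Note also that `pxport` is a `short`, like the existing `port`, so proxy ports above 32767 come out negative; that is a pre-existing limitation of the port handling rather than something this patch introduces, but it deserves a comment on the declaration. The enclosing option-parsing loop starts and ends outside the hunk.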
@@ -510,7 +519,37 @@
re_start:
- if (init_client(&s,host,port) == 0)
+ if (pxhost && pxport)
+ {
+ char *hdr_str = NULL;
+ char buf[1024];
+ int rx;
+ if (init_client(&s,pxhost,pxport) == 0)
+ {
+ BIO_printf(bio_err,"proxy:errno=%d\n",get_last_socket_error());
+ SHUTDOWN(s);
+ goto end;
+ }
+ if ((hdr_str =
+OPENSSL_malloc(2*strlen(host)+strlen(pxhost)+sizeof("CONNECT :65535 HTTP/1.0\r\nVia:
+\r\nHost: :65535\r\n\r\n"))) == NULL)
+ {
+ BIO_printf(bio_err,"proxy:out of memory\n");
+ goto end;
+ }
+ sprintf(hdr_str,"CONNECT %s:%u HTTP/1.0\r\n"
+ "Via: %s\r\n"
+ "Host: %s:%u\r\n\r\n",
+ host,port, pxhost, host,port);
+ write(s, hdr_str, strlen(hdr_str));
+ OPENSSL_free(hdr_str);
+ if ((rx = read(s,buf,sizeof buf - 1)) < 1)
+ {
+ BIO_printf(bio_err,"proxy:no response from proxy\n");
+ goto end;
+ }
+ buf[rx] = '\0';
+ BIO_printf(bio_err, "%s", buf);
+ }
+ else if (init_client(&s,host,port) == 0)
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);