--- openssl-0.9.8y/apps/s_client.c.orig		2013-02-05
+++ openssl-0.9.8y/apps/s_client.c		2013-06-13
@@ -195,6 +195,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -host host     - use -connect instead\n");
 	BIO_printf(bio_err," -port port     - use -connect instead\n");
 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
+	BIO_printf(bio_err," -http_proxy host:port - http proxy to use with CONNECT method\n");
 
 	BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
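Review bot: The option is named `-http_proxy` in this usage line and in the parser, but the synopsis entry this patch adds to doc/apps/s_client.pod reads `[B<-proxy host:port>]`, so the documented synopsis names an option the tool will reject. The pod line should read `[B<-http_proxy host:port>]`. The usage text could also say that `-connect` is required alongside it, since the CONNECT target is taken from that option.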
@@ -296,6 +298,7 @@ int MAIN(int argc, char **argv)
 	int sbuf_len,sbuf_off;
 	fd_set readfds,writefds;
 	short port=PORT;
+	char *http_proxy_str=NULL, *connect_str=NULL;
 	int full_log=1;
 	char *host=SSL_HOST_NAME;
 	char *cert_file=NULL,*key_file=NULL;
@@ -391,11 +394,15 @@ int MAIN(int argc, char **argv)
 			if (port == 0) goto bad;
 			}
 		else if (strcmp(*argv,"-connect") == 0)
-			{
-			if (--argc < 1) goto bad;
-			if (!extract_host_port(*(++argv),&host,NULL,&port))
-				goto bad;
-			}
+                        {
+                        if (--argc < 1) goto bad;
+                        connect_str = *(++argv);
+                        }
+		else if (strcmp(*argv,"-http_proxy") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        http_proxy_str = *(++argv);
+                        }
 		else if	(strcmp(*argv,"-verify") == 0)
 			{
 			verify=SSL_VERIFY_PEER;
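Review bot: The rewritten `-connect` branch and the new `-http_proxy` branch are indented with spaces, while the surrounding option chain uses tabs; the same happens at the brace after `else if (connect_str)` in the post-loop hunk. Keeping tabs would leave the existing braces and the `if (--argc < 1) goto bad;` line out of the diff, so only `connect_str = *(++argv);` would show as changed in the `-connect` branch. The option chain starts and ends outside this hunk.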
@@ -604,6 +611,18 @@ int MAIN(int argc, char **argv)
 		argc--;
 		argv++;
 		}
+
+	if (http_proxy_str)
+		{
+		if (!extract_host_port(http_proxy_str,&host,NULL,&port))
+			goto bad;
+		}
+	else if (connect_str)
+                {
+		if (!extract_host_port(connect_str,&host,NULL,&port))
+			goto bad;
+		}
+
 	if (badop)
 		{
 bad:
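Review bot: When `-http_proxy` is given without `-connect`, `connect_str` stays NULL and is later formatted with `%s` into the CONNECT request line; this block should reject that combination up front, e.g. `if (http_proxy_str && !connect_str) goto bad;`. In the proxy case the `-connect` value is also used verbatim and never validated, so a malformed target reaches the request line unchecked; that matters most when s_client is driven by a script with externally supplied arguments. A check that the value has host:port form and contains no CR or LF would be appropriate before it is sent. MAIN continues outside this hunk.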
@@ -1034,6 +1052,31 @@ SSL_set_tlsext_status_ids(con, ids);
 			goto shut;
 		mbuf[0] = 0;
 		}
+	if (http_proxy_str)
+		{
+		int foundit=0;
+		BIO *fbio = BIO_new(BIO_f_buffer());
+		BIO_push(fbio, sbio);
+		BIO_printf(fbio,"CONNECT %s HTTP/1.1\r\n\r\n", connect_str);
+		(void)BIO_flush(fbio);
+		/* wait for multi-line response to end CONNECT response */
+		do
+			{
+			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
+			if (strstr(mbuf,"200") &&
+			    strstr(mbuf,"established"))
+				foundit++;
+			}
+		while (mbuf_len>3 && foundit == 0);
+		(void)BIO_flush(fbio);
+		BIO_pop(fbio);
+		BIO_free(fbio);
+		if (!foundit)
+			{
+			BIO_printf(bio_err, "HTTP CONNECT failed\n");
+			goto shut;
+			}
+		}
 
 	for (;;)
 		{
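Review bot: The response loop treats any line containing both `200` and `established` as success and stops there. The status code is therefore never parsed, a reply with a differently cased or worded reason phrase is reported as a failure, and the remaining header lines are not consumed up to the blank line despite what the comment says. `BIO_new()` is also used without a NULL check. The fence below checks the status line by position and then drains the headers; the request send and the teardown are unchanged. The CONNECT request also carries no `Host:` header, which HTTP/1.1 expects, and MAIN starts and ends outside this hunk.

```c
		BIO *fbio = BIO_new(BIO_f_buffer());
		if (fbio == NULL)
			{
			BIO_printf(bio_err, "HTTP CONNECT failed\n");
			goto shut;
			}
		BIO_push(fbio, sbio);
		/* ... unchanged: send CONNECT request and flush ... */
		/* status line is "HTTP/1.x 200 <reason>"; the reason phrase is not checked */
		mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
		if (mbuf_len > 12 && strncmp(mbuf,"HTTP/1.",7) == 0 &&
		    strncmp(mbuf+8," 200",4) == 0)
			foundit=1;
		/* consume the remaining header lines up to the blank line */
		while (mbuf_len > 2)
			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
		/* ... unchanged: flush, pop and free fbio, report failure if !foundit ... */
```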
--- openssl-0.9.8y/doc/apps/s_client.pod.orig	2013-02-05
+++ openssl-0.9.8y/doc/apps/s_client.pod	2013-06-13
@@ -37,6 +37,7 @@ B<openssl> B<s_client>
 [B<-bugs>]
 [B<-cipher cipherlist>]
 [B<-starttls protocol>]
+[B<-proxy host:port>]
 [B<-engine id>]
 [B<-tlsextdebug>]
 [B<-no_ticket>]
@@ -190,6 +191,12 @@ send the protocol-specific message(s) to
 B<protocol> is a keyword for the intended protocol.  Currently, the only
 supported keywords are "smtp", "pop3", "imap", and "ftp".
 
+=item B<-http_proxy host:port>
+
+connect over HTTP proxy via CONNECT method. TCP connection is established
+with host:port from -http_proxy option and the CONNECT method is used to
+establish a tunneled connection to host:port from -connect option.
+
 =item B<-tlsextdebug>
 
 print out a hex dump of any TLS extensions received from the server. Note: this
