On Thursday 30 October 2014 10:55:49 Daniel Stenberg wrote: > On Thu, 30 Oct 2014, Tim Ruehsen wrote: > > How the test should work: > > - client open plain connection to proxy > > - client sends CONNECT request > > - server answers 200 OK > > - client/server change to SSL on the existing connection (in the real > > world > > the proxy does this when it established the requested connection to the > > outer world) > > Not exactly. The proxy can't do it on its own. HTTPS is designed[*] to work > peer to peer so it has to be the client to the server and the proxy is only > setting up the tunnel but can't do the SSL stuff.
Thanks for clarification (sorry for my sloppy writing). > > Of course the proxy could send a 'Proxy-Connection: close' with the first > > 401 answer and close the connection. For this case I create a second test > > case later. > > A proxy won't be able to show you anything in the SSL connection as that is > a tunnel to the server. If the proxy wants authentication it sends a 407 > instead of the initial 200, and that connection can of course get closed as > well. That's a good point for another test to set up (or maybe Test-proxy-auth- basic.px is doing that, I have to look at it). > [*] = at least originally, until the MITM-ing proxies entered the scheme and > complicated matters, but I prefer to view that as messed up SSL and not > "real" SSL =) Yes, however, Wget has to be able to work with these (if users request it). Thanks for sharing your well-founded knowledge. Tim
signature.asc
Description: This is a digitally signed message part.