John, The connection between the client (the agent) and the proxy is always unencrypted regardless of the transport mechanism used to access the target server (plain or SSL). Therefore, when the Basic authentication scheme is used to authenticate with the proxy, the credentials are transmitted in clear case. To my knowledge none of the mainstream proxy servers currently implements transport security between the client (the agent) and the proxy.
The HTTPS + Proxy + BASIC Authentication bug has been fixed in the 3.0-prealpha-nightly version of HttpClient. Please note that this is unstable development version and it is incompatible with 2.0 API. If things progress well, we may have the first official alpha out by the of May for the public review of the new 3.0 API. <http://jakarta.apache.org/commons/httpclient/downloads.html> Cheers, Oleg -----Original Message----- From: John Melody [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 13:36 To: [EMAIL PROTECTED] Subject: Httpclient + HTTPS + Proxy + BASIC Authentication Hi, I have read the notes on the bug in Httpclient V2.0 to do with using Basic Authentication with a HTTPS Url through a proxy. One workaround proposed is to use preemptive authentication. Are the credentials i.e. username, password sent unencrypted to the target server when Preemptive Authentication is used even through the URL is a https URL. There are some notes about a PATCH being available for this problem. If so, how do I get it - I am currently using HttpCLient V2.0. Can this version be patched to fix the problem or must I move to a newer version of httpclient to avail of the patch. thanks for any help, John. regards, John. John Melody SyberNet Ltd. Galway Business Park, Dangan, Galway. Tel. No. +353 91 514400 Fax. NO. +353 91 514409 Mobile - 087-2345847 --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] *************************************************************************************************** The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system. *************************************************************************************************** --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]