Hi Alan, Yes, great point!
Here is the output for the latest recommendations:

$ curl -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv
* Rebuilt URL to: https://127.0.0.1:8443/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

Then I tried

$ curl -k -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv
* Rebuilt URL to: https://127.0.0.1:8443/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US
*  start date: Dec  5 04:41:08 2020 GMT
*  expire date: Dec  3 04:41:08 2030 GMT
*  issuer: C=US
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9cf9006600)
> GET / HTTP/2
> Host: httbin.org:443
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 502
< date: Sat, 05 Dec 2020 20:16:39 GMT
< server: ATS/10.0.0
< cache-control: no-store
< content-type: text/html
< content-language: en
< content-length: 247
<
<HTML>
<HEAD>
<TITLE>Could Not Connect</TITLE>
</HEAD>
<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Could Not Connect</H1>
<HR>
<FONT FACE="Helvetica,Arial"><B>
Description: Could not connect to the requested server host.
</B></FONT>
<HR>
</BODY>
* Connection #0 to host 127.0.0.1 left intact

$ curl -k --proxy-insecure --proxy https://127.0.0.1:8443 https://httpbin.org:8443/get?answer=42 -v
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Proxy certificate:
*  subject: C=US
*  start date: Dec  5 04:41:08 2020 GMT
*  expire date: Dec  3 04:41:08 2030 GMT
*  issuer: C=US
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Establish HTTP proxy tunnel to httpbin.org:8443
> CONNECT httpbin.org:8443 HTTP/1.1
> Host: httpbin.org:8443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
>
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Proxy CONNECT aborted
* Connection #0 to host 127.0.0.1 left intact
curl: (56) Proxy CONNECT aborted

Hi guys, if anyone has a few minutes, I am happy to hop on a Zoom and share my screen, where we can quickly try out different options?

Thanks,
Lei
