On Sat, Dec 23 2017, Wei Shuyu jotted: > Git has been taught to support an https:// used for http.proxy when > using recent versions of libcurl. > > To use https proxy with self-signed certs, we need a way to > unset CURLOPT_PROXY_SSL_VERIFYPEER and CURLOPT_PROXY_SSL_VERIFYHOST > just like direct SSL connection. This is required if we want > use t/lib-httpd to test proxy. > > In this patch I reuse http.sslverify to do this, do we need an > independent option like http.sslproxyverify? > > To fully support https proxy, we also need ways to set more options > such as CURLOPT_PROXY_SSLCERT. However, I'm not sure if we need to > support them. It would be good to add a link to https://daniel.haxx.se/blog/2016/11/26/https-proxy-with-curl/ to the commit message, since it explains in great detail what this is for and how it compares to what we were doing before. > Signed-off-by: Wei Shuyu <wsy@xxxxxxxxxx> > --- > http.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/http.c b/http.c > index 215bebef1..d8a5e48f0 100644 > --- a/http.c > +++ b/http.c > @@ -708,6 +708,10 @@ static CURL *get_curl_handle(void) > if (!curl_ssl_verify) { > curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0); > curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 0); > +#if LIBCURL_VERSION_NUM >= 0x073400 > + curl_easy_setopt(result, CURLOPT_PROXY_SSL_VERIFYPEER, 0); > + curl_easy_setopt(result, CURLOPT_PROXY_SSL_VERIFYHOST, 0); > +#endif > } else { > /* Verify authenticity of the peer's certificate */ > curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 1); > @@ -865,6 +869,11 @@ static CURL *get_curl_handle(void) > else if (starts_with(curl_http_proxy, "socks")) > curl_easy_setopt(result, > CURLOPT_PROXYTYPE, CURLPROXY_SOCKS4); > +#endif > +#if LIBCURL_VERSION_NUM >= 0x073400 > + else if (starts_with(curl_http_proxy, "https")) > + curl_easy_setopt(result, > + CURLOPT_PROXYTYPE, CURLPROXY_HTTPS); > #endif > if (strstr(curl_http_proxy, "://")) > credential_from_url(&proxy_auth, curl_http_proxy);
