• tls, http with a proxy

    From Robert Karen@21:1/5 to All on Fri Jan 7 11:25:50 2022
    Hi, I am trying to get tcltls to tunnel through a squid proxy with https
    using ::http version 2.8.11 and tls version 1.7.22. Without the proxy
    I can retrieve web sites via https and with the proxy I can retrieve
    web sites over port 80, but when I try https w/ the proxy I get error:
    wrong version.

    Maybe the problem is how I run http::register. I tried different combinations. Which register command do I need, or do I need both of these:
    ::http::register https 443 ::tls::socket
    ::http::register https 3128 ::tls::socket
    3182 is the proxy port.

    I configured proxyhost and proxy port only. the current config values are:

    (EzTAB) 4 % ::http::config
    -accept */* -proxyfilter http::ProxyRequired -proxyhost 192.168.1.151 -proxyport 3128 -urlencoding utf-8 -useragent {Mozilla/5.0 (Windows; U; Windows NT 6.3) http/2.8.11 Tcl/8.6.7}

    Thanks for any help.

  • From Harald Oehlmann@21:1/5 to All on Sun Jan 9 14:22:25 2022
    Am 07.01.2022 um 20:25 schrieb Robert Karen:
    Hi, I am trying to get tcltls to tunnel through a squid proxy with https using ::http version 2.8.11 and tls version 1.7.22. Without the proxy
    I can retrieve web sites via https and with the proxy I can retrieve
    web sites over port 80, but when I try https w/ the proxy I get error:
    wrong version.

    Maybe the problem is how I run http::register. I tried different combinations.
    Which register command do I need, or do I need both of these: ::http::register https 443 ::tls::socket
    ::http::register https 3128 ::tls::socket
    3182 is the proxy port.

    I configured proxyhost and proxy port only. the current config values are:

    (EzTAB) 4 % ::http::config
    -accept */* -proxyfilter http::ProxyRequired -proxyhost 192.168.1.151 -proxyport 3128 -urlencoding utf-8 -useragent {Mozilla/5.0 (Windows; U; Windows NT 6.3) http/2.8.11 Tcl/8.6.7}

    Thanks for any help.



    Robert,
    just two thoughts, written while travelling and unchecked, which may or may not help:
    did you check out the tcllib package "autoproxy"?
    I vaguely remember that there was work done to support TLS via TWAPI. I
    think the TCLTLS support was already there.

    Unrelated note: if you are on the Windows operating system, I would recommend
    TWAPI instead of TCLTLS.

    Thank you and take care,
    Harald

  • From Alexandru@21:1/5 to All on Mon Jan 10 11:27:14 2022
    Here is my code (almost direct cut/paste from my source code, so maybe not fully self contained). Hope it helps.

    package require autoproxy
    package require twapi
    # Proxy endpoint. When host or port is left empty, ProxyApply falls back
    # to the URL returned by ::autoproxy::init.
    set ::proxy_host {}
    set ::proxy_port {}
    set ::proxy_prot HTTP
    # Optional proxy credentials. They are kept as plain strings in global
    # variables for the lifetime of the interpreter.
    set ::proxy_user {}
    set ::proxy_pass {}
    # CA bundle path read by TLSInit.
    set ::proxy_CAfile {}
    # Protocol switches read by TLSInit: a value of 1 makes it pass the
    # matching -ssl2/-ssl3/-tls1/-tls1.1/-tls1.2 option. SSLv2 and SSLv3 are
    # obsolete protocol versions and are left disabled here.
    set ::proxy_ssl2 0
    set ::proxy_ssl3 0
    set ::proxy_tls1 1
    set ::proxy_tls1.1 1
    set ::proxy_tls1.2 1
    # NumberIsInteger --
    #   Return 1 when x is a non-negative decimal integer written without a
    #   leading zero (a lone "0" is accepted), otherwise 0.
    #   The value must also pass [string is double -strict], and it must
    #   consist of digits only, so signs, decimal points, exponents and
    #   surrounding whitespace are all rejected.
    proc NumberIsInteger {x} {
        if {![string is double -strict $x]} {
            return 0
        }
        if {![regexp {^[0-9]+$} $x]} {
            return 0
        }
        if {[string length $x] == 1} {
            return 1
        }
        # Multi-digit values must not start with "0".
        return [expr {[string index $x 0] ne "0"}]
    }
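    # IsURL --
    #   Return 1 when path begins with the scheme prefix "http:" or "https:"
    #   (compared case-insensitively), otherwise 0.
    #
    #   The prefixes are compared literally with [string equal]. The earlier
    #   form passed the leading characters of path as the *pattern* argument
    #   of [string match], so glob characters in the input ("*", "?", "[...]")
    #   could satisfy the test for text that is not a URL at all.
    proc IsURL {path} {
        foreach scheme {http: https:} {
            if {[string equal -nocase -length [string length $scheme] $scheme $path]} {
                return 1
            }
        }
        return 0
    }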
    # PathSplit --
    #   Split path with [file split] and normalise its first element.
    #   - If the first element starts with "//", it is compared
    #     (case-insensitively, after [file normalize]) with the second field
    #     of each entry from ::twapi::wnet_connected_resources; on a match the
    #     first element is replaced by that entry's first field, with a
    #     trailing "/" added when missing.
    #     NOTE(review): the entries are treated as {drive netdrive} pairs;
    #     confirm against the twapi documentation.
    #   - If IsURL accepts the path, the first element becomes "https://" or
    #     "http://". This test is case-sensitive, unlike IsURL.
    #   Returns the resulting list.
    proc PathSplit {path} {
        set parts [file split $path]
        set head [lindex $parts 0]
        if {[string range $head 0 1] eq "//"} {
            foreach mapping [::twapi::wnet_connected_resources] {
                lassign $mapping letter remote
                if {![string equal -nocase [file normalize $remote] $head]} {
                    continue
                }
                if {[string index $letter end] ne "/"} {
                    append letter /
                }
                lset parts 0 $letter
                break
            }
        } elseif {[IsURL $path]} {
            if {[string range $head 0 4] eq "https"} {
                lset parts 0 https://
            } elseif {[string range $head 0 3] eq "http"} {
                lset parts 0 http://
            }
        }
        return $parts
    }
    # ProxyApply --
    #   Configure autoproxy and the http package from the proxy_* variables.
    #   When host or port is empty, the URL returned by ::autoproxy::init is
    #   split and used instead, provided its port passes NumberIsInteger.
    #   Always installs ProxyFilter as the http proxy filter.
    #
    #   NOTE(review): after auto-detection proxy_prot holds "http://" or
    #   "https://", while the default on this page is "HTTP" and TLSInit tests
    #   for "HTTPS"; confirm which spelling is intended.
    proc ProxyApply {} {
        variable proxy_host
        variable proxy_port
        variable proxy_prot
        variable proxy_user
        variable proxy_pass
        variable proxy_CAfile
        variable threadsuse
        # Pre-computed "user:password" value for ProxyFilter. Base64 is an
        # encoding, not encryption: anyone who can read this variable or the
        # resulting header can recover the password.
        variable proxy_pass_enc ""
        if {$proxy_user ne ""} {
            set proxy_pass_enc [base64::encode $proxy_user:$proxy_pass]
        }
        set detected [::autoproxy::init]
        if {$proxy_host eq "" || $proxy_port eq ""} {
            # No explicit proxy: take scheme, host and port from autoproxy.
            lassign [PathSplit $detected] prot host_and_port
            if {$prot in [list "http://" "https://"]} {
                lassign [split $host_and_port ":"] host port
                if {[NumberIsInteger $port]} {
                    set proxy_prot $prot
                    set proxy_host $host
                    set proxy_port $port
                }
            }
        }
        if {$proxy_host ne "" && $proxy_port ne ""} {
            ::autoproxy::configure -host $proxy_host -port $proxy_port
            if {$proxy_prot eq "https://"} {
                ::autoproxy::configure -tls_package twapi; # Use twapi instead of tls
            }
            if {$proxy_user ne ""} {
                # Basic authentication hands the credentials to the proxy in
                # recoverable form.
                ::autoproxy::configure -basic -username $proxy_user -password $proxy_pass
            }
        }
        http::config -proxyfilter ProxyFilter
    }
    # ProxyFilter --
    #   Proxy filter callback for the http package. Returns an empty result
    #   when no proxy is configured, otherwise the list {proxy_host proxy_port}.
    #   The host argument is not consulted, so every request gets the same
    #   answer.
    #
    #   When a proxy user is set, a Proxy-Authorization header is prepended to
    #   the -headers element of the caller's "state" array. This reaches into
    #   the caller's frame with upvar, and any failure is swallowed by catch.
    #   NOTE(review): confirm that this header is only ever sent to the proxy
    #   and is not forwarded to the origin server with the request.
    proc ProxyFilter {host} {
        variable proxy_host
        variable proxy_port
        variable proxy_prot
        variable proxy_user
        variable proxy_pass
        variable proxy_CAfile
        variable proxy_pass_enc

        if {$proxy_host eq "" || $proxy_port eq ""} {
            return
        }
        # Add authorisation header to the request (by Anders Ramdahl)
        if {$proxy_user ne ""} {
            catch {
                upvar state State
                set authValue [concat "Basic" $proxy_pass_enc]
                set State(-headers) [concat [list "Proxy-Authorization" $authValue] $State(-headers)]
            }
        }
        return [list $proxy_host $proxy_port]
    }
    # TLSInit --
    #   (Re)register the https handler for the http package and return the
    #   result of http::register (empty string if the twapi registration
    #   fails).
    #   Without a proxy, twapi::tls_socket is registered directly. With a
    #   proxy, autoproxy::tls_socket is registered together with the options
    #   assembled below.
    #
    #   NOTE(review): "timeout" is not defined in this snippet, and it is
    #   multiplied by 10 on every call that takes the proxy path.
    proc TLSInit {} {
        variable noexe
        variable sourcedir
        variable proxy_host
        variable proxy_port
        variable proxy_prot
        variable proxy_CAfile
        variable proxy_ssl2
        variable proxy_ssl3
        variable proxy_tls1
        variable proxy_tls1.1
        variable proxy_tls1.2
        variable timeout
        # tls help on http://www.sensus.org/tcl/tls.htm
        catch {::http::unregister https}
        # Apply proxy settings if available
        ProxyApply
        if {$proxy_host eq "" || $proxy_port eq ""} {
            # No proxy: use twapi (CA file is not needed). A registration
            # error is swallowed and reported only as an empty return value.
            if {[catch {http::register https 443 twapi::tls_socket} tlssocket]} {
                set tlssocket ""
            }
            return $tlssocket
        }
        # Proxy is set
        set timeout [expr {$timeout*10}]
        set tlsopts [list]
        set cafile [string map {\\ /} $proxy_CAfile]
        if {$cafile ne ""} {
            # NOTE(review): cafile is only tested for emptiness; no -cafile
            # option is appended. Confirm whether that line was lost in the
            # paste, because -require 1 needs a trust anchor to verify against.
            lappend tlsopts -request 1 -require 1
        }
        # NOTE(review): when no CA file is configured, no -require option is
        # passed, so certificate verification depends on the TLS package's
        # default. Confirm that the peer is actually authenticated.
        if {$proxy_prot eq "HTTPS"} {
            # NOTE(review): ProxyApply stores "http://" or "https://" in
            # proxy_prot, so this branch only runs when the caller sets
            # "HTTPS" by hand. SSLv2 and SSLv3 are obsolete; keep their
            # switches at 0.
            foreach ver {ssl2 ssl3 tls1 tls1.1 tls1.2} {
                set flag [set proxy_$ver]
                if {$flag==1} {
                    lappend tlsopts -$ver $flag
                }
            }
        }
        set tlssocket [::http::register https 443 [list autoproxy::tls_socket {*}$tlsopts]]
        return $tlssocket
    }
    # Register the https handler once, when the script is loaded.
    TLSInit

  • From Alexandru@21:1/5 to Robert Karen on Mon Jan 10 11:19:01 2022
    Robert Karen schrieb am Freitag, 7. Januar 2022 um 20:25:52 UTC+1:
    Hi, I am trying to get tcltls to tunnel through a squid proxy with https using ::http version 2.8.11 and tls version 1.7.22. Without the proxy
    I can retrieve web sites via https and with the proxy I can retrieve
    web sites over port 80, but when I try https w/ the proxy I get error:
    wrong version.

    Maybe the problem is how I run http::register. I tried different combinations.
    Which register command do I need, or do I need both of these: ::http::register https 443 ::tls::socket
    ::http::register https 3128 ::tls::socket
    3182 is the proxy port.

    I configured proxyhost and proxy port only. the current config values are:

    (EzTAB) 4 % ::http::config
    -accept */* -proxyfilter http::ProxyRequired -proxyhost 192.168.1.151 -proxyport 3128 -urlencoding utf-8 -useragent {Mozilla/5.0 (Windows; U; Windows NT 6.3) http/2.8.11 Tcl/8.6.7}

    Thanks for any help.

    Harald is right. I could never make it work using the standard Tcl tls package. Use TWAPI. Also, autoproxy helps a lot.

  • From Robert Karen@21:1/5 to Alexandru on Mon Jan 10 15:00:15 2022
    Thanks to both of you for answering. I wasn't able to get either tls or twapi to work with autoproxy; it just
    timed out each time. I was not sure what to do next and decided to try tclcurl, and it worked:
    curl::transfer -url https://www.mytargetsite.com -file index.html -httpproxytunnel 1 -proxy 192.168.1.151:3128

    Interestingly, this worked in brief testing (from the console) with the server I am trying to connect to (FWIW, an Apache server), but
    when I tried connecting to a couple of other sites (ibm.com, yahoo.com) I got only sporadic successes.

    I didn't see your post until after I tried this. will take a look tomorrow. thanks.

    On Monday, 10 January 2022 at 14:27:16 UTC-5, Alexandru wrote:
    Here is my code (almost direct cut/paste from my source code, so maybe not fully self contained). Hope it helps.

    package require autoproxy
    package require twapi
    # Proxy endpoint. When host or port is left empty, ProxyApply falls back
    # to the URL returned by ::autoproxy::init.
    set ::proxy_host {}
    set ::proxy_port {}
    set ::proxy_prot HTTP
    # Optional proxy credentials. They are kept as plain strings in global
    # variables for the lifetime of the interpreter.
    set ::proxy_user {}
    set ::proxy_pass {}
    # CA bundle path read by TLSInit.
    set ::proxy_CAfile {}
    # Protocol switches read by TLSInit: a value of 1 makes it pass the
    # matching -ssl2/-ssl3/-tls1/-tls1.1/-tls1.2 option. SSLv2 and SSLv3 are
    # obsolete protocol versions and are left disabled here.
    set ::proxy_ssl2 0
    set ::proxy_ssl3 0
    set ::proxy_tls1 1
    set ::proxy_tls1.1 1
    set ::proxy_tls1.2 1
    # NumberIsInteger --
    #   Return 1 when x is a non-negative decimal integer written without a
    #   leading zero (a lone "0" is accepted), otherwise 0.
    #   The value must also pass [string is double -strict], and it must
    #   consist of digits only, so signs, decimal points, exponents and
    #   surrounding whitespace are all rejected.
    proc NumberIsInteger {x} {
        if {![string is double -strict $x]} {
            return 0
        }
        if {![regexp {^[0-9]+$} $x]} {
            return 0
        }
        if {[string length $x] == 1} {
            return 1
        }
        # Multi-digit values must not start with "0".
        return [expr {[string index $x 0] ne "0"}]
    }
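    # IsURL --
    #   Return 1 when path begins with the scheme prefix "http:" or "https:"
    #   (compared case-insensitively), otherwise 0.
    #
    #   The prefixes are compared literally with [string equal]. The earlier
    #   form passed the leading characters of path as the *pattern* argument
    #   of [string match], so glob characters in the input ("*", "?", "[...]")
    #   could satisfy the test for text that is not a URL at all.
    proc IsURL {path} {
        foreach scheme {http: https:} {
            if {[string equal -nocase -length [string length $scheme] $scheme $path]} {
                return 1
            }
        }
        return 0
    }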
    # PathSplit --
    #   Split path with [file split] and normalise its first element.
    #   - If the first element starts with "//", it is compared
    #     (case-insensitively, after [file normalize]) with the second field
    #     of each entry from ::twapi::wnet_connected_resources; on a match the
    #     first element is replaced by that entry's first field, with a
    #     trailing "/" added when missing.
    #     NOTE(review): the entries are treated as {drive netdrive} pairs;
    #     confirm against the twapi documentation.
    #   - If IsURL accepts the path, the first element becomes "https://" or
    #     "http://". This test is case-sensitive, unlike IsURL.
    #   Returns the resulting list.
    proc PathSplit {path} {
        set parts [file split $path]
        set head [lindex $parts 0]
        if {[string range $head 0 1] eq "//"} {
            foreach mapping [::twapi::wnet_connected_resources] {
                lassign $mapping letter remote
                if {![string equal -nocase [file normalize $remote] $head]} {
                    continue
                }
                if {[string index $letter end] ne "/"} {
                    append letter /
                }
                lset parts 0 $letter
                break
            }
        } elseif {[IsURL $path]} {
            if {[string range $head 0 4] eq "https"} {
                lset parts 0 https://
            } elseif {[string range $head 0 3] eq "http"} {
                lset parts 0 http://
            }
        }
        return $parts
    }
    # ProxyApply --
    #   Configure autoproxy and the http package from the proxy_* variables.
    #   When host or port is empty, the URL returned by ::autoproxy::init is
    #   split and used instead, provided its port passes NumberIsInteger.
    #   Always installs ProxyFilter as the http proxy filter.
    #
    #   NOTE(review): after auto-detection proxy_prot holds "http://" or
    #   "https://", while the default on this page is "HTTP" and TLSInit tests
    #   for "HTTPS"; confirm which spelling is intended.
    proc ProxyApply {} {
        variable proxy_host
        variable proxy_port
        variable proxy_prot
        variable proxy_user
        variable proxy_pass
        variable proxy_CAfile
        variable threadsuse
        # Pre-computed "user:password" value for ProxyFilter. Base64 is an
        # encoding, not encryption: anyone who can read this variable or the
        # resulting header can recover the password.
        variable proxy_pass_enc ""
        if {$proxy_user ne ""} {
            set proxy_pass_enc [base64::encode $proxy_user:$proxy_pass]
        }
        set detected [::autoproxy::init]
        if {$proxy_host eq "" || $proxy_port eq ""} {
            # No explicit proxy: take scheme, host and port from autoproxy.
            lassign [PathSplit $detected] prot host_and_port
            if {$prot in [list "http://" "https://"]} {
                lassign [split $host_and_port ":"] host port
                if {[NumberIsInteger $port]} {
                    set proxy_prot $prot
                    set proxy_host $host
                    set proxy_port $port
                }
            }
        }
        if {$proxy_host ne "" && $proxy_port ne ""} {
            ::autoproxy::configure -host $proxy_host -port $proxy_port
            if {$proxy_prot eq "https://"} {
                ::autoproxy::configure -tls_package twapi; # Use twapi instead of tls
            }
            if {$proxy_user ne ""} {
                # Basic authentication hands the credentials to the proxy in
                # recoverable form.
                ::autoproxy::configure -basic -username $proxy_user -password $proxy_pass
            }
        }
        http::config -proxyfilter ProxyFilter
    }
    # ProxyFilter --
    #   Proxy filter callback for the http package. Returns an empty result
    #   when no proxy is configured, otherwise the list {proxy_host proxy_port}.
    #   The host argument is not consulted, so every request gets the same
    #   answer.
    #
    #   When a proxy user is set, a Proxy-Authorization header is prepended to
    #   the -headers element of the caller's "state" array. This reaches into
    #   the caller's frame with upvar, and any failure is swallowed by catch.
    #   NOTE(review): confirm that this header is only ever sent to the proxy
    #   and is not forwarded to the origin server with the request.
    proc ProxyFilter {host} {
        variable proxy_host
        variable proxy_port
        variable proxy_prot
        variable proxy_user
        variable proxy_pass
        variable proxy_CAfile
        variable proxy_pass_enc

        if {$proxy_host eq "" || $proxy_port eq ""} {
            return
        }
        # Add authorisation header to the request (by Anders Ramdahl)
        if {$proxy_user ne ""} {
            catch {
                upvar state State
                set authValue [concat "Basic" $proxy_pass_enc]
                set State(-headers) [concat [list "Proxy-Authorization" $authValue] $State(-headers)]
            }
        }
        return [list $proxy_host $proxy_port]
    }
    # TLSInit --
    #   (Re)register the https handler for the http package and return the
    #   result of http::register (empty string if the twapi registration
    #   fails).
    #   Without a proxy, twapi::tls_socket is registered directly. With a
    #   proxy, autoproxy::tls_socket is registered together with the options
    #   assembled below.
    #
    #   NOTE(review): "timeout" is not defined in this snippet, and it is
    #   multiplied by 10 on every call that takes the proxy path.
    proc TLSInit {} {
        variable noexe
        variable sourcedir
        variable proxy_host
        variable proxy_port
        variable proxy_prot
        variable proxy_CAfile
        variable proxy_ssl2
        variable proxy_ssl3
        variable proxy_tls1
        variable proxy_tls1.1
        variable proxy_tls1.2
        variable timeout
        # tls help on http://www.sensus.org/tcl/tls.htm
        catch {::http::unregister https}
        # Apply proxy settings if available
        ProxyApply
        if {$proxy_host eq "" || $proxy_port eq ""} {
            # No proxy: use twapi (CA file is not needed). A registration
            # error is swallowed and reported only as an empty return value.
            if {[catch {http::register https 443 twapi::tls_socket} tlssocket]} {
                set tlssocket ""
            }
            return $tlssocket
        }
        # Proxy is set
        set timeout [expr {$timeout*10}]
        set tlsopts [list]
        set cafile [string map {\\ /} $proxy_CAfile]
        if {$cafile ne ""} {
            # NOTE(review): cafile is only tested for emptiness; no -cafile
            # option is appended. Confirm whether that line was lost in the
            # paste, because -require 1 needs a trust anchor to verify against.
            lappend tlsopts -request 1 -require 1
        }
        # NOTE(review): when no CA file is configured, no -require option is
        # passed, so certificate verification depends on the TLS package's
        # default. Confirm that the peer is actually authenticated.
        if {$proxy_prot eq "HTTPS"} {
            # NOTE(review): ProxyApply stores "http://" or "https://" in
            # proxy_prot, so this branch only runs when the caller sets
            # "HTTPS" by hand. SSLv2 and SSLv3 are obsolete; keep their
            # switches at 0.
            foreach ver {ssl2 ssl3 tls1 tls1.1 tls1.2} {
                set flag [set proxy_$ver]
                if {$flag==1} {
                    lappend tlsopts -$ver $flag
                }
            }
        }
        set tlssocket [::http::register https 443 [list autoproxy::tls_socket {*}$tlsopts]]
        return $tlssocket
    }
    # Register the https handler once, when the script is loaded.
    TLSInit
