GNU bug report logs - #25518
25.1.91; url-retrieve does not work with https over proxy


Package: emacs;

Reported by: Andreas Schwab <schwab <at> linux-m68k.org>

Date: Tue, 24 Jan 2017 13:26:01 UTC

Severity: normal

Found in version 25.1.91

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#25518; Package emacs. (Tue, 24 Jan 2017 13:26:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Schwab <schwab <at> linux-m68k.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 24 Jan 2017 13:26:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Andreas Schwab <schwab <at> linux-m68k.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.1.91; url-retrieve does not work with https over proxy
Date: Tue, 24 Jan 2017 14:25:01 +0100

url-retrieve should use CONNECT when talking to a https URL over a proxy
and then talk over the connection as if not using a proxy.

;; use locally running privoxy as proxy
(setq url-proxy-services '(("https" . "localhost:8118")))
(with-current-buffer (url-retrieve-synchronously "https://www.heise.de")
  (buffer-string)) => "HTTP/1.1 200 Connection established\n\n"

Andreas.

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#25518; Package emacs. (Tue, 24 Jan 2017 20:34:02 GMT) Full text and rfc822 format available.

Message #8 received at 25518 <at> debbugs.gnu.org (full text, mbox):

From: David Engster <deng <at> randomsample.de>
To: Andreas Schwab <schwab <at> linux-m68k.org>
Cc: 25518 <at> debbugs.gnu.org
Subject: Re: bug#25518: 25.1.91;
 url-retrieve does not work with https over proxy
Date: Tue, 24 Jan 2017 21:33:04 +0100

Andreas Schwab writes:
> url-retrieve should use CONNECT when talking to a https URL over a proxy
> and then talk over the connection as if not using a proxy.
>
> ;; use locally running privoxy as proxy
> (setq url-proxy-services '(("https" . "localhost:8118")))
> (with-current-buffer (url-retrieve-synchronously "https://www.heise.de")
>   (buffer-string)) => "HTTP/1.1 200 Connection established\n\n"

Is this identical to #11788? If so, this is fixed only on master because
it was deemed too risky for emacs-25. I'm still of the opinion that this
is a serious security issue, because of the possible silent fallback to
http without the user noticing. I'm always running my Emacs with
3c623c26a manually backported.

-David
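
Added example, not part of the bug report or of Emacs's url library: the client side of the CONNECT exchange discussed in the two messages above, in Python. The names open_tunnel, run_exchange and TunnelError are hypothetical and the proxy replies are constructed; the point is that the proxy's "200 Connection established" reply is consumed by the client rather than returned as the document, and that a refusal aborts instead of falling back to plain http.

```python
import socket
import threading


class TunnelError(Exception):
    """The proxy refused or garbled the CONNECT request."""


def open_tunnel(sock, host, port):
    """Send CONNECT, consume the proxy's reply, return bytes read past it."""
    target = f"{host}:{port}"
    sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise TunnelError("proxy closed the connection during CONNECT")
        buf += chunk
    head, _, leftover = buf.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or parts[1][:1] != b"2":
        # Fail closed: no retry over plain http, and the proxy's reply is
        # never handed to the caller as if it were the origin's response.
        raise TunnelError(f"CONNECT rejected: {head[:60]!r}")
    # A real client now starts TLS on this same socket, e.g.
    # ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return leftover  # already tunnelled bytes, belongs to the TLS layer


def run_exchange(proxy_reply, tunnel_payload=b""):
    """Drive open_tunnel against a constructed in-process stand-in proxy."""
    client, proxy = socket.socketpair()
    seen = []

    def fake_proxy():
        req = b""
        while b"\r\n\r\n" not in req:
            req += proxy.recv(4096)
        seen.append(req)
        proxy.sendall(proxy_reply + tunnel_payload)
        proxy.close()

    t = threading.Thread(target=fake_proxy)
    t.start()
    try:
        return seen, open_tunnel(client, "www.heise.de", 443)
    finally:
        t.join()
        client.close()
```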




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#25518; Package emacs. (Tue, 24 Sep 2019 08:32:02 GMT) Full text and rfc822 format available.

Message #11 received at 25518 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Andreas Schwab <schwab <at> linux-m68k.org>
Cc: 25518 <at> debbugs.gnu.org
Subject: Re: bug#25518: 25.1.91; url-retrieve does not work with https over
 proxy
Date: Tue, 24 Sep 2019 10:31:53 +0200

Andreas Schwab <schwab <at> linux-m68k.org> writes:

> url-retrieve should use CONNECT when talking to a https URL over a proxy
> and then talk over the connection as if not using a proxy.
>
> ;; use locally running privoxy as proxy
> (setq url-proxy-services '(("https" . "localhost:8118")))
> (with-current-buffer (url-retrieve-synchronously "https://www.heise.de")
>   (buffer-string)) => "HTTP/1.1 200 Connection established\n\n"

I tried this with tinyproxy and Emacs 27, and it worked for me, so I'm
guessing this has been fixed in the meantime, and I'm closing the bug
report.

Please reopen if this is still an issue.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug closed, send any further explanations to 25518 <at> debbugs.gnu.org and Andreas Schwab <schwab <at> linux-m68k.org> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Tue, 24 Sep 2019 08:33:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 22 Oct 2019 11:24:05 GMT) Full text and rfc822 format available.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.