12

Note: this is not a duplicate of openssl s_client using a proxy, as I am specifically interested in proxy authentication, not the ability to use a proxy.

I'm using openssl s_client to inspect certificates of the target server to understand how/where the connection works or not. As I'm behind a corporate proxy, I can specify the proxy server with the -proxy flag; however, I need to pass authentication details (username/password) to this proxy, and I haven't figured out how to do that.

openssl s_client -proxy my.proxy.server:8080 -connect my.target.host

successfully connects to the proxy server; however, understandably, it results in the error s_client: HTTP CONNECT failed: 407 Unauthorized.

Passing the proxy server in the form of user:pass@my.proxy.server or http://user:pass@my.proxy.server both result in the error s_client: -proxy argument malformed or ambiguous.

How can I pass proxy authentication to s_client? I would find it hard to believe that it supports proxy but not authenticated proxy.

I'm using openssl version 1.1.1a.

Aleks G

3 Answers

1

Just to follow up on @Arnaud Grandville's answer: OpenSSL v3 beta 1 has now been released, and it includes proxy authentication options. You have to compile it yourself, however.

Unfortunately, in v3 beta 1 the HTTP code had some issues, so you can't use the code from their website as-is. Anyone looking to compile from source can use the commands below to get an OpenSSL installation with working proxy authentication:

git clone --branch openssl-3.0.0-beta1 https://github.com/openssl/openssl.git
cd openssl
git fetch
git checkout 6a1f9cd -- crypto/http/http_client.c
./Configure
make
make install

Edit: For later versions this is no longer necessary, as the bug was fixed. For example, for version 3.0.5 you can simply run:

git clone --branch openssl-3.0.5 https://github.com/openssl/openssl.git
cd openssl
./Configure
make
make install
justdan96
0

You can use escape-from-intranet https://github.com/quaddy-services/escape-from-intranet#introduction

and specify

host=my.proxy.server
port=8080

in the app and use

openssl s_client -proxy localhost:3128 -connect my.target.host

and your local running application will enrich the real proxy call with your credentials.

(In case you have a transparent proxy you need to switch the default proxy decision to "PROXY" in the "Decision" Menu)

0

OpenSSL v3.0 will support proxy_user and proxy_pass options.

No solution for now; the syntax after proxy is

 host + ':' + service
 host + ':' + '*'
 host + ':'
        ':' + service  
 '*'  + ':' + service
 host
 service

cf. BIO_parse_hostserv
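
What the 407 in the question means on the wire, and what proxy credentials add to the CONNECT request, as an added example (not code from the question, the answers, or OpenSSL). It assumes the proxy accepts the HTTP Basic scheme; the function names and the sample proxy replies are constructed for illustration.

```python
import base64

# Constructed proxy replies for illustration (not captured traffic).
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: Negotiate\r\n"
              b'Proxy-Authenticate: Basic realm="corp"\r\n\r\n')
SAMPLE_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"


def build_connect(host, port, user=None, password=""):
    """Build the CONNECT request, adding Basic credentials when user is given."""
    authority = f"{host}:{int(port)}"
    if any(c.isspace() for c in authority):
        raise ValueError("whitespace/CRLF in target would corrupt the request")
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if user is not None:
        if ":" in user:
            raise ValueError("Basic auth user-id must not contain ':'")
        # RFC 7617: base64("user:password"); encoding only, not encryption.
        token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_reply(raw):
    """Return (status_code, offered_auth_schemes) from the proxy's reply head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *headers = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    schemes = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return int(parts[1]), schemes


def diagnose(raw):
    """Map a proxy reply to the next step a client would take."""
    status, schemes = parse_reply(raw)
    if 200 <= status < 300:
        return "tunnel open: start the TLS handshake through it"
    if status == 407 and "basic" in (s.lower() for s in schemes):
        return "resend CONNECT with Proxy-Authorization: Basic"
    if status == 407:
        return "proxy offers no Basic scheme: " + ", ".join(schemes)
    return f"CONNECT refused with status {status}"
```

Because the Basic token is only base64, the credentials are readable on the client-to-proxy hop unless that hop is itself protected.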