
I'm working on a desktop C++ application which uses OpenSSL sockets (a raw TLS socket, not HTTPS) to communicate with our server.

One of our clients is required to route their traffic through a proxy. The client is using ZScaler in Tunnel with Local Proxy mode.

In theory, it's possible to reconfigure ZScaler to force our traffic through a proxy chosen by ZScaler. However, I want to investigate solutions where our application uses the Windows OS-level proxy settings rather than relying on ZScaler configuration.

I've read this post: "openssl s_client using a proxy"

But I'm uncertain whether those answers apply to my situation, because that user didn't mention whether they're using Windows or Linux, and they appear to be talking about an HTTP/HTTPS proxy. Also, that question appears to be asking about the s_client function, rather than simply creating a TLS socket to my server through a "Tunnel with Local Proxy" on Windows.

So, my questions are:
Can OpenSSL be used to open an SSL socket to a server through Tunnel with Local Proxy?

Can we make an OS call to determine the IP/socket for the Tunnel with Local Proxy configuration?

If this is possible, then I have another question: suppose we have a single proxy at 10.100.10.0:5000.

If one user in our client's office opens a socket to our server via their proxy, will a 2nd user be unable to connect from their office because they're bottlenecked at single proxy socket?

Put another way: what is the standard way of implementing proxy-awareness for a Windows application using OpenSSL?

Note: This question was originally posted to Network Engineering stack exchange, but it was closed because it refers to an issue above OSI layer 4.

Note: I'm looking for a solution that does not require administrator permissions on the user PC. I would prefer for our application to discover and use OS-level proxy settings without making any administrative changes to the machine, i.e. by calling netsh.

afarley

1 Answer


Can OpenSSL be used to open an SSL socket to a server through Tunnel with Local Proxy?

OpenSSL doesn't do it for you but OpenSSL does not prevent it either. The tunnel has to be established before you do the TLS handshake to the endpoint. Depending on what kind of proxy this is you might need to use an HTTP CONNECT method for this or might need to use the SOCKS protocol or whatever your proxy requires. In case of ZScaler this is likely the HTTP CONNECT method but you need to make sure that the connection to the target IP and port is actually allowed by the security policy.

Once you've established the tunnel to the endpoint using the proxy you can just build the SSL socket on top of the TCP socket for the tunnel. Just do the usual SSL setup (i.e. SSL_new etc) and then associate the SSL object with the existing socket using SSL_set_fd. Then proceed as usual with the handshake, i.e. SSL_connect or similar.

Can we make an OS call to determine the IP/socket for the Tunnel with Local Proxy configuration?

I don't know but "Winsock use system proxy settings" might answer this part.

If one user in our client's office opens a socket to our server via their proxy, will a 2nd user be unable to connect from their office because they're bottlenecked at single proxy socket?

This should not be a problem. It is perfectly normal to have multiple connections through the proxy.

Steffen Ullrich
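The tunnel-establishment step the answer describes (send HTTP CONNECT, wait for the proxy's 2xx, only then hand the socket to OpenSSL), as an added example that is not part of the answer and not code from the asker's application. It is deliberately limited to the part that can run without a network: building the CONNECT request and parsing the proxy's reply, including the cases a client has to handle (partial reads, 407 from a proxy that wants credentials, 403 from a policy denial, and a non-HTTP reply from something that is not a proxy). The host, port and response strings are constructed sample values; the proxy is assumed to need no authentication, and the OpenSSL calls in the trailing comment are the standard ones (SSL_set_fd, SSL_set_tlsext_host_name, SSL_set1_host, SSL_connect) rather than anything specific to ZScaler.

```cpp
#include <cctype>
#include <cstdlib>
#include <string>

// Outcome of parsing the proxy's reply to an HTTP CONNECT request.
struct ConnectResult {
    bool complete = false;     // false: header not fully received yet, read more and call again
    int status = 0;            // status code from the proxy's status line (0 if unparsable)
    bool tunnel_open = false;  // true only for a 2xx reply: raw TCP to the target is now usable
    std::string reason;        // explanation for logging
};

// Build the CONNECT request that asks the proxy to open a raw TCP tunnel to
// host:port. Nothing TLS-related is sent here: the TLS ClientHello must only
// go through the socket after the proxy has answered 2xx.
std::string build_connect_request(const std::string& host, unsigned port) {
    const std::string authority = host + ":" + std::to_string(port);
    return "CONNECT " + authority + " HTTP/1.1\r\n"
           "Host: " + authority + "\r\n"
           "Proxy-Connection: keep-alive\r\n"
           "\r\n";
}

// Parse whatever has been read from the proxy socket so far. The caller keeps
// appending received bytes to `buf` and calling this until `complete` is true.
ConnectResult parse_connect_response(const std::string& buf) {
    ConnectResult r;
    const std::string::size_type header_end = buf.find("\r\n\r\n");
    if (header_end == std::string::npos) {
        // Refuse to buffer forever if the peer never terminates the header.
        if (buf.size() > 16 * 1024) {
            r.complete = true;
            r.reason = "proxy header exceeds 16 KiB without terminating";
        }
        return r;
    }
    r.complete = true;

    // Status line is "HTTP/1.x SP 3DIGIT SP reason-phrase".
    const std::string line = buf.substr(0, buf.find("\r\n"));
    if (line.compare(0, 5, "HTTP/") != 0) {
        r.reason = "not an HTTP status line: " + line;
        return r;
    }
    const std::string::size_type sp = line.find(' ');
    if (sp == std::string::npos || sp + 4 > line.size()) {
        r.reason = "malformed status line: " + line;
        return r;
    }
    const std::string code = line.substr(sp + 1, 3);
    for (char c : code) {
        if (!std::isdigit(static_cast<unsigned char>(c))) {
            r.reason = "non-numeric status code: " + line;
            return r;
        }
    }
    r.status = std::atoi(code.c_str());

    if (r.status >= 200 && r.status < 300) {
        // A 2xx reply to CONNECT carries no body; the socket now behaves like a
        // plain TCP connection to the target. Hand it to OpenSSL here:
        //   SSL_set_fd(ssl, sock);
        //   SSL_set_tlsext_host_name(ssl, target_host);  // SNI for the real server
        //   SSL_set1_host(ssl, target_host);             // verify the cert against the
        //                                                // target, not the proxy address
        //   SSL_connect(ssl);
        r.tunnel_open = true;
        r.reason = "tunnel established";
    } else if (r.status == 407) {
        r.reason = "proxy requires authentication (Proxy-Authenticate in header)";
    } else if (r.status == 403) {
        r.reason = "proxy policy denied CONNECT to target";
    } else {
        r.reason = "proxy refused tunnel: " + line;
    }
    return r;
}

// Constructed sample replies, as a stand-in for bytes read from the proxy socket.
const std::string kProxyOk =
    "HTTP/1.1 200 Connection established\r\n\r\n";
const std::string kProxyNeedsAuth =
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Basic realm=\"example\"\r\n\r\n";
```

The point of splitting the reply handling this way is that the decision to start the TLS handshake is taken on the parsed status alone: anything other than a 2xx means the socket is still talking to the proxy, and starting SSL_connect there would either fail or, worse, complete a handshake with whatever answered. Certificate verification is pinned to the target hostname with SSL_set1_host so that the proxy's own address never becomes the verified identity.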