HTTP HTTP proxy HSTS curl_easy_duphandle

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Type: text/plain
Content-Length: 5
Strict-Transport-Security: max-age=31536000

Hello

HTTP/1.1 403 Forbidden
Content-Length: 0
Connection: close

HSTS https Debug proxy http http-proxy

CURL_HSTS_HTTP=yes

curl_easy_duphandle copies HSTS cache, auto upgrading HTTP to HTTPS.

lib%TESTNUMBER

- %HOSTIP %HTTPPORT %PROXYPORT

# First request: original handle GETs from the http server; the response
# carries Strict-Transport-Security, populating the live HSTS cache that
# the dup inherits.
GET /%TESTNUMBER HTTP/1.1
Host: hsts.example.com:%HTTPPORT
Accept: */*

# Second request: dup handle upgraded HTTP to HTTPS by copied HSTS cache,
# proxy receives CONNECT to port 443 proving the upgrade happened
CONNECT hsts.example.com:443 HTTP/1.1
Host: hsts.example.com:443
Proxy-Connection: Keep-Alive

First request: HSTS cache populated
Dup effective URL: https://hsts.example.com/%TESTNUMBER

# CURLE_COULDNT_CONNECT (7) is intentional: The proxy rejects the CONNECT
# to port 443, collapsing the tunnel. All that is being validated is the
# CONNECT to port 443 itself.
7