a little bit of glue to call openssl; mark@moxienet.com

4 files changed, 438 insertions, 0 deletions

diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAAUtil.c b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAAUtil.c
index a0312b49835..20463162247 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAAUtil.c
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAAUtil.c
@@ -49,6 +49,13 @@
 #include <HTAssoc.h>	/* Assoc list		*/
 #include <HTTCP.h>
 
+#ifdef USE_SSL
+#define free_func free__func
+#include <openssl/ssl.h>
+#undef free_func
+PRIVATE SSL * Handle = NULL;	/* The SSL Handle	*/
+#endif /* USE_SSL */
+
 #include <LYStrings.h>
 #include <LYLeaks.h>
 
@@ -554,7 +561,14 @@ PUBLIC char *HTAA_getUnfoldedLine NOARGS
 	/* Reading from socket */
 
 	if (start_pointer >= end_pointer) {/*Read the next block and continue*/
+#ifdef USE_SSL
+	    if (Handle)
+		count = SSL_read(Handle, buffer, BUFFER_SIZE);
+	    else
+		count = NETREAD(in_soc, buffer, BUFFER_SIZE);
+#else
 	    count = NETREAD(in_soc, buffer, BUFFER_SIZE);
+#endif /* USE_SSL */
 	    if (count <= 0) {
 		in_soc = -1;
 		return line;
diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTFormat.c b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTFormat.c
index f214b536966..ed309bf3796 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTFormat.c
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTFormat.c
@@ -16,6 +16,12 @@
 */
 #include <HTFormat.h>
 
+#ifdef USE_SSL
+#define free_func free__func
+#include <openssl/ssl.h>
+#undef free_func
+#endif /* USE_SSL */
+
 PUBLIC float HTMaxSecs = 1e10;		/* No effective limit */
 PUBLIC float HTMaxLength = 1e10;	/* No effective limit */
 PUBLIC long int HTMaxBytes  = 0;	/* No effective limit */
@@ -254,6 +260,39 @@ PUBLIC int HTGetCharacter NOARGS
     return FROMASCII((unsigned char)ch);
 }
 
+#ifdef USE_SSL
+PUBLIC char HTGetSSLCharacter ARGS1(void *, handle)
+{
+    char ch;
+    interrupted_in_htgetcharacter = 0;
+    if(!handle)
+	return (char)EOF;
+    do {
+	if (input_pointer >= input_limit) {
+	    int status = SSL_read((SSL *)handle,
+				 input_buffer, INPUT_BUFFER_SIZE);
+	    if (status <= 0) {
+		if (status == 0)
+		    return (char)EOF;
+		if (status == HT_INTERRUPTED) {
+		    CTRACE(tfp, "HTFormat: Interrupted in HTGetSSLCharacter\n");
+		    interrupted_in_htgetcharacter = 1;
+		    return (char)EOF;
+		}
+		CTRACE(tfp, "HTFormat: SSL_read error %d\n", status);
+		return (char)EOF; /* -1 is returned by UCX
+				     at end of HTTP link */
+	    }
+	    input_pointer = input_buffer;
+	    input_limit = input_buffer + status;
+	}
+	ch = *input_pointer++;
+    } while (ch == (char) 13); /* Ignore ASCII carriage return */
+
+    return FROMASCII(ch);
+}
+#endif /* USE_SSL */
+
 /*  Match maintype to any MIME type starting with maintype,
  *  for example:  image/gif should match image
  */
@@ -624,7 +663,14 @@ PUBLIC int HTCopy ARGS4(
 	    goto finished;
 	}
 
+#ifdef USE_SSL
+	if (handle)
+	    status = SSL_read((SSL *)handle, input_buffer, INPUT_BUFFER_SIZE);
+	else
+	    status = NETREAD(file_number, input_buffer, INPUT_BUFFER_SIZE);
+#else
 	status = NETREAD(file_number, input_buffer, INPUT_BUFFER_SIZE);
+#endif /* USE_SSL */
 
 	if (status <= 0) {
 	    if (status == 0) {
diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTNews.c b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTNews.c
index 5b16ee3c90d..5d511904e52 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTNews.c
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTNews.c
@@ -35,9 +35,26 @@ PUBLIC int HTNewsMaxChunk = 40; /* Largest number of articles in one window */
 #define SERVER_FILE "/usr/local/lib/rn/server"
 #endif /* SERVER_FILE */
 
+#ifdef USE_SSL
+#define free_func free__func
+#include <openssl/ssl.h>
+#undef free_func
+extern SSL_CTX * ssl_ctx;
+extern SSL * HTGetSSLHandle NOPARAMS;
+PRIVATE SSL * Handle = NULL;
+PRIVATE int channel_s = 1;
+#define NEWS_NETWRITE(sock, buff, size) \
+	(Handle ? SSL_write(Handle, buff, size) : NETWRITE(sock, buff, size))
+#define NEWS_NETCLOSE(sock) \
+	{ (void)NETCLOSE(sock); if (Handle) SSL_free(Handle); Handle = NULL; }
+extern char HTGetSSLCharacter PARAMS((void *handle));
+PRIVATE char HTNewsGetCharacter NOPARAMS;
+#define NEXT_CHAR HTNewsGetCharacter()
+#else
 #define NEWS_NETWRITE  NETWRITE
 #define NEWS_NETCLOSE  NETCLOSE
 #define NEXT_CHAR HTGetCharacter()
+#endif /* USE_SSL */
 
 #include <HTML.h>
 #include <HTParse.h>
@@ -2121,11 +2138,13 @@ PRIVATE int HTLoadNews ARGS4(
 			  group_wanted) &&
 			strchr(arg, '@') == NULL) && (strchr(arg, '*') != NULL);
 
+#ifndef USE_SSL
 	if (!strncasecomp(arg, "snewspost:", 10) ||
 	    !strncasecomp(arg, "snewsreply:", 11)) {
 	    HTAlert(FAILED_CANNOT_POST_SSL);
 	    return HT_NOT_LOADED;
 	}
+#endif /* !USE_SSL */
 	if (post_wanted || reply_wanted || spost_wanted || sreply_wanted) {
 	    /*
 	    **	Make sure we have a non-zero path for the newsgroup(s). - FM
@@ -2213,8 +2232,43 @@ PRIVATE int HTLoadNews ARGS4(
 	    StrAllocCopy(NewsHREF, command);
 	}
 	else if (!strncasecomp(arg, "snews:", 6)) {
+#ifdef USE_SSL
+	    if (((*(arg + 6) == '\0') ||
+		 (!strcmp((arg + 6), "/") ||
+		  !strcmp((arg + 6), "//") ||
+		  !strcmp((arg + 6), "///"))) ||
+		((!strncmp((arg + 6), "//", 2)) &&
+		 (!(cp = strchr((arg + 8), '/')) || *(cp + 1) == '\0'))) {
+		p1 = "*";
+		group_wanted = FALSE;
+		list_wanted = TRUE;
+	    } else if (*(arg + 6) != '/') {
+		p1 = (arg + 6);
+	    } else if (*(arg + 6) == '/' && *(arg + 7) != '/') {
+		p1 = (arg + 7);
+	    } else {
+		p1 = (cp + 1);
+	    }
+	    if (!(cp = HTParse(arg, "", PARSE_HOST)) || *cp == '\0') {
+		if (s >= 0 && NewsHost && strcasecomp(NewsHost, HTNewsHost)) {
+		    NEWS_NETCLOSE(s);
+		    s = -1;
+		}
+		StrAllocCopy(NewsHost, HTNewsHost);
+	    } else {
+		if (s >= 0 && NewsHost && strcasecomp(NewsHost, cp)) {
+		    NEWS_NETCLOSE(s);
+		    s = -1;
+		}
+	    StrAllocCopy(NewsHost, cp);
+	    }
+	    FREE(cp);
+	    sprintf(command, "snews://%.250s/", NewsHost);
+	    StrAllocCopy(NewsHREF, command);
+#else
 	    HTAlert(gettext("This client does not contain support for SNEWS URLs."));
 	    return HT_NOT_LOADED;
+#endif /* USE_SSL */
 	}
 	else if (!strncasecomp (arg, "news:/", 6)) {
 	    if (((*(arg + 6) == '\0') ||
@@ -2426,7 +2480,18 @@ PRIVATE int HTLoadNews ARGS4(
 
 	    _HTProgress(gettext("Connecting to NewsHost ..."));
 
+#ifdef USE_SSL
+	    if (!using_proxy &&
+		(!strncmp(arg, "snews:", 6) ||
+		 !strncmp(arg, "snewspost:", 10) ||
+		 !strncmp(arg, "snewsreply:", 11)))
+		status = HTDoConnect (url, "NNTPS", SNEWS_PORT, &s);
+	    else
+		status = HTDoConnect (url, "NNTP", NEWS_PORT, &s);
+#else
 	    status = HTDoConnect (url, "NNTP", NEWS_PORT, &s);
+#endif /* USE_SSL */
+
 	    if (status == HT_INTERRUPTED) {
 		/*
 		**  Interrupt cleanly.
@@ -2442,6 +2507,12 @@ PRIVATE int HTLoadNews ARGS4(
 		FREE(ProxyHost);
 		FREE(ProxyHREF);
 		FREE(ListArg);
+#ifdef USE_SSL
+		if (Handle) {
+		    SSL_free(Handle);
+		    Handle = NULL;
+		}
+#endif /* USE_SSL */
 		if (postfile) {
 		    HTSYS_remove(postfile);
 		    FREE(postfile);
@@ -2472,6 +2543,49 @@ PRIVATE int HTLoadNews ARGS4(
 	    } else {
 		CTRACE(tfp, "HTNews: Connected to news host %s.\n",
 			    NewsHost);
+#ifdef USE_SSL
+		/*
+		**  If this is an snews url,
+		**  then do the SSL stuff here
+		*/
+		if (!using_proxy &&
+		    (!strncmp(url, "snews", 5) ||
+		     !strncmp(url, "snewspost:", 10) ||
+		     !strncmp(url, "snewsreply:", 11))) {
+		    Handle = HTGetSSLHandle();
+		    SSL_set_fd(Handle, s);
+		    status = SSL_connect(Handle);
+
+		    if (status <= 0) {
+			CTRACE(tfp,
+"HTNews: Unable to complete SSL handshake for remote host '%s' (SSLerror = %d)\n",
+			       url, status);
+			HTAlert(
+			    "Unable to make secure connection to remote host.");
+			NEWS_NETCLOSE(s);
+			s = -1;
+			if (!(post_wanted || reply_wanted ||
+			      spost_wanted || sreply_wanted))
+			    (*targetClass._abort)(target, NULL);
+			FREE(NewsHost);
+			FREE(NewsHREF);
+			FREE(ProxyHost);
+			FREE(ProxyHREF);
+			FREE(ListArg);
+			if (postfile) {
+#ifdef VMS
+			    while (remove(postfile) == 0)
+			    ; /* loop through all versions */
+#else
+			    remove(postfile);
+#endif /* VMS */
+			    FREE(postfile);
+			}
+			return HT_NOT_LOADED;
+		    }
+		    _HTProgress(SSL_get_cipher(Handle));
+		}
+#endif /* USE_SSL */
 		HTInitInput(s); 	/* set up buffering */
 		if (proxycmd[0]) {
 		    status = NEWS_NETWRITE(s, proxycmd, strlen(proxycmd));
@@ -2804,6 +2918,45 @@ PUBLIC void HTClearNNTPAuthInfo NOARGS
     free_NNTP_AuthInfo();
 }
 
+#ifdef USE_SSL
+PRIVATE char HTNewsGetCharacter NOARGS
+{
+    if (!Handle)
+        return HTGetCharacter();
+    else
+        return HTGetSSLCharacter((void *)Handle);
+}
+
+PUBLIC int HTNewsProxyConnect ARGS5 (int, sock, CONST char *, url, 
+				     HTParentAnchor *, anAnchor,
+				     HTFormat, format_out,
+				     HTStream *, sink)
+{
+    int status;
+    CONST char * arg = url;
+
+    s = channel_s = sock;
+    Handle = HTGetSSLHandle();
+    SSL_set_fd(Handle, s);
+    status = SSL_connect(Handle);
+
+    if (status <= 0) {
+        channel_s = -1;
+	CTRACE(tfp,
+"HTTP: Unable to complete SSL handshake for remote host '%s' (SSLerror = %d)\n",
+		   url, status);
+	HTAlert("Unable to make secure connection to remote host.");
+	NEWS_NETCLOSE(s);
+	s = -1;
+	return HT_NOT_LOADED;
+    }
+    _HTProgress(SSL_get_cipher(Handle));
+    status = HTLoadNews(arg, anAnchor, format_out, sink);
+    channel_s = -1;
+    return status;
+}
+#endif /* USE_SSL */
+
 #ifdef GLOBALDEF_IS_MACRO
 #define _HTNEWS_C_1_INIT { "news", HTLoadNews, NULL }
 GLOBALDEF (HTProtocol,HTNews,_HTNEWS_C_1_INIT);
diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c
index 96067a51750..7bad3c773f9 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c
@@ -10,6 +10,13 @@
 #include <HTTP.h>
 #include <LYUtils.h>
 
+#ifdef USE_SSL
+#define free_func free__func
+#include <openssl/ssl.h>
+#include <openssl/crypto.h>
+#undef free_func
+#endif /* USE_SSL */
+
 #define HTTP_VERSION	"HTTP/1.0"
 
 #define HTTP_PORT   80
@@ -64,9 +71,51 @@ extern char *http_error_file;	 /* Store HTTP status code in this file */
 extern BOOL traversal;		 /* TRUE if we are doing a traversal */
 extern BOOL dump_output_immediately;  /* TRUE if no interactive user */
 
+#ifdef USE_SSL
+PUBLIC SSL_CTX * ssl_ctx = NULL;	/* SSL ctx */
+
+PRIVATE void free_ssl_ctx NOARGS
+{
+    if (ssl_ctx != NULL)
+        SSL_CTX_free(ssl_ctx);
+}
+
+PUBLIC SSL * HTGetSSLHandle NOARGS
+{
+    if (ssl_ctx == NULL) {
+        /*
+	 *  First time only.
+	 */
+#if SSLEAY_VERSION_NUMBER < 0x0800
+        ssl_ctx = SSL_CTX_new();
+	X509_set_default_verify_paths(ssl_ctx->cert);
+#else
+	SSLeay_add_ssl_algorithms();
+	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+	SSL_CTX_set_default_verify_paths(ssl_ctx);
+#endif /* SSLEAY_VERSION_NUMBER < 0x0800 */
+	atexit(free_ssl_ctx);
+    }
+    return(SSL_new(ssl_ctx));
+}
+
+#define HTTP_NETREAD(sock, buff, size, handle) \
+	(handle ? SSL_read(handle, buff, size) : NETREAD(sock, buff, size))
+#define HTTP_NETWRITE(sock, buff, size, handle) \
+	(handle ? SSL_write(handle, buff, size) : NETWRITE(sock, buff, size))
+#define HTTP_NETCLOSE(sock, handle)  \
+	{ (void)NETCLOSE(sock); if (handle) SSL_free(handle); handle = NULL; }
+
+extern int HTNewsProxyConnect PARAMS (( int sock, CONST char *url, 
+					HTParentAnchor *anAnchor,
+					HTFormat format_out,
+					HTStream *sink ));
+#else
 #define HTTP_NETREAD(a, b, c, d)   NETREAD(a, b, c)
 #define HTTP_NETWRITE(a, b, c, d)  NETWRITE(a, b, c)
 #define HTTP_NETCLOSE(a, b)  (void)NETCLOSE(a)
+#endif /* USE_SSL */
 
 
 /*		Load Document from HTTP Server			HTLoadHTTP()
@@ -121,7 +170,18 @@ PRIVATE int HTLoadHTTP ARGS4 (
   BOOL doing_redirect, already_retrying = FALSE, bad_location = FALSE;
   int len = 0;
 
+#ifdef USE_SSL
+  BOOL do_connect = FALSE;    /* ARE WE going to use a proxy tunnel ? */
+  BOOL did_connect = FALSE;   /* ARE WE actually using a proxy tunnel ? */
+  CONST char *connect_url = NULL; /* The URL being proxied */
+  char *connect_host = NULL;  /* The host being proxied */
+  SSL * handle = NULL;                /* The SSL handle */
+#if SSLEAY_VERSION_NUMBER >= 0x0900
+  BOOL try_tls = TRUE;
+#endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
+#else
   void * handle = NULL;
+#endif /* USE_SSL */
 
   if (anAnchor->isHEAD)
       do_head = TRUE;
@@ -139,6 +199,30 @@ PRIVATE int HTLoadHTTP ARGS4 (
       goto done;
   }
 
+#ifdef USE_SSL
+  if (using_proxy && !strncmp(url, "http://", 7)) {
+      if (connect_url = strstr((url+7), "https://")) {
+	  do_connect = TRUE;
+	  connect_host = HTParse(connect_url, "https", PARSE_HOST);
+	  if (!strchr(connect_host, ':')) {
+	      sprintf(temp, ":%d", HTTPS_PORT);
+	      StrAllocCat(connect_host, temp);
+	  }
+	  CTRACE(tfp, "HTTP: connect_url = '%s'\n", connect_url);
+	  CTRACE(tfp, "HTTP: connect_host = '%s'\n", connect_host);
+      } else if (connect_url = strstr((url+7), "snews://")) {
+	  do_connect = TRUE;
+	  connect_host = HTParse(connect_url, "snews", PARSE_HOST);
+	  if (!strchr(connect_host, ':')) {
+	      sprintf(temp, ":%d", SNEWS_PORT);
+	      StrAllocCat(connect_host, temp);
+	  }
+	  CTRACE(tfp, "HTTP: connect_url = '%s'\n", connect_url);
+	  CTRACE(tfp, "HTTP: connect_host = '%s'\n", connect_host);
+      }
+  }
+#endif /* USE_SSL */
+
   sprintf(crlf, "%c%c", CR, LF);
 
   /*
@@ -162,12 +246,18 @@ try_again:
   line_kept_clean = NULL;
 
   if (!strncmp(url, "https", 5))
+#ifdef USE_SSL
+    status = HTDoConnect (url, "HTTPS", HTTPS_PORT, &s);
+  else
+    status = HTDoConnect (url, "HTTP", HTTP_PORT, &s);
+#else
     {
       HTAlert(gettext("This client does not contain support for HTTPS URLs."));
       status = HT_NOT_LOADED;
       goto done;
     }
   status = HTDoConnect (arg, "HTTP", HTTP_PORT, &s);
+#endif /* USE_SSL */
   if (status == HT_INTERRUPTED) {
       /*
       **  Interrupt cleanly.
@@ -185,12 +275,79 @@ try_again:
       goto done;
   }
 
+#ifdef USE_SSL
+use_tunnel:
+  /*
+  ** If this is an https document
+  ** then do the SSL stuff here
+  */
+  if (did_connect || !strncmp(url, "https", 5)) {
+      handle = HTGetSSLHandle();
+      SSL_set_fd(handle, s);
+#if SSLEAY_VERSION_NUMBER >= 0x0900
+      if (!try_tls)
+          handle->options|=SSL_OP_NO_TLSv1;
+#endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
+      status = SSL_connect(handle);
+
+      if (status <= 0) {
+#if SSLEAY_VERSION_NUMBER >= 0x0900
+	  if (try_tls) {
+              CTRACE(tfp, "HTTP: Retrying connection without TLS\n");
+	      _HTProgress("Retrying connection.");
+	      try_tls = FALSE;
+	      if (did_connect)
+	          HTTP_NETCLOSE(s, handle);
+      	      goto try_again;
+	  } else {
+              CTRACE(tfp,
+"HTTP: Unable to complete SSL handshake for remote host '%s' (SSLerror = %d)\n",
+				url, status);
+      	      HTAlert("Unable to make secure connection to remote host.");
+	      if (did_connect)
+	          HTTP_NETCLOSE(s, handle);
+      	      status = HT_NOT_LOADED;
+      	      goto done;
+	  }
+#else
+              CTRACE(tfp,
+"HTTP: Unable to complete SSL handshake for remote host '%s' (SSLerror = %d)\n",
+				url, status);
+      	  HTAlert("Unable to make secure connection to remote host.");
+	  if (did_connect)
+	      HTTP_NETCLOSE(s, handle);
+      	  status = HT_NOT_LOADED;
+      	  goto done;
+#endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
+      }
+      _HTProgress (SSL_get_cipher(handle));
+
+#ifdef NOTDEFINED
+      if (strcmp(HTParse(url, "", PARSE_HOST),
+      		 strstr(X509_NAME_oneline(
+		 	X509_get_subject_name(
+				handle->session->peer)),"/CN=")+4)) {
+	  HTAlert("Certificate is for different host name");
+	  HTAlert(strstr(X509_NAME_oneline(
+	  		 X509_get_subject_name(
+			 	handle->session->peer)),"/CN=")+4);
+      }
+#endif /* NOTDEFINED */
+  }
+#endif /* USE_SSL */
+
   /*	Ask that node for the document,
   **	omitting the host name & anchor
   */
   {
     char * p1 = (HTParse(url, "", PARSE_PATH|PARSE_PUNCTUATION));
 
+#ifdef USE_SSL
+    if (do_connect) {
+	METHOD = "CONNECT";
+	StrAllocCopy(command, "CONNECT ");
+    } else
+#endif /* USE_SSL */
     if (do_post) {
 	METHOD = "POST";
 	StrAllocCopy(command, "POST ");
@@ -207,8 +364,17 @@ try_again:
     **	of say: /gopher://a;lkdjfl;ajdf;lkj/;aldk/adflj
     **	so that just gopher://.... is sent.
     */
+#ifdef USE_SSL
+    if (using_proxy && !did_connect) {
+	if (do_connect)
+	    StrAllocCat(command, connect_host);
+      else
+	StrAllocCat(command, p1+1);
+    }
+#else
     if (using_proxy)
 	StrAllocCat(command, p1+1);
+#endif /* USE_SSL */
     else
 	StrAllocCat(command, p1);
     FREE(p1);
@@ -455,6 +621,10 @@ try_again:
 		} else {
 		    if (traversal || dump_output_immediately)
 			HTAlert(FAILED_NEED_PASSWD);
+#ifdef USE_SSL
+		    if(did_connect)
+			HTTP_NETCLOSE(s, handle);
+#endif /* USE_SSL */
 		    FREE(command);
 		    FREE(hostname);
 		    FREE(docname);
@@ -570,7 +740,11 @@ try_again:
       auth_proxy = NO;
   }
 
+#ifdef USE_SSL
+    if (!do_connect && do_post) {
+#else
     if (do_post) {
+#endif /* USE_SSL */
 	CTRACE (tfp, "HTTP: Doing post, content-type '%s'\n",
 		     anAnchor->post_content_type ? anAnchor->post_content_type
 						 : "lose");
@@ -596,9 +770,15 @@ try_again:
   else
       StrAllocCat(command, crlf);	/* Blank line means "end" of headers */
 
+#ifdef USE_SSL
+  CTRACE (tfp, "Writing:\n%s%s----------------------------------\n",
+	       command,
+	       (anAnchor->post_data && !do_connect ? crlf : ""));
+#else
   CTRACE (tfp, "Writing:\n%s%s----------------------------------\n",
 	       command,
 	       (anAnchor->post_data ? crlf : ""));
+#endif /* USE_SSL */
 
   _HTProgress (gettext("Sending HTTP request."));
 
@@ -955,6 +1135,35 @@ try_again:
 		 *  > 206 is unknown.
 		 *  All should return something to display.
 		 */
+#ifdef USE_SSL
+	        if (do_connect) {
+		    CTRACE(tfp, "HTTP: Proxy tunnel to '%s' established.\n",
+				connect_host);
+		    do_connect = FALSE;
+		    url = connect_url;
+		    FREE(line_buffer);
+		    FREE(line_kept_clean);
+		    if (!strncmp(connect_url, "snews", 5)) {
+			CTRACE(tfp,
+			"      Will attempt handshake and snews connection.\n");
+			status = HTNewsProxyConnect(s, url, anAnchor,
+						    format_out, sink);
+			goto done;
+		    }
+		    did_connect = TRUE;
+		    already_retrying = TRUE;
+		    eol = 0;
+		    bytes_already_read = 0;
+		    had_header = NO;
+		    length = 0;
+		    doing_redirect = FALSE;
+	            permanent_redirection = FALSE;
+		    target = NULL;
+		    CTRACE(tfp,
+			"      Will attempt handshake and resubmit headers.\n");
+		    goto use_tunnel;
+		}
+#endif /* USE_SSL */
 		HTProgress(line_buffer);
 	    } /* case 2 switch */
 	    break;
@@ -1512,6 +1721,13 @@ Cookie2_continuation:
 			gettext("Retrying with access authorization information."));
 		    FREE(line_buffer);
 		    FREE(line_kept_clean);
+#ifdef USE_SSL
+		    if (using_proxy && !strncmp(url, "https://", 8)) {
+			url = arg;
+			do_connect = TRUE;
+			did_connect = FALSE;
+		    }
+#endif /* USE_SSL */
 		    goto try_again;
 		} else if (!(traversal || dump_output_immediately) &&
 			   HTConfirm(gettext("Show the 401 message body?"))) {
@@ -1812,6 +2028,15 @@ done:
   do_head = FALSE;
   do_post = FALSE;
   reloading = FALSE;
+#ifdef USE_SSL
+  do_connect = FALSE;
+  did_connect = FALSE;
+  FREE(connect_host);
+  if (handle) {
+    SSL_free(handle);
+    handle = NULL;
+  }
+#endif /* USE_SSL */
   return status;
 }