From: Peter Zhang <13811521135@163.com>
Date: Wed, 11 Mar 2026 22:59:48 +0000 (+0000)
Subject: Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect
X-Git-Tag: openssl-4.0.0~111
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e9ba9d69f785de4f5f4deb9be0e6f7563235c0a;p=thirdparty%2Fopenssl.git

Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect

When server contains a bare IPv6 address, OSSL_HTTP_proxy_connect() must
wrap it in square brackets for the CONNECT request line (e.g.,
CONNECT [::1]:443 HTTP/1.0).  Also handle the case where the server
string already includes brackets (as returned by OSSL_HTTP_parse_url).

Fixes: 29f178bddfdb ("Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c")

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:32:06 2026
(Merged from https://github.com/openssl/openssl/pull/30384)

(cherry picked from commit b721a59fef180311d62a932c2d5be8a83942cbbe)
---

diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 16f263d3275..f9f7bff0d11 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1466,7 +1466,11 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
     }
     BIO_push(fbio, bio);
 
-    BIO_printf(fbio, "CONNECT %s:%s " HTTP_1_0 "\r\n", server, port);
+    /* Add square brackets around a naked IPv6 address */
+    if (server[0] != '[' && strchr(server, ':') != NULL)
+        BIO_printf(fbio, "CONNECT [%s]:%s " HTTP_1_0 "\r\n", server, port);
+    else
+        BIO_printf(fbio, "CONNECT %s:%s " HTTP_1_0 "\r\n", server, port);
 
     /*
      * Workaround for broken proxies which would otherwise close