Added a new 'bit' in the connect struct named 'tunnel_proxy' that is set

if a connection is tunneled through a proxy. A tunnel is done with CONNECT,
either when using HTTPS or FTPS, or if explicitly enabled by the app.

lib/ftp.c

@@ -487,7 +487,7 @@ CURLcode Curl_ftp_connect(struct connectdata *conn)
   ftp->passwd = conn->passwd;
   ftp->response_time = 3600; /* set default response time-out */
 
-  if (data->set.tunnel_thru_httpproxy) {
+  if (conn->bits.tunnel_proxy) {
     /* We want "seamless" FTP operations through HTTP proxy tunnel */
     result = Curl_ConnectHTTPProxyTunnel(conn, FIRSTSOCKET,
                                          conn->host.name, conn->remote_port);
@@ -1702,7 +1702,7 @@ CURLcode ftp_use_pasv(struct connectdata *conn,
     /* this just dumps information about this second connection */
     ftp_pasv_verbose(conn, conninfo, newhostp, connectport);
   
-  if(data->set.tunnel_thru_httpproxy) {
+  if(conn->bits.tunnel_proxy) {
     /* We want "seamless" FTP operations through HTTP proxy tunnel */
     result = Curl_ConnectHTTPProxyTunnel(conn, SECONDARYSOCKET,
                                          newhostp, newport);

lib/http.c

@@ -254,8 +254,12 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
  * done.
  *
  * @param conn all information about the current connection
+ * @param request pointer to the request keyword
+ * @param path pointer to the requested path
+ * @param proxytunnel boolean if this is the request setting up a "proxy
+ * tunnel"
  *
- * Returns CURLcode
+ * @returns CURLcode
  */
 static CURLcode
 Curl_http_output_auth(struct connectdata *conn,
@@ -304,7 +308,7 @@ Curl_http_output_auth(struct connectdata *conn,
 
     /* Send proxy authentication header if needed */
     if (conn->bits.httpproxy &&
-        (data->set.tunnel_thru_httpproxy == proxytunnel)) {
+        (conn->bits.tunnel_proxy == proxytunnel)) {
 #ifdef USE_SSLEAY
       if(data->state.authproxy.want == CURLAUTH_NTLM) {
         auth=(char *)"NTLM";
@@ -1136,10 +1140,9 @@ CURLcode Curl_http_connect(struct connectdata *conn)
    * has occured, can we start talking SSL
    */
 
-  if(conn->bits.httpproxy &&
-     ((conn->protocol & PROT_HTTPS) || data->set.tunnel_thru_httpproxy)) {
+  if(conn->bits.tunnel_proxy) {
 
-    /* either HTTPS over proxy, OR explicitly asked for a tunnel */
+    /* either SSL over proxy, or explicitly asked for */
     result = Curl_ConnectHTTPProxyTunnel(conn, FIRSTSOCKET,
                                          conn->host.name,
                                          conn->remote_port);
@@ -1396,9 +1399,9 @@ CURLcode Curl_http(struct connectdata *conn)
       return CURLE_OUT_OF_MEMORY;
   }
 
-  if (conn->bits.httpproxy &&
-      !data->set.tunnel_thru_httpproxy &&
-      !(conn->protocol&PROT_HTTPS))  {
+  if (conn->bits.httpproxy && !conn->bits.tunnel_proxy)  {
+    /* Using a proxy but does not tunnel through it */
+
     /* The path sent to the proxy is in fact the entire URL. But if the remote
        host is a IDN-name, we must make sure that the request we produce only
        uses the encoded host name! */

lib/url.c

@@ -2137,6 +2137,7 @@ static CURLcode CreateConnection(struct SessionHandle *data,
   conn->bits.user_passwd = data->set.userpwd?1:0;
   conn->bits.proxy_user_passwd = data->set.proxyuserpwd?1:0;
   conn->bits.no_body = data->set.opt_no_body;
+  conn->bits.tunnel_proxy = data->set.tunnel_thru_httpproxy;
 
   /* This initing continues below, see the comment "Continue connectdata
    * initialization here" */
@@ -2837,6 +2838,13 @@ static CURLcode CreateConnection(struct SessionHandle *data,
     free(proxydup); /* free the duplicate pointer and not the modified */
   }
 
+  /*************************************************************
+   * If the protcol is using SSL and HTTP proxy is used, we set
+   * the tunnel_proxy bit.
+   *************************************************************/
+  if((conn->protocol&PROT_SSL) && conn->bits.httpproxy)
+    conn->bits.tunnel_proxy = TRUE;
+
   /*************************************************************
    * Take care of user and password authentication stuff
    *************************************************************/

lib/urldata.h

@@ -309,6 +309,10 @@ struct ConnectBits {
   bool retry;         /* this connection is about to get closed and then
                          re-attempted at another connection. */
   bool no_body;       /* CURLOPT_NO_BODY (or similar) was set */
+  bool tunnel_proxy;  /* if CONNECT is used to "tunnel" through the proxy.
+                         This is implicit when SSL-protocols are used through
+                         proxies, but can also be enabled explicitly by
+                         apps */
 };
 
 struct hostname {