On 2013-10-24 07:22, Peter K. O'Connor wrote:
I thought the username and password will *only* be sent to SERVER2, *after* the SSL handshake, with each request.
If the password for authentication on your proxy was sent *after* the handshake, then SSL would have to be terminated on the proxy rather than on your final server. Your proxy could then eavesdrop on all your data, and the transfer between your proxy and your final server would be unencrypted. Is that really what you'd expect?
The usual scenario is that the connection from your client to your proxy is generally performed over a trusted network, while the connection between your proxy and the final server is performed over a hostile network (usually the Internet).
Am I missing anything here?
Not really. This is precisely how the CONNECT protocol is designed.
Mike
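
The ordering described in this reply, as an added example that is not part of the original message: the client's CONNECT request, carrying the proxy credentials, goes to the proxy in cleartext before any TLS record, and the proxy only relays what follows. The host name `server2.example`, the credentials and the TLS record bytes are constructed for illustration.

```python
import base64

def build_connect(host, port, user, password):
    """Client side: the cleartext request sent to the proxy before any TLS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n").encode()

def proxy_view(stream):
    """Proxy side: split the client's bytes into the readable CONNECT head
    and the tunnel payload that is relayed without being interpreted."""
    head, _, tunnel = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = dict(line.split(": ", 1) for line in header_lines)
    scheme, token = headers["Proxy-Authorization"].split(" ", 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return {
        "method": method,
        "target": target,
        "auth_scheme": scheme,
        "proxy_user": user,
        "proxy_password": password,  # Basic is only base64, not encryption
        # TLS record type 0x16 = handshake: the first thing inside the tunnel
        "tunnel_starts_with_tls_handshake": tunnel[:1] == b"\x16",
        "tunnel_bytes": len(tunnel),
    }

# Constructed sample: a TLS record header (handshake, length 4) plus 4 filler
# bytes standing in for a ClientHello; not a real captured handshake.
SAMPLE_TLS_RECORD = b"\x16\x03\x01\x00\x04" + b"\x00" * 4

def demo():
    # Client-to-proxy direction only; in a real exchange the client waits for
    # the proxy's "200" reply before sending the first TLS record.
    stream = (build_connect("server2.example", 443, "alice", "s3cret")
              + SAMPLE_TLS_RECORD)
    return proxy_view(stream)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Anything the client sends to the final server, including a username and password for SERVER2, travels inside the TLS records that follow the CONNECT head, which the proxy forwards as opaque bytes.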