Commit b721a59fef for openssl.org

commit b721a59fef180311d62a932c2d5be8a83942cbbe
Author: Peter Zhang <13811521135@163.com>
Date:   Wed Mar 11 22:59:48 2026 +0000

    Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect

    When server contains a bare IPv6 address, OSSL_HTTP_proxy_connect() must
    wrap it in square brackets for the CONNECT request line (e.g.,
    CONNECT [::1]:443 HTTP/1.0).  Also handle the case where the server
    string already includes brackets (as returned by OSSL_HTTP_parse_url).

    Fixes: 29f178bddfdb ("Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c")

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Tue Mar 24 17:32:06 2026
    (Merged from https://github.com/openssl/openssl/pull/30384)

diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 16f263d327..f9f7bff0d1 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1466,7 +1466,11 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
     }
     BIO_push(fbio, bio);

-    BIO_printf(fbio, "CONNECT %s:%s " HTTP_1_0 "\r\n", server, port);
+    /* Add square brackets around a naked IPv6 address */
+    if (server[0] != '[' && strchr(server, ':') != NULL)
+        BIO_printf(fbio, "CONNECT [%s]:%s " HTTP_1_0 "\r\n", server, port);
+    else
+        BIO_printf(fbio, "CONNECT %s:%s " HTTP_1_0 "\r\n", server, port);

     /*
      * Workaround for broken proxies which would otherwise close