[networking] Add proxy_client_cert, proxy_verify and legacy_proxy_ssl_support options

yt_dlp/networking/_curlcffi.py

@@ -187,7 +187,7 @@ class CurlCFFIRH(ImpersonateRequestHandler, InstanceStoreMixin):
             # curl_cffi does not currently set these for proxies
             session.curl.setopt(CurlOpt.PROXY_CAINFO, certifi.where())
 
-            if not self.verify:
+            if not self.proxy_verify:
                 session.curl.setopt(CurlOpt.PROXY_SSL_VERIFYPEER, 0)
                 session.curl.setopt(CurlOpt.PROXY_SSL_VERIFYHOST, 0)
 
@@ -202,6 +202,15 @@ class CurlCFFIRH(ImpersonateRequestHandler, InstanceStoreMixin):
             if client_certificate_password:
                 session.curl.setopt(CurlOpt.KEYPASSWD, client_certificate_password)
 
+        if self._proxy_client_cert:
+            session.curl.setopt(CurlOpt.PROXY_SSLCERT, self._proxy_client_cert['client_certificate'])
+            proxy_client_certificate_key = self._proxy_client_cert.get('client_certificate_key')
+            proxy_client_certificate_password = self._proxy_client_cert.get('client_certificate_password')
+            if proxy_client_certificate_key:
+                session.curl.setopt(CurlOpt.PROXY_SSLKEY, proxy_client_certificate_key)
+            if proxy_client_certificate_password:
+                session.curl.setopt(CurlOpt.PROXY_KEYPASSWD, proxy_client_certificate_password)
+
         timeout = self._calculate_timeout(request)
 
         # set CURLOPT_LOW_SPEED_LIMIT and CURLOPT_LOW_SPEED_TIME to act as a read timeout. [1]
@@ -243,6 +252,8 @@ class CurlCFFIRH(ImpersonateRequestHandler, InstanceStoreMixin):
                 or (e.code == CurlECode.RECV_ERROR and 'CONNECT' in str(e))
             ):
                 raise ProxyError(cause=e) from e
+            elif e.code == CurlECode.RECV_ERROR and 'SSL' in str(e):
+                raise SSLError(cause=e) from e
             else:
                 raise TransportError(cause=e) from e
 

yt_dlp/networking/_requests.py

@@ -301,6 +301,7 @@ class RequestsRH(RequestHandler, InstanceStoreMixin):
         session = RequestsSession()
         http_adapter = RequestsHTTPAdapter(
             ssl_context=self._make_sslcontext(legacy_ssl_support=legacy_ssl_support),
+            proxy_ssl_context=self._make_proxy_sslcontext(),
             source_address=self.source_address,
             max_retries=urllib3.util.retry.Retry(False),
         )

yt_dlp/networking/common.py

@@ -187,10 +187,14 @@ class RequestHandler(abc.ABC):
     @param source_address: Client-side IP address to bind to for requests.
     @param verbose: Print debug request and traffic information to stdout.
     @param prefer_system_certs: Whether to prefer system certificates over other means (e.g. certifi).
-    @param client_cert: SSL client certificate configuration.
+    @param client_cert: SSL client certificate configuration.z
             dict with {client_certificate, client_certificate_key, client_certificate_password}
+    @param proxy_client_cert: SSL client certificate configuration for proxy connections.
+        dict with {client_certificate, client_certificate_key, client_certificate_password}
     @param verify: Verify SSL certificates
+    @param proxy_verify: Verify SSL certificates of proxy connections
     @param legacy_ssl_support: Enable legacy SSL options such as legacy server connect and older cipher support.
+    @param legacy_proxy_ssl_support: Enable legacy SSL options such as legacy server connect and older cipher support for proxy connections.
 
     Some configuration options may be available for individual Requests too. In this case,
     either the Request configuration option takes precedence or they are merged.
@@ -230,8 +234,11 @@ class RequestHandler(abc.ABC):
         verbose: bool = False,
         prefer_system_certs: bool = False,
         client_cert: dict[str, str | None] | None = None,
+        proxy_client_cert: dict[str, str | None] | None = None,
         verify: bool = True,
+        proxy_verify: bool = True,
         legacy_ssl_support: bool = False,
+        legacy_proxy_ssl_support: bool = False,
         **_,
     ):
 
@@ -244,8 +251,11 @@ class RequestHandler(abc.ABC):
         self.verbose = verbose
         self.prefer_system_certs = prefer_system_certs
         self._client_cert = client_cert or {}
+        self._proxy_client_cert = proxy_client_cert or {}
         self.verify = verify
+        self.proxy_verify = proxy_verify
         self.legacy_ssl_support = legacy_ssl_support
+        self.legacy_proxy_ssl_support = legacy_proxy_ssl_support
         super().__init__()
 
     def _make_sslcontext(self, legacy_ssl_support=None):
@@ -256,6 +266,14 @@ class RequestHandler(abc.ABC):
             **self._client_cert,
         )
 
+    def _make_proxy_sslcontext(self, legacy_ssl_support=None):
+        return make_ssl_context(
+            verify=self.proxy_verify,
+            legacy_support=legacy_ssl_support if legacy_ssl_support is not None else self.legacy_proxy_ssl_support,
+            use_certifi=not self.prefer_system_certs,
+            **self._proxy_client_cert,
+        )
+
     def _merge_headers(self, request_headers):
         return HTTPHeaderDict(self.headers, request_headers)