From ea2f68c8369821d3be20bb856c9d9fe05d5c0df0 Mon Sep 17 00:00:00 2001
From: Steffen Ullrich
Date: Sun, 4 Jan 2026 18:59:04 +0100
Subject: [PATCH] Make TLS enabled proxy work (proxy URL https:// not http://) by using stacked TLS layers newly introduced in IO::Socket::SSL 2.096
---
 lib/LWP/Protocol/https.pm | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
index e5b3ffc..a87b2f6 100644
--- a/lib/LWP/Protocol/https.pm
+++ b/lib/LWP/Protocol/https.pm
@@ -99,12 +99,26 @@ if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) {
 # SNI should be passed there only if it is not an IP address.
 # Details: https://github.com/libwww-perl/libwww-perl/issues/449#issuecomment-1896175509
 my $host = $url->host() =~ m/:|^[\d.]+$/s ? undef : $url->host();
- $sock = LWP::Protocol::https::Socket->start_SSL( $sock,
+ my $usebio = {};
+ if (UNIVERSAL::can($sock,'is_SSL') && $sock->is_SSL) {
+ $usebio = eval { $Net::HTTPS::SSL_SOCKET_CLASS->can_nested_ssl } or
+ die "no support for nested TLS in this IO::Socket::SSL version";
+ }
+
+ $sock = LWP::Protocol::https::Socket->start_SSL( my $osock = $sock,
 SSL_verifycn_name => $url->host,
 SSL_hostname => $host,
+ %$usebio,
 $self->_extra_sock_opts,
 );
- $@ = LWP::Protocol::https::Socket->errstr if ! $sock;
+ if (!$sock) {
+ $@ = LWP::Protocol::https::Socket->errstr;
+ return;
+ }
+ if ($usebio and my @fields = grep { /^http_/ } keys %{*$osock}) {
+ # propagate any http_ fields from osock to sock
+ @{*$sock}{@fields} = @{*$osock}{@fields}
+ }
 return $sock;
 }
 }
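Review bot: The guard `$usebio and` in the new `if ($usebio and my @fields = ...)` is always true, because `$usebio` starts as `{}` (a reference, hence true) and the nested-TLS branch either assigns a true value or dies. If the `http_` field copy is meant only for the stacked-TLS case, test the hash contents instead: `if (%$usebio and my @fields = grep { /^http_/ } keys %{*$osock}) {`. On the non-nested path the copy presumably writes the glob hash onto itself, so it looks harmless today, but the condition misstates the intent and would hide a regression if `start_SSL` ever returned a distinct object there. Separately, the `die` for missing nested-TLS support drops whatever `eval` left in `$@`, and it reports failure differently from the `$@`-plus-`return` path a few lines below; the enclosing sub starts outside the hunk, so how callers handle either form is not visible here.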