Index: lib/libfetch/http.c
===================================================================
--- lib/libfetch/http.c	(revision 355130)
+++ lib/libfetch/http.c	(working copy)
@@ -1409,12 +1409,49 @@
 		return (NULL);
 	init_http_headerbuf(&headerbuf);
 	if (strcmp(URL->scheme, SCHEME_HTTPS) == 0 && purl) {
-		http_cmd(conn, "CONNECT %s:%d HTTP/1.1",
-		    URL->host, URL->port);
-		http_cmd(conn, "Host: %s:%d",
-		    URL->host, URL->port);
-		http_cmd(conn, "");
-		if (http_get_reply(conn) != HTTP_OK) {
+		for (int retry = 0; retry < 2; ++retry) {
+			if (retry > 0) {
+				fetch_close(conn);
+				conn = fetch_connect(curl->host, curl->port, af, verbose);
+				if (conn == NULL) {
+					http_seterr(HTTP_NEED_PROXY_AUTH);
+					goto ouch;
+				}
+				clean_http_headerbuf(&headerbuf);
+			}
+			http_cmd(conn, "CONNECT %s:%d HTTP/1.1",
+			    URL->host, URL->port);
+			http_cmd(conn, "Host: %s:%d",
+			    URL->host, URL->port);
+			if (retry > 0) {
+				http_auth_challenges_t proxy_challenges;
+				http_auth_params_t aparams;
+				init_http_auth_challenges(&proxy_challenges);
+				init_http_auth_params(&aparams);
+				if (*purl->user || *purl->pwd) {
+					aparams.user = strdup(purl->user);
+					aparams.password = strdup(purl->pwd);
+				} else if ((p = getenv("HTTP_PROXY_AUTH")) != NULL &&
+					   *p != '\0') {
+					if (http_authfromenv(p, &aparams) < 0) {
+						http_seterr(HTTP_NEED_PROXY_AUTH);
+						goto ouch;
+					}
+				} else if (fetch_netrc_auth(purl) == 0) {
+					aparams.user = strdup(purl->user);
+					aparams.password = strdup(purl->pwd);
+				} else {
+					http_seterr(HTTP_NEED_PROXY_AUTH);
+					goto ouch;
+				}
+				http_authorize(conn, "Proxy-Authorization",
+					       &proxy_challenges, &aparams, purl);
+				clean_http_auth_params(&aparams);
+			}
+			http_cmd(conn, "");
+			if (http_get_reply(conn) != HTTP_NEED_PROXY_AUTH) break;
+		}
+		if (conn->err != HTTP_OK) {
 			http_seterr(conn->err);
 			goto ouch;
 		}