Description
Our client connects to a proxy which uses NTLM authentication. The destination is a server whose server certificate does not match the actual hostname. The proxy authentication type is set to CURLAUTH_ANY. The following steps are necessary in order to reproduce the problem:
```c
/* Route the transfer through the NTLM proxy; libcurl picks the auth scheme. */
curl_easy_setopt(curl, CURLOPT_PROXY, proxy_ip);
curl_easy_setopt(curl, CURLOPT_PROXYPORT, proxy_port);
curl_easy_setopt(curl, CURLOPT_PROXYUSERPWD, proxy_userpwd);
curl_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
/* Strict hostname verification: expected to fail for this server. */
curl_easy_setopt(curl, CURLOPT_CAINFO, ca_cert);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
curl_easy_setopt(curl, CURLOPT_DEBUGDATA, stderr);
curl_easy_setopt(curl, CURLOPT_URL, "https://<destination-ip>:443");
assert(curl_easy_perform(curl) == CURLE_PEER_FAILED_VERIFICATION);
```
This call fails since the server certificate doesn't match the actual hostname. Now we go on:
```c
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_perform(curl);
```
Problem: The last call to `curl_easy_perform()` never returns. libcurl sends the CONNECT request over and over, of course always receives an HTTP status code 407, but does not carry on to authenticate itself.
Using `printf("libcurl: %s\n", curl_version_info(CURLVERSION_NOW)->version);` we get `libcurl: 7.45.0-DEV`. The proxy used is the latest Squid 2 using a simple fake authentication. The destination server is an Apache 2.4. If necessary I can provide their configuration files in order to reproduce the error.
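
A watchdog for the loop reported above, as an added example that is not part of the original report or of libcurl: it scans sent (`>`) and received (`<`) header lines and flags the exchange once two consecutive 407 responses answer CONNECT requests that carried no `Proxy-Authorization` header. The type and function names, the limit of 2, and both transcripts are assumptions constructed for illustration; in a normal CURLAUTH_ANY plus NTLM handshake only the first 407 answers an unauthenticated CONNECT.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical watchdog types (not libcurl's). dir: '>' sent, '<' received. */
struct connect_watch { int cur_has_auth; int stalled_407; };
struct line { char dir; const char *text; };
/* Feed one header line; returns 1 once `limit` consecutive 407s have
   answered CONNECT requests that carried no Proxy-Authorization header. */
int watch_line(struct connect_watch *w, char dir, const char *s, int limit)
{
    if (dir == '>' && strncmp(s, "CONNECT ", 8) == 0) {
        w->cur_has_auth = 0;              /* new request, no credentials yet */
    } else if (dir == '>' && strncmp(s, "Proxy-Authorization:", 20) == 0) {
        w->cur_has_auth = 1;              /* handshake is progressing */
    } else if (dir == '<' && strncmp(s, "HTTP/", 5) == 0) {
        const char *sp = strchr(s, ' ');  /* status code follows first space */
        int is407 = sp && strncmp(sp + 1, "407", 3) == 0;
        w->stalled_407 = (is407 && !w->cur_has_auth) ? w->stalled_407 + 1 : 0;
    }
    return w->stalled_407 >= limit;
}

/* Index of the line at which the exchange is judged stuck, or -1. */
int first_stuck_index(const struct line *t, int n, int limit)
{
    struct connect_watch w = {0, 0};
    for (int i = 0; i < n; i++)
        if (watch_line(&w, t[i].dir, t[i].text, limit))
            return i;
    return -1;
}
/* Constructed transcripts; host name and NTLM tokens are placeholders. */
#define REQ  "CONNECT destination.example:443 HTTP/1.1"
#define R407 "HTTP/1.1 407 Proxy Authentication Required"
static const struct line ok_flow[] = {
    {'>', REQ}, {'<', R407},
    {'>', REQ}, {'>', "Proxy-Authorization: NTLM <type-1>"}, {'<', R407},
    {'>', REQ}, {'>', "Proxy-Authorization: NTLM <type-3>"},
    {'<', "HTTP/1.1 200 Connection established"},
};
static const struct line loop_flow[] = {
    {'>', REQ}, {'<', R407}, {'>', REQ}, {'<', R407}, {'>', REQ}, {'<', R407},
};
int main(void)
{
    printf("ok_flow=%d loop_flow=%d\n", first_stuck_index(ok_flow, 8, 2),
           first_stuck_index(loop_flow, 6, 2));
    return 0;
}
```

In an application the same lines could be fed from a `CURLOPT_DEBUGFUNCTION` callback, with a progress callback aborting the transfer once the flag is set.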