XHR/fetch failed over HTTPS-proxy

VERIFIED FIXED in Firefox 65



3 years ago
5 months ago


(Reporter: dab1818, Assigned: junior)


Bug Flags:
qe-verify +

Firefox Tracking Flags

(firefox65 verified)


(Whiteboard: [necko-next][proxy])


(5 attachments)

User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

1. configure firefox to use HTTPS-proxy (https://bugzilla.mozilla.org/show_bug.cgi?id=378637)
2. start firefox -jsconsole https://jsfiddle.net/kaihendry/k36yot0z/
3. click "Just testing" button

Actual results:

1. no result.
3. devtools network monitor: "The connection used to fetch this resource was not encrypted"

Expected results:

json-serialized response from "https://httpbin.org/get"
reproduced on firefox 45.xESR 50.x, seamonkey 2.35-2.38.

chromium --proxy-server=https://myproxy:3129 https://jsfiddle.net/kaihendry/k36yot0z/ works as expected.

direct "open" url https://httpbin.org/get works, only XMLHttpRequest/fetch affected.

also works on non-HTTPS port on same proxy-server.
Cannot reproduce on Fedora 25, Firefox Nightly 53.0a1 -- got expected JSON response from httpbin.org. Can you confirm you're still experiencing this on the latest Firefox Nightly version?
Flags: needinfo?(dab1818)
screenshot with devtools network-monitor on
Mozilla/5.0 (X11; Linux i686; rv:53.0) Gecko/20100101 Firefox/53.0
problem reproduced on:
Mozilla/5.0 (X11; Linux i686; rv:53.0) Gecko/20100101 Firefox/53.0

additional details:

proxy-server is squid-3.3.12 configured to request user x509-certificate to access proxy:
https_port myproxy:3129 cert=/etc/ssl/squid/myproxy.pem clientca=/etc/ssl/certs/ourCAbundle.crt

also squid configured to authentificate user using http-md5-digest scheme.

firefox configured to using HTTPS-proxy by "wpad-file", specified manually in firefox preferences or via MCD (Mission Control Desktop) settings.
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20161205030204

Hi Dmitry,

I have tested this issue on Ubuntu 15.10 x64 using the latest Nightly (20161205030204)and Firefox 45.0 esr , with proxy " https_port myproxy:3129 cert=/etc/ssl/squid/myproxy.pem clientca=/etc/ssl/certs/ourCAbundle.crt " and could not reproduce it, got expected JSON response from https://httpbin.org/get.

Could you please provide a screenshot with the Firefox Connection Settings?

Also please check if the issue is reproducible using Firefox with a new profile or in safe mode?



tested again with latest squid (3.5.22)
and Mozilla/5.0 (X11; Linux i686; rv:53.0) Gecko/20100101 Firefox/53.0

firefox --jsconsole --devtools --ProfileManager https://jsfiddle.net/kaihendry/k36yot0z/

1. create new firefox profile
2. install personal certificate (needed to connect to proxy)
3. point firefox "Automatic proxy configuration URL:" to http://myproxy/wpad.dat (for example)
4. wpat.dat contains: function FindProxyForURL(url, host) { return "HTTPS myproxy:3129"; }
5. squid.conf: https_port myproxy:3129 cert=/etc/ssl/squid/myproxy.pem clientca=/etc/ssl/certs/ourCAbundle.crt
6. press 'Just testing' on https://jsfiddle.net/kaihendry/k36yot0z/ page
7. network-monitor: "The connection used to fetch this resource was not encrypted"
8. browser console:
An error occurred during a connection to myproxy:3129.
SSL peer was unable to negotiate an acceptable set of security parameters.

all works fine if "clientca" options removed from squid configuration.
"  clientca=	File containing the list of CAs to use when
			requesting a client certificate."

simple test.
1. with "clientca" squid say:
openssl s_client -state -connect myproxy:3129 </dev/null
Acceptable client certificate CA names <-- WE NEED THIS
Client Certificate Types: RSA sign, DSA sign, ECDSA sign"

2. without "clientca" sqiud not request client certs:
openssl s_client -state -connect myproxy:3129 </dev/null
No client certificate CA names sent"

3. also no problem on non-HTTPS proxy-port (3128).
"proxy over HTTPS" not same as "ssl proxy" or "Use this proxy server for all protocols" through "HTTP proxy" settings in firefox.
firefox --safe-mode https://jsfiddle.net/kaihendry/k36yot0z/
not displayed correctly.
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
I will take a look.
Flags: needinfo?(dd.mozilla)
Whiteboard: [necko-next]
Can you make http log:

only change the line:
export MOZ_LOG=timestamp,rotate:200,nsHttp:5,nsSocketTransport:5,nsStreamPump:5,nsHostResolver:5
to be:
export MOZ_LOG=timestamp,rotate:200,nsHttp:5,nsSocketTransport:5,nsStreamPump:5,nsHostResolver:5,proxy:5

And try to reproduce your problem. Also fetch https://httpbin.org/get directly not using xhr or fetch. 

Which version of firefox are using? for the older ones MOZ_LOG should be change to NSPR_LOG_MODULES and MOZ_LOG_FILE with NSPR_LOG_FILE
1 run
MOZ_LOG=timestamp,rotate:200,nsHttp:5,nsSocketTransport:5,nsStreamPump:5,nsHostResolver:5,proxy:5 MOZ_LOG_FILE=test1.log ./firefox --jsconsole --devtools --ProfileManager https://jsfiddle.net/kaihendry/k36yot0z/
2 press "Just testing"
3 quit

1 MOZ_LOG=timestamp,rotate:200,nsHttp:5,nsSocketTransport:5,nsStreamPump:5,nsHostResolver:5,proxy:5 MOZ_LOG_FILE=test2.log ./firefox --jsconsole --devtools --ProfileManager https://httpbin.org/get
2 quit
Posted file test1.log
Posted file test2.log
tested on:
I have also experienced what I believe to be this issue.
HTTPS proxies seem to have been hardly used in anger, and there isn't much coherent information available on how to set one up. The following from-scratch configuration is intended to allow the bug to be reproduced quickly using Squid.

Note: This is not an example of how to set up an HTTPS proxy securely. Here be dragons, etc.
- It doesn't set up a full CA configuration / directory structure for OpenSSL, so the generated certificates are probably a bit on the minimal side
- All password protection of certificates is deliberately omitted
- Further configuration of Squid and the network environment would be required to make this even remotely suitable for exposure to the internet

Tested on a clean base install of Fedora 25, plus Squid (Fedora package) and Firefox nightly (BuildID=20170120225344)

1. Generate the required certificates (as an unprivileged user):

# Generate CA certificate
openssl req -new -newkey rsa:2048 -nodes -x509 -keyout myca.pem -out myca.pem -days 1000 -subj "/C=GB/ST=Nowhere/L=Anywhere/O=Nonesuch CA/SN=Nonesuch CA"

# Generate client certificate
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=GB/ST=Nowhere/L=Anywhere/SN=Joe Bloggs"
openssl x509 -req -in client.csr -CA myca.pem -CAkey myca.pem -out client.crt -days 1000 -set_serial 01
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -passout pass:

# Generate server certificate
openssl req -new -newkey rsa:2048 -nodes -keyout serverkey.pem -out servercert.csr -days 1000 -subj "/C=GB/ST=Nowhere/L=Anywhere/O=Nonesuch CA/CN=localhost"
openssl x509 -req -in servercert.csr -CA myca.pem -CAkey myca.pem -out servercert.pem -days 1000 -set_serial 02

2. Set up Squid (as root):

mkdir /etc/squid/mycert
cp servercert.pem serverkey.pem myca.pem /etc/squid/mycert/
echo "https_port 8080 cert=/etc/squid/mycert/servercert.pem key=/etc/squid/mycert/serverkey.pem cafile=/etc/squid/mycert/myca.pem clientca=/etc/squid/mycert/myca.pem sslcontext=id" >> /etc/squid/squid.conf
service squid start

3. Configure Firefox:

 > Smoke test 1: check https://localhost:8080/ is inaccessible (SSL error)

 > Install the certificates in Firefox (Preferences -> Advanced -> Certificates -> View Certificates)
 - Install the CA certificate "myca.pem" (The "Authorities" tab; select "Trust this CA to identify web sites")
 - Install the client certificate "client.p12" (The "Your Certificates" tab; blank password)

 > Smoke test 2: check https://localhost:8080/ is now accessible and yields a Squid error page (you will be prompted to select the client certificate installed above)

 > In Preferences -> Advanced -> Network -> Connection -> Settings, select "Automatic proxy configuration URL", and set the value to:
     data:text/plain,function FindProxyForURL(u,h) { return "HTTPS localhost:8080" }

 > Smoke test 3: load a remote site and check that it appears in /var/log/squid/access.log
 (At this point you should no longer be able to access https://localhost:8080/ directly)

 > Actual test 1 (fail):
 Go to https://jsfiddle.net/kaihendry/k36yot0z/ as above, and click the button

 > Actual test 2 (pass):
 Set the network connection back to "No proxy", and retry the above test site
Is the summary of this bug "trouble authenticating to HTTPS proxy with Client Certificate"?

I wouldn't be surprised if client certs weren't currently supported.
HTTPS proxy with Client Certificate works as expected, only XHR/fetch on firefox affected.
retested with same results on:
Flags: needinfo?(dab1818)
This one is failing:

2017-01-15 18:23:06.101675 UTC - [Socket Thread]: V/nsHttp nsHttpConnection::EnsureNPNComplete 83461100 [TSA....httpbin.org:443 (https:myproxy:3129)[:]] negotiated to ''
2017-01-15 18:23:06.101681 UTC - [Socket Thread]: V/nsHttp nsHttpConnection::EnsureNPNComplete setting complete to true
2017-01-15 18:23:06.101683 UTC - [Socket Thread]: V/nsHttp   writing CONNECT request stream
2017-01-15 18:23:06.101687 UTC - [Socket Thread]: D/nsSocketTransport nsSocketOutputStream::Write [this=8360d9e0 count=193]
2017-01-15 18:23:06.101689 UTC - [Socket Thread]: D/nsSocketTransport   calling PR_Write [count=193]
2017-01-15 18:23:06.103730 UTC - [Socket Thread]: D/nsSocketTransport   PR_Write returned [n=-1]
2017-01-15 18:23:06.103739 UTC - [Socket Thread]: D/nsSocketTransport JIMB: ReleaseFD_Locked: mFDref = 2
2017-01-15 18:23:06.103742 UTC - [Socket Thread]: D/nsSocketTransport ErrorAccordingToNSPR [in=-12227 out=805a2fc3]

This one works fine:
2017-01-15 18:23:39.825963 UTC - [Socket Thread]: V/nsHttp nsHttpConnection::EnsureNPNComplete 89084400 [TS.....httpbin.org:443 (https:myproxy:3129)[:]] negotiated to ''
2017-01-15 18:23:39.825968 UTC - [Socket Thread]: V/nsHttp nsHttpConnection::EnsureNPNComplete setting complete to true
2017-01-15 18:23:39.825971 UTC - [Socket Thread]: V/nsHttp   writing CONNECT request stream
2017-01-15 18:23:39.825974 UTC - [Socket Thread]: D/nsSocketTransport nsSocketOutputStream::Write [this=88a80de0 count=193]
2017-01-15 18:23:39.825976 UTC - [Socket Thread]: D/nsSocketTransport   calling PR_Write [count=193]
2017-01-15 18:23:39.826247 UTC - [Socket Thread]: D/nsSocketTransport   PR_Write returned [n=193]
2017-01-15 18:23:39.826251 UTC - [Socket Thread]: D/nsSocketTransport JIMB: ReleaseFD_Locked: mFDref = 2

I do not see any difference between this two, only that one is anonymous and the other not. But I do not know how that can produce this error. Keeler, can you take a look?
Flags: needinfo?(dd.mozilla) → needinfo?(dkeeler)
If I set MOZ_LOG to just "proxy:5" and then send a simple xhr, I see a ton of this:

[ProxyResolution]: D/proxy Use proxy from PAC: HTTPS localhost:8080
[Main Thread]: D/proxy pac thread callback HTTPS localhost:8080

along with:

1502131498.613      0 ::1 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -

in the squid log. I think this is an issue in the proxy auto-config code.

(Note that in a debug build, I had to comment out the MOZ_ASSERT(false) at nsNSSIOLayer.cpp:1181)
Flags: needinfo?(dkeeler)
I tried 3 different method to configure HTTPS-proxy:
1 auto-config url: wpad.dat with function FindProxyForURL ...
2 auto-config url: data:text/plain,function FindProxyForURL ...
3 using FoxyProxy mentioned https://bugzilla.mozilla.org/show_bug.cgi?id=378637

all with same results: xhr not working.

squid log:
2017/08/09 23:59:27 kid1| Error negotiating SSL connection on FD 37: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate (1/-1)

seems like a problem on the firefox side?

if "clientca=..." removed from "https_port" all works fine,
but squid does not require client certificate from browser - it's not what i wanted.
hmmm - I don't think we send client certificates with XHRs, so maybe there's a bug where we don't send one to the proxy to authenticate?
(In reply to Dmitry A. Bakshaev from comment #17)
> HTTPS proxy with Client Certificate works as expected, only XHR/fetch on
> firefox affected.

Same for me. But I also want to note here that it does not work in IE 11, but in Chrome.
So in Firefox it is a "SSL_ERROR_HANDSHAKE_FAILURE_ALERT". In IE 11 it might be the same issue?! In IE 11 I get a "XMLHttpRequest: Network Error 0x2ee4" (https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/245775/).
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P2
Ni? Gary who probably have some ideas about the issue.
Flags: needinfo?(xeonchen)
Whiteboard: [necko-next] → [necko-next][proxy]
(In reply to David Keeler [:keeler] (use needinfo?) from comment #22)
> hmmm - I don't think we send client certificates with XHRs, so maybe there's
> a bug where we don't send one to the proxy to authenticate?

Probably Patrick knows more about this?
Flags: needinfo?(xeonchen) → needinfo?(mcmanus)
I think this is the place where we disable client certs for anonymous connection, like xhr.

We could probably enable this for proxy authentication even if a channel is anonymous. 

What do you think?
Flags: needinfo?(mcmanus) → needinfo?(dkeeler)
That's probably a reasonable solution.
Flags: needinfo?(dkeeler)
dragana's suggestion seems fine.. but I actually didn't think we did client certs for proxy authentication.. maybe I'm just wrong about that
(In reply to Patrick McManus [:mcmanus] from comment #29)
> dragana's suggestion seems fine.. but I actually didn't think we did client
> certs for proxy authentication.. maybe I'm just wrong about that

Client certs for proxy authentication are working for non anonymous connection - see comment 11. The second test works and it is connecting to a proxy using client certs.
Assignee: nobody → juhsu
Ever confirmed: true
Will ask for a review after verification
Per comment 15, I can reproduce this issue.

However, the console shows
"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://httpbin.org/get. (Reason: CORS request did not succeed)." which indicates there's another issue we need to solve (either test code or browser code)
The error shown in console triggered from a unrelated PR error SSL_ERROR_HANDSHAKE_FAILURE_ALERT, which indicates attachment 9025187 [details] not working
Keywords: checkin-needed
Pushed by apavel@mozilla.com:
provide client cert when using proxy with SSL r=keeler
Keywords: checkin-needed
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
CodeName=Firefox Nightly

everything works fine
thank you all
Flags: qe-verify+

Verified as fixed with Firefox 65.0, no "SSL_ERROR_HANDSHAKE_FAILURE_ALERT" error in browser console with proxy " https_port myproxy:3129 cert=/etc/ssl/squid/myproxy.pem clientca=/etc/ssl/certs/ourCAbundle.crt.

You need to log in before you can comment on or make changes to this bug.