The default bug view has changed. See this FAQ.

Cannot authenticate to HTTPS proxy using client certificates

RESOLVED WORKSFORME

Status

()

Core
Networking
--
enhancement
RESOLVED WORKSFORME
14 years ago
a year ago

People

(Reporter: Kartik Subbarao, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [proxy][psm-auth])

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Currently, all connections that Mozilla makes to any internally-configured proxy
server are done over cleartext. This prevents the user from being able to
authenticate to the proxy server ITSELF via an encrypted channel, using client
certificate authentication.

I am requesting an enhancement request to Mozilla to allow the user to specify,
for example, https://proxy-server.corp.com:8080 as the address of the proxy
server. This would allow the user to securely authenticate to the proxy server,
which is critical in reverse-proxy and other applications. I would like to
explicitly request that the user be allowed to use a client certificate stored
in Mozilla's certificate repository to authenticate to the proxy server.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

14 years ago
->NEW

I know we don't do this right now.

darin: do you want this in PSM or here?

I think Darin and I understand exactly what you are asking for, so here's a
couple general comments:

1- This requires using SSL to make the client->proxy connecction. Possibly this
should be discussed in a separate bug that this bug would depend on.

2- You need to find a proxy server that supports both accepting SSL, as well as
client cert auth. 

3- If available, the prefs implementation would need to be carefully thought
out. I have been concerned that once we start adding SSL or auth options to the
proxy config, the already confusing prefs UI will collapse under the complexity.

IMHO, this system we have of hand coding support for the manual config mode is
going to have to go away, bug 89928.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: need to be able to use SSL and client certificate authentication to connect to a proxy server → Proxy: SSL and client certificates for proxy auth

Updated

14 years ago
Target Milestone: --- → Future
(Reporter)

Comment 2

14 years ago
To answer question (2) above, I would plan to use this with apache. Apache can
be configured to behave as a web proxy, and it supports SSL and
client-certificate authentication over SSL.

If you like, I can open up a separate enhancement request for (1). Let me know.

Comment 3

14 years ago
Hi

I think SSL encryption between browser and proxy (even when the request is http)
would be a great addition to Mozilla. The well known web cache, Squid now
supports terminating SSL connections (See
http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12).

Secure (non-plaintext) authentication to the proxy would be a good idea too,
though I'm not sure what proxys support this. I don't think Squid does
(http://www.squid-cache.org/Doc/FAQ/FAQ-23.html).

 I see 2 seperate tasks here (Maybe should have their own bugs)

1. Implement HTTPS connection to proxy
2. Implement client certificate authentication to proxy


dave
*** Bug 313785 has been marked as a duplicate of this bug. ***

Comment 5

11 years ago
As we in the Squid HTTP proxy project quite frequently (once or twice a mont) get requests for this feature (SSL connections to the proxy, not that much the authentication using certificates) I am now about to look into what would be needed to implement this, and if possible implement it. I however probably need a little guidance on finding my way around in the Mozilla code base, the networking layers in particular..

Updated

11 years ago
Assignee: darin → nobody
QA Contact: benc → networking
Target Milestone: Future → ---

Comment 6

11 years ago
Didn't look very easy when I looked at it some months ago. A bit of restructuring needed to be able to layer SSL in this manner.

Not actively working on it at the moment.

Comment 7

6 years ago
Guys, this bug and bug 378637 appear to be related. I know it's been quite a while but I would love to see this implemented. I have a squid proxy which accepts https connections and thanks to a firefox add on, firemole, I was able to connect securely. The problem with the add on is that it doesn't work in firefox 4 and thus I'm looking (and kind of hoping) if you guys are still interested in implementing this.
Duplicate of this bug: 652119
> 1. Implement HTTPS connection to proxy

bug 378637

> 2. Implement client certificate authentication to proxy

This bug.
Depends on: 378637
Summary: Proxy: SSL and client certificates for proxy auth → Cannot authenticate to HTTPS proxy using client certificates
Whiteboard: [proxy][psm-auth]
I believe this works
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.