User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Currently, all connections that Mozilla makes to any internally-configured proxy server are done over cleartext. This prevents the user from being able to authenticate to the proxy server ITSELF via an encrypted channel, using client certificate authentication.

I am requesting an enhancement request to Mozilla to allow the user to specify, for example, https://proxy-server.corp.com:8080 as the address of the proxy server. This would allow the user to securely authenticate to the proxy server, which is critical in reverse-proxy and other applications. I would like to explicitly request that the user be allowed to use a client certificate stored in Mozilla's certificate repository to authenticate to the proxy server.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
->NEW I know we don't do this right now. darin: do you want this in PSM or here? I think Darin and I understand exactly what you are asking for, so here's a couple general comments:

1- This requires using SSL to make the client->proxy connection. Possibly this should be discussed in a separate bug that this bug would depend on.
2- You need to find a proxy server that supports both accepting SSL, as well as client cert auth.
3- If available, the prefs implementation would need to be carefully thought out. I have been concerned that once we start adding SSL or auth options to the proxy config, the already confusing prefs UI will collapse under the complexity. IMHO, this system we have of hand coding support for the manual config mode is going to have to go away, bug 89928.
To answer question (2) above, I would plan to use this with Apache. Apache can be configured to behave as a web proxy, and it supports SSL and client-certificate authentication over SSL. If you like, I can open up a separate enhancement request for (1). Let me know.
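A sketch of the proxy side described in the comment above, added here as an illustration and not taken from the thread or from any participant's setup: a forward proxy that accepts TLS on the client->proxy hop and requires a client certificate. It assumes Apache httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_connect loaded; the file paths, CA name and log format name are constructed placeholders, and the host and port are the ones from the report.

```apache
# Added example. Paths, the CA file and the log format name are placeholders.
Listen 8080

<VirtualHost *:8080>
    ServerName proxy-server.corp.com

    # TLS on the client->proxy hop itself, so proxy credentials and
    # plain-http request lines are not sent in cleartext to the proxy.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/proxy.crt
    SSLCertificateKeyFile /etc/httpd/tls/proxy.key

    # Client certificate authentication: the handshake fails unless the
    # browser presents a certificate that chains to this CA.
    SSLCACertificateFile  /etc/httpd/tls/corp-client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Forward-proxy behaviour; CONNECT is limited to port 443.
    ProxyRequests On
    AllowCONNECT 443

    <Proxy "*">
        # Authorize only requests that arrived with a verified client
        # certificate. Without a restriction here, ProxyRequests On
        # would create an open proxy.
        Require ssl-verify-client
    </Proxy>

    # Record the certificate subject next to each proxied request.
    LogFormat "%h \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s" proxy_clientcert
    CustomLog logs/proxy_access.log proxy_clientcert
</VirtualHost>
```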
Hi, I think SSL encryption between browser and proxy (even when the request is http) would be a great addition to Mozilla. The well-known web cache, Squid, now supports terminating SSL connections (see http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12). Secure (non-plaintext) authentication to the proxy would be a good idea too, though I'm not sure what proxies support this. I don't think Squid does (http://www.squid-cache.org/Doc/FAQ/FAQ-23.html).

I see 2 separate tasks here (maybe they should have their own bugs):

1. Implement HTTPS connection to proxy
2. Implement client certificate authentication to proxy

dave
*** Bug 313785 has been marked as a duplicate of this bug. ***
As we in the Squid HTTP proxy project quite frequently (once or twice a month) get requests for this feature (SSL connections to the proxy, not that much the authentication using certificates) I am now about to look into what would be needed to implement this, and if possible implement it. I however probably need a little guidance on finding my way around in the Mozilla code base, the networking layers in particular.
Didn't look very easy when I looked at it some months ago. A bit of restructuring needed to be able to layer SSL in this manner. Not actively working on it at the moment.
Guys, this bug and bug 378637 appear to be related. I know it's been quite a while but I would love to see this implemented. I have a Squid proxy which accepts https connections and thanks to a Firefox add-on, firemole, I was able to connect securely. The problem with the add-on is that it doesn't work in Firefox 4 and thus I'm looking (and kind of hoping) if you guys are still interested in implementing this.
> 1. Implement HTTPS connection to proxy

bug 378637

> 2. Implement client certificate authentication to proxy

This bug.
I believe this works