Bug #9029
closed
Proxy authentication is not working for HTTPS
100%
Description
When a user enters proxy details on system_advanced_misc.php it should trigger the firewall to use the proxy for things like pkg. This seems to work for HTTP URLs, but not HTTPS.
We are setting up the environment properly as far as I can see. Packet captures show the request going to the proxy, the proxy responds that authentication is required, but the client never sends the request with authentication details.
: set | grep http
http_proxy 198.51.100.23:3128
http_proxy_auth basic:*:jimp:jimp
http_proxy_auth_pass jimp
http_proxy_auth_user jimp
http_proxy_port 3128
: env | grep HTTP
HTTP_PROXY=198.51.100.23:3128
HTTP_PROXY_AUTH=basic:*:jimp:jimp
Even on 2.4.5 snapshots this fails with an error such as:
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: Proxy Authentication Required
As a quick test, a fetch of an HTTPS URL also fails, but HTTP succeeds:
: fetch -o - https://files00.netgate.com/
fetch: https://files00.netgate.com/: Proxy Authentication Required
: fetch -o - http://files00.netgate.com/
[...]
- 4872 B 14 kBps 00m00s
Last time this came up in #6949 there was a FreeBSD bug referenced at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194483 that may or may not be related.
It was working at one time before 2.4-RELEASE but broke again at some point.
This also appears to affect stock FreeBSD 11.2, easy to replicate with fetch:
env HTTP_PROXY="198.51.100.23:3128" HTTP_PROXY_AUTH="basic:*:jimp:jimp" fetch -o - https://files00.netgate.com/
Just substitute in a proxy IP address/user/pass that you can reach which is set to require auth.
Annoying but not critical, can be moved ahead if fixing is prohibitively difficult, but we did have it fixed before, so maybe a patch or two were not carried forward.
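To confirm the symptom from a packet capture, the following added example (not part of the original report or of pfSense/FreeBSD code) computes the Proxy-Authorization value a client should send for the HTTP_PROXY_AUTH setting above and classifies a proxy exchange. It assumes the fetch(3) format scheme:realm:user:password; the function names and the capture contents are constructed for illustration.

```python
import base64

def parse_proxy_auth(value):
    """Split an HTTP_PROXY_AUTH value (assumed scheme:realm:user:password)."""
    scheme, realm, user, password = value.split(":", 3)
    return scheme.lower(), realm, user, password

def expected_proxy_authorization(value):
    """Proxy-Authorization header value a client should send for Basic auth."""
    scheme, _realm, user, password = parse_proxy_auth(value)
    if scheme != "basic":
        raise ValueError("only the basic scheme is handled in this example")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def headers_of(message):
    """Return (start_line, {lowercased header: value}) for one HTTP message head."""
    lines = message.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0], headers

def diagnose(capture, auth_value):
    """Classify a proxy exchange given as ordered (direction, raw head) tuples."""
    want = expected_proxy_authorization(auth_value)
    challenged = False
    for direction, raw in capture:
        start, headers = headers_of(raw)
        if direction == "proxy" and start.split()[1:2] == ["407"]:
            challenged = True
        elif direction == "client" and start.startswith("CONNECT "):
            got = headers.get("proxy-authorization")
            if got == want:
                return "credentials sent"
            if got is not None:
                return "wrong credentials sent"
    return "challenged, never answered" if challenged else "no challenge seen"

# Constructed capture reproducing the symptom in the report (not real traffic).
FAILING = [
    ("client", "CONNECT files00.netgate.com:443 HTTP/1.1\r\nHost: files00.netgate.com:443\r\n\r\n"),
    ("proxy", "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n"),
]
# Constructed capture of a client that answers the challenge correctly.
WORKING = FAILING + [("client", "CONNECT files00.netgate.com:443 HTTP/1.1\r\nProxy-Authorization: "
                      + expected_proxy_authorization("basic:*:jimp:jimp") + "\r\n\r\n")]
```

The CONNECT request and the 407 reply travel in cleartext before the TLS tunnel is established, which is why they are visible in a capture on the proxy-facing interface.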