I'm trying to get Firefox nightly to use a secure HTTP/2 proxy, but it's refusing to accept a self-signed certificate.

The proxy is composed of nghttp2 as the HTTP/2 front-end and a simple Twisted proxy as the back-end. The Twisted code is from https://wiki.python.org/moin/Twisted-Examples and works on its own as a HTTP/1.1 proxy. nghttp2 is invoked with

nghttpx -s -flocalhost,8443 -b127.0.0.1,8080 server.pem server.pem -L INFO

Firefox is using it as a proxy as specified in https://nghttp2.org/documentation/nghttpx-howto.html#http-2-proxy-mode.

I created server.pem for localhost using

openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

When I try to load a generic website like http://www.something.com through the proxy, Firefox brings up the "This Connection is Untrusted" warning. However, if I tell it to add and store the exception, it just brings up the warning again. From what I can tell, it's never making it past the nghttp2 front-end to the Twisted proxy.

Am I supposed to be doing something different for secure proxy certificates? I can't find much online other than nghttp2 stating, "Please note that both Firefox nightly and Chromium require valid certificate for secure proxy."

Ric
  • It seems to be working with Chrome, so I'm assuming this is an issue with Firefox. – Ric Apr 29 '15 at 17:17
  • It looks like I spoke too soon about Chrome. Chrome currently incorrectly implements HTTP/2 CONNECT: https://code.google.com/p/chromium/issues/detail?id=433784 – Ric Apr 30 '15 at 16:50
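The `openssl req` one-liner in the question produces a certificate with only a subject CN, and the nghttp2 documentation quoted above says the browsers want a certificate that actually validates for the proxy host. The script below is an added example, not code from the question or from the nghttp2 project: it builds a `server.pem` in the same key-then-certificate layout the `nghttpx` command line above consumes, with a subjectAltName matching the proxy host name, and then checks with `openssl` that the file really verifies for that name before you point a browser at it. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `-ext`); the host name `localhost`, the 365-day lifetime and the RSA-2048 key size are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL >= 1.1.1.

# make_proxy_cert HOSTNAME OUTFILE
# Generate a self-signed certificate whose SAN carries HOSTNAME and write the
# private key followed by the certificate into OUTFILE, the single-file layout
# that "nghttpx ... server.pem server.pem" reads.
make_proxy_cert() {
    mpc_host="$1"
    mpc_out="$2"
    mpc_tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$mpc_host" \
        -addext "subjectAltName=DNS:$mpc_host" \
        -keyout "$mpc_tmp/key.pem" -out "$mpc_tmp/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$mpc_tmp"; return 1; }
    cat "$mpc_tmp/key.pem" "$mpc_tmp/cert.pem" > "$mpc_out"
    rm -rf "$mpc_tmp"
}

# check_proxy_cert PEMFILE HOSTNAME
# Succeed only if the certificate in PEMFILE lists HOSTNAME in its SAN and
# verifies for that host name with itself as the trust anchor, i.e. the same
# checks a client performs once it trusts the certificate.
check_proxy_cert() {
    cpc_pem="$1"
    cpc_host="$2"
    openssl x509 -in "$cpc_pem" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "DNS:$cpc_host" || return 1
    openssl verify -CAfile "$cpc_pem" -verify_hostname "$cpc_host" "$cpc_pem" \
        >/dev/null 2>&1
}

# Demo run (constructed): build server.pem for "localhost" in a scratch
# directory, check it, and clean up.
demo_dir=$(mktemp -d)
make_proxy_cert localhost "$demo_dir/server.pem"
check_proxy_cert "$demo_dir/server.pem" localhost \
    && echo "server.pem is valid for localhost"
rm -rf "$demo_dir"
```

The host name passed to `make_proxy_cert` must be the one the browser is configured to reach the proxy by (the name in the PAC or proxy settings), because that is the name the browser matches against the SAN; a certificate that passes `check_proxy_cert` for one name will still be rejected when the proxy is addressed by another.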

1 Answer

Patrick McManus answered almost exactly this in the Firefox bugzilla a while ago - and the reason for this is that there is still a lack of UI for this in Firefox:

You can do a TOFU exception for the proxy case, but you have to do it a little differently.

  1. turn off the proxy use in firefox.

  2. put https://PROXYNAME:PROXYPORT/ in the location bar (use the same name and port number as you have configured in the PAC; you can't use IP addresses or default ports: you can't use IP addresses because they can't be verified by the PKI, and exceptions are stored per port).

  3. override the cert warning and perm. store the exception. The response you get will be meaningless as you are now addressing the proxy port as if it was an endpoint.
  4. turn the proxy back on and use it.

Daniel Stenberg