macOS Daemon fails to work with Authenticating HTTP/HTTPS proxy in System Preferences

Hi,


We are facing an issue where the launch daemons fails to work with the authenticating proxy configured in System Preferences.


We tried both NSURLConnection and NSURLSession APIs and both fails with following error:


Error with NSURLConnection:


Error Domain=kCFErrorDomainCFNetwork Code=311 "There was a problem establishing a secure tunnel through the web proxy server." UserInfo={NSErrorFailingURLStringKey=https://google.com/, NSErrorFailingURLKey=https://google.com/, _kCFStreamErrorCodeKey=-2097, _kCFStreamErrorDomainKey=4, NSLocalizedRecoverySuggestion=Please check your proxy settings.For help with this problem, contact your system administrator., NSLocalizedDescription=There was a problem establishing a secure tunnel through the web proxy server.}


Error with NSURLSession: Error Domain=kCFErrorDomainCFNetwork Code=311 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2097, _kCFStreamErrorDomainKey=4}


Same binary works fine when run as command line tool with this proxy configuration. Credentials are also configured in the System Preferences for the proxy. We do not see "Proxy-Authorization" header added to the request on the proxy server when daemon tries to request for the resource. Do we need to add the header explicitly when NSURLConnection/Session are used from Daemon?


Regards,

Sanjay.

Up vote post of sanaw Down vote post of sanaw
5.7k views
Posted by
sanaw
Reply
Add a Comment

Accepted Reply

So looks like we need to provide those manually in authentication delegate.

Right. And it’s not clear how the system could solve this for you, given that there’s a possibility that different users might have different credentials for the proxy.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

In this context error -2097 translates to an internal CFNetwork error with the general semantics of ‘proxy authentication required’, which is not very useful alas.

I believe what’s going on here is that the proxy password is being saved into the user’s keychain, and thus your daemon is unable to access it. You wrote:

Do we need to add the header explicitly when NSURLConnection/Session are used from Daemon?

Messing around with authentication headers directly is generally not a good idea. Do you get an authentication challenge for the proxy? If so, try handling that challenge.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi Quinn,


Messing around with authentication headers directly is generally not a good idea. Do you get an authentication challenge for the proxy? If so, try handling that challenge.


Yes, if I set "connectionProxyDictionary" on URLSessonConfig then the authentication challenge is received for "NSURLAuthenticationMethodHTTPBasic". Should we handle the authentication here by providing username and password for proxy. Hope System Configuration/Keychain APIs can help with this though I tried "URLCredentialStorage" and it does not work as creds are in user keychain and not in System. Maybe we can ask user for those using daemon <-> user-agent over XPC.


We can detect if proxy is set up using "CFNetworkCopySystemProxySettings" and then set "connectionProxyDictionary" accordingly. Is this the expected approach for daemons?


Regards,

Sanjay.

Posted by
sanaw
Up vote reply of sanaw Down vote reply of sanaw
Add a Comment

Is this the expected approach for daemons?

My expectation is that, if there are system proxy settings (as returned by 

CFNetworkCopySystemProxySettings
), the session should use them. That won’t help with the proxy credential, but that’s different from the proxy settings themselves.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Ok, yes session uses the proxy but just that credentials are not detected as you said earlier. So looks like we need to provide those manually in authentication delegate.

Posted by
sanaw
Up vote reply of sanaw Down vote reply of sanaw
Add a Comment

So looks like we need to provide those manually in authentication delegate.

Right. And it’s not clear how the system could solve this for you, given that there’s a possibility that different users might have different credentials for the proxy.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Ok thanks Quinn. I think in this case daemon can ask user-agent for credentials as user-agent would be able to read it from URLCredentialStorage by creating the URLProtectionSpace for the required proxy. I tried this with the simple command line application and it gets the creds fine so those can be XPCed to daemon as needed.

Posted by
sanaw
Up vote reply of sanaw Down vote reply of sanaw
Add a Comment