Opened 3 weeks ago

Closed 12 days ago

#24793 closed defect (fixed)

obfs4 breaks http proxy with basic auth

Reported by: gilcu3 Owned by:
Priority: Medium Milestone:
Component: Obfuscation/Obfsproxy Version:
Severity: Normal Keywords:
Cc: brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When connecting through an http proxy with basic auth, the client (tor) should send an HTTP request with header "Proxy-Authorization: Basic <base64 user:password>" (rfc 7235), but instead tor uses something defined for basic auth with http servers, like "Authorization: Basic <base64 user:password>". For a proxy like squid (at least) this means it cannot connect to the relay network as it keeps receiving error 407 (auth required)

Child Tickets

Change History (12)

comment:1 Changed 3 weeks ago by mo

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team

comment:2 Changed 3 weeks ago by gilcu3

I have tried with tor itself and it works, so this must be for sure a problem with Tor Browser config

comment:3 Changed 3 weeks ago by mcs

Cc: brade mcs added
Keywords: proxy auth basic removed
Status: newneeds_information

gilcu3, thanks for finding and reporting this bug. Can you please compare the torrc that is written when you use Tor Launcher (within Tor Browser) to configure proxy settings with the torrc that you used to demonstrate that this works with tor alone?

comment:4 Changed 2 weeks ago by gilcu3

I only added two lines to my /etc/tor/torrc file:

HTTPSProxy host:port
HTTPSProxyAuthenticator user:pass

and indeed they are exactly the same in ~/.tor-browser-en/INSTALL/Browser/TorBrowser/Data/Tor/torrc
the one used by Tor Browser

EDIT: well to be accurate I also added
FascistFirewall 1
to the default /etc/tor/torrc in arch-linux, and that line is not in the Tor Browser file.

Last edited 2 weeks ago by gilcu3 (previous) (diff)

comment:5 Changed 2 weeks ago by arma

I'm confused. So you're saying that Tor is configured the same way in each case? And Tor works for you directly, but the Tor in Tor Browser, configured the same way, doesn't?

comment:6 Changed 2 weeks ago by gilcu3

Yes, using tor as a service works, using it from the Tor Browser doesn't , and the lines in torrc refering to proxy config are the same. At least they seem to be

comment:7 Changed 2 weeks ago by yawning

I assume the failure case involves obfs4proxy.

https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/obfs4proxy/proxy_http.go#n92

https://github.com/golang/go/blob/master/src/net/http/request.go#L881

func (r *Request) SetBasicAuth(username, password string) {
	r.Header.Set("Authorization", "Basic "+basicAuth(username, password))
}

comment:8 Changed 2 weeks ago by gilcu3

yes exactly, obfs4 is the selected option in Tor Browser, so that line in code is correct or not?

comment:9 in reply to:  8 Changed 2 weeks ago by yawning

Replying to gilcu3:

yes exactly, obfs4 is the selected option in Tor Browser, so that line in code is correct or not?

I mean, it's an obfs4proxy bug.

comment:10 Changed 2 weeks ago by gilcu3

Component: Applications/Tor BrowserObfuscation/Obfsproxy
Status: needs_informationnew

comment:11 Changed 2 weeks ago by gk

Owner: tbb-team deleted
Status: newassigned
Summary: tor brower proxy auth basicobfs4 breaks http proxy with basic auth
Version: Tor: 0.3.1.9
Note: See TracTickets for help on using tickets.