Opened 4 months ago

Closed 3 months ago

Last modified 4 weeks ago

#30575 closed defect (fixed)

"unable to connect" if Firefox GPOs configure proxy settings

Reported by: kT3Ycp9jwm
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-proxy-bypass, TorBrowserTeam201906, GeorgKoppen201906, tbb-backported
Cc: tom, pospeselr
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I am using Tor browser on a Microsoft Active Directory joined computer.
Domain admins set up Group Policy Objects configuring Firefox to use a proxy auto-configuration script.
That setting from GPO overrides automatic Tor Browser setting to use localhost:9150 and when I try to navigate I get "Unable to connect" error page.
Tor Browser connection settings are locked by the GPO, as it is in the installed version of Firefox, and I cannot change them manually.

Attachments (3)

connection_settings.PNG (38.5 KB) - added by kT3Ycp9jwm 4 months ago.
Tor Browser connection settings screenshot
unable_to_connect.PNG (40.2 KB) - added by kT3Ycp9jwm 4 months ago.
"Unable to connect" error page
tor_network_settings.PNG (15.4 KB) - added by kT3Ycp9jwm 4 months ago.
Tor network settings


Change History (32)

Changed 4 months ago by kT3Ycp9jwm

Attachment: connection_settings.PNG added

Tor Browser connection settings screenshot

Changed 4 months ago by kT3Ycp9jwm

Attachment: unable_to_connect.PNG added

"Unable to connect" error page

comment:1 Changed 4 months ago by cypherpunks

Mozilla also doesn't know how Firefox works, see ticket:29916#comment:11.
Tor Browser 8.5 is still not portable. Sorry for that.

comment:2 Changed 4 months ago by gk

Cc: tom added
Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team
Status: new → needs_information

Hm. Did that work before and just Tor Browser 8.5 breaks now? The problem with GPOs is that it seems Tor Browser is happily following whatever the GPO is telling it. That means this could lead to a proxy bypass, see: #29916. We therefore set: browser.policies.testing.disallowEnterprise to true. Does flipping that pref get things working for you again? Where does the PAC file actually point to?

comment:3 in reply to:  2 Changed 4 months ago by kT3Ycp9jwm

Replying to gk:

Hm. Did that work before and just Tor Browser 8.5 breaks now?

no, it never worked since the policy was deployed (some months ago, but could manage to report it just today)

I use it as a local account, who does not get the policy

The problem with GPOs is that it seems Tor Browser is happily following whatever the GPO is telling it. That means this could lead to a proxy bypass, see: #29916. We therefore set: browser.policies.testing.disallowEnterprise to true.

just checked: it's already set to true, as default value

Does flipping that pref get things working for you again?

unfortunately not

Where does the PAC file actually point to?

proxy.pac is on an internal server domain.local/proxy.pac

I am using Tor Browser 8.5 (based on Mozilla Firefox 60.7.0esr) (32-bit), updated today just before taking screenshots

comment:4 Changed 4 months ago by gk

So, Tor Browser has some built-in capabilities to deal with proxy requirements in e.g. enterprise networks. I wonder what happens if you try that out. Could you figure out the actual ip address:port being used (and the proxy type)? Then there is "Tor Network Settings..." -> "I use a proxy to connect to the Internet" behind the onion button on the toolbar where you could enter those settings.

comment:5 Changed 4 months ago by kT3Ycp9jwm

in our proxy.pac the function FindProxyForURL(url, host) terminates with

return "PROXY proxy.*******.local:8080";

so I set Tor Browser as in the tor_network_settings.PNG attached

Changed 4 months ago by kT3Ycp9jwm

Attachment: tor_network_settings.PNG added

Tor network settings
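
Added example (not part of the ticket and not Tor Browser code): a small checker that takes the string a PAC file's FindProxyForURL() returns, as in comment:5, and flags every route that is not the local Tor SOCKS port from the description (localhost:9150). The PAC bodies and the hostname proxy.example.local are constructed placeholders, and the helper names are hypothetical.

```javascript
// Added example, not Tor Browser code. Assumption: the only acceptable route
// is the local Tor SOCKS listener the ticket mentions (localhost:9150).
const TOR_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);
const TOR_PORT = 9150;

// Split a FindProxyForURL() return value such as
// "PROXY a:8080; SOCKS5 b:1080; DIRECT" into structured entries.
function parsePacResult(result) {
  return String(result).split(";").map(s => s.trim()).filter(Boolean).map(item => {
    const [type, target = ""] = item.split(/\s+/);
    const idx = target.lastIndexOf(":");
    return {
      type: type.toUpperCase(),
      host: (idx > 0 ? target.slice(0, idx) : target).toLowerCase(),
      port: idx > 0 ? Number(target.slice(idx + 1)) : null,
    };
  });
}

// "tor": the local Tor SOCKS port; "direct": no proxy at all (a bypass);
// "foreign": any other proxy, e.g. the one a GPO-pushed PAC file names.
function classify(entry) {
  if (entry.type === "DIRECT") return "direct";
  const isSocks = entry.type.startsWith("SOCKS");
  if (isSocks && TOR_HOSTS.has(entry.host) && entry.port === TOR_PORT) return "tor";
  return "foreign";
}

// Run a PAC function over sample URLs and report every non-Tor route.
function auditPac(findProxyForURL, urls) {
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    for (const entry of parsePacResult(findProxyForURL(url, host))) {
      const verdict = classify(entry);
      if (verdict !== "tor") findings.push({ url, verdict, entry });
    }
  }
  return findings;
}

// Constructed PAC bodies: the first has the shape reported in comment:5
// (placeholder hostname), the second silently falls back to DIRECT.
const gpoPac = (url, host) => "PROXY proxy.example.local:8080";
const fallbackPac = (url, host) => "SOCKS5 127.0.0.1:9150; DIRECT";

console.log(auditPac(gpoPac, ["https://example.com/"]));
console.log(auditPac(fallbackPac, ["https://example.com/"]));
```

A "foreign" verdict matches what this ticket reports (the browser is pointed at the enterprise proxy and fails closed), while a "direct" verdict is the proxy-bypass case the tbb-proxy-bypass keyword is about.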

comment:6 Changed 4 months ago by gk

Keywords: TorBrowserTeam201905 GeorgKoppen201905 tbb-proxy-bypass added
Priority: Medium → High
Status: needs_information → new

I suspect that did not work? I guess you could try selecting the SOCKS proxy option (instead of the HTTP/HTTPS one) in that case.

But either way, I think the underlying bug is that Tor Browser is affected by this Firefox policy at all and its proxy settings can get changed that way (even if it seems to fail closed). I'll try to figure out what's up here.

comment:7 in reply to:  6 Changed 4 months ago by kT3Ycp9jwm

Replying to gk:

But either way, I think the underlying bug is that Tor Browser is affected by this Firefox policy at all and its proxy settings can get changed that way

Yes, I think this is the point

Using a local account, who does NOT receive the GPO, Tor Browser works.
Using a domain user, who receives the GPO, Tor Browser does NOT work.

Tor network settings (behind the onion button) are the same in both cases, so I think they are ok.
The difference is in the connection settings (Menu --> Options --> Network proxy --> Settings): when the GPO applies, proxy settings are hijacked and I cannot revert them because they're locked.

comment:8 Changed 4 months ago by gk

Status: new → needs_information

Okay, I tried for a while to set up a testing environment on my local computer and have the group policy editor used to lock down the proxy configurations in Firefox. However, this policy is neither applied to Firefox nor Tor Browser for me. I took the policy templates from https://github.com/mozilla/policy-templates/releases and copied them over to C:\Windows\PolicyDefinitions and then started the policy editor and activated the proxy option. What else do I need to do to get this going? Do I need some other tool making sure the respective users are under that policy or what am I missing here?

comment:9 in reply to: 8 Changed 4 months ago by kT3Ycp9jwm

did you apply the GPO to an OU containing both user and computer?

comment:10 in reply to:  9 Changed 4 months ago by gk

Status: needs_information → new

Replying to kT3Ycp9jwm:

did you apply the GPO to an OU containing both user and computer?

No, I think that's the piece I still need to figure out, thanks.

comment:11 Changed 4 months ago by gk

Some cypherpunks mentioned that comment:13:ticket:18101 could be promising here.

comment:12 Changed 4 months ago by gk

Status: new → needs_information

kT3Ycp9jwm: Could you test whether the following bundle fixes the problem for you? It should just disable looking for any GPO and loading associated policies:

https://people.torproject.org/~gk/testbuilds/torbrowser-install-win64-30575_en-US.exe
https://people.torproject.org/~gk/testbuilds/torbrowser-install-win64-30575_en-US.exe.asc

comment:13 Changed 3 months ago by gk

Cc: pospeselr added

comment:14 Changed 3 months ago by gk

Keywords: TorBrowserTeam201906 added; TorBrowserTeam201905 removed

Moving tickets to June

comment:15 Changed 3 months ago by gk

Keywords: GeorgKoppen201906 added; GeorgKoppen201905 removed

Moving my tickets to June

comment:16 Changed 3 months ago by kT3Ycp9jwm

can't try now, I'm on a 32bit pc

comment:17 Changed 3 months ago by kT3Ycp9jwm

on x64 I can't launch the exe, could you please post a zip?

comment:18 in reply to:  17 Changed 3 months ago by gk

Replying to kT3Ycp9jwm:

on x64 I can't launch the exe, could you please post a zip?

Hm, maybe, let me see. What is the issue? Meanwhile, maybe a 32bit build would help?

https://people.torproject.org/~gk/testbuilds/torbrowser-install-30575_en-US.exe
https://people.torproject.org/~gk/testbuilds/torbrowser-install-30575_en-US.exe.asc

comment:19 Changed 3 months ago by kT3Ycp9jwm

it works!
both on 32 and 64 bit... thank you very much!

on x64 I got a block from Win Defender (unknown publisher) but today I found how to go on

comment:20 in reply to: 19 Changed 3 months ago by gk

Keywords: TorBrowserTeam201906R added; TorBrowserTeam201906 removed
Status: needs_information → needs_review

Replying to kT3Ycp9jwm:

it works!
both on 32 and 64 bit... thank you very much!

on x64 I got a block from Win Defender (unknown publisher) but today I found how to go on

Yeah, sorry for that, I did not sign the .exe file. But I am glad I found the right knobs to turn. :)

I pushed the patch by accident onto tor-browser-60.7.0esr-9.0-1 directly (commit 9d582e62e32ee8143fd638744f2f5f0f49c28ca3), instead of pointing to my public tor-browser repo. Sorry for that mistake (I'll leave the patch in for now to avoid additional backout/reapply overhead). Please use that version for review, so we can include it in the next release.

comment:21 in reply to: 20 Changed 3 months ago by kT3Ycp9jwm

Replying to gk:

Please use that version for review, so we can include it in the next release.

sorry... what should I have to do?

comment:22 Changed 3 months ago by pospeselr

Keywords: TorBrowserTeam201906 added; TorBrowserTeam201906R removed

comment:23 Changed 3 months ago by pospeselr

Status: needs_review → merge_ready

comment:24 in reply to:  21 Changed 3 months ago by gk

Replying to kT3Ycp9jwm:

Replying to gk:

Please use that version for review, so we can include it in the next release.

sorry... what should I have to do?

Sorry. That was meant for the reviewer.

comment:25 in reply to:  22 Changed 3 months ago by gk

Resolution: fixed
Status: merge_ready → closed

comment:26 Changed 3 months ago by gk

Keywords: tbb-backport added

comment:27 Changed 8 weeks ago by kT3Ycp9jwm

sorry for the almost-off-topic question... when will Tor Browser include this patch?
thanks

comment:28 in reply to:  27 Changed 8 weeks ago by gk

Replying to kT3Ycp9jwm:

sorry for the almost-off-topic question... when will Tor Browser include this patch?
thanks

I think the next regular one will have it (which is scheduled for 9/3).

comment:29 Changed 4 weeks ago by gk

Keywords: tbb-backported added; tbb-backport removed

Backported by cherry-picking the fix onto tor-browser-60.8.0esr-8.5-1 (commit 85e9a040aea41cf3c926394da1bcf22a298bf081).
