I am using Tor browser on a Microsoft Active Directory joined computer.
Domain admins set up Group Policy Objects configuring Firefox to use a proxy auto-configuration script.
That setting from the GPO overrides the automatic Tor Browser setting to use localhost:9150, and when I try to navigate I get an "Unable to connect" error page.
Tor Browser connection settings are locked by the GPO, as they are in the installed version of Firefox, and I cannot change them manually.
Trac: Username: kT3Ycp9jwm
Hm. Did that work before and just Tor Browser 8.5 breaks now? The problem with GPOs is that it seems Tor Browser is happily following whatever the GPO is telling it. That means this could lead to a proxy bypass, see: #29916 (moved). We therefore set: browser.policies.testing.disallowEnterprise to true. Does flipping that pref get things working for you again? Where does the PAC file actually point to?
Trac: Owner: N/A to tbb-team Status: new to needs_information Cc: N/A to tom Component: - Select a component to Applications/Tor Browser
> Hm. Did that work before and just Tor Browser 8.5 breaks now?

no, it never worked since the policy was deployed (some months ago, but could manage to report it just today)
I use it as a local account, who does not get the policy

> The problem with GPOs is that it seems Tor Browser is happily following whatever the GPO is telling it. That means this could lead to a proxy bypass, see: #29916 (moved). We therefore set: browser.policies.testing.disallowEnterprise to true.

just checked: it's already set to true, as default value

> Does flipping that pref get things working for you again?

unfortunately not

> Where does the PAC file actually point to?

proxy.pac is on an internal server domain.local/proxy.pac
I am using Tor Browser 8.5 (based on Mozilla Firefox 60.7.0esr) (32-bit), updated today just before taking screenshots
So, Tor Browser has some built-in capabilities to deal with proxy requirements in e.g. enterprise networks. I wonder what happens if you try that out. Could you figure out the actual IP address:port being used (and the proxy type)? Then there is "Tor Network Settings..." -> "I use a proxy to connect to the Internet" behind the onion button on the toolbar where you could enter those settings.
I suspect that did not work? I guess you could try selecting the SOCKS proxy option (instead of the HTTP/HTTPS one) in that case.
But either way, I think the underlying bug is that Tor Browser is affected by this Firefox policy at all and its proxy settings can get changed that way (even if it seems to fail closed). I'll try to figure out what's up here.
Trac: Priority: Medium to High Status: needs_information to new Keywords: N/A deleted, GeorgKoppen201905, TorBrowserTeam201905, tbb-proxy-bypass added
> But either way, I think the underlying bug is that Tor Browser is affected by this Firefox policy at all and its proxy settings can get changed that way

Yes, I think this is the point
Using a local account, who does NOT receive the GPO, Tor Browser works.
Using a domain user, who receives the GPO, Tor Browser does NOT work.
Tor network settings (behind the onion button) are the same in both cases, so I think they are ok.
The difference is in the connection settings (Menu --> Options --> Network proxy --> Settings): when the GPO applies, proxy settings are hijacked and I cannot revert them because they're locked.
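To confirm which account actually receives the policy discussed above, the following PowerShell check reads the Firefox policy registry keys in both hives and reports any proxy policy found. It is an added example, not code from this ticket or from Tor Browser; it assumes the policy is delivered under `Software\Policies\Mozilla\Firefox\Proxy` with the value names used by the Mozilla policy templates (`Mode`, `Locked`, `AutoConfigURL`, `SOCKSProxy`, `HTTPProxy`), and the function name `Get-FirefoxProxyPolicy` is made up for illustration.

```powershell
# Added example: report Firefox enterprise proxy policy written by Group Policy.
# Assumption: registry layout follows the Mozilla policy templates (ADMX).
$policyRoots = @(
    'HKLM:\Software\Policies\Mozilla\Firefox',   # machine-wide policy
    'HKCU:\Software\Policies\Mozilla\Firefox'    # per-user policy (domain user GPO)
)

function Get-FirefoxProxyPolicy {
    param([string[]]$Roots = $policyRoots)
    foreach ($root in $Roots) {
        $proxyKey = Join-Path $root 'Proxy'
        if (-not (Test-Path $proxyKey)) { continue }   # no proxy policy in this hive
        $values = Get-ItemProperty -Path $proxyKey
        [pscustomobject]@{
            Hive          = $root.Substring(0, 4)
            Mode          = $values.Mode
            Locked        = [bool]$values.Locked
            AutoConfigURL = $values.AutoConfigURL
            SOCKSProxy    = $values.SOCKSProxy
            HTTPProxy     = $values.HTTPProxy
        }
    }
}

$found = @(Get-FirefoxProxyPolicy)
if ($found.Count -eq 0) {
    'No Firefox proxy policy in the registry for this user or machine.'
} else {
    $found | Format-List
    foreach ($p in $found) {
        # Tor Browser expects its own SOCKS listener on localhost:9150.
        $pointsAtTor = ($p.Mode -eq 'manual') -and
                       ($p.SOCKSProxy -match '^(127\.0\.0\.1|localhost):9150$')
        if (-not $pointsAtTor) {
            '{0}: proxy policy (Mode={1}, Locked={2}) replaces the localhost:9150 setting' -f
                $p.Hive, $p.Mode, $p.Locked
        }
    }
}
```

Run once as the domain user and once as the local account: a result only for the domain user matches the behaviour described in this comment.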
Okay, I tried for a while to set up a testing environment on my local computer and have the group policy editor used to lock down the proxy configurations in Firefox. However, this policy is neither applied to Firefox nor Tor Browser for me. I took the policy templates from https://github.com/mozilla/policy-templates/releases and copied them over to C:\Windows\PolicyDefinitions and then started the policy editor and activated the proxy option. What else do I need to do to get this going? Do I need some other tool making sure the respective users are under that policy or what am I missing here?
kT3Ycp9jwm: Could you test whether the following bundle fixes the problem for you? It should just disable looking for any GPO and loading associated policies:
it works!
both on 32 and 64 bit... thank you very much!
on x64 I got a block from Win Defender (unknown publisher) but today I found how to go on
Yeah, sorry for that I did not sign the .exe file. But I am glad I found the right knobs to turn. :)
I pushed the patch by accident onto tor-browser-60.7.0esr-9.0-1 directly (commit 9d582e62e32ee8143fd638744f2f5f0f49c28ca3), instead of pointing to my public tor-browser repo. Sorry for that mistake (I'll leave the patch in for now to avoid additional backout/reapply overhead). Please use that version for review, so we can include it in the next release.
Trac: Keywords: TorBrowserTeam201906 deleted, TorBrowserTeam201906R added Status: needs_information to needs_review