macOS Daemon fails to work with Authenticating HTTP/HTTPS proxy in System Preferences

Question

Created Dec ’18

Replies 6

Boosts 0

Views 6.2k

Participants 2

Hi,

We are facing an issue where the launch daemons fails to work with the authenticating proxy configured in System Preferences.

We tried both NSURLConnection and NSURLSession APIs and both fails with following error:

Error with NSURLConnection:

Error Domain=kCFErrorDomainCFNetwork Code=311 "There was a problem establishing a secure tunnel through the web proxy server." UserInfo={NSErrorFailingURLStringKey=https://google.com/, NSErrorFailingURLKey=https://google.com/, _kCFStreamErrorCodeKey=-2097, _kCFStreamErrorDomainKey=4, NSLocalizedRecoverySuggestion=Please check your proxy settings.For help with this problem, contact your system administrator., NSLocalizedDescription=There was a problem establishing a secure tunnel through the web proxy server.}

Error with NSURLSession: Error Domain=kCFErrorDomainCFNetwork Code=311 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2097, _kCFStreamErrorDomainKey=4}

Same binary works fine when run as command line tool with this proxy configuration. Credentials are also configured in the System Preferences for the proxy. We do not see "Proxy-Authorization" header added to the request on the proxy server when daemon tries to request for the resource. Do we need to add the header explicitly when NSURLConnection/Session are used from Daemon?

Regards,

Sanjay.

Answered by DTS Engineer in 347938022

So looks like we need to provide those manually in authentication delegate.

Right. And it’s not clear how the system could solve this for you, given that there’s a possibility that different users might have different credentials for the proxy.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Jan ’19

In this context error -2097 translates to an internal CFNetwork error with the general semantics of ‘proxy authentication required’, which is not very useful alas.

I believe what’s going on here is that the proxy password is being saved into the user’s keychain, and thus your daemon is unable to access it. You wrote:

Do we need to add the header explicitly when NSURLConnection/Session are used from Daemon?

Messing around with authentication headers directly is generally not a good idea. Do you get an authentication challenge for the proxy? If so, try handling that challenge.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

sanaw OP

Jan ’19

Hi Quinn,

Messing around with authentication headers directly is generally not a good idea. Do you get an authentication challenge for the proxy? If so, try handling that challenge.

Yes, if I set "connectionProxyDictionary" on URLSessonConfig then the authentication challenge is received for "NSURLAuthenticationMethodHTTPBasic". Should we handle the authentication here by providing username and password for proxy. Hope System Configuration/Keychain APIs can help with this though I tried "URLCredentialStorage" and it does not work as creds are in user keychain and not in System. Maybe we can ask user for those using daemon <-> user-agent over XPC.

We can detect if proxy is set up using "CFNetworkCopySystemProxySettings" and then set "connectionProxyDictionary" accordingly. Is this the expected approach for daemons?

Regards,

Sanjay.

0

Answer 3

DTS Engineer OP

Apple

Jan ’19

Is this the expected approach for daemons?

My expectation is that, if there are system proxy settings (as returned by

CFNetworkCopySystemProxySettings

), the session should use them. That won’t help with the proxy credential, but that’s different from the proxy settings themselves.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

sanaw OP

Jan ’19

Ok, yes session uses the proxy but just that credentials are not detected as you said earlier. So looks like we need to provide those manually in authentication delegate.

0

Answer 5

DTS Engineer OP

Apple

Jan ’19

Accepted Answer

So looks like we need to provide those manually in authentication delegate.

Right. And it’s not clear how the system could solve this for you, given that there’s a possibility that different users might have different credentials for the proxy.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 6

sanaw OP

Jan ’19

Ok thanks Quinn. I think in this case daemon can ask user-agent for credentials as user-agent would be able to read it from URLCredentialStorage by creating the URLProtectionSpace for the required proxy. I tried this with the simple command line application and it gets the creds fine so those can be XPCed to daemon as needed.

0