foxyproxy / browser-extension

Version 8 and above. Browser extension source code for Firefox, Chrome, and other Chromium-based browsers
GNU General Public License v2.0

HTTPS proxies don't work #133

Closed superclarkk closed 1 month ago

superclarkk commented 2 months ago

Environment: Debian 12, Firefox 115.10.0esr (64-bit), FoxyProxy 8.9

When I configure FoxyProxy with HTTP+HTTPS enabled proxy servers using HTTP, it works correctly.

If I configure the system proxy settings with the proxy using HTTPS, it also works correctly.

However, when I change the protocol to HTTPS in FoxyProxy, it returns SSL_ERROR_RX_RECORD_TOO_LONG errors for any website I try to access.

Could anyone who has a proxy server that supports both protocols to the same port please test this to confirm?

Let me know what other information is needed to confirm there's a problem.

erosman commented 2 months ago

The issue here is between Firefox and the proxy server. It is not related to FoxyProxy.

See also:

superclarkk commented 1 month ago

As per the articles, I reduced the TLS setting, security.tls.version.max, from 4 to 3, and restarted Firefox, but it didn't fix it.

A lot of the other advice isn't really relevant, as it relates to Windows, not Debian, or says to disable the Proxy, which obviously defeats the objective.

I don't understand why HTTPS would work in Debian's system proxy (Settings > Network > Network Proxy), but not in Firefox/FoxyProxy.

The proxy provider believes that it's a FoxyProxy issue, so I feel like I'm going from pillar to post.

erosman commented 1 month ago

What happens when you set the HTTPS proxy directly in the Firefox Settings -> Network Settings?

superclarkk commented 1 month ago

Thanks a lot for your reply.

Firefox Network settings work as expected with HTTPS. I tested it using maxmind and dnsleaktest.

ericjung commented 1 month ago

I use FoxyProxy on Firefox with https proxies.

  1. What are the ports for both HTTP and HTTPS proxy servers?
  2. Do they share the same IP address or DNS name?
  3. Are you able to share the IP address/DNS name, ports, and credentials in email so I can test and debug? If not, can you name the proxy provider?

Please at least answer 1 and 2.

Thanks

superclarkk commented 1 month ago
  • what are the ports for both http and https proxy servers?
  • Do they share the same ip address or dns name?
  • Are you able to share the ip address/dns name, ports, and credentials in email so I can test and debug? If not, can you name the proxy provider?

The proxies serve both HTTP and HTTPS on the same IPs, and on the same ports, which is 8800. They aren't configured with a FQDN.

I'd consider giving access, but they're restricted by IP address, so I'd have to know yours in order to do that. Let's exhaust all the other options first.

ericjung commented 1 month ago

The proxies serve both HTTP and HTTPS on the same IPs, and on the same port

In my experience, I’ve never seen both HTTP and HTTPS proxy supported on the same IP address and port at the same time.

superclarkk commented 1 month ago

The provider assures me that both protocols are supported on the same IP and port. If I only configure the HTTPS proxy server in Debian 12 + Gnome 43.9's proxy settings (see attached), it works as expected. I've confirmed this using DNSLeakTest's Extended Test

Screenshot from 2024-05-21 18-49-38

superclarkk commented 1 month ago

The provider assures me that both protocols are supported on the same IP and port. If I only configure the HTTPS proxy server in Debian 12 + Gnome 43.9's proxy, via System Settings > Network > Network Proxy > Manual (see screenshot), it works as expected. I've confirmed this using DNSLeakTest's Extended Test

Screenshot from 2024-05-21 18-49-38

erosman commented 1 month ago

If I only configure the HTTPS proxy server in Debian 12 + Gnome 43.9's proxy, via System Settings > Network > Network Proxy > Manual (see screenshot), it works as expected.

The proxy setting in the picture is protocol based. What happens according to the picture is that:

Try setting both the HTTP and HTTPS in the Debian to the same proxy & port at the same time, and see how it works out.

superclarkk commented 1 month ago

Ah, I see - sorry about that.

I entered the proxy server IP and port to both the HTTP and HTTPS proxy fields, and tested by going to http.badssl.com, which can be found at badssl.com. The page was correctly displayed.

erosman commented 1 month ago

Can you test the same in Firefox?

superclarkk commented 1 month ago

That works correctly, @erosman.

DNS Leak Test shows that my own IP is not leaked, as do a few other services I use. I can also view http pages (tested using http://http.badssl.com/).

Screenshot from 2024-05-28 12-22-52

Screenshot from 2024-05-28 12-31-56

ericjung commented 1 month ago

They aren't configured with a FQDN.

Does this mean the proxy host is an IP address?

SSL certificates cannot be signed for IP addresses. If the host is an IP address, the certificate is invalid.

erosman commented 1 month ago

It may be that the proxy provider doesn't provide SSL proxies and what they mean is that the HTTP proxy can be used for HTTP & HTTPS sites, which is fine.

In that case, the proxy in FoxyProxy should be set as HTTP (and not HTTPS).
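Added illustration (not part of the thread and not FoxyProxy code): the sketch below reads the first bytes a proxy port sends back as a TLS record header, showing that a plaintext HTTP reply decodes to a record length of 20527, above the TLS 1.2 limit, which is the kind of input behind a record-length error like the one reported. The sample reply and the host name `proxy.example` are constructed, and the in-memory client uses Python's OpenSSL-backed `ssl` module rather than Firefox's NSS.

```python
import ssl
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
MAX_RECORD_LEN = 2**14 + 2048         # largest record body TLS 1.2 permits (RFC 5246, 6.2.3)
# Constructed sample: what a plain HTTP proxy might answer when it receives a ClientHello.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

def parse_record_header(data: bytes):
    """Read the first 5 bytes as a TLS record header: (type, (major, minor), length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS record apart from a plaintext HTTP status line."""
    ctype, (major, _minor), length = parse_record_header(data)
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def start_client():
    """Start a TLS client handshake in memory (no network); return its state and ClientHello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "proxy.example" is a hypothetical host name used only for SNI.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="proxy.example")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and the client waits for a reply
    return tls, incoming, outgoing.read()

def client_rejects(reply: bytes) -> bool:
    """True if a TLS client aborts the handshake when the peer's first bytes are `reply`."""
    tls, incoming, _hello = start_client()
    incoming.write(reply)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return False  # not enough data to decide yet
    except ssl.SSLError:
        return True   # record layer could not parse the reply as TLS
    return False

if __name__ == "__main__":
    print(parse_record_header(PLAINTEXT_REPLY))   # type, version, length as TLS would read them
    print(classify_first_bytes(start_client()[2]), client_rejects(PLAINTEXT_REPLY))
```

A `plaintext-http` result for a proxy port corresponds to the case erosman describes, where the FoxyProxy entry should be of type HTTP.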

ericjung commented 1 month ago

I entered the proxy server IP and port to both the HTTP and HTTPS proxy fields

SSL certificates cannot be validly signed for IP addresses. If the host is an IP address, the certificate is invalid and Firefox won't accept it. Ask your proxy provider to give you a DNS name for the proxy server, not an IP address, and tell them to create an SSL certificate for that DNS and install it into the proxy server software.

That will encrypt traffic between Firefox and the proxy server.

superclarkk commented 1 month ago

It may be that the proxy provider doesn't provide SSL proxies and what they mean is that the HTTP proxy can be used for HTTP & HTTPS sites, which is fine.

In that case, the proxy in FoxyProxy should be set as HTTP (and not HTTPS).

Wouldn't that mean traffic between the user and proxy would be unencrypted? If so, for sites that require login, surely that would be a major security concern?

erosman commented 1 month ago

Wouldn't that mean traffic between the user and proxy would be unencrypted? If so, for sites that require login, surely that would be a major security concern?

That is not the case. A proxy is simply a forwarder. It forwards from the source to the destination & back.

user -> proxy -> destination

When using an HTTP proxy and connecting to an HTTPS site, the encryption still occurs between the user & destination.

When using an HTTPS proxy, the communication is encrypted between user & proxy. Proxy then decrypts it and sends it to the destination. If the destination is HTTPS, then destination will re-encrypt it and send it back.

In other words, in case of HTTPS proxies and HTTPS target, it is encrypted twice going and twice returning.

As far as the destination is concerned, there is no difference between using an HTTP or HTTPS proxy.

In general, proxies have 2 primary and distinctive purposes:

For the 1st type, an HTTP proxy works better as additional decrypting affects speed and RAM/CPU usage (although generally negligible). For the 2nd type, an HTTPS/SOCKS proxy works better.

superclarkk commented 1 month ago

Thank you for the clarification. Sorry for any confusion I've caused. In retrospect, I think Foxy works as designed, and my provider is compatible with it. I'll close this issue.