How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- Subject: How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- From: Motti Shneor <email@hidden>
- Date: Mon, 05 Sep 2016 16:51:22 +0300
Hello everyone.
We use C++ boost asyncio for cross-platform networking. Hence, on Mac OS-X, we can’t use higher-level APIs (such as NSURLSession). We use our own proprietary binary protocol, but we need to pass it sometimes through an HTTP proxy on client sites. We use the “HTTP Connect” command to make a secure tunnel through the proxy, and work as normal. This works fine (Mac, Linux, Windows etc.) when we provide proxy configuration of our own.
Now I’m trying to integrate with the OS-X normal proxy settings. I found the great (if old) code-sample CFProxySupportTool, read lots of documentation, and was able to neatly read and support HTTP, HTTPS, Auto-Configured and PAC based settings.
Yet, the credential keys in CFProxySupport (username and password) are normally empty, as they are stored in the keychain. I found a way to find and read credentials from the key-chain, but my test tool always triggers a dialog, asking the user permission to allow it access to the key-chain. Very reasonable for an App.
I tried this as root (our product is a monitoring tool, running as a systemwide daemon, managed by launchd, always running as root) but that only complicated things further - not only did the dialog pop up - my code no longer accessed the correct key-chain (the login key-chain of the active user) but rather the system key-chain where the credentials are missing.
My questions:
1. Why don’t Safari, Mail, Photos, and other standard apps trigger such a dialog when they clearly use proxy settings (including credentials) to go to the internet? Is this behavior acceptable, and how is it done?
2. All proxy settings seem to be system-wide. Why do the credentials reside in the active user’s Login keychain, instead of the “System” keychain? Is there at all a way (except for manually editing the keychains) to set up proxies for ALL users, including credentials?
3. Could I, at the time of installation of my product, ask once for this access, and have this “trust” saved for my installed daemon? That will be acceptable, as IT install our tool, and have rights for this. If this is possible - where and how could I do it?
4. Could I avoid the whole proxy-authentication protocol, and use some OS-X API that would do it for me (in the likes of NSURLSession)? Is there some official lower-level API to do this? Otherwise I need to implement all kinds of authentication schemes (Kerberos, NTLM, digest etc.), which seems silly on an OS that already knows how to do it. Clearly the OS implementation will be superior to mine...
Any hint will be greatly appreciated.
Thanks!
Motti Shneor
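
The "HTTP Connect" exchange the post describes, and the 407 reply in which a proxy lists the authentication schemes named in question 4, as an added example that is not part of the original post or the poster's code. `build_connect`, `parse_connect_reply` and `ConnectReply` are hypothetical names, the code only handles the wire format and does not touch the Keychain.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Build the CONNECT request that opens a tunnel to host:port via the proxy.
// proxy_auth is a ready-made Proxy-Authorization value, or empty for none.
std::string build_connect(const std::string& host, unsigned port,
                          const std::string& proxy_auth = "") {
    const std::string target = host + ":" + std::to_string(port);
    std::string req = "CONNECT " + target + " HTTP/1.1\r\nHost: " + target + "\r\n";
    if (!proxy_auth.empty()) req += "Proxy-Authorization: " + proxy_auth + "\r\n";
    return req + "\r\n";
}

struct ConnectReply {
    int status = 0;                    // 200 = tunnel open, 407 = auth required
    std::vector<std::string> schemes;  // lower-cased schemes the proxy offers
};

// Parse the proxy's response head (status line and headers up to the blank line).
// Assumption: one challenge per Proxy-Authenticate line; only its scheme is kept.
ConnectReply parse_connect_reply(const std::string& head) {
    ConnectReply r;
    std::istringstream in(head);
    std::string line;
    if (std::getline(in, line)) {
        std::istringstream sl(line);
        std::string version;
        sl >> version >> r.status;     // e.g. "HTTP/1.1 407 ..."
        if (version.compare(0, 5, "HTTP/") != 0) r.status = 0;
    }
    while (std::getline(in, line) && line != "\r" && !line.empty()) {
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string name = line.substr(0, colon);
        std::transform(name.begin(), name.end(), name.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        if (name != "proxy-authenticate") continue;  // header names are case-insensitive
        std::istringstream val(line.substr(colon + 1));
        std::string scheme;
        val >> scheme;                 // first token is the scheme name
        std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        if (!scheme.empty()) r.schemes.push_back(scheme);
    }
    return r;
}
```

A status of 200 means the tunnel is open and the proprietary protocol can start; a 407 means the client must retry the CONNECT with a `Proxy-Authorization` header for one of the listed schemes.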