First, configure Chrome to use a PAC file for proxy configuration. I went to my Ethernet settings and entered file:///home/chronos/user/Downloads/proxy.pac in the "Autoconfiguration URL" field. /home/chronos/user/Downloads/proxy.pac contains the following:

function FindProxyForURL(url, host) {
  return "PROXY proxy.example.com:8080; DIRECT";
}

Then restart the tlsdated service and look at /var/log/tlsdate.log. I see the following:

2017-04-26T16:40:02.004091-07:00 INFO tlsdated[17377]: [event:cros:handle_proxy_change]: fired
2017-04-26T16:40:02.004157-07:00 NOTICE tlsdate[17378]: pac_fmt unmatched: 'DIRECT;PROXY proxy.example.com:8080' 12
2017-04-26T16:40:02.004194-07:00 INFO tlsdated[17377]: pac_fmt unmatched: 'DIRECT;PROXY proxy.example.com:8080' 12

Earlier, I was seeing the following:

2017-04-26T16:33:11.004183-07:00 NOTICE tlsdate[16669]: [event:cros:handle_proxy_change]: fired
2017-04-26T16:33:11.004195-07:00 INFO tlsdated[16668]: [event:cros:handle_proxy_change]: fired
2017-04-26T16:33:11.004341-07:00 NOTICE tlsdate[16669]: invalid host:port: proxy.example.com:8080;DIRECT
2017-04-26T16:33:11.004374-07:00 INFO tlsdated[16668]: invalid host:port: proxy.example.com:8080;DIRECT

In src/platform-cros.c, I see the following TODO:

/* Convert PAC return format to tlsdated url format */
/* TODO(wad) support multiple proxies when Chromium does:
 * PROXY x.x.x.x:yyyy; PROXY z.z.z.z:aaaaa
 */
static
void
canonicalize_pac (const char *pac_fmt, char *proxy_url, size_t len)
{
...

I think that Chrome may *always* return "DIRECT" as an option when a PAC file is specified, which would mean that tlsdated would never work in this case. I don't know when it last worked, if ever.

Luckily, it looks like manually-configured proxies are returned as a single entry, so tlsdated works then.

canonicalize_pac() is a bunch of C string manipulation code without any tests and I'm reluctant to touch it.