
#896 ntlm proxy does not authenticate

closed-later
http (206)
5
2014-08-22
2010-02-02
Rich Coe
No

I was trying to download a file through an authentication proxy.
The authentication fails. I was able to get the file via firefox.

curl --get -L http://download.opensuse.org/distribution/11.1/repo/oss/content
options:
--proxy-ntlm
--proxy-user "myuser:mypass"
--proxy "proxy:8080"

version: curl-7.19.6
User-Agent: curl/7.19.6 (i686-pc-linux-gnu) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.10

I don't know if either or both of these differences are currently significant.

I did network traces of both http connections. At first I thought
curl was not sending the userid and hostname, but I found that curl is sending
them as text and firefox is sending them as unicode.

The only other difference I see is the NTLMSSP flags.
These are the flags sent by the proxy:
1... .... .... .... .... .... .... .... = Negotiate 56: Set
.1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
.... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set
.... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
.... .... .... ...1 .... .... .... .... = Negotiate Challenge Init Response: Set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

These are the flags returned to the proxy by firefox:
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

These are the flags returned to the proxy by curl:
1... .... .... .... .... .... .... .... = Negotiate 56: Set
.1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
.... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set
.... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
.... .... .... ...1 .... .... .... .... = Negotiate Challenge Init Response: Set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
.... .... .... .... .... .... .... .1.. = Request Target: Set
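
Added example (not part of the original report and not curl's code): the three flag dumps above as 32-bit words, with a check of which character set each reply declares for its user and host fields. The hex words are reconstructed from the bit rows; the OEM bit (0x00000002) does not appear in the dumps, and cp437 as the OEM codec is an assumption.

```python
# Labels are the Wireshark names shown in the report's dumps.
UNICODE, OEM = 0x00000001, 0x00000002  # OEM is set in none of the dumps
LABELS = {
    0x80000000: "Negotiate 56",
    0x40000000: "Negotiate Key Exchange",
    0x20000000: "Negotiate 128",
    0x02000000: "Negotiate 0x02000000",
    0x00800000: "Negotiate Target Info",
    0x00010000: "Negotiate Challenge Init Response",
    0x00008000: "Negotiate Always Sign",
    0x00000200: "Negotiate NTLM key",
    0x00000010: "Negotiate Sign",
    0x00000004: "Request Target",
    OEM: "Negotiate OEM",
    UNICODE: "Negotiate UNICODE",
}
# 32-bit flag words reconstructed from the three bit dumps in the report.
PROXY_CHALLENGE = 0xE2818215
FIREFOX_REPLY = 0x00008205
CURL_REPLY = 0xE2818214


def flag_names(flags):
    """Labels of every known bit set in a flag word, highest bit first."""
    return [name for bit, name in LABELS.items() if flags & bit]


def string_encoding(flags):
    """Codec the user/host fields of a message carrying these flags declare."""
    if flags & UNICODE:
        return "utf-16-le"
    if flags & OEM:
        return "cp437"  # assumption: stand-in for the peer's OEM code page
    return None  # neither character-set bit is set


def audit_reply(challenge, reply):
    """List character-set inconsistencies between a challenge and a reply."""
    findings = []
    if challenge & UNICODE and not reply & UNICODE:
        findings.append("challenge set UNICODE, reply cleared it")
    if string_encoding(reply) is None:
        findings.append("reply sets neither UNICODE nor OEM")
    return findings


def encode_field(text, flags):
    """Encode a user or host name the way the reply's flags declare it."""
    codec = string_encoding(flags)
    if codec is None:
        raise ValueError("flags declare no character set")
    return text.encode(codec)
```

`audit_reply(PROXY_CHALLENGE, CURL_REPLY)` returns both findings, while the Firefox reply returns none.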

Discussion

  • Rich Coe

    Rich Coe - 2010-02-03

    Proxy is 'powered by Astaro'.

    I experimented with two settings.
    The first experiment was with setting the NTLM flags the same as ff, but
    with keeping the unicode bit turned off.

    The second experiment was with keeping the NTLM flags set, sending the
    user-id and hostname as UNICODE and setting the unicode bit turned on.

    I was only able to successfully authenticate with sending the userid and
    hostname as unicode.

     
  • Daniel Stenberg

    Daniel Stenberg - 2010-02-04

    A related discussion on what seems to be the same lacking feature is here:

    http://www.mail-archive.com/curl-library@cool.haxx.se/msg02691.html

    This is not so much a bug but something we never have supported. I'd like to see us do it, but I don't have any means to test and I don't have any use for it myself.

     
  • Daniel Stenberg

    Daniel Stenberg - 2010-02-14

    This bug is now added to the KNOWN_BUGS document as #75. As there's nobody working on this, this bug entry is set to 'later' and will be closed soonish unless someone speaks up.

     
  • Daniel Stenberg

    Daniel Stenberg - 2010-02-14
    • status: open --> pending-later
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • SourceForge Robot

    • status: pending-later --> closed-later