
curl-tracker mailing list Archives

[ curl-Bugs-1233264 ] HTTP proxy tunneling with NTLM proxy authenticate won't work

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Thu, 18 Aug 2005 04:43:21 -0700

Bugs item #1233264, was opened at 2005-07-06 11:10
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1233264&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: wrong behaviour
>Status: Closed
>Resolution: Later
Priority: 6
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: HTTP proxy tunneling with NTLM proxy authenticate won't work

Initial Comment:
Well, not much more to add ...
I have an ISA server here which required NTLM
authentication and I'm trying to tunnel the proxy ... but
obviously Curl_ConnectHTTPProxyTunnel isn't quite
capable of this:

* About to connect() to 192.168.100.2 port 8080
* Trying 192.168.100.2... * connected
* Connected to 192.168.100.2 (192.168.100.2) port 8080
* Establish HTTP proxy tunnel to potsdam:80
> CONNECT potsdam:80 HTTP/1.0
Host: potsdam:80
Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required ( Der ISA
Server erfordert Autorisierung, um die Anforderung durchführen zu
können. Der Zugriff auf den Webproxydienst wird
verweigert. )
< Via: 1.1 ISA-SERVER
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 757
<
* Proxy auth using NTLM with user 'Administrator'
> CONNECT potsdam:80 HTTP/1.0
Host: potsdam:80
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACA
AAAA=
Proxy-Connection: Keep-Alive

* Proxy CONNECT aborted
* Closing connection #0
error (56): Proxy CONNECT aborted

As you might be seeing: libcurl tries to reuse the
connection but the proxy has already closed it.
ConnectHTTPProxyTunnel doesn't notice this, tries to
send its type1-packet to the server of the
already-closed-connection and ... BANG!

:-/

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2005-08-18 13:43

Message:
Logged In: YES
user_id=1110

This is now an issue that is being looked into. It might not
reach 7.14.1 but it isn't forgotten. The CONNECT patch in
recent libcurl mailing list discussion addresses this
problem (and others). It is however not complete yet and it
might take some additional weeks/months before it is.

Closing this for now.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2005-07-06 13:08

Message:
Logged In: YES
user_id=1110

Ah, I didn't notice that but yes your analysis sounds about
right.

This needs attention.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2005-07-06 13:00

Message:
Logged In: NO

By the way: I don't think it's related to the handling of 407 at all.
When connecting to the proxy, libcurl never checks whether
the server sends "Proxy-Connection: close". Because of that it
supposes "Proxy-Connection: keep-alive" (as sent by itself) is
still valid and therefore tries to reuse the connection which
obviously won't work in this case ...

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2005-07-06 12:55

Message:
Logged In: NO

no, latest CVS doesn't work as well:

curl version: libcurl/7.14.1-20050706 OpenSSL/0.9.7g zlib/1.2.2
* About to connect() to 192.168.100.2 port 8080
* Trying 192.168.100.2... * connected
* Connected to 192.168.100.2 (192.168.100.2) port 8080
* Establish HTTP proxy tunnel to potsdam:443
> CONNECT potsdam:443 HTTP/1.0
Host: potsdam:443
Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required ( Der ISA
Server erfordert Autorisierung, um die Anforderung durchführen zu
können. Der Zugriff auf den Webproxydienst wird
verweigert. )
< Via: 1.1 ISA-SERVER
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 757
<
* Ignore 757 bytes of response-body
* Proxy auth using NTLM with user 'User'
> CONNECT potsdam:443 HTTP/1.0
Host: potsdam:443
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAA
A=
Proxy-Connection: Keep-Alive

* Proxy CONNECT aborted
* Closing connection #0
error (56): Proxy CONNECT aborted

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2005-07-06 12:42

Message:
Logged In: NO

When CURLOPT_PROXYAUTH is set to CURLAUTH_NTLM
(instead of e.g. CURLAUTH_ANY) then it works (because the
type1-message is immediately sent). But I would consider that
a work-around ...

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2005-07-06 11:59

Message:
Logged In: YES
user_id=1110

This is a bug in how libcurl treats 407 with response-body
during auth negotiation with CONNECT. Please try the most
recent daily snapshot and see if that works better for you.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2005-07-06 11:52

Message:
Logged In: NO

For comparison: Opera tries the same:

----- request -----
CONNECT potsdam:443 HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0; .NET CLR 1.1.4322)

Host: potsdam
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
----- reply ----
HTTP/1.1 407 Proxy Authentication Required ( Der ISA Server
erfordert Autorisierung, um die Anforderung durchf..hren zu k..
nnen. Der Zugriff auf den Webproxydienst wird verweigert. )
Via: 1.1 ISA-SERVER
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 757
----- content follows, connection closed -----

But after that Opera connects again, sends its type1-packet,
gets the response and finally succeeds (all over the same
connection):

----- request -----
CONNECT potsdam:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0; .NET CLR 1.1.4322)
Host: potsdam
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB4IAogAAAAAAAAAAAAAAAAAAAA
AFAJMIAAAADw==
----- response -----
HTTP/1.1 407 Proxy Authentication Required ( Zugriff
verweigert )
Via: 1.1 ISA-SERVER
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAFAAUADgAAAAFgoKitsyWTopPhsEA
AAAAAAAAAGQAZABMAAAABQCTCAAAAA9JAFMAQQAt
AFMARQBSAFYARQBSAAIAFABJAFMAQQAtAFMARQBSA
FYARQBSAAEAFABJAFMAQQAtAFMARQBSAFYARQBSA
AQAFABpAHMAYQAtAHMAZQByAHYAZQByAAMAFABpAH
MAYQAtAHMAZQByAHYAZQByAAAAAAA=
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0
----- 2nd request -----
CONNECT potsdam:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0; .NET CLR 1.1.4322)
Host: potsdam
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAA4ADg
BIAAAAGgAaAFYAAAAOAA4AcAAAAAAAAACuAAAABYK
AogUAkwgAAAAPSwBTAEUAWQBEAEUATABBAGQAbQBp
AG4AaQBzAHQAcgBhAHQAbwByAEsAUwBFAFkARABFAE
wA+OhgoFmZ4ADySZG6W3p/USjtmnChT5qt0PUUX2dtGkZNr
f6g1ZSMWU2Qx1CjcELg
----- 2nd response -----
HTTP/1.1 200 Connection established
Via: 1.1 ISA-SERVER

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1233264&group_id=976
_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-tracker
Received on 2005-08-18
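
The reuse decision discussed in the thread above (honouring `Connection: close` / `Proxy-Connection: close` on a 407 before sending the NTLM type-1 message), as an added example that is not libcurl's code or the project's fix. The function and enum names are hypothetical, and the sample responses are constructed to mirror the shape of the quoted traces.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum next_step { TUNNEL_READY, RETRY_SAME_CONN, RECONNECT_AND_RETRY, FAIL };

/* Case-insensitive helpers: prefix match, and token search in [val, end). */
static int starts_with(const char *s, const char *prefix) {
  for (; *prefix; s++, prefix++)
    if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
  return 1;
}

static int has_token(const char *val, const char *end, const char *token) {
  for (size_t n = strlen(token); val + n <= end; val++)
    if (starts_with(val, token)) return 1;
  return 0;
}

/* What a CONNECT client must do after this proxy response head (status line + headers). */
enum next_step after_proxy_response(const char *hdrs) {
  int major = 0, minor = 0, status = 0, saw_close = 0, saw_keep = 0, keep;
  if (sscanf(hdrs, "HTTP/%d.%d %d", &major, &minor, &status) != 3) return FAIL;
  for (const char *p = strchr(hdrs, '\n'); p && p[1]; p = strchr(p + 1, '\n')) {
    const char *line = p + 1, *val, *end = strchr(line, '\n');
    if (!end) end = line + strlen(line);
    if (starts_with(line, "connection:")) val = line + 11;
    else if (starts_with(line, "proxy-connection:")) val = line + 17;
    else continue;
    saw_close |= has_token(val, end, "close");
    saw_keep |= has_token(val, end, "keep-alive");
  }
  /* HTTP/1.1 persists unless told to close; HTTP/1.0 closes unless keep-alive. */
  keep = (major > 1 || minor >= 1) ? !saw_close : (saw_keep && !saw_close);
  if (status >= 200 && status < 300) return TUNNEL_READY;
  if (status != 407) return FAIL;
  return keep ? RETRY_SAME_CONN : RECONNECT_AND_RETRY; /* never reuse a closed socket */
}

/* Constructed samples shaped like the responses quoted in the thread. */
static const char FIRST_407[] = "HTTP/1.1 407 Proxy Authentication Required\r\n"
  "Proxy-Authenticate: NTLM\r\nConnection: close\r\nProxy-Connection: close\r\n\r\n";
static const char CHALLENGE_407[] = "HTTP/1.1 407 Proxy Authentication Required\r\n"
  "Proxy-Authenticate: NTLM <type-2 placeholder>\r\nProxy-Connection: Keep-Alive\r\n\r\n";
static const char OK_200[] = "HTTP/1.1 200 Connection established\r\n\r\n";

int main(void) {
  printf("%d %d %d\n", after_proxy_response(FIRST_407),
         after_proxy_response(CHALLENGE_407), after_proxy_response(OK_200));
  return 0;
}
```

The first 407 maps to a reconnect before the type-1 message is sent, while the later type-2 challenge (sent with `Proxy-Connection: Keep-Alive`) must be answered on the same connection because NTLM authenticates the connection itself.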
