Bugs item #2799008, was opened at 2009-05-31 08:06
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2799008&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Aaron Oneal (incarnadine)
Assigned to: Daniel Stenberg (bagder)
Summary: POST + NTLM broken

Initial Comment:
Using 7.19.5, it is not possible to use NTLM and do a POST against a server like IIS7.

Flow:
1. Request w/ content length but no body! <== bad libcurl! must send body or 0 content length
2. Response 401 authorization required
3. Request (NTLM authorized) w/ content length + body
4. Response 400 bad request

IIS correctly tells libcurl to go away with its authorized request because it didn't finish sending the body from the first request.

I discovered this while trying to do what I would expect is a very common scenario -- use libcurl (via Axis2/C) to send a SOAP request to a web service.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2009-06-01 13:56

Message:
isn't this then as test 267? It _does_ send a Content-Length: 0 btw so your
case must obviously be different. The question is probably How?

----------------------------------------------------------------------

Comment By: Aaron Oneal (incarnadine)
Date: 2009-05-31 21:31

Message:
I checked out lib553.c and see it's using CURLOPT_READFUNCTION instead of
CURLOPT_POSTFILEDS, but otherwise I don't notice anything out of the
ordinary (besides it not using NTLM). The other tests are in a format I'm
not familiar with.

It could be the server the test suite runs against isn't waiting around
for the body of the first request once it sends the 401 and so the test is
passing.

You can see from the traces though what's going across the wire and this
would seem to indicate a problem.

----------------------------------------------------------------------

Comment By: Aaron Oneal (incarnadine)
Date: 2009-05-31 18:07

Message:
The Expect header is not being sent in the request and the server responds
immediately with a 401. I looked at the Axis2/C code and it explicitly sets
the header to "Expect:" which I presume is how you tell libcurl not to send
the header, though I don't know why they would do that. I'll have a look at
those tests to see if I can compare it with what the Axis2/C code is doing
and will also attach the relevant file here.

I have attached a NetMon 3.3 trace which demonstrates the problem.

You can grab NetMon here if you don't have it handy:
http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

----------------------------------------------------------------------

Comment By: Dan Fandrich (dfandrich)
Date: 2009-05-31 08:26

Message:
This is a common scenario and it has several tests in the curl test suite
(e.g. 267, 553, 1100). How does your scenario differ from those? Are you
sure you're not running into libcurl's Expect: 100-continue behaviour,
which is desired? Can you post the log of your failing session so we can
see exactly what's going on?

----------------------------------------------------------------------

Comment By: Aaron Oneal (incarnadine)
Date: 2009-05-31 08:14

Message:
Also worth mentioning, I'm using MinGW and building as follows:
mingw32-make -f Makefile.m32 libcurl.a SSL=1 ZLIB=1 SSPI=1 IPV6=1

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2799008&group_id=976
Received on 2009-06-01