cURL / Mailing Lists / curl-library / Single Mail


Re: NTLMv2

From: Bharat Varma <>
Date: Tue, 20 Jan 2009 11:59:04 +0530

2009/1/20 Daniel Stenberg <>

> On Mon, 19 Jan 2009, Bharat Varma wrote:
> Now that NTLMv2 has been opened up my MS sometime back, does libcurl
>> support NTLMv2 ?
> Opened up? How opened up? And no, libcurl doesn't support it. I'll welcome
> patches.
> Would SSPI support now enabled on curl, would it help getting through
>> NTLMv2 ?
> I don't know. Try it and tell us how it works!
> Or do we need to accept Domain, username, password information from the
>> user ?
> How is that related to NTLMv2? AFAIK you don't need to provide that info
> for the regular SSPI NTLM auth so I would expect that to be the same for v2.
> --
> /

Here are my observations so far after some tests I ran yesterday.. I don't
know much about whether the curl headers dump gives any info about whether
the proxy is NTLM or NTLM v2. But information below might help.

1. Tried program based on curl 7.17.x some 10 months back ( may be an
earlier version.. Whatever was the version that was latest last year this
time) in an NTLM environment. I remember thinking it is NTLMv2. I failed to
connect through the proxy.

2. Tried SSPI & SSL enabled Curl 7.19.2 this time - same environment. This
time, there was a BlueCoat proxy (one of the best proxy/firewall products in
the market and also one of the most expensive) too. I was able to fetch the
auto configuration script file from Internet Explorer using the wininet API,
feed the file to the pacparser library (3rd party) and use the resultant
proxy for the curl handle.

Both times, I had a friend run the tests and the company is a reasonably big
name in the software industry. It definitely has NTLM and I think there is a
good chance that it has NTLM v2 authentication.

The settings I used -

curl_easy_setopt(m_curlHandle, CURLOPT_PROXY, proxyAddress.c_str());
curl_easy_setopt(m_curlHandle, CURLOPT_USERPWD, "");
curl_easy_setopt(m_curlHandle, CURLOPT_HTTPPROXYTUNNEL, 1);
curl_easy_setopt(m_curlHandle, CURLOPT_PROXYAUTH, CURLAUTH_ANY);

On top of this, I did a CONNECT_ONLY and got the socket using

On this socket, I ran a trivial echo protocol and I got through without any
hassles. I am going to run a couple more with a binary data transfer
protocol this time and will update this list based on the observations. If
there is any way I can dump headers so that we can see if it is NTLM or
NTLMv2, I can write a small program and post the headers.
Received on 2009-01-20