
curl-library

Re: Problem with NTLM proxy authentication

From: Ulrich Telle <Ulrich.Telle_at_gmx.de>
Date: Thu, 11 Sep 2014 21:45:42 +0200
Steve,

> > One difference I see in the source code of the SSPI authentication
> > module of Firefox is that SSPI function InitializeSecurityContext is
> > called without any of the flags libcurl is using:
>
> I wonder whether we are being "too strict" in some respects. The libcurl
> NTLM SSPI code (as far as I can remember) has been like that for years.
>
> Have you tried and if not can you try removing some or even all of
> those flags and passing 0 in your version of libcurl?

I created a libcurl version in which I replaced the combination of flags

ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONNECTION

by simply 0 (zero) (which is equivalent to ISC_REQ_CONNECTION according to the documentation of InitializeSecurityContext).

I tested this new version within my own company: it (still) worked. So it seems the flags are not required for normal operation.

Then, this morning I asked one user in Far East and one user in Germany to perform a test. For both the test succeeded. That is, removing the flags seems to have done the trick.

I have no explanation why the flags seem to have had such a negative effect for some of the users.

However, after googling again for some time I found this URL

https://code.google.com/p/serf/issues/detail?id=147

regarding ISC_REQ_CONFIDENTIALITY, stating that it has no effect for HTTP;

and this URL

https://bugreports.qt-project.org/browse/QTBUG-17322

where someone experienced the same problem with the error code SEC_E_INVALID_TOKEN from InitializeSecurityContext. In this thread Shane Kearns added a comment - 27/Jun/12 12:50 PM stating:

"ISC_REQ_CONFIDENTIALITY seems to be the one causing a problem. However I don't think we need replay detection either - the proxy is authenticating us rather than the other way around.  ..."


My conclusion is that it seems to be better to remove the flags.

Regards,

Ulrich
--
E-Mail privat:  Ulrich.Telle@gmx.de
World Wide Web: http://www.telle-online.de

  

Received on 2014-09-11
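
An added diagnostic example in Python, not code from this thread or from libcurl: it decodes the NTLM Type 1 (negotiate) token a client sends in a Proxy-Authorization header and reports whether signing or sealing was requested, so builds with and without the flags can be compared on the wire. That ISC_REQ_CONFIDENTIALITY and ISC_REQ_REPLAY_DETECT surface as NTLMSSP_NEGOTIATE_SEAL and NTLMSSP_NEGOTIATE_SIGN is taken from the NTLM specification (MS-NLMP), not from the thread; the function names and sample flag values are constructed for illustration.

```python
import base64
import struct

# NegotiateFlags bits defined in the NTLM specification (MS-NLMP).
NTLMSSP_NEGOTIATE_SIGN = 0x00000010  # message integrity / replay detection
NTLMSSP_NEGOTIATE_SEAL = 0x00000020  # message confidentiality
NTLM_SIGNATURE = b"NTLMSSP\x00"


def parse_negotiate_flags(header_value):
    """Return NegotiateFlags from an 'NTLM <base64>' Type 1 header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM authorization value")
    raw = base64.b64decode(blob.strip(), validate=True)
    if len(raw) < 16 or raw[:8] != NTLM_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    # Message type and NegotiateFlags are little-endian 32-bit fields.
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("not a Type 1 (negotiate) message")
    return flags


def requested_protection(flags):
    """Report whether the client asked for signing and/or sealing."""
    return {
        "sign": bool(flags & NTLMSSP_NEGOTIATE_SIGN),
        "seal": bool(flags & NTLMSSP_NEGOTIATE_SEAL),
    }


def build_sample(flags):
    """Constructed Type 1 message with empty domain/workstation fields."""
    raw = NTLM_SIGNATURE + struct.pack("<II", 1, flags) + bytes(16)
    return "NTLM " + base64.b64encode(raw).decode("ascii")


# Constructed flag values, not captured from the systems in the thread.
BASE_FLAGS = 0x00008207  # Unicode, OEM, request target, NTLM, always sign
SAMPLE_PLAIN = build_sample(BASE_FLAGS)
SAMPLE_PROTECTED = build_sample(
    BASE_FLAGS | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
)

if __name__ == "__main__":
    for name, value in (("plain", SAMPLE_PLAIN), ("protected", SAMPLE_PROTECTED)):
        flags = parse_negotiate_flags(value)
        print(name, hex(flags), requested_protection(flags))
```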