curl / Mailing Lists / curl-library / Single Mail


Re: NTLMV2 authentication;

From: Markus Moeller via curl-library <>
Date: Sun, 16 Dec 2018 14:52:46 -0000

Hi Daniel,

   It seems a bit more complicated. i.e. it is not "curl is fired up using
the command line" but a separate binary is called libauthretry. The tests
are assuming XP based LMcompatibility settings without using any random
challenge string which is used with the more secure NTLM auth methods. I
have now set the NTLM negotiate flags for the tests to be Lan manager only
( i.e. XP or older). So the tests should now work.

  As far as I understand despite the NTLM flags there is no real negotiation
of the NTLM version used i.e. the client will use a registry setting to use
more secure NTLM auth. It would mean curl needs a lmcompatibility option.
But instead of that I made some assumption based on the NTLM flags in the
challenge (type-2 response). i.e.

  if ONLY "Negotiate Lan Manager Key" is set use the existing old response
  if "Negotiate NTLM key" is set and "Negotiate Extended Security" is not
set use NTLM
  if "Negotiate Extended Security" is set use NTLMv2

  Would that make sense ?


-----Original Message-----
From: Daniel Stenberg
Sent: Friday, December 14, 2018 2:38 PM
To: Markus Moeller
Cc: Markus Moeller via curl-library
Subject: Re: NTLMV2 authentication;

On Fri, 14 Dec 2018, Markus Moeller wrote:

> Yes I mean exactly these tests. I could not yet figure which binary is
> creating the NTLM strings for the tests. I also have not yet checked how
> exactly the NTLM token string is created and I assume there is now some
> random string in hit when using NTLMv2.

These curl tests work like this:

A script reads tests/data/testNNNN where NNNN is the test number. This file
a test case description in an XML-like description language.

The script then starts one of more test servers as detailed in the test.

curl is fired up using the command line specified in the test file, using
test servers.

Finally, the script verifies that curl returned the right exit code, store
right output and used the protocols exactly as the test case specifies.


So, whenever we change curl to work different than before one or more test
cases are *likely* and *presumed* to fail since we change how curl speaks
protocols. The test cases then need to be updated and told exactly what the
new way of speaking looks like.

In your case, your changing NTLM details so you need tell the tests now what
the new correct strings are instead of the strings that were formerly the
correct ones.

I can only urge you to actually run these tests yourself on your own
see the failures happen and then update them to fix the failures.

So, it is *curl* that sends the protocol string that is now different than
before, because your change modified what curl does for NTLM.

Received on 2018-12-16