
curl-tracker mailing list Archives

[ curl-Bugs-1233264 ] HTTP proxy tunneling with NTLM proxy authenticate won't work

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Wed, 06 Jul 2005 03:55:38 -0700

Bugs item #1233264, was opened at 2005-07-06 02:10
Message generated for change (Comment added) made by nobody
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1233264&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: HTTP proxy tunneling with NTLM proxy authenticate won't work

Initial Comment:
Well, not much more to add ...
I have an ISA server here which required NTLM
authentication and I'm trying to tunnel the proxy ... but
obviously Curl_ConnectHTTPProxyTunnel isn't quite
capable of this:

* About to connect() to 192.168.100.2 port 8080
* Trying 192.168.100.2... * connected
* Connected to 192.168.100.2 (192.168.100.2) port 8080
* Establish HTTP proxy tunnel to potsdam:80
> CONNECT potsdam:80 HTTP/1.0
Host: potsdam:80
Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required ( Der ISA
Server erfordert Autorisierung, um die Anforderung durchführen zu
können. Der Zugriff auf den Webproxydienst wird
verweigert. )
< Via: 1.1 ISA-SERVER
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 757
<
* Proxy auth using NTLM with user 'Administrator'
> CONNECT potsdam:80 HTTP/1.0
Host: potsdam:80
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACA
AAAA=
Proxy-Connection: Keep-Alive

* Proxy CONNECT aborted
* Closing connection #0
error (56): Proxy CONNECT aborted

As you might be seeing: libcurl tries to reuse the
connection but the proxy has already closed it.
ConnectHTTPProxyTunnel doesn't notice this, tries to
send its type1-packet to the server of the
already-closed-connection and ... BANG!

:-/

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2005-07-06 03:55

Message:
Logged In: NO

No, latest CVS doesn't work either:

curl version: libcurl/7.14.1-20050706 OpenSSL/0.9.7g zlib/1.2.2
* About to connect() to 192.168.100.2 port 8080
* Trying 192.168.100.2... * connected
* Connected to 192.168.100.2 (192.168.100.2) port 8080
* Establish HTTP proxy tunnel to potsdam:443
> CONNECT potsdam:443 HTTP/1.0
Host: potsdam:443
Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required ( Der ISA
Server erfordert Autorisierung, um die Anforderung durchführen zu
können. Der Zugriff auf den Webproxydienst wird
verweigert. )
< Via: 1.1 ISA-SERVER
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 757
<
* Ignore 757 bytes of response-body
* Proxy auth using NTLM with user 'User'
> CONNECT potsdam:443 HTTP/1.0
Host: potsdam:443
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAA
A=
Proxy-Connection: Keep-Alive

* Proxy CONNECT aborted
* Closing connection #0
error (56): Proxy CONNECT aborted

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2005-07-06 03:42

Message:
Logged In: NO

When CURLOPT_PROXYAUTH is set to CURLAUTH_NTLM
(instead of e.g. CURLAUTH_ANY) then it works (because the
type1-message is immediately sent). But I would consider that
a work-around ...

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2005-07-06 02:59

Message:
Logged In: YES
user_id=1110

This is a bug in how libcurl treats 407 with response-body
during auth negotiation with CONNECT. Please try the most
recent daily snapshot and see if that works better for you.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2005-07-06 02:52

Message:
Logged In: NO

For comparison: Opera tries the same:

----- request -----
CONNECT potsdam:443 HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0; .NET CLR 1.1.4322)

Host: potsdam
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
----- reply ----
HTTP/1.1 407 Proxy Authentication Required ( Der ISA Server
erfordert Autorisierung, um die Anforderung durchf..hren zu k..
nnen. Der Zugriff auf den Webproxydienst wird verweigert. )
Via: 1.1 ISA-SERVER
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 757
----- content follows, connection closed -----

But after that Opera connects again, sends its type1-packet,
gets the response and finally succeeds (all over the same
connection):

----- request -----
CONNECT potsdam:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0; .NET CLR 1.1.4322)
Host: potsdam
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB4IAogAAAAAAAAAAAAAAAAAAAA
AFAJMIAAAADw==
----- response -----
HTTP/1.1 407 Proxy Authentication Required ( Zugriff
verweigert )
Via: 1.1 ISA-SERVER
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAFAAUADgAAAAFgoKitsyWTopPhsEA
AAAAAAAAAGQAZABMAAAABQCTCAAAAA9JAFMAQQAt
AFMARQBSAFYARQBSAAIAFABJAFMAQQAtAFMARQBSA
FYARQBSAAEAFABJAFMAQQAtAFMARQBSAFYARQBSA
AQAFABpAHMAYQAtAHMAZQByAHYAZQByAAMAFABpAH
MAYQAtAHMAZQByAHYAZQByAAAAAAA=
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0
----- 2nd request -----
CONNECT potsdam:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0; .NET CLR 1.1.4322)
Host: potsdam
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAA4ADg
BIAAAAGgAaAFYAAAAOAA4AcAAAAAAAAACuAAAABYK
AogUAkwgAAAAPSwBTAEUAWQBEAEUATABBAGQAbQBp
AG4AaQBzAHQAcgBhAHQAbwByAEsAUwBFAFkARABFAE
wA+OhgoFmZ4ADySZG6W3p/USjtmnChT5qt0PUUX2dtGkZNr
f6g1ZSMWU2Qx1CjcELg
----- 2nd response -----
HTTP/1.1 200 Connection established
Via: 1.1 ISA-SERVER

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1233264&group_id=976
_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-tracker
Received on 2005-07-06
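
The condition reported in this thread (a 407 that offers NTLM but also says `Connection: close`, so the type-1 message needs a fresh connection), as an added example that is not libcurl code and not part of the original thread. The names `parse_407`, `ntlm_needs_new_connection` and the sample reply are assumptions made for the illustration.

```c
#include <ctype.h>
#include <string.h>

enum { AUTH_NEGOTIATE = 1, AUTH_KERBEROS = 2, AUTH_NTLM = 4 };
/* schemes: offered Proxy-Authenticate bitmask; closes: proxy drops the socket */
struct proxy407 { unsigned schemes; int closes; };
/* Constructed sample, modelled on the first 407 reply in the trace. */
const char SAMPLE_407_CLOSE[] =
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: Kerberos\r\n"
    "Proxy-Authenticate: NTLM\r\nConnection: close\r\n"
    "Proxy-Connection: close\r\nContent-Length: 757\r\n\r\n<html>";

/* Case-insensitive test: does s start with p? */
static int starts_ci(const char *s, const char *p) {
    for (; *p; s++, p++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
    return 1;
}
/* Value of header `name` at the start of line, or NULL if it is another header. */
static const char *header_value(const char *line, const char *name) {
    size_t n = strlen(name);
    if (!starts_ci(line, name) || line[n] != ':') return NULL;
    for (line += n + 1; *line == ' ' || *line == '\t'; line++) {}
    return line;
}
/* Parse status line and headers of a 407 reply; stops at the blank line. */
struct proxy407 parse_407(const char *msg) {
    struct proxy407 r = {0, 0};
    const char *v;
    while (*msg && *msg != '\r' && *msg != '\n') {
        if ((v = header_value(msg, "Proxy-Authenticate")) != NULL) {
            if (starts_ci(v, "NTLM")) r.schemes |= AUTH_NTLM;
            else if (starts_ci(v, "Negotiate")) r.schemes |= AUTH_NEGOTIATE;
            else if (starts_ci(v, "Kerberos")) r.schemes |= AUTH_KERBEROS;
        } else if ((v = header_value(msg, "Connection")) != NULL ||
                   (v = header_value(msg, "Proxy-Connection")) != NULL) {
            if (starts_ci(v, "close")) r.closes = 1;
        }
        msg += strcspn(msg, "\r\n");   /* advance to the next header line */
        if (*msg == '\r') msg++;
        if (*msg == '\n') msg++;
    }
    return r;
}
/* 1 = reconnect to the proxy before sending the NTLM type-1 message. */
int ntlm_needs_new_connection(struct proxy407 r) {
    return (r.schemes & AUTH_NTLM) != 0 && r.closes;
}
```

For the second 407 in the Opera trace (`Connection: Keep-Alive` with an NTLM type-2 challenge) the same check returns 0, so the type-3 message goes out on the existing connection.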

These mail archives are generated by hypermail.

Page updated November 12, 2010.