curl-tracker mailing list Archives

[ curl-Bugs-2944325 ] ntlm proxy does not authenticate

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Thu, 04 Feb 2010 18:42:35 +0000

Bugs item #2944325, was opened at 2010-02-02 03:31
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2944325&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Rich Coe (rhcoe)
Assigned to: Daniel Stenberg (bagder)
Summary: ntlm proxy does not authenticate

Initial Comment:
I was trying to download a file through an authentication proxy.
The authentication fails. I was able to get the file via firefox.

curl --get -L http://download.opensuse.org/distribution/11.1/repo/oss/content
options:
    --proxy-ntlm
    --proxy-user "myuser:mypass"
    --proxy "proxy:8080"

version: curl-7.19.6
User-Agent: curl/7.19.6 (i686-pc-linux-gnu) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.10

I don't know if either or both of these differences are currently significant.

I did network traces of both http connections. At first I thought
curl was not sending the userid and hostname, but I found that curl is sending
them as text and firefox is sending them as unicode.

The only other difference I see is the NTLMSSP flags.
These are the flags sent by the proxy:
    1... .... .... .... .... .... .... .... = Negotiate 56: Set
    .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
    ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
    .... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set
    .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
    .... .... .... ...1 .... .... .... .... = Negotiate Challenge Init Response: Set
    .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
    .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
    .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
    .... .... .... .... .... .... .... .1.. = Request Target: Set
    .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

These are the flags returned to the proxy by firefox:
    .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
    .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
    .... .... .... .... .... .... .... .1.. = Request Target: Set
    .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set

These are the flags returned to the proxy by curl:
    1... .... .... .... .... .... .... .... = Negotiate 56: Set
    .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
    ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
    .... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set
    .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
    .... .... .... ...1 .... .... .... .... = Negotiate Challenge Init Response: Set
    .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
    .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
    .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
    .... .... .... .... .... .... .... .1.. = Request Target: Set

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2010-02-04 19:42

Message:
A related discussion on what seems to be the same lacking feature is here:

http://www.mail-archive.com/curl-library@cool.haxx.se/msg02691.html

This is not so much a bug but something we never have supported. I'd like
to see us do it, but I don't have any means to test and I don't have any
use for it myself.

----------------------------------------------------------------------

Comment By: Rich Coe (rhcoe)
Date: 2010-02-03 13:21

Message:
Proxy is 'powered by Astaro'.

I experimented with two settings.
The first experiment was with setting the NTLM flags the same as ff, but
with keeping the unicode bit turned off.

The second experiment was with keeping the NTLM flags set, sending the
user-id and hostname as UNICODE and setting the unicode bit turned on.

I was only able to successfully authenticate with sending the userid and
hostname as unicode.

----------------------------------------------------------------------

Received on 2010-02-04
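
The difference the reporter found in the traces, as an added example that is not part of the original thread or of curl's code: it builds and parses minimal NTLMSSP Type 3 messages using the two reply flag words rebuilt from the dumps above (0xE2818214 for curl, 0x00008205 for Firefox) and shows the user and host bytes each one implies. The host name `myhost`, the `cp437` OEM code page and all function names are assumptions.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # "Negotiate UNICODE" in the dumps above
PROXY_FLAGS = 0xE2818215        # proxy's challenge dump, rebuilt as a flag word
CURL_FLAGS = 0xE2818214         # curl's reply dump, rebuilt as a flag word
FIREFOX_FLAGS = 0x00008205      # Firefox's reply dump, rebuilt as a flag word
OEM = "cp437"                   # assumption: the real OEM code page is host specific


def codec_for(flags):
    """String fields are UTF-16LE when Negotiate UNICODE is set, else OEM."""
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else OEM


def build_type3(user, host, flags):
    """Constructed sample input: a Type 3 with empty domain and responses."""
    user_b, host_b = user.encode(codec_for(flags)), host.encode(codec_for(flags))
    def desc(data, offset):  # length, allocated length, payload offset
        return struct.pack("<HHI", len(data), len(data), offset)
    end = 64 + len(user_b) + len(host_b)
    head = SIGNATURE + struct.pack("<I", 3)
    head += desc(b"", 64) * 3                          # LM, NT response, domain
    head += desc(user_b, 64) + desc(host_b, 64 + len(user_b))
    head += desc(b"", end) + struct.pack("<I", flags)  # session key, then flags
    return head + user_b + host_b


def parse_type3(msg):
    """Return (flags, user, workstation) from a Type 3 message."""
    if len(msg) < 64 or msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    def field(pos):
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("field points outside the message")
        return msg[offset:offset + length].decode(codec_for(flags))
    return flags, field(36), field(44)  # user and workstation descriptors


def unicode_declined(challenge_flags, msg):
    """True when the challenge set Negotiate UNICODE but the reply did not."""
    offered = bool(challenge_flags & NEGOTIATE_UNICODE)
    return offered and not parse_type3(msg)[0] & NEGOTIATE_UNICODE


if __name__ == "__main__":
    for name, flags in (("curl", CURL_FLAGS), ("firefox", FIREFOX_FLAGS)):
        msg = build_type3("myuser", "myhost", flags)  # constructed message
        print(name, msg[64:].hex(), unicode_declined(PROXY_FLAGS, msg))
```
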

Page updated November 12, 2010.