#1381 Problem with proxy CONNECT using wrong auth then re-used

closed-fixed
None
5
2014-08-25
2014-06-11
Marcel Raad
No

I'm using libcurl 7.37.0 (built with SSPI on Windows) and I'm trying to establish a proxy tunnel through a squid 3.2.11 proxy, which sends "Connection: Keep-Alive" with 407 responses. Both CURLOPT_HTTPPROXYTUNNEL and CURLOPT_CONNECT_ONLY are set to 1. When I use the easy API, everything works as expected, and also when I use a proxy that sends "(Proxy-)Connection: Close" with 407 responses, as the connection is not reused in this case.

But when I use the multi API and I don't submit valid proxy credentials for the first transfer, the connection gets reused for the second transfer (now with valid credentials). Because the first socket is then still valid in Curl_setup_conn, multi_runsingle switches immediately from CURLM_STATE_CONNECT to CURLM_STATE_DO, skipping proxy authentication, and then immediately to CURLM_STATE_DONE because of the connect_only option. libcurl then tells me that the connection was successful, but I cannot use the socket as the CONNECT still has not succeeded because of the missing proxy authentication.

Related

Bugs: #1388

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2014-06-15

    So, checking that I understand this right, in this problematic case it re-uses a connection to the proxy which it shouldn't?

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-06-15
    • assigned_to: Daniel Stenberg
     
  • Marcel Raad

    Marcel Raad - 2014-06-15

    Yes, either that or libcurl should do the proxy authentication again after reuse, but I think the second option would complicate the logic in multi_runsingle a lot.

     
  • Marcel Raad

    Marcel Raad - 2014-07-03

    Sorry, this was actually an error in my code :-( I always passed CURL_SOCKET_BAD to curl_multi_socket_action when I called it with CURL_CSELECT_IN. I have changed that to the correct socket descriptor and it's working now. It only worked by chance with the other proxies.

     
  • Marcel Raad

    Marcel Raad - 2014-07-03

    Oh, but of course libcurl shouldn't reuse this connection with failed proxy authentication and then immediately tell me that the CONNECT was successful.

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-07-23
    • status: open --> open-confirmed
     
  • Daniel Stenberg

    Daniel Stenberg - 2014-07-23

    I have a pending fix. I'm working on writing up a test case for it to verify.

     
  • Michael Osipov

    Michael Osipov - 2014-07-23

    Daniel, I'd be interested to test your change against TMG too.

     
    Last edit: Michael Osipov 2014-07-23
  • Daniel Stenberg

    Daniel Stenberg - 2014-07-23
    • summary: Problem with proxy CONNECT and Connection: Keep-Alive --> Problem with proxy CONNECT using wrong auth then re-used
     
  • Daniel Stenberg

    Daniel Stenberg - 2014-07-29

    I'm struggling with the test case still, but I've been playing with this fix. It attempts to close the connection to a proxy if CONNECT fails and auth negotiation is not ongoing.

    diff --git a/lib/http_proxy.c b/lib/http_proxy.c
    index 17f1c00..5343eb7 100644
    --- a/lib/http_proxy.c
    +++ b/lib/http_proxy.c
    @@ -552,14 +552,20 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn,
       if(200 != data->req.httpcode) {
         if(closeConnection && data->req.newurl) {
           conn->bits.proxy_connect_closed = TRUE;
           infof(data, "Connect me again please\n");
         }
    -    else if(data->req.newurl) {
    -      /* this won't be used anymore for the CONNECT so free it now */
    -      free(data->req.newurl);
    -      data->req.newurl = NULL;
    +    else {
    +      if(data->req.newurl) {
    +        /* this won't be used anymore for the CONNECT so free it now */
    +        free(data->req.newurl);
    +        data->req.newurl = NULL;
    +      }
    +      /* failure, close this connection to avoid re-use */
    +      connclose(conn, "proxy CONNECT failure");
    +      Curl_closesocket(conn, conn->sock[sockindex]);
    +      conn->sock[sockindex] = CURL_SOCKET_BAD;
         }
    
         /* to back to init state */
         conn->tunnel_state[sockindex] = TUNNEL_INIT;
    
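
    Review bot: the new `else` branch closes the connection for every non-200 CONNECT result that is not the `closeConnection && data->req.newurl` case, which includes the case where `data->req.newurl` is set but `closeConnection` is false. The description says the close should happen only when auth negotiation is not ongoing, but no such condition is visible in this branch. Please either add an explicit check or a comment stating why `newurl` being set here cannot mean another auth round is pending on this connection. It would also help to document why `connclose()` alone is not sufficient and the socket must additionally be closed with `Curl_closesocket()` and reset to `CURL_SOCKET_BAD` at this point.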
     
  • Marcel Raad

    Marcel Raad - 2014-08-01

    I've tested this patch with my previous, broken code against the squid proxy and it works for me.

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-08-25

    Thanks, I've now pushed this fix to git without any new test case since it turned out so complicated and time-consuming to make one. Hopefully I get around to adding one in the future!

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-08-25
    • status: open-confirmed --> closed-fixed
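
The failure mode discussed in this ticket, as an added example that is not libcurl code and not part of the original thread: a simplified model of a connect-only transfer that re-uses a proxy connection after a 407, with and without closing the connection on CONNECT failure. All names (`model_conn`, `model_connect_reply`, `model_transfer`, `false_success`) and the descriptor value are hypothetical, and the state handling is reduced to the one decision described above.

```c
#include <stdio.h>

#define SOCK_BAD (-1)

/* Hypothetical, simplified model of one cached proxy connection. */
struct model_conn {
  int sock;       /* SOCK_BAD when no socket is open */
  int tunnel_up;  /* 1 only after the proxy answered CONNECT with 200 */
};

/* Model of handling the proxy's reply to CONNECT.
   close_on_failure = 0 models the reported behaviour,
   close_on_failure = 1 models closing the connection on failure. */
static void model_connect_reply(struct model_conn *c, int httpcode,
                                int close_on_failure)
{
  c->tunnel_up = (httpcode == 200);
  if(!c->tunnel_up && close_on_failure)
    c->sock = SOCK_BAD;  /* nothing is left for a later transfer to re-use */
}

/* Model of one connect-only transfer; returns 1 if it is reported as OK. */
static int model_transfer(struct model_conn *c, int proxy_code,
                          int close_on_failure)
{
  if(c->sock != SOCK_BAD)
    return 1;   /* re-used socket: CONNECT -> DO -> DONE, no CONNECT sent */
  c->sock = 3;  /* constructed descriptor standing in for a new connection */
  model_connect_reply(c, proxy_code, close_on_failure);
  return c->tunnel_up;
}

/* A transfer answered with 407, then one that would get 200.
   Returns 1 when the second is reported OK although no tunnel exists. */
int false_success(int close_on_failure)
{
  struct model_conn c = { SOCK_BAD, 0 };
  (void)model_transfer(&c, 407, close_on_failure);
  int reported_ok = model_transfer(&c, 200, close_on_failure);
  return reported_ok && !c.tunnel_up;
}

int main(void)
{
  printf("keep socket after 407:  false success = %d\n", false_success(0));
  printf("close socket after 407: false success = %d\n", false_success(1));
  return 0;
}
```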
     
