
#528 HTTP proxy tunneling with NTLM proxy authenticate won't work

closed-later
http (206)
6
2014-08-25
2005-07-06
Anonymous
No

Well, not much more to add ...
I have an ISA server here which requires NTLM
authentication and I'm trying to tunnel the proxy ... but
obviously Curl_ConnectHTTPProxyTunnel isn't quite
capable of this:

* About to connect() to 192.168.100.2 port 8080
* Trying 192.168.100.2... * connected
* Connected to 192.168.100.2 (192.168.100.2) port 8080
* Establish HTTP proxy tunnel to potsdam:80
> CONNECT potsdam:80 HTTP/1.0
Host: potsdam:80
Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required ( Der ISA Server erfordert Autorisierung, um die Anforderung durchführen zu können. Der Zugriff auf den Webproxydienst wird verweigert. )
< Via: 1.1 ISA-SERVER
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 757
<
* Proxy auth using NTLM with user 'Administrator'
> CONNECT potsdam:80 HTTP/1.0
Host: potsdam:80
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
Proxy-Connection: Keep-Alive

* Proxy CONNECT aborted
* Closing connection #0
error (56): Proxy CONNECT aborted

As you might be seeing: libcurl tries to reuse the
connection but the proxy has already closed it.
ConnectHTTPProxyTunnel doesn't notice this, tries to
send its type1 packet to the server over the
already-closed connection and ... BANG!

:-/

Discussion

  • Nobody/Anonymous

    Logged In: NO

    For comparison: Opera tries the same:

    ----- request -----
    CONNECT potsdam:443 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
    Host: potsdam
    Content-Length: 0
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    ----- reply ----
    HTTP/1.1 407 Proxy Authentication Required ( Der ISA Server erfordert Autorisierung, um die Anforderung durchf..hren zu k..nnen. Der Zugriff auf den Webproxydienst wird verweigert. )
    Via: 1.1 ISA-SERVER
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Kerberos
    Proxy-Authenticate: NTLM
    Connection: close
    Proxy-Connection: close
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Content-Length: 757
    ----- content follows, connection closed -----

    But after that Opera connects again, sends its type1 packet,
    gets the response and finally succeeds (all over the same
    connection):

    ----- request -----
    CONNECT potsdam:443 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
    Host: potsdam
    Content-Length: 0
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IAogAAAAAAAAAAAAAAAAAAAAAFAJMIAAAADw==
    ----- response -----
    HTTP/1.1 407 Proxy Authentication Required ( Zugriff
    verweigert )
    Via: 1.1 ISA-SERVER
    Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAFAAUADgAAAAFgoKitsyWTopPhsEAAAAAAAAAAGQAZABMAAAABQCTCAAAAA9JAFMAQQAtAFMARQBSAFYARQBSAAIAFABJAFMAQQAtAFMARQBSAFYARQBSAAEAFABJAFMAQQAtAFMARQBSAFYARQBSAAQAFABpAHMAYQAtAHMAZQByAHYAZQByAAMAFABpAHMAYQAtAHMAZQByAHYAZQByAAAAAAA=
    Connection: Keep-Alive
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Content-Length: 0
    ----- 2nd request -----
    CONNECT potsdam:443 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
    Host: potsdam
    Content-Length: 0
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAA4ADgBIAAAAGgAaAFYAAAAOAA4AcAAAAAAAAACuAAAABYKAogUAkwgAAAAPSwBTAEUAWQBEAEUATABBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAEsAUwBFAFkARABFAEwA+OhgoFmZ4ADySZG6W3p/USjtmnChT5qt0PUUX2dtGkZNrf6g1ZSMWU2Qx1CjcELg
    ----- 2nd response -----
    HTTP/1.1 200 Connection established
    Via: 1.1 ISA-SERVER

     
  • Daniel Stenberg

    Daniel Stenberg - 2005-07-06

    Logged In: YES
    user_id=1110

    This is a bug in how libcurl treats 407 with response-body
    during auth negotiation with CONNECT. Please try the most
    recent daily snapshot and see if that works better for you.

     
  • Nobody/Anonymous

    Logged In: NO

    When CURLOPT_PROXYAUTH is set to CURLAUTH_NTLM
    (instead of e.g. CURLAUTH_ANY) then it works (because the
    type1 message is immediately sent). But I would consider that
    a work-around ...

     
  • Nobody/Anonymous

    Logged In: NO

    No, latest CVS doesn't work either:

    curl version: libcurl/7.14.1-20050706 OpenSSL/0.9.7g zlib/1.2.2
    * About to connect() to 192.168.100.2 port 8080
    * Trying 192.168.100.2... * connected
    * Connected to 192.168.100.2 (192.168.100.2) port 8080
    * Establish HTTP proxy tunnel to potsdam:443
    > CONNECT potsdam:443 HTTP/1.0
    Host: potsdam:443
    Proxy-Connection: Keep-Alive

    < HTTP/1.1 407 Proxy Authentication Required ( Der ISA Server erfordert Autorisierung, um die Anforderung durchführen zu können. Der Zugriff auf den Webproxydienst wird verweigert. )
    < Via: 1.1 ISA-SERVER
    < Proxy-Authenticate: Negotiate
    < Proxy-Authenticate: Kerberos
    < Proxy-Authenticate: NTLM
    < Connection: close
    < Proxy-Connection: close
    < Pragma: no-cache
    < Cache-Control: no-cache
    < Content-Type: text/html
    < Content-Length: 757
    <
    * Ignore 757 bytes of response-body
    * Proxy auth using NTLM with user 'User'
    > CONNECT potsdam:443 HTTP/1.0
    Host: potsdam:443
    Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
    Proxy-Connection: Keep-Alive

    * Proxy CONNECT aborted
    * Closing connection #0
    error (56): Proxy CONNECT aborted

     
  • Nobody/Anonymous

    Logged In: NO

    By the way: I don't think it's related to the handling of 407 at all.
    When connecting to the proxy, libcurl never checks whether
    the server sends "Proxy-Connection: close". Because of that it
    supposes "Proxy-Connection: keep-alive" (as sent by itself) is
    still valid and therefore tries to reuse the connection, which
    obviously won't work in this case ...
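As an added example (not libcurl code and not from this thread's author), the decision a CONNECT client has to make after each 407: the connection-close check the comment above says libcurl skipped, the body bytes to drain if the connection is kept alive, and whether the reply carried a bare "NTLM" (send type1 next) or a type2 challenge (send type3 next), as in the Opera trace above. The two sample replies and the minimal type2 token are constructed.

```python
import base64

# Constructed sample replies modelled on the ISA traces in this thread
# (HTML bodies omitted; only the headers that drive the decision are kept).
FIRST_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: Kerberos\r\n"
    "Proxy-Authenticate: NTLM\r\nConnection: close\r\n"
    "Proxy-Connection: close\r\nContent-Length: 757\r\n\r\n")
# Hypothetical minimal type2 token: "NTLMSSP\0" signature, message type 2, zeroed fields.
TYPE2 = base64.b64encode(b"NTLMSSP\x00" + (2).to_bytes(4, "little") + b"\x00" * 20).decode()
SECOND_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    f"Proxy-Authenticate: NTLM {TYPE2}\r\nConnection: Keep-Alive\r\n"
    "Proxy-Connection: Keep-Alive\r\nContent-Length: 0\r\n\r\n")

def parse_head(raw):
    """Return (http_version, status, [(lowercased name, value), ...]);
    repeated headers such as the three Proxy-Authenticate lines are kept."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    version, status, _reason = head[0].split(" ", 2)
    hdrs = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        hdrs.append((name.strip().lower(), value.strip()))
    return version, int(status), hdrs

def conn_tokens(hdrs):
    """Comma-separated tokens of every Connection / Proxy-Connection header."""
    return {t.strip().lower() for n, v in hdrs
            if n in ("connection", "proxy-connection") for t in v.split(",")}

def plan_next_connect(raw):
    """After a 407 on CONNECT: is the TCP connection still usable, how many
    body bytes must be drained before reusing it, and which NTLM message is next."""
    version, status, hdrs = parse_head(raw)
    if status != 407:
        return {"status": status}
    conn = conn_tokens(hdrs)
    # The check the thread says libcurl skipped: an explicit close token, or an
    # HTTP/1.0 reply without keep-alive, means the proxy is about to drop the socket.
    reconnect = "close" in conn or (version == "HTTP/1.0" and "keep-alive" not in conn)
    drain = 0 if reconnect else int(dict(hdrs).get("content-length", "0"))
    stage = "send_type1"  # bare "Proxy-Authenticate: NTLM" means start the handshake
    for name, value in hdrs:
        if name == "proxy-authenticate" and value.lower().startswith("ntlm "):
            blob = base64.b64decode(value.split(None, 1)[1])
            if blob[:8] == b"NTLMSSP\x00" and int.from_bytes(blob[8:12], "little") == 2:
                stage = "send_type3"  # a type2 challenge arrived; answer it
    return {"status": 407, "reconnect": reconnect, "drain": drain, "stage": stage}
```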

     
  • Daniel Stenberg

    Daniel Stenberg - 2005-07-06

    Logged In: YES
    user_id=1110

    Ah, I didn't notice that but yes your analysis sounds about
    right.

    This needs attention.

     
  • Daniel Stenberg

    Daniel Stenberg - 2005-07-06
    • labels: 101476 --> http
    • milestone: --> wrong_behaviour
    • priority: 5 --> 6
    • status: open --> open-accepted
     
  • Daniel Stenberg

    Daniel Stenberg - 2005-08-18

    Logged In: YES
    user_id=1110

    This is now an issue that is being looked into. It might not
    reach 7.14.1 but it isn't forgotten. The CONNECT patch in
    recent libcurl mailing list discussion addresses this
    problem (and others). It is however not complete yet and it
    might take some additional weeks/months before it is.

    Closing this for now.

     
  • Daniel Stenberg

    Daniel Stenberg - 2005-08-18
    • status: open-accepted --> closed-later
     