Bug 1342778
Summary: curl can't connect through NTLM proxy with --proxy-any option.
Product: Red Hat Enterprise Linux 7
Component: curl
Version: 7.4
Status: CLOSED CANTFIX
Reporter: Mikhail <mikhail.v.gavrilov>
Assignee: Kamil Dudka <kdudka>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: kdudka, mikhail.v.gavrilov, szidek
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-09-22 08:17:03 UTC
Type: Bug

Description
Mikhail
2016-06-05 08:05:54 UTC
--proxy-ntlm works as expected. Why does the --proxy-any option not work?

$ curl -v --proxy-ntlm http://dev.sy24.ru
* About to connect() to proxy 172.18.4.7 port 8080 (#0)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Proxy auth using NTLM with user 'east-kronospan\edvglu'
> GET http://dev.sy24.ru/ HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.29.0
> Host: dev.sy24.ru
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM [type 2 message, base64 omitted]
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
<
* Connection #0 to host 172.18.4.7 left intact
* Issue another request to this URL: 'http://dev.sy24.ru/'
* Found bundle for host dev.sy24.ru: 0x23b9e20
* Re-using existing connection! (#0) with host 172.18.4.7
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
* Proxy auth using NTLM with user 'east-kronospan\edvglu'
> GET http://dev.sy24.ru/ HTTP/1.1
> Proxy-Authorization: NTLM [type 3 message, base64 omitted]
> User-Agent: curl/7.29.0
> Host: dev.sy24.ru
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Via: 1.1 ISAEG
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Date: Sun, 05 Jun 2016 08:17:24 GMT
< Content-Type: text/html; charset=UTF-8
< Server: nginx/1.8.1
< Vary: Accept-Encoding
< X-Powered-By: PHP/5.6.22
<
[response body omitted: HTML page titled "Нужно обновление браузера" ("Browser update required")]
* Closing connection 0

Are you able to connect through the same proxy from Fedora with --proxy-anyauth? If yes, could you please use git-bisect to find the first upstream commit where it works for you?

On Fedora 23 everything works as expected: curl without any proxy options, and even wget!!!!

=========================Fedora 23===========================
$ curl --version
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.43.0 NSS/3.22 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0 nghttp2/1.7.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets Metalink

$ curl -v http://dev.sy24.ru
* Rebuilt URL to: http://dev.sy24.ru/
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
* Proxy auth using Basic with user 'east-kronospan\edvglu'
> GET http://dev.sy24.ru/ HTTP/1.1
> Host: dev.sy24.ru
> Proxy-Authorization: Basic ZWFzdC1rcm9ub3NwYW5cZWR2Z2x1Om5pdmE0eDQkJCQ=
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Via: 1.1 ISAEG
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Date: Mon, 06 Jun 2016 19:29:12 GMT
< Content-Type: text/html; charset=UTF-8
< Server: nginx/1.8.1
< Vary: Accept-Encoding
< X-Powered-By: PHP/5.6.22
<
[response body omitted: HTML page titled "Нужно обновление браузера" ("Browser update required")]
* Closing connection 0

============================= RHEL 7==================================
$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

$ curl -v http://dev.sy24.ru
* About to connect() to proxy 172.18.4.7 port 8080 (#0)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
* Proxy auth using Basic with user 'east-kronospan\edvglu'
> GET http://dev.sy24.ru/ HTTP/1.1
> Proxy-Authorization: Basic ZWFzdC1rcm9ub3NwYW5cZWR2Z2x1Om5pdmE0eDQkJCQ=
> User-Agent: curl/7.29.0
> Host: dev.sy24.ru
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374
<
[response body omitted: ISA Server HTML error page "The page cannot be displayed", HTTP 407 (12209)]
* Closing connection 0
[admin@sinuf1 ~]$
[admin@sinuf1 ~]$ curl -v http://dev.sy24.ru
* About to connect() to proxy 172.18.4.7 port 8080 (#0)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
* Proxy auth using Basic with user 'east-kronospan\edvglu'
> GET http://dev.sy24.ru/ HTTP/1.1
> Proxy-Authorization: Basic ZWFzdC1rcm9ub3NwYW5cZWR2Z2x1Om5pdmE0eDQkJCQ=
> User-Agent: curl/7.29.0
> Host: dev.sy24.ru
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374
<
[response body omitted: ISA Server HTML error page "The page cannot be displayed", HTTP 407 (12209)]
* Closing connection 0

I think, judging from the logs, that Fedora 23 did not trigger NTLM and used Basic authorization. And this works in my case. Very strange.

Created attachment 1165359 [details]
request compare
really don't understand this magic. Why on Fedora Proxy-Authorization: Basic ZWFzdC1rcm9ub3NwYW5cZWR2Z2x1Om5pdmE0eDQkJCQ=

Created attachment 1165391 [details]
curl_Fedora.trace
Created attachment 1165392 [details]
curl_RHEL.trace
The proxy apparently does not require NTLM authentication if you are able to connect using just basic authentication.

(In reply to Mikhail from comment #7)
> Proxy-Authorization: Basic ZWFzdC1rcm9ub3NwYW5cZWR2Z2x1Om5pdmE0eDQkJCQ=

You have disclosed your credentials on the Internet, just so you know...

Kamil, sorry, my previous experiment was not clear. It seems that from the 10.18.4.16 IP address the proxy does not require any authorization. Now I changed the IP address and rechecked my experiment.

# curl -v --proxy-any http://google.com
* Rebuilt URL to: http://google.com/
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2373
<
* Closing connection 0
* Issue another request to this URL: 'http://google.com/'
* Hostname 172.18.4.7 was found in DNS cache
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
* gss_init_sec_context() failed: : SPNEGO cannot find mechanisms to negotiate
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2373
<
[response body omitted: ISA Server HTML error page "The page cannot be displayed", HTTP 407 (12209)]
* Closing connection 1

As we see, on Fedora 23 connecting through the NTLM proxy with the --proxy-any option does not work either. As we see, the second request passes without Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=

Created attachment 1165501 [details]
fedora 23 curl log
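
Following the remark above that the posted Proxy-Authorization: Basic header disclosed credentials, here is an added example (not part of the bug report) of a filter that scrubs `curl -v` output before it is pasted into a public tracker. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: scrub credential material from `curl -v` output.
# The auth scheme stays visible, because which scheme curl picked is what a
# report like this one is about; only tokens and the user name are replaced.
# Typical use: curl -v --proxy-anyauth URL 2>&1 | redact_curl_log

# Constructed sample log. "dXNlcjpwYXNz" is base64 of "user:pass" (Basic is
# only an encoding, not encryption); the NTLM strings are placeholders.
sample_log() {
cat <<'EOF'
* Proxy auth using Basic with user 'EXAMPLE\user'
> GET http://example.test/ HTTP/1.1
> Proxy-Authorization: Basic dXNlcjpwYXNz
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Negotiate
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAplaceholder1
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAplaceholder2
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAplaceholder3
< HTTP/1.1 200 OK
EOF
}

# Shared awk helper. A line is sensitive when it is
#  - a request header (Proxy-)Authorization with a token after the scheme, or
#  - an NTLM/Negotiate challenge that carries a token. A bare scheme offer
#    such as "Proxy-Authenticate: NTLM" carries nothing secret and is kept.
SENSITIVE='
function sensitive(l,   low) {
    if (index(l, "[REDACTED]")) return 0
    low = tolower(l)
    return (low ~ /^> ?(proxy-)?authorization: *[^ ]+ +[^ ]/ ||
            low ~ /^< ?(proxy|www)-authenticate: *(ntlm|negotiate) +[^ ]/)
}'

# Replace tokens and the quoted user name, keep everything else verbatim.
redact_curl_log() {
    awk -v q="'" "$SENSITIVE"'
    {
        if (sensitive($0)) {
            # Keep "<direction> <header>: <scheme>", drop the token.
            match($0, /^[<>] ?[A-Za-z-]+: *[^ ]+/)
            print substr($0, 1, RLENGTH) " [REDACTED]"
            next
        }
        sub("with user " q "[^" q "]*" q, "with user " q "[REDACTED]" q)
        print
    }'
}

# Audit mode: print "line-number: header scheme" for each line that leaks.
find_leaks() {
    awk "$SENSITIVE"'
    sensitive($0) {
        match($0, /^[<>] ?[A-Za-z-]+: *[^ ]+/)
        print NR ": " substr($0, 3, RLENGTH - 2)
    }'
}
```

Running `find_leaks` on a saved log before posting lists the lines that still carry tokens; an empty result after `redact_curl_log` means the header values are gone, though URLs and response bodies still need a manual look.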
Could you please use git-bisect to find the first upstream commit where it works for you? Kamil, I try configure dnf for working with NTLM proxy, but seems dnf not work with proxy. # cat /etc/dnf/dnf.conf [main] gpgcheck=1 installonly_limit=3 clean_requirements_on_remove=True proxy=http://172.18.4.7:8080 proxy_username=east-kronospan\edvglu proxy_password=niva4x4$$$ # dnf download --source curl -v cachedir: /var/cache/dnf Loaded plugins: download, builddep, noroot, copr, debuginfo-install, Query, playground, protected_packages, reposync, config-manager, langpacks, generate_completion_cache, needs-restarting Adding ru to language list Error reading file : /var/lib/dnf/plugins/langpacks/installed_langpacks as it does not exist initialized Langpacks plugin DNF version: 1.1.9 enabling updates-source repository enabling fedora-source repository Cannot download 'https://mirrors.fedoraproject.org/metalink?repo=updates-released-f23&arch=x86_64': Cannot prepare internal mirrorlist: Curl error (56): Failure when receiving data from the peer for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f23&arch=x86_64 [Invalid file descriptor]. Error: Failed to synchronize cache for repo 'updates' First off, there is no dnf on RHEL-7. On Fedora, this is handled by the librepo package I guess. I do not know which version of librepo you are using but the latest upstream version of librepo seems to default to basic auth: https://github.com/rpm-software-management/librepo/blob/bc39a9a0/librepo/handle.h#L113 I am not sure whether dnf provides a configuration option to change it. Better to ask for help on Fedora/dnf-focused channels... I got confused. On which system RHEL-7 or Fedora make better git bisect? For git bisect better use vanilla curl or curl with all existed Red Hat patches? Kamil, can you have a ready-made script that makes git bisect, and then tests automatically and if false do again git bisect? (In reply to Mikhail from comment #18) > I got confused. 
On which system RHEL-7 or Fedora make better git bisect? If the problem is really in curl, it does not matter. You can compile RHEL-7 curl on Fedora as well as the latest upstream curl on RHEL-7. In any case I would suggest to use the curl(1) tool for debugging it. Involving yum, dnf, librepo, etc. would only complicate the task. > For git bisect better use vanilla curl or curl with all existed Red Hat > patches? It is unlikely that the problem is caused by a downstream patch, so I would first try to bisect the upstream git repository: $ git clone https://github.com/curl/curl.git $ cd curl $ git bisect start master curl-7_29_0 (In reply to Mikhail from comment #19) > Kamil, can you have a ready-made script that makes git bisect, and then > tests automatically and if false do again git bisect? I do not think that a script is necessary. You will find the commit in 11 steps only if you bisect it manually. Just type 'git bisect bad' if you are able to connect, or 'git bisect good' if not. While bisecting, make sure that you are using the locally built libcurl.so instead of the system one. Exporting the LD_LIBRARY_PATH environment variable set to absolute path of the directory containing libcurl.so will do the job. You can verify it takes an effect by 'ldd /usr/bin/curl' or 'curl --version'. Kamil, which option I need use. I am used this options from spec file. 
$ ./configure --disable-static --enable-symbol-hiding --enable-ipv6 --enable-ldaps --enable-manual --enable-threaded-resolver --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt --with-libidn --with-libmetalink --with-libssh2 --with-nghttp2 --without-ssl --with-nss But compilation was ended without success: In file included from http2.c:29:0: /usr/include/nghttp2/nghttp2.h:1782:1: note: expected ‘nghttp2_on_invalid_frame_recv_callback {aka int (*)(struct nghttp2_session *, const union <anonymous> *, int, void *)}’ but argument is of type ‘int (*)(nghttp2_session *, const nghttp2_frame *, uint32_t, void *) {aka int (*)(struct nghttp2_session *, const union <anonymous> *, unsigned int, void *)}’ nghttp2_session_callbacks_set_on_invalid_frame_recv_callback( ^ http2.c: In function ‘Curl_http2_switched’: http2.c:1005:6: error: ‘NGHTTP2_CLIENT_CONNECTION_PREFACE’ undeclared (first use in this function) NGHTTP2_CLIENT_CONNECTION_PREFACE, ^ http2.c:1005:6: note: each undeclared identifier is reported only once for each function it appears in http2.c:1006:6: error: ‘NGHTTP2_CLIENT_CONNECTION_PREFACE_LEN’ undeclared (first use in this function) NGHTTP2_CLIENT_CONNECTION_PREFACE_LEN, Use --without-nghttp2 instead of --with-nghttp2. First iteration $ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl --version curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.38.1-DEV NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink $ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl -v --proxy-any http://google.com * Rebuilt URL to: http://google.com/ * Hostname was NOT found in DNS cache * Trying 172.18.4.7... 
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0) > GET http://google.com/ HTTP/1.1 > User-Agent: curl/7.43.0 > Host: google.com > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. ) < Via:1.1 ISAEG < Proxy-Authenticate: NTLM < Proxy-Authenticate: Kerberos < Proxy-Authenticate: Negotiate < Connection: close * HTTP/1.1 proxy connection set close! < Proxy-Connection: close < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 2373 < * Closing connection 0 * Issue another request to this URL: 'http://google.com/' * Hostname was found in DNS cache * Trying 172.18.4.7... * Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1) * Initializing NSS with certpath: sql:/etc/pki/nssdb * Proxy auth using NTLM with user 'east-kronospan\edvglu' > GET http://google.com/ HTTP/1.1 > Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= > User-Agent: curl/7.43.0 > Host: google.com > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 407 Proxy Authentication Required ( Access is denied. ) < Via:1.1 ISAEG < Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAGgokCGAKgbXcbJk0AAAAAAAAAAKwArABGAAAABQLODgAAAA9FQVNULUtST05PU1BBTgIAHABFAEEAUwBUAC0ASwBSAE8ATgBPAFMAUABBAE4AAQAKAEkAUwBBAEUARwAEACQAZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAwAwAGkAcwBhAGUAZwAuAGUAYQBzAHQALgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAUAGgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAAAAAA= < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 0 < * Connection #1 to host 172.18.4.7 left intact * Issue another request to this URL: 'http://google.com/' * Found bundle for host google.com: 0x55d902632810 * Re-using existing connection! 
(#1) with host 172.18.4.7 * Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1) * Proxy auth using NTLM with user 'east-kronospan\edvglu' > GET http://google.com/ HTTP/1.1 > Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADcANwAWAAAAA4ADgA0AQAABgAGAEIBAAAJAAkASAEAAAAAAAAAAAAABoKJAj6M2nUdu2jhv8XvWd7nE3Hwd1zsh0Cc1D9N0/O1UYNL53MhN9DqUkoBAQAAAAAAAABAkLVFxdEB8Hdc7IdAnNQAAAAAAgAcAEUAQQBTAFQALQBLAFIATwBOAE8AUwBQAEEATgABAAoASQBTAEEARQBHAAQAJABlAGEAcwB0AC4AawByAG8AbgBvAHMAcABhAG4ALgBpAG4AdAADADAAaQBzAGEAZQBnAC4AZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQABQAaAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAAAAAAAAAABlYXN0LWtyb25vc3BhbmVkdmdsdWxvY2FsaG9zdA== > User-Agent: curl/7.43.0 > Host: google.com > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 302 Found < Via: 1.0 ISAEG < Content-Length: 258 < Date: Mon, 13 Jun 2016 07:32:16 GMT < Location: http://www.google.ru/?gfe_rd=cr&ei=gGFeV8y3NcXG7gT-v5rABA < Content-Type: text/html; charset=UTF-8 < Cache-Control: private < <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.ru/?gfe_rd=cr&ei=gGFeV8y3NcXG7gT-v5rABA">here</A>. </BODY></HTML> * Connection #1 to host 172.18.4.7 left intact All works as expected When doing second iteration have make error :( $ git bisect good $ make clean $ make mv -f .deps/libcurl_la-hostcheck.Tpo .deps/libcurl_la-hostcheck.Plo make[2]: *** No rule to make target 'bundles.c', needed by 'libcurl_la-bundles.lo'. Stop. make[2]: Leaving directory '/home/synergy/curl/curl/lib' Makefile:709: recipe for target 'all' failed make[1]: *** [all] Error 2 make[1]: Leaving directory '/home/synergy/curl/curl/lib' Makefile:857: recipe for target 'all-recursive' failed make: *** [all-recursive] Error 1 Please help.. The already generated makefiles are no longer valid after you checked out a different revision (by 'git bisect good'). 
Run 'autoreconf -fiv' to regenerate the necessary build templates before running make again. If it does not help, try to run './buildconf' and then run './configure ...' manually. If you append --enable-maintainer-mode to your configure options, the autoconf script itself will try to update the necessary files for you automatically (although it may fail in some corner cases). All `git bisect All `git bisect` was good for me. $ git bisect good f77dfbc5fbb7a20f8d3ef918df35b68c0b60f1e9 is the first bad commit commit f77dfbc5fbb7a20f8d3ef918df35b68c0b60f1e9 Author: Jay Satiro <raysatiro> Date: Sat Jun 11 17:33:16 2016 -0400 CURLOPT_POSTFIELDS.3: Clarify what happens when set empty When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a zero-byte POST. Prior to this change it was documented as sending data from the read callback. This also changes the wording of what happens when empty or NULL so that it's hopefully easier to understand for people whose primary language isn't English. Bug: https://github.com/curl/curl/issues/862 Reported-by: Askar Safin :040000 040000 7b58778258743ee411baac5efaa66900a5d9ee55 22199933ec4afc4b476a77d455516e1b71e94067 M docs And also last `git bisect` $ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl --version curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.50.0-DEV NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets Metalink $ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl -v --proxy-any http://google.com * Rebuilt URL to: http://google.com/ * Trying 172.18.4.7... 
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0) > GET http://google.com/ HTTP/1.1 > Host: google.com > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. ) < Via:1.1 ISAEG < Proxy-Authenticate: NTLM < Proxy-Authenticate: Kerberos < Proxy-Authenticate: Negotiate < Connection: close * HTTP/1.1 proxy connection set close! < Proxy-Connection: close < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 2374 < * Closing connection 0 * Issue another request to this URL: 'http://google.com/' * Hostname 172.18.4.7 was found in DNS cache * Trying 172.18.4.7... * Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1) * Initializing NSS with certpath: sql:/etc/pki/nssdb * Proxy auth using NTLM with user 'east-kronospan\edvglu' > GET http://google.com/ HTTP/1.1 > Host: google.com > Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 407 Proxy Authentication Required ( Access is denied. ) < Via:1.1 ISAEG < Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAGgokCPxl4C64WEIsAAAAAAAAAAKwArABGAAAABQLODgAAAA9FQVNULUtST05PU1BBTgIAHABFAEEAUwBUAC0ASwBSAE8ATgBPAFMAUABBAE4AAQAKAEkAUwBBAEUARwAEACQAZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAwAwAGkAcwBhAGUAZwAuAGUAYQBzAHQALgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAUAGgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAAAAAA= < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 0 < * Connection #1 to host 172.18.4.7 left intact * Issue another request to this URL: 'http://google.com/' * Found bundle for host google.com: 0x55c6ab26a6f0 [can pipeline] * Re-using existing connection! 
(#1) with proxy 172.18.4.7 * Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1) * Proxy auth using NTLM with user 'east-kronospan\edvglu' > GET http://google.com/ HTTP/1.1 > Host: google.com > Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADcANwAWAAAAA4ADgA0AQAABgAGAEIBAAAJAAkASAEAAAAAAAAAAAAABoKJAqNEs1G5waqsCJIZPAcJhnjrP1mW0qAJWlGMJ7oEgRBbsU+HcPcKpsABAQAAAAAAAABk4d1wxdEB6z9ZltKgCVoAAAAAAgAcAEUAQQBTAFQALQBLAFIATwBOAE8AUwBQAEEATgABAAoASQBTAEEARQBHAAQAJABlAGEAcwB0AC4AawByAG8AbgBvAHMAcABhAG4ALgBpAG4AdAADADAAaQBzAGEAZQBnAC4AZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQABQAaAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAAAAAAAAAABlYXN0LWtyb25vc3BhbmVkdmdsdWxvY2FsaG9zdA== > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 302 Found < Via: 1.0 ISAEG < Content-Length: 258 < Date: Mon, 13 Jun 2016 12:41:12 GMT < Location: http://www.google.ru/?gfe_rd=cr&ei=6KleV5HwI4-BygWpzrDABA < Content-Type: text/html; charset=UTF-8 < Cache-Control: private < <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.ru/?gfe_rd=cr&ei=6KleV5HwI4-BygWpzrDABA">here</A>. </BODY></HTML> * Connection #1 to host 172.18.4.7 left intact What it means? Problem in patches or compile options? my options: $ ./configure --disable-static --enable-symbol-hiding --enable-ipv6 --enable-ldaps --enable-manual --enable-threaded-resolver --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt --with-libidn --with-libmetalink --with-libssh2 --without-nghttp2 --without-ssl --with-nss Does it mean that you were _not_ able to connect with any of those revisions? (In reply to Kamil Dudka from comment #20) > Just type 'git bisect bad' if you are > able to connect, or 'git bisect good' if not. If you go in the opposite direction always answering `bad`, it also all commits are working. 
This is the last commit:

$ git bisect bad
0a4bb75bc55f097003c6b2055996a6925b991fb0 is the first bad commit
commit 0a4bb75bc55f097003c6b2055996a6925b991fb0
Author: Daniel Stenberg <daniel>
Date: Wed Feb 6 11:52:22 2013 +0100

THANKS: 12 contributors from 7.29.0

:040000 040000 69912a05be90c6d566513abb5ce90db42f88052f a678968f8c6f3f2e6462501d59f1eed40c1e3bac M docs

$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl --version
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.28.2-DEV NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl -v --proxy-any http://google.com
* About to connect() to proxy 172.18.4.7 port 8080 (#0)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
> GET http://google.com HTTP/1.1
> User-Agent: curl/7.43.0
> Host: google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 2374 < * Closing connection 0 * Issue another request to this URL: 'http://google.com' * About to connect() to proxy 172.18.4.7 port 8080 (#1) * Trying 172.18.4.7... * Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1) * Initializing NSS with certpath: sql:/etc/pki/nssdb * Proxy auth using NTLM with user 'east-kronospan\edvglu' > GET http://google.com HTTP/1.1 > Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= > User-Agent: curl/7.43.0 > Host: google.com > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 407 Proxy Authentication Required ( Access is denied. ) < Via:1.1 ISAEG < Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAGgokCUHwgbXaFzagAAAAAAAAAAKwArABGAAAABQLODgAAAA9FQVNULUtST05PU1BBTgIAHABFAEEAUwBUAC0ASwBSAE8ATgBPAFMAUABBAE4AAQAKAEkAUwBBAEUARwAEACQAZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAwAwAGkAcwBhAGUAZwAuAGUAYQBzAHQALgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAUAGgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAAAAAA= < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 0 < * Connection #1 to host 172.18.4.7 left intact * Issue another request to this URL: 'http://google.com' * Found bundle for host google.com: 0x565214d31040 * Re-using existing connection! 
(#1) with host 172.18.4.7
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1)
* Proxy auth using NTLM with user 'east-kronospan\edvglu'
> GET http://google.com HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAA4ADgBwAAAABgAGAH4AAAAJAAkAhAAAAAAAAAAAAAAABoKJAuOLzQP+3mNNAAAAAAAAAAAAAAAAAAAAAKeXN64tM5J7Bv9J1S1R0Yqcedn12oVZhmVhc3Qta3Jvbm9zcGFuZWR2Z2x1bG9jYWxob3N0
> User-Agent: curl/7.43.0
> Host: google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 302 Found
< Via: 1.0 ISAEG
< Content-Length: 256
< Date: Mon, 13 Jun 2016 14:35:40 GMT
< Location: http://www.google.ru/?gfe_rd=cr&ei=vMReV_b6NMzFZLDHiNAK
< Content-Type: text/html; charset=UTF-8
< Cache-Control: private
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.ru/?gfe_rd=cr&ei=vMReV_b6NMzFZLDHiNAK">here</A>.
</BODY></HTML>
* Connection #1 to host 172.18.4.7 left intact

The prerequisite for git-bisect to be useful is that there is an observable difference between the old and new revisions (curl-7_29_0 and master in your case). So I would suggest to start with checking these two revisions manually using just 'git checkout'.

If I understand your observation correctly, are you saying that you are able to connect with upstream checkout of curl-7_29_0 but not with the RHEL-7 libcurl package?

(In reply to Kamil Dudka from comment #31)
> The prerequisite for git-bisect to be useful is that there is an
> observable difference between the old and new revisions (curl-7_29_0 and
> master in your case). So I would suggest to start with checking these two
> revisions manually using just 'git checkout'.

$ git checkout curl-7_29_0
$ make clean
$ autoreconf -fiv
$ make
$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl --version
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.28.2-DEV NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl -v --proxy-any http://google.com
* About to connect() to proxy 172.18.4.7 port 8080 (#0)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
> GET http://google.com HTTP/1.1
> User-Agent: curl/7.43.0
> Host: google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374
<
* Closing connection 0
* Issue another request to this URL: 'http://google.com'
* About to connect() to proxy 172.18.4.7 port 8080 (#1)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Proxy auth using NTLM with user 'east-kronospan\edvglu'
> GET http://google.com HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.43.0
> Host: google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied.
) < Via:1.1 ISAEG < Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAGgokCAJSsPGHRXfoAAAAAAAAAAKwArABGAAAABQLODgAAAA9FQVNULUtST05PU1BBTgIAHABFAEEAUwBUAC0ASwBSAE8ATgBPAFMAUABBAE4AAQAKAEkAUwBBAEUARwAEACQAZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAwAwAGkAcwBhAGUAZwAuAGUAYQBzAHQALgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAUAGgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAAAAAA= < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 0 < * Connection #1 to host 172.18.4.7 left intact * Issue another request to this URL: 'http://google.com' * Found bundle for host google.com: 0x556dd3d57040 * Re-using existing connection! (#1) with host 172.18.4.7 * Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1) * Proxy auth using NTLM with user 'east-kronospan\edvglu' > GET http://google.com HTTP/1.1 > Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAA4ADgBwAAAABgAGAH4AAAAJAAkAhAAAAAAAAAAAAAAABoKJAtoYsaN80guwAAAAAAAAAAAAAAAAAAAAANb1eDtalIXlb11dXaPihOPGa5LYiBSh1mVhc3Qta3Jvbm9zcGFuZWR2Z2x1bG9jYWxob3N0 > User-Agent: curl/7.43.0 > Host: google.com > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 302 Found < Via: 1.0 ISAEG < Content-Length: 258 < Date: Mon, 13 Jun 2016 16:01:37 GMT < Location: http://www.google.ru/?gfe_rd=cr&ei=4dheV8G7FYKcwwOXjLiQAw < Content-Type: text/html; charset=UTF-8 < Cache-Control: private < <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.ru/?gfe_rd=cr&ei=4dheV8G7FYKcwwOXjLiQAw">here</A>. 
</BODY></HTML>
* Connection #1 to host 172.18.4.7 left intact

$ git checkout master
$ make clean
$ autoreconf -fiv
$ make
$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl --version
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.50.0-DEV NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets Metalink
$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl -v --proxy-any http://google.com
* Rebuilt URL to: http://google.com/
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374
<
* Closing connection 0
* Issue another request to this URL: 'http://google.com/'
* Hostname 172.18.4.7 was found in DNS cache
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Proxy auth using NTLM with user 'east-kronospan\edvglu'
> GET http://google.com/ HTTP/1.1
> Host: google.com
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied.
) < Via:1.1 ISAEG < Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAGgokCKf0vfFrshzAAAAAAAAAAAKwArABGAAAABQLODgAAAA9FQVNULUtST05PU1BBTgIAHABFAEEAUwBUAC0ASwBSAE8ATgBPAFMAUABBAE4AAQAKAEkAUwBBAEUARwAEACQAZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAwAwAGkAcwBhAGUAZwAuAGUAYQBzAHQALgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAUAGgBrAHIAbwBuAG8AcwBwAGEAbgAuAGkAbgB0AAAAAAA= < Pragma: no-cache < Cache-Control: no-cache < Content-Type: text/html < Content-Length: 0 < * Connection #1 to host 172.18.4.7 left intact * Issue another request to this URL: 'http://google.com/' * Found bundle for host google.com: 0x55ca169a36f0 [can pipeline] * Re-using existing connection! (#1) with proxy 172.18.4.7 * Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1) * Proxy auth using NTLM with user 'east-kronospan\edvglu' > GET http://google.com/ HTTP/1.1 > Host: google.com > Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADcANwAWAAAAA4ADgA0AQAABgAGAEIBAAAJAAkASAEAAAAAAAAAAAAABoKJAtPPe0ZcXXcD3mjPAAdGwuEkBZAskhc/k/bHkozJyjXHT1g9/axuMIwBAQAAAAAAAADgyPWQxdEBJAWQLJIXP5MAAAAAAgAcAEUAQQBTAFQALQBLAFIATwBOAE8AUwBQAEEATgABAAoASQBTAEEARQBHAAQAJABlAGEAcwB0AC4AawByAG8AbgBvAHMAcABhAG4ALgBpAG4AdAADADAAaQBzAGEAZQBnAC4AZQBhAHMAdAAuAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQABQAaAGsAcgBvAG4AbwBzAHAAYQBuAC4AaQBuAHQAAAAAAAAAAABlYXN0LWtyb25vc3BhbmVkdmdsdWxvY2FsaG9zdA== > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 302 Found < Via: 1.0 ISAEG < Content-Length: 258 < Date: Mon, 13 Jun 2016 16:30:56 GMT < Location: http://www.google.ru/?gfe_rd=cr&ei=wN9eV5OoE4jEsAGmvpS4DA < Content-Type: text/html; charset=UTF-8 < Cache-Control: private < <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.ru/?gfe_rd=cr&ei=wN9eV5OoE4jEsAGmvpS4DA">here</A>. 
</BODY></HTML>
* Connection #1 to host 172.18.4.7 left intact

> If I understand your observation correctly, are you saying that you are
> able to connect with upstream checkout of curl-7_29_0 but not
> with the RHEL-7 libcurl package?

Yes, the upstream checkouts of curl-7_29_0 and master worked, as you can see in the above output, but it does not work with the RHEL-7 and Fedora-23 libcurl packages.

(In reply to Mikhail from comment #33)
> Yes, the upstream checkouts of curl-7_29_0 and master worked, as you can see in the above
> output, but it does not work with the RHEL-7 and Fedora-23 libcurl packages.

Sounds strange but still possible. So it does not make any sense to bisect the upstream git repository any more. You can just download the released tarball from upstream:

http://curl.haxx.se/download/curl-7.29.0.tar.lzma

Make sure you are using the same steps for build in both the cases, namely the configure options. Then try to rebuild the RHEL-7 libcurl package without any downstream patches -- does that make any difference?

/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -Wno-system-headers -pthread -o curl curl-tool_binmode.o curl-tool_bname.o curl-tool_cb_dbg.o curl-tool_cb_hdr.o curl-tool_cb_prg.o curl-tool_cb_rea.o curl-tool_cb_see.o curl-tool_cb_wrt.o curl-tool_cfgable.o curl-tool_convert.o curl-tool_dirhie.o curl-tool_doswin.o curl-tool_easysrc.o curl-tool_formparse.o curl-tool_getparam.o curl-tool_getpass.o curl-tool_help.o curl-tool_helpers.o curl-tool_homedir.o curl-tool_hugehelp.o curl-tool_libinfo.o curl-tool_main.o curl-tool_metalink.o curl-tool_mfiles.o curl-tool_msgs.o curl-tool_operate.o curl-tool_operhlp.o curl-tool_panykey.o curl-tool_paramhlp.o curl-tool_parsecfg.o curl-tool_setopt.o curl-tool_sleep.o curl-tool_urlglob.o curl-tool_util.o curl-tool_vms.o curl-tool_writeenv.o curl-tool_writeout.o curl-tool_xattr.o curl-strtoofft.o curl-strdup.o curl-rawstr.o curl-nonblock.o ../lib/libcurl.la -lmetalink -lz
libtool: link: gcc -O2 -Wno-system-headers -pthread -o .libs/curl curl-tool_binmode.o curl-tool_bname.o curl-tool_cb_dbg.o curl-tool_cb_hdr.o curl-tool_cb_prg.o curl-tool_cb_rea.o curl-tool_cb_see.o curl-tool_cb_wrt.o curl-tool_cfgable.o curl-tool_convert.o curl-tool_dirhie.o curl-tool_doswin.o curl-tool_easysrc.o curl-tool_formparse.o curl-tool_getparam.o curl-tool_getpass.o curl-tool_help.o curl-tool_helpers.o curl-tool_homedir.o curl-tool_hugehelp.o curl-tool_libinfo.o curl-tool_main.o curl-tool_metalink.o curl-tool_mfiles.o curl-tool_msgs.o curl-tool_operate.o curl-tool_operhlp.o curl-tool_panykey.o curl-tool_paramhlp.o curl-tool_parsecfg.o curl-tool_setopt.o curl-tool_sleep.o curl-tool_urlglob.o curl-tool_util.o curl-tool_vms.o curl-tool_writeenv.o curl-tool_writeout.o curl-tool_xattr.o curl-strtoofft.o curl-strdup.o curl-rawstr.o curl-nonblock.o ../lib/.libs/libcurl.so -lmetalink -lz -pthread -Wl,-rpath -Wl,/usr/local/lib
/usr/bin/ld: curl-tool_metalink.o: undefined reference to symbol 'NSS_ShutdownContext@@NSS_3.12.5'
/usr/lib64/libnss3.so: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Makefile:567: recipe for target 'curl' failed
make[2]: *** [curl] Error 1
make[2]: Leaving directory '/home/synergy/curl/2/curl-7.29.0/src'
Makefile:485: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/home/synergy/curl/2/curl-7.29.0/src'
Makefile:516: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

This error pops up when I try to compile the sources from the tarball. The options are the same as in the git variant.

You seem to build curl with metalink support, which is redundant for debugging the bug in question. Either configure with the --without-libmetalink option or just uninstall the libmetalink-devel package from the system where you build it.

Kamil, I understand why upstream curl worked but the libcurl package does not work. It happens because when I compile upstream curl I remove the option --with-gssapi${KRB5_PREFIX}

That is why I suggested to use equivalent options in both cases. Now you can put the option back and try the latest upstream. Does it behave the same as RHEL-7 libcurl?

I removed this option because I don't understand what ${KRB5_PREFIX} equals in my case.

${KRB5_PREFIX} evaluates as empty string on both RHEL-7 and Fedora. You can just run rpmbuild and see how the configure script is invoked exactly.

OK, I retested all upstream revisions with git bisect and none of them worked. I also compiled the tarball and it did not work either.

$ LD_LIBRARY_PATH=/home/synergy/curl/2/curl-7.29.0/lib/.libs curl --version
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
[synergy@localhost curl-7.29.0]$ LD_LIBRARY_PATH=/home/synergy/curl/2/curl-7.29.0/lib/.libs curl -v --proxy-any http://google.com
* About to connect() to proxy 172.18.4.7 port 8080 (#0)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
> GET http://google.com HTTP/1.1
> User-Agent: curl/7.43.0
> Host: google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374
<
* Closing connection 0
* Issue another request to this URL: 'http://google.com'
* About to connect() to proxy 172.18.4.7 port 8080 (#1)
* Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1)
> GET http://google.com HTTP/1.1
> User-Agent: curl/7.43.0
> Host: google.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
* gss_init_sec_context() failed: : No Kerberos credentials available (default cache: KEYRING:persistent:1000)
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML dir=ltr><HEAD><TITLE>The page cannot be displayed</TITLE> <STYLE>A:link { FONT: 8pt/11pt verdana; COLOR: #ff0000 } A:visited { FONT: 8pt/11pt verdana; COLOR: #4e4e4e } </STYLE> <META content=NOINDEX name=ROBOTS> <META http-equiv=Content-Type content="text-html; charset=Windows-1252"> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY bgColor=#ffffff> <TABLE cellSpacing=5 cellPadding=3 width=410> <TBODY> <TR> <TD vAlign=center align=left width=360> <H1 style="FONT: 13pt/15pt verdana; COLOR: #000000"><!--Problem-->The page cannot be displayed</H1></TD></TR> <TR> <TD width=400 colSpan=2><FONT style="FONT: 8pt/11pt verdana; COLOR: #000000">There is a problem with the page you are trying to reach and it cannot be displayed.</FONT></TD></TR> <TR> <TD width=400 colSpan=2><FONT style="FONT: 8pt/11pt verdana; COLOR: #000000"> <HR color=#c0c0c0 noShade> <P>Please try the following:</P> <UL> <LI>Click the Refresh button, or try again later.<BR> <LI>Open the Web site home page, and then look for links to the information you want. <LI>If you typed the page address in the Address bar, make sure that it is spelled correctly.<BR> <LI>Verify that the Internet access policy on your network allows you to view this this page.</LI> <LI>If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the Web site home page. </LI></UL> <H2 style="FONT: 8pt/11pt verdana; COLOR: #000000">HTTP 407 Proxy Authentication Required - The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)<BR>Internet Security and Acceleration Server</H2> <HR color=#c0c0c0 noShade> <P>Technical Information (for support personnel)</P> <UL> <LI>Background:<BR>The gateway could not retrieve the requested page.<P></P></LI> <LI>ISA Server: isaeg.east.kronospan.int<BR> Via: <BR><BR>Time: 14.06.2016 11:45:59 GMT </LI></UL></FONT></TD></TR></TBODY></TABLE></BODY></HTML>
* Closing connection 1

Do I understand it correctly that it does not work with the latest upstream version of libcurl if you configure it with --with-gssapi? Then I would suggest to report the issue on the upstream mailing list. Even if this bug was approved to be fixed in RHEL-7, it needs to be fixed upstream first anyway.

> Do I understand it correctly that it does not work with the latest upstream version of libcurl if you configure it with --with-gssapi?

Yes, exactly

Upstream bug report https://github.com/curl/curl/issues/876

RHEL-7 libcurl now behaves equally as upstream libcurl regarding the problem in question. Even if upstream came with some improvements, it would be likely not possible to backport them to RHEL-7 without breaking the backward compatibility. I am closing this bug as CANTFIX.
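The traces in this thread end in one of two ways after the proxy's first 407: either curl sends the NTLM Type 1 and Type 3 tokens and gets through, or (in the build configured with --with-gssapi) it logs `gss_init_sec_context() failed` and never sends an NTLM token. The Python sketch below is an added example, not part of the bug report or of curl, that classifies a `curl -v` trace into those outcomes; the function names, verdict labels, stub Type 2/3 tokens and the shortened sample traces are constructed for illustration.

```python
import base64
import re
import struct

NTLMSSP = b"NTLMSSP\x00"

def ntlm_type(token):
    """Return the NTLMSSP message type (1, 2 or 3) of a base64 token, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def parse_rounds(trace):
    """Split `curl -v` output into request/response rounds plus a GSS-failure flag."""
    rounds, gss_failed = [], False
    for line in trace.splitlines():
        line = line.strip()
        if "gss_init_sec_context() failed" in line:
            gss_failed = True
        elif re.match(r"> [A-Z]+ \S+ HTTP/", line):  # a new request starts
            rounds.append({"sent": None, "status": None, "offered": []})
        elif not rounds:
            continue
        elif m := re.match(r"> Proxy-Authorization:\s*(\S+)\s*(\S*)", line):
            scheme = m.group(1).upper()
            rounds[-1]["sent"] = (scheme, ntlm_type(m.group(2)) if scheme == "NTLM" else None)
        elif m := re.match(r"< HTTP/\d\.\d (\d{3})", line):
            rounds[-1]["status"] = int(m.group(1))
        elif m := re.match(r"< Proxy-Authenticate:\s*(\S+)", line):
            rounds[-1]["offered"].append(m.group(1).upper())
    return rounds, gss_failed

def classify(trace):
    """Name the proxy-authentication outcome that the trace shows."""
    rounds, gss_failed = parse_rounds(trace)
    if not rounds:
        return "no-requests"
    final = rounds[-1]["status"]
    offered = {s for r in rounds for s in r["offered"]}
    ntlm_sent = [r["sent"][1] for r in rounds if r["sent"] and r["sent"][0] == "NTLM"]
    if final != 407 and 3 in ntlm_sent:
        return "ntlm-handshake-completed"
    if final == 407 and gss_failed and "NTLM" in offered and not ntlm_sent:
        return "negotiate-failed-without-ntlm-fallback"
    return "proxy-auth-failed" if final == 407 else "other"

def stub_token(msg_type):
    # Constructed token: NTLMSSP header plus zero padding, not a real message.
    return base64.b64encode(NTLMSSP + struct.pack("<I", msg_type) + bytes(20)).decode()

# Type 1 token as it appears in the thread's traces (the run of "A" is zero bytes).
TYPE1 = "TlRMTVNTUAABAAAABoII" + "A" * 23 + "="

# Constructed, shortened traces modelled on the two outcomes in the thread.
WORKING_TRACE = f"""\
> GET http://google.com/ HTTP/1.1
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Negotiate
> GET http://google.com/ HTTP/1.1
> Proxy-Authorization: NTLM {TYPE1}
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM {stub_token(2)}
> GET http://google.com/ HTTP/1.1
> Proxy-Authorization: NTLM {stub_token(3)}
< HTTP/1.1 302 Found
"""
FAILING_TRACE = """\
> GET http://google.com HTTP/1.1
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
> GET http://google.com HTTP/1.1
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
* gss_init_sec_context() failed: : No Kerberos credentials available
< Proxy-Authenticate: Negotiate
"""
```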