Bug 625685

Summary: Unable to use proxy with kerberos authentication for https
Product: Red Hat Enterprise Linux 6
Reporter: Kamil Dudka <kdudka>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: high
Version: 6.0
CC: luf, mhusnain, mvadkert, ovasik, paul
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
libcurl was unable to authenticate http proxies via Kerberos. This is now fixed and libcurl can successfully authenticate http proxies via Kerberos.
Story Points: ---
Clone Of: 625676
: 989557
Environment:
Last Closed: 2011-05-19 13:12:26 UTC
Type: ---
Bug Depends On: 625676    
Bug Blocks: 657396, 989557    
Attachments:
Description Flags
upstream patches applied on el6 code ovasik: review+

Description Kamil Dudka 2010-08-20 06:55:55 UTC
+++ This bug was initially created as a clone of Bug #625676 +++

Description of problem:
I'm unable to use curl with all https:// URLs when my proxy uses Kerberos authentication:
curl --proxy http://myproxy:3128 --proxy-negotiate --proxy-user : https://email.seznam.cz
407 Proxy Auth required
when
curl --proxy http://myproxy:3128 --proxy-negotiate --proxy-user : http://email.seznam.cz
works ok.

This bug was already fixed by curl developer(s) in git. Let's see:
https://sourceforge.net/tracker/?func=detail&aid=3046066&group_id=976&atid=100976

I need a fix for all supported Fedora and RHEL distributions as soon as possible.
May I add the same bug report for RHEL, or is this bug report enough for it?

Version-Release number of selected component (if applicable):
$ curl -V
curl 7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.6 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.4
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile SSL libz

How reproducible:
We have a squid with Kerberos authentication.
curl --proxy http://myproxy:3128 --proxy-negotiate --proxy-user : https://email.seznam.cz
407 Proxy Auth required
when
curl --proxy http://myproxy:3128 --proxy-negotiate --proxy-user : http://email.seznam.cz
works ok.


Steps to Reproduce:
1. Install and set up squid with Kerberos negotiation auth.
2. curl --proxy http://myproxy:3128 --proxy-negotiate --proxy-user : https://email.seznam.cz
  
Actual results:
407 Proxy Auth required

Expected results:
Requested page.

Additional info:
This bug was already fixed by curl developer(s) in git. Let's see:
https://sourceforge.net/tracker/?func=detail&aid=3046066&group_id=976&atid=100976
There is an official patch in the tracker. I attach the official patch here too.

--- Additional comment from kdudka on 2010-08-20 08:53:08 CEST ---

(In reply to comment #0)
> Created attachment 439865 [details]
> patch for the problem created by curl developer

Thanks for filing the bug.  Upstream commit:

http://github.com/bagder/curl/commit/13b8fc4

> I need a fix for all supported Fedora and RHEL distributions as soon as possible.
> May I add the same bug report for RHEL, or is this bug report enough for it?

I'll clone the bug for RHEL-6.  RHEL-5 does not suffer from the flaw as there is no proxy support in http_negotiate at all.
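
Added example (not part of the original report, nor code from curl or Red Hat): a regression check that runs the two commands from the description against the same host and tells a 407 from the proxy apart from other failures by reading curl's `http_connect_code` and `http_code` write-out variables. The proxy URL and host in the usage line are placeholders, and the verdict names are this example's own.

```sh
#!/bin/sh
# Added example, not from the bug report: compares proxy Negotiate results
# for an http:// and an https:// URL on the same host.
CURL=${CURL:-curl}    # overridable, so the logic can be run against a stub

# probe PROXY URL -> prints "<CONNECT status> <final HTTP status>"
probe() {
    "$CURL" --silent --output /dev/null --max-time 20 \
        --proxy "$1" --proxy-negotiate --proxy-user : \
        --write-out '%{http_connect_code} %{http_code}' "$2" || :
}

# classify "<connect> <http>" -> proxy-auth-failed | ok | other
classify() {
    set -- $1                       # split the two status codes
    if [ "$1" = 407 ] || [ "$2" = 407 ]; then
        echo proxy-auth-failed      # proxy rejected the request or the CONNECT
    elif [ "${2:-0}" -ge 200 ] && [ "${2:-0}" -lt 400 ]; then
        echo ok
    else
        echo other                  # timeout, DNS failure, origin error, ...
    fi
}

# check_proxy PROXY HOST -> symptom-present | symptom-absent | inconclusive (...)
check_proxy() {
    plain=$(classify "$(probe "$1" "http://$2/")")
    tls=$(classify "$(probe "$1" "https://$2/")")
    case "$plain/$tls" in
        ok/ok)                echo symptom-absent ;;
        ok/proxy-auth-failed) echo symptom-present ;;  # http works, https gets 407
        *)                    echo "inconclusive ($plain/$tls)" ;;
    esac
}

# Usage: sh check.sh http://proxy.example:3128 www.example.com  (placeholders)
if [ $# -eq 2 ]; then check_proxy "$1" "$2"; fi
```

Run it with a valid Kerberos ticket in the credential cache, before and after installing the updated package.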

Comment 5 Kamil Dudka 2011-01-05 13:04:00 UTC
Created attachment 471853 [details]
upstream patches applied on el6 code

Comment 10 Misha H. Ali 2011-04-20 00:47:09 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
libcurl was unable to authenticate Kerberos proxies. This is now fixed and libcurl can successfully authenticate Kerberos proxies.

Comment 11 Misha H. Ali 2011-04-26 23:41:39 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-libcurl was unable to authenticate Kerberos proxies. This is now fixed and libcurl can successfully authenticate Kerberos proxies.+libcurl was unable to authenticate http proxies via Kerberos. This is now fixed and libcurl can successfully authenticate http proxies via Kerberos.
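Review bot: the replacement text on the + line still omits the condition under which the failure occurred. The description in this report shows the same command succeeding for an http:// URL and returning 407 only for an https:// URL, so "unable to authenticate http proxies via Kerberos" reads as broader than what was reported. Suggest wording along the lines of "libcurl was unable to authenticate to HTTP proxies via Kerberos when the requested URL used https://", and capitalising "HTTP" in both sentences.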

Comment 12 errata-xmlrpc 2011-05-19 13:12:26 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0573.html