Bug 1000773 - nc breaks on HTTP/1.1 proxy servers
Summary: nc breaks on HTTP/1.1 proxy servers
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nc
Version: 6.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Petr Šabata
QA Contact: Martin Žember
Depends On:
Blocks: 1159820
TreeView+ depends on / blocked
Reported: 2013-08-25 03:20 UTC by Andreas M. Kirchwitz
Modified: 2019-02-15 13:34 UTC (History)
8 users (show)

Fixed In Version: nc-1.84-23.el6
Doc Type: Enhancement
Doc Text:
Feature: Netcat now understands HTTP/1.1 proxy responses. Reason: Some proxies send HTTP/1.1 responses to HTTP/1.0 requests. Netcat didn't understand these and was therefore unusuable in such situations. Result: Netcat now works with HTTP/1.1-only proxies.
Clone Of:
Last Closed: 2014-12-08 09:08:02 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2014:1968 0 normal SHIPPED_LIVE nc bug fix update 2014-12-08 14:07:44 UTC

Description Andreas M. Kirchwitz 2013-08-25 03:20:20 UTC
Description of problem:
nc only supports HTTP/1.0 proxy servers and fails on HTTP/1.1 responses.

$ nc -X connect -x proxy.example.com:3128 www.example.com 443
nc: Proxy error: "HTTP/1.1 200 Connection established"

nc works fine without proxy or with HTTP/1.0 proxy servers, but with recent versions of Squid (always sending HTTP/1.1 responses) it fails. Proxy servers must send the highest HTTP version they support (not necessarily the same as the version of the original request).

If you look into the source code, nc expects a hardcoded "HTTP/1.0 200 " response. It shouldn't care about the HTTP version as long as it gets a positive "200" response.

Version-Release number of selected component (if applicable):

How reproducible:
Use nc to connect through a HTTP/1.1 proxy.

Steps to Reproduce:
1. see above

Actual results:
nc aborts because of hardcoded HTTP version.

Expected results:
Happily connect and ignore the HTTP version (the "200" response is all that matters).

Additional info:
I could use "ncat" (nmap) instead but that has also an issue with HTTP proxy.

Comment 2 Petr Šabata 2013-08-26 08:50:51 UTC
This is an easy fix and already present upstream, too.

Comment 6 ruckc@yahoo.com 2014-05-29 13:12:50 UTC
This should be a trivial fix, please update from upstream.

Comment 10 Petr Šabata 2014-11-26 14:38:58 UTC
A fix pushed in nc-1.84-23.el6.

Comment 14 errata-xmlrpc 2014-12-08 09:08:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.