Bug 1118751 - Endless loop with GSSAPI authentication to proxy
Summary: Endless loop with GSSAPI authentication to proxy
Alias: None
Product: Fedora
Classification: Fedora
Component: curl
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2014-07-11 13:03 UTC by David Woodhouse
Modified: 2014-08-03 01:57 UTC (History)

Fixed In Version: curl-7.32.0-12.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-08-03 01:57:36 UTC
Type: Bug


Description David Woodhouse 2014-07-11 13:03:33 UTC
Sometimes due to reverse DNS issues, we attempt to obtain a Kerberos ticket for the *wrong* host. When we present the ticket, it obviously doesn't work.

If the server is a proxy and returns an empty 'Proxy-Authenticate: Negotiate' header indicating that it didn't work and we should try something else... we just try again. Over and over and over again.

Actually, this is just the tip of the iceberg when it comes to curl's brokenness with GSSAPI. Fixes at http://git.infradead.org/users/dwmw2/curl.git (posted to the list today).
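The retry loop described in the report, as an added client-side illustration (not curl's code and not from the reporter's patches): one round of proxy authentication is modelled, and an empty Proxy-Authenticate: Negotiate received after a GSSAPI token has already been sent is treated as a rejection rather than an invitation to retry. Preferring a Negotiate challenge that carries continuation data, and falling back to another offered scheme, are assumptions of this example. Header lines are constructed.

```python
import base64
from typing import List, Optional, Tuple

# Constructed example of a guard against the endless Negotiate retry loop.
# The client has already sent a Negotiate (GSSAPI) token to the proxy and the
# proxy answers 407 again; the function decides what a sane next step is.

def parse_proxy_authenticate(headers: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (scheme, token-or-None) for each Proxy-Authenticate header line."""
    challenges = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        parts = value.strip().split(None, 1)
        if not parts:
            continue
        scheme = parts[0].lower()
        token = parts[1].strip() if len(parts) > 1 else None
        challenges.append((scheme, token or None))
    return challenges

def next_auth_action(headers: List[str], negotiate_token_sent: bool):
    """Decide what to do after a 407 response from the proxy.

    Returns ("continue", bytes) to carry on the GSSAPI exchange,
    ("fallback", scheme) to switch to another offered mechanism,
    or ("fail", None) when nothing usable is offered.
    """
    challenges = parse_proxy_authenticate(headers)
    negotiate = [tok for scheme, tok in challenges if scheme == "negotiate"]
    # Assumption: a Negotiate challenge carrying data is a multi-leg
    # continuation and takes priority over a bare "Negotiate".
    with_data = [tok for tok in negotiate if tok]
    if with_data:
        return ("continue", base64.b64decode(with_data[0]))
    if negotiate and not negotiate_token_sent:
        # First challenge: a bare "Negotiate" just means "start Negotiate".
        return ("continue", b"")
    # We already presented a token and got a bare "Negotiate" back (or no
    # Negotiate at all): retrying the same token can only loop, so move on.
    others = [scheme for scheme, _ in challenges if scheme != "negotiate"]
    return ("fallback", others[0]) if others else ("fail", None)
```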

Comment 1 Kamil Dudka 2014-07-14 12:26:15 UTC
Thanks for the pointer and the patches.  I would prefer to wait till they are merged upstream before submitting updates for stable releases though.

Comment 2 David Woodhouse 2014-07-16 15:31:06 UTC
That makes perfect sense. The patches are now merged upstream.

Comment 3 Kamil Dudka 2014-07-16 17:00:03 UTC
They are included in curl-7.37.1-1.fc22 for now, will consider backport later...

Comment 4 Kamil Dudka 2014-07-17 12:47:11 UTC
There is a possible regression of bug #1093348, which is being discussed upstream:


Comment 5 David Woodhouse 2014-07-17 13:14:13 UTC
Yeah, I wish I could remember which server I was using when I saw bug 1093348 :)

Comment 6 David Woodhouse 2014-07-18 16:07:23 UTC
I still can't find the original server but I've set up something to emulate it and retested with the latest curl code. It still behaves correctly... or as well as it did before, at least :)

It's still using the *first* Negotiate response, where using the non-empty one might make more sense. But that's not a regression.

Comment 7 Kamil Dudka 2014-07-21 11:26:42 UTC
Thanks for checking it!  Do you want to backport some additional patches on top of the original patchset then?


Comment 8 David Woodhouse 2014-07-21 14:23:31 UTC
No need for anything more at the moment; I think that patch set captures everything that's important. Michael O is working on some other improvements but they are mostly cosmetic.

I've just done a test build of your 7.37.1-1.fc22 package locally and it seems to be working correctly for me — Negotiate auth is sanely falling back to GSS-NTLMSSP etc.


Comment 9 Fedora Update System 2014-07-30 13:04:55 UTC
curl-7.32.0-12.fc20 has been submitted as an update for Fedora 20.

Comment 10 Fedora Update System 2014-08-01 06:04:46 UTC
Package curl-7.32.0-12.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.32.0-12.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-08-03 01:57:36 UTC
curl-7.32.0-12.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
