RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1154747 - NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
Summary: NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl
Version: 6.3
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On: 1166264
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-20 16:38 UTC by Paul Ling
Modified: 2015-07-22 05:43 UTC (History)
4 users (show)

Fixed In Version: curl-7.19.7-43.el6
Doc Type: Bug Fix
Doc Text:
libcurl provides a FORBID_REUSE flag to disable reuse of existing connections. However, the connection reuse feature is internally used to implement NTLM (NT LAN Manager) authentication. This resulted in authentication failures when the FORBID_REUSE was set. An upstream patch has been applied on libcurl sources to ensure that the FORBID_REUSE flag does not interfere with the NTLM authentication. Now both the features can be used together with no side effects.
Clone Of:
: 1166264 (view as bug list)
Environment:
Last Closed: 2015-07-22 05:43:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1254 0 normal SHIPPED_LIVE Moderate: curl security, bug fix, and enhancement update 2015-07-20 17:50:03 UTC

Description Paul Ling 2014-10-20 16:38:32 UTC 
Description of problem:
if CURLOPT_FORBID_REUSE is set, requests using NTLM failed
since NTLM requires multiple requests that re-use the same connection
for the authentication to work

Version-Release number of selected component (if applicable):
7.19.7

How reproducible:
The connection of NTLM authenticated request shouldn't be reuse in libcurl multi interface because it includes authentication context, after reuse with other plain requests to the same server, the context will be messed up and then next request with the same user's NTLM authentication will get 401 always until this connection get closed by HTTP server, and new connection to be established for the NTLM request. 

But because of this defect, I couldn't set CURLOPT_FORBID_REUSE for NTLM authenticated request (it always failed after retry five times), due to NTLM requires the same connection for at least two continuous requests to finish authentication. This issue normally may not be able reproduce with curl command line because curl doesn't use the multi interface for asynchronous I/O that my appserver did.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
Ignore the forbid reuse flag in case the NTLM authentication
handshake is in progress, according to the NTLM state flag.

Additional info:

Please refer to curl fix here.
https://github.com/bagder/curl/commit/63a0bd4270decef04e64fbe497b42f2c9e26c62b
Comment 2 Kamil Dudka 2014-10-21 13:01:20 UTC 
(In reply to Paul Ling from comment #0)
> The connection of NTLM authenticated request shouldn't be reuse in libcurl
> multi interface because it includes authentication context, after reuse with
> other plain requests to the same server, the context will be messed up and
> then next request with the same user's NTLM authentication will get 401
> always until this connection get closed by HTTP server, and new connection
> to be established for the NTLM request.

Which bug do you refer to above?  Has it been already reported?  How are you confirming that libcurl is used correctly in the above scenario?

Please provide a minimal example.
Comment 3 Paul Ling 2014-10-21 23:51:21 UTC 
Here is the information copied from curl known bugs in the link I gave in this bug additional info section.

-77. CURLOPT_FORBID_REUSE on a handle prevents NTLM from working since it
-  "abuses" the underlying connection re-use system and if connections are
-  forced to close they break the NTLM support.
-
Comment 4 Kamil Dudka 2014-10-22 00:44:37 UTC 
That is actually not what I was asking about.  I meant what is the reason you need to use CURLOPT_FORBID_REUSE at all?
Comment 5 Paul Ling 2014-10-22 18:51:24 UTC 
Steps to Reproduce:
1. Create curl multi handle with most default options, I only set CURLMOPT_SOCKETFUNCTION/CURLMOPT_SOCKETDATA for libevent integration
2. Create and add easy handle for NTLM authentication HTTPS request with AD user A credentials. One connection will be established this time
3. Create and add one HTTPS request to the same web server but doesn't require NTLM authentication afterward, libcurl will reuse the connection which send NTLM authentication request.
4. Create and add the third request as same as the first NTLM requests with the same user. libcurl still want to reuse the same connection for this new NTLM request. But IIS will return 401 always as below unless the old connection break down and new connection established.


 * Re-using existing connection! (#0) with host hhh.xxx.com
 * Connected to hhh.xxx.com (10.26.0.100) port 443 (#0)
 * Server auth using NTLM with user 'ppp'
 > POST /auth/useradauth HTTP/1.1^M
 User-Agent: libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2^M
 Host: hhh.xxx.com^M
 Accept: */*^M
 Content-Type: application/json^M
 Content-Length: 67^M
 ^M
 < HTTP/1.1 401 Unauthorized^M
 < Server: Microsoft-IIS/7.5^M
 * gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found< WWW-Authenticate: Negotiate^M
 * Authentication problem. Ignoring this.
 < WWW-Authenticate: NTLM^M
 < X-Powered-By: ASP.NET^M
 < Date: Wed, 22 Oct 2014 18:40:44 GMT^M
 < Content-Length: 0^M
 < ^M
 * Connection #0 to host hhh.xxx.com left intact
Comment 6 Kamil Dudka 2014-10-23 14:05:40 UTC 
This looks like CVE-2014-0015, which is fixed since curl-7.19.7-37.el6_5.3.  Please have a look at bug #1053903 for details.
Comment 7 Paul Ling 2014-10-24 06:34:08 UTC 
I noticed bug #1053903 as well, but it only happened when use multiple auth options together. To avoid this issue, I already specified only CURLAUTH_NTLM as HTTP_AUTH option in my app.
Comment 8 Kamil Dudka 2014-10-24 07:03:06 UTC 
The point is that, if the authentication credentials (at least user name?) differ, the connection cannot be reused (even if CURLOPT_FORBID_REUSE is not set).  So the request for a minimal example is still valid.
Comment 9 Paul Ling 2014-10-24 07:08:30 UTC 
But in my case, it is the same user to make NTLM http request twice in two minutes. If it is another user to make NTLM HTTP request, there is no problem.
Comment 10 Kamil Dudka 2014-10-24 07:33:27 UTC 
As I understand it, you give libcurl user name and password to authenticate on sites that do not require (more precisely deny) authentication, which causes a problem later on.
Comment 11 Paul Ling 2014-10-24 21:19:20 UTC 
Let me explain little bit more about my case.
My web server has two web apps, one is authenticator which takes IWA authentication and issue my special ticket to client. The second web app is that takes this ticket inside of HTTP body to provide discovery service, this web app does not request NTLM authentication.

The client process is that sending authentication HTTPS request with user/password to the first webapp, following by the second NON-NTLM HTTPS request without user/password. Once my client repeat this process, only the first authentication HTTPS request got succeeded, the second time authentication and later will always got 401 failure because of the connection re-use.
Comment 12 Kamil Dudka 2014-10-29 14:41:50 UTC 
(In reply to Paul Ling from comment #11)
> The client process is that sending authentication HTTPS request with
> user/password to the first webapp, following by the second NON-NTLM HTTPS
> request without user/password. Once my client repeat this process, only the
> first authentication HTTPS request got succeeded, the second time
> authentication and later will always got 401 failure because of the
> connection re-use.

That ^^^ is the part that I still do not understand.  If your first request has user/password set and the second request does not have user/password set, the connection cannot be re-used for them.

Are you sure you have upgraded to curl-7.19.7-37.el6_5.3 or later?
Comment 22 errata-xmlrpc 2015-07-22 05:43:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1254.html
Note You need to log in before you can comment on or make changes to this bug.