Description of problem:
Customer has tried to use curl over an NTLM proxy, and the version that we ship in RHEL4 doesn't work, while the later versions from upstream work (7.14).

Version-Release number of selected component (if applicable):
7.12

How reproducible:
always

Steps to Reproduce:
1. curl --proxy-ntlm -U user:password --proxy server:port http://www

Actual results:
auth failure, authentication, redirects, and loops

Expected results:
download redhat.com web page

Additional info:
seems to be header related issue

Revision 1.272
Modified the default HTTP headers used by libcurl:

A) Normal non-proxy HTTP:
 - no more "Pragma: no-cache" (this only makes sense to proxies)

B) Non-CONNECT HTTP request over proxy:
 - "Pragma: no-cache" is used (like before)
 - "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)

C) CONNECT HTTP request over proxy:
 - "Host: [name]:[port]"
 - "Proxy-Connection: Keep-alive"

reference - http://cool.haxx.se/cvs.cgi/curl/lib/http.c.diff?r2=1.272&r1=1.271&diff_format=l

Created attachment 314178
patch based on upstream code
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
Created attachment 326710
patch based on upstream code

additional patches. this fixes the issue

includes
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.51&r2=1.52&diff_format=l
http://cool.haxx.se/cvs.cgi/curl/lib/ssluse.c.diff?r1=1.150&r2=1.151&diff_format=l
http://cool.haxx.se/cvs.cgi/curl/lib/ssluse.h.diff?r1=1.25&r2=1.26&diff_format=l

NTLM2 session response support
http://cool.haxx.se/cvs.cgi/curl/lib/urldata.h.diff?r1=1.283&r2=1.284&diff_format=l
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.50&r2=1.49&diff_format=l

Michele Bini modified the NTLM code to work for his "weird IIS case" (http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash function in addition to the LM one and making some other adjustments in the order the different parts of the data block are sent in the Type-2 reply. Inspiration for this work was taken from the Firefox NTLM implementation.

I edited the existing 21(!) NTLM test cases to run fine with these news. Due to the fact that we now properly include the host name in the Type-2 message the test cases now only compare parts of that chunk.
There is a test-case exactly for this:

# pwd
/root/curl/RHEL-4/curl-7.12.1/tests
# ./runtests.pl -a -p -v 162
********* System characteristics ********
* curl 7.12.1 (x86_64-redhat-linux-gnu)
* libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
* Host: el4
* System: Linux el4 2.6.9-89.ELsmp #1 SMP Mon Apr 20 10:33:05 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
* Server SSL: ON
* libcurl SSL: ON
* libcurl debug: OFF
* valgrind: OFF
*****************************************
test 162...CMD; ../src/curl -o log/verifiedserver http://127.0.0.1:8999/verifiedserver 2>/dev/null
RUN: curl command returned 7
CMD: perl -I. ./httpserver.pl 8999 &
RUN: HTTP server is now verified to be our server
* pid http => 14584
[HTTP GET asking for --proxy-ntlm when some other authentication is required]
../src/curl --output log/curl162.out --include -v http://127.0.0.1:8999/162 --proxy http://127.0.0.1:8999 --proxy-user foo:bar --proxy-ntlm --fail >>log/stdout162 2>>log/stderr162
protocol OK received exitcode 22 OK
Shutting down test suite servers:
* kill pid for http => 14584
RUN: Test server pid 14584 signalled to die
TESTDONE: 1 tests out of 1 reported OK: 100%
TESTDONE: 1 tests were considered.

The test-case works, so it must be a server-specific problem. Comparing the test's data with the latest upstream, it really differs in the header:

@@ -37,8 +47,8 @@ http://%HOSTIP:%HOSTPORT/162 --proxy htt <protocol> -GET http://127.0.0.1:8999/162 HTTP/1.1 -Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA= +GET http://%HOSTIP:%HTTPPORT/162 HTTP/1.1 +Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled) -Host: 127.0.0.1:8999 -Pragma: no-cache +Host: %HOSTIP:%HTTPPORT Accept: */* +Proxy-Connection: Keep-Alive

I'll need some time to investigate it further.
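Review bot: the expected request in the <protocol> section changes in three independent ways at once (a different NTLM blob in Proxy-Authorization, "Pragma: no-cache" dropped, "Proxy-Connection: Keep-Alive" added), so this comparison alone does not show which difference the customer's proxy rejects. Checking each change separately against the failing proxy would tell whether the header patch, the NTLM patch, or both need backporting. The switch from the literal 127.0.0.1:8999 to %HOSTIP:%HTTPPORT in the GET and Host lines looks like a test-data placeholder change rather than a difference in what is sent, and can be left out of the comparison.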
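The two Proxy-Authorization values in the test 162 comparison above are NTLM Type-1 messages, and decoding them shows what changed in the negotiation itself. This is an added example, not part of the bug report or of curl's code; the flag labels are descriptive names chosen here for the standard NTLM negotiate bits, and the function names are hypothetical.

```python
import base64
import struct

# Negotiate-flag bits of the NTLM message format relevant to this comparison.
# The labels are descriptive names chosen for this example.
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_NTLM2_KEY",  # NTLM2 session response
}

def parse_type1(header_value):
    """Decode a (Proxy-)Authorization value carrying an NTLM Type-1 message."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM header value")
    raw = base64.b64decode(blob.strip(), validate=True)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature or truncated message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected Type-1, got Type-%d" % msg_type)
    buffers = {}
    for name, pos in (("domain", 16), ("workstation", 24)):
        if len(raw) >= pos + 8:  # security buffer: length, allocated, offset
            length, _alloc, offset = struct.unpack_from("<HHI", raw, pos)
            buffers[name] = (length, offset)
    known = [n for bit, n in sorted(FLAG_NAMES.items()) if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)  # bits set but not in the table above
    return {"flags": flags, "known": known, "unknown": unknown, "buffers": buffers}

def compare_type1(old_value, new_value):
    """Return the flag names that only one of the two Type-1 messages requests."""
    old, new = parse_type1(old_value), parse_type1(new_value)
    return {"added": [n for n in new["known"] if n not in old["known"]],
            "removed": [n for n in old["known"] if n not in new["known"]]}

# Header values copied from the test 162 comparison in the comment above.
RHEL4 = "NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA="
UPSTREAM = "NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="

if __name__ == "__main__":
    for label, value in (("7.12.1", RHEL4), ("upstream", UPSTREAM)):
        msg = parse_type1(value)
        print(label, hex(msg["flags"]), msg["known"], msg["buffers"])
    print(compare_type1(RHEL4, UPSTREAM))
```

The upstream message additionally requests the target name, always-sign and the NTLM2 session key, which lines up with the "NTLM2 session response support" change listed in the earlier attachment comment.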
As RHEL-4.9 is the last update for RHEL-4, and it is not suitable for new features and should address only security, performance and critical issues, I'm closing that bugzilla as WONTFIX. The issue is fixed in RHEL-5; backporting the patches (comment #5) is too risky so late in the RHEL-4 release cycle.