Red Hat Bugzilla – Bug 458919
curl/cannot CONNECT HTTP request over proxy using ntlm2 auth
Last modified: 2010-10-22 23:39:56 EDT
Description of problem:
Customer has tried to used curl over NTLM Proxy, and the version that we ship in RHEL4 doesn't work, and the later versions from the upstream works ( 7.14)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. curl --proxy-ntlm -U user:password --proxy server:port http://www
auth failure, authentication, redirects, and loops
download redhat.com web page
seems to be header related issue
Modified the default HTTP headers used by libcurl:
A) Normal non-proxy HTTP:
- no more "Pragma: no-cache" (this only makes sense to proxies)
B) Non-CONNECT HTTP request over proxy:
- "Pragma: no-cache" is used (like before)
- "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)
C) CONNECT HTTP request over proxy:
- "Host: [name]:[port]"
- "Proxy-Connection: Keep-alive"
Created attachment 314178 [details]
patch based on upstream code
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Created attachment 326710 [details]
patch based on upstream code
additional patches. this fixes the issue includes
NTLM2 session response support
Michele Bini modified the NTLM code to work for his "weird IIS case"
(http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash
function in addition to the LM one and making some other adjustments in the
order the different parts of the data block are sent in the Type-2 reply.
Inspiration for this work was taken from the Firefox NTLM implementation.
I edited the existing 21(!) NTLM test cases to run fine with these news. Due
to the fact that we now properly include the host name in the Type-2 message
the test cases now only compare parts of that chunk.
There is a test-case exactly for this:
# ./runtests.pl -a -p -v 162
********* System characteristics ********
* curl 7.12.1 (x86_64-redhat-linux-gnu)
* libcurl/7.12.1 OpenSSL/0.9.7a zlib/220.127.116.11 libidn/0.5.6
* Host: el4
* System: Linux el4 2.6.9-89.ELsmp #1 SMP Mon Apr 20 10:33:05 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
* Server SSL: ON
* libcurl SSL: ON
* libcurl debug: OFF
* valgrind: OFF
test 162...CMD; ../src/curl -o log/verifiedserver http://127.0.0.1:8999/verifiedserver 2>/dev/null
RUN: curl command returned 7
CMD: perl -I. ./httpserver.pl 8999 &
RUN: HTTP server is now verified to be our server
* pid http => 14584
[HTTP GET asking for --proxy-ntlm when some other authentication is required]
../src/curl --output log/curl162.out --include -v http://127.0.0.1:8999/162 --proxy http://127.0.0.1:8999 --proxy-user foo:bar --proxy-ntlm --fail >>log/stdout162 2>>log/stderr162
protocol OK received exitcode 22 OK
Shutting down test suite servers:
* kill pid for http => 14584
RUN: Test server pid 14584 signalled to die
TESTDONE: 1 tests out of 1 reported OK: 100%
TESTDONE: 1 tests were considered.
The test-case works, so it must be server-specific problem. Comparing the test's data with the latest upstrea, it really differs in the header:
@@ -37,8 +47,8 @@ http://%HOSTIP:%HOSTPORT/162 --proxy htt
-GET http://127.0.0.1:8999/162 HTTP/1.1
-Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
+GET http://%HOSTIP:%HTTPPORT/162 HTTP/1.1
+Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled)
I'll need some time to investigate it further.
As RHEL-4.9 is last update for RHEL-4 and it is not suitable for new features
and should address only security, performance and critical issues, I'm closing
that bugzilla WONTFIX. Issue is fixed in RHEL-5, backporting patches (comment #5) is too risky so late in RHEL-4 release cycle.