Bug 458919 - curl/cannot CONNECT HTTP request over proxy using ntlm2 auth
curl/cannot CONNECT HTTP request over proxy using ntlm2 auth
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: curl (Show other bugs)
4.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Kamil Dudka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-13 04:08 EDT by ritz
Modified: 2010-10-22 23:39 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-23 07:12:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch based on upstream code (9.89 KB, patch)
2008-08-13 04:21 EDT, ritz
no flags Details | Diff
patch based on upstream code (25.92 KB, patch)
2008-12-12 01:44 EST, ritz
no flags Details | Diff

  None (edit)
Description ritz 2008-08-13 04:08:47 EDT
Description of problem:
Customer has tried to used curl over NTLM Proxy, and the version that we ship in RHEL4 doesn't work, and the later versions from the upstream works ( 7.14)


Version-Release number of selected component (if applicable):
7.12

How reproducible:
always

Steps to Reproduce:
1. curl --proxy-ntlm -U user:password --proxy server:port http://www 
  
Actual results:
auth failure, authentication, redirects, and loops

Expected results:
download redhat.com web page

Additional info:
seems to be header related issue

Revision 1.272
Modified the default HTTP headers used by libcurl:

A) Normal non-proxy HTTP:

- no more "Pragma: no-cache" (this only makes sense to proxies)

B) Non-CONNECT HTTP request over proxy:

- "Pragma: no-cache" is used (like before)
- "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)

C) CONNECT HTTP request over proxy:

- "Host: [name]:[port]"
- "Proxy-Connection: Keep-alive"

reference -
http://cool.haxx.se/cvs.cgi/curl/lib/http.c.diff?r2=1.272&r1=1.271&diff_format=l
Comment 1 ritz 2008-08-13 04:21:59 EDT
Created attachment 314178 [details]
patch based on upstream code
Comment 4 RHEL Product and Program Management 2008-10-31 12:50:31 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 5 ritz 2008-12-12 01:44:28 EST
Created attachment 326710 [details]
patch based on upstream code

additional patches. this fixes the issue includes 

http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.51&r2=1.52&diff_format=l
http://cool.haxx.se/cvs.cgi/curl/lib/ssluse.c.diff?r1=1.150&r2=1.151&diff_format=l
http://cool.haxx.se/cvs.cgi/curl/lib/ssluse.h.diff?r1=1.25&r2=1.26&diff_format=l
NTLM2 session response support


http://cool.haxx.se/cvs.cgi/curl/lib/urldata.h.diff?r1=1.283&r2=1.284&diff_format=l
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.50&r2=1.49&diff_format=l

Michele Bini modified the NTLM code to work for his "weird IIS case"
(http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash
function in addition to the LM one and making some other adjustments in the
order the different parts of the data block are sent in the Type-2 reply.
Inspiration for this work was taken from the Firefox NTLM implementation.

I edited the existing 21(!) NTLM test cases to run fine with these news. Due
to the fact that we now properly include the host name in the Type-2 message
the test cases now only compare parts of that chunk.
Comment 7 Kamil Dudka 2010-03-19 12:13:54 EDT
There is a test-case exactly for this:
# pwd
/root/curl/RHEL-4/curl-7.12.1/tests

# ./runtests.pl -a -p -v 162
********* System characteristics ******** 
* curl 7.12.1 (x86_64-redhat-linux-gnu) 
* libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
* Host: el4
* System: Linux el4 2.6.9-89.ELsmp #1 SMP Mon Apr 20 10:33:05 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
* Server SSL:       ON
* libcurl SSL:      ON
* libcurl debug:    OFF
* valgrind:         OFF
***************************************** 
test 162...CMD; ../src/curl -o log/verifiedserver http://127.0.0.1:8999/verifiedserver 2>/dev/null
RUN: curl command returned 7
CMD: perl -I. ./httpserver.pl  8999 &
RUN: HTTP server is now verified to be our server
* pid http => 14584
[HTTP GET asking for --proxy-ntlm when some other authentication is required]
../src/curl --output log/curl162.out  --include -v http://127.0.0.1:8999/162 --proxy http://127.0.0.1:8999 --proxy-user foo:bar --proxy-ntlm --fail >>log/stdout162 2>>log/stderr162
 protocol OK received exitcode 22 OK
Shutting down test suite servers:
* kill pid for http  => 14584
RUN: Test server pid 14584 signalled to die
TESTDONE: 1 tests out of 1 reported OK: 100%
TESTDONE: 1 tests were considered.


The test-case works, so it must be server-specific problem.  Comparing the test's data with the latest upstrea, it really differs in the header:
@@ -37,8 +47,8 @@ http://%HOSTIP:%HOSTPORT/162 --proxy htt
 <protocol>
-GET http://127.0.0.1:8999/162 HTTP/1.1
-Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
+GET http://%HOSTIP:%HTTPPORT/162 HTTP/1.1
+Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
 User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled)
-Host: 127.0.0.1:8999
-Pragma: no-cache
+Host: %HOSTIP:%HTTPPORT
 Accept: */*
+Proxy-Connection: Keep-Alive


I'll need some time to investigate it further.
Comment 9 Ondrej Vasik 2010-03-23 07:12:17 EDT
As RHEL-4.9 is last update for RHEL-4 and it is not suitable for new features
and should address only security, performance and critical issues, I'm closing
that bugzilla WONTFIX. Issue is fixed in RHEL-5, backporting patches (comment #5) is too risky so late in RHEL-4 release cycle.

Note You need to log in before you can comment on or make changes to this bug.