RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 799557 - RHEL-6 libcurl fails when using digest auth and have multiple auth options
Summary: RHEL-6 libcurl fails when using digest auth and have multiple auth options
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl
Version: 6.2
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
: 6.5
Assignee: Kamil Dudka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
: 953864 (view as bug list)
Depends On:
Blocks: 994246 1096797
TreeView+ depends on / blocked
 
Reported: 2012-03-03 00:12 UTC by Peter Edwards
Modified: 2018-12-09 16:47 UTC (History)
22 users (show)

Fixed In Version: curl-7.19.7-39.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-22 07:15:28 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
backport of upstream 4851daf (2.16 KB, patch)
2012-03-05 12:32 UTC, Kamil Dudka
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 325133 0 None None None Never

Internal Links: 953864

Description Peter Edwards 2012-03-03 00:12:58 UTC
Description of problem:
 
Using curl-7.19.7-26.el6_1.2.x86_64
 
curl -v --digest -u AliBaba:OpenSesame  'http://treasure.cave:80/door'
* About to connect() to treasure.cave port 80 (#0)
*   Trying 1.2.3.4... connected
* Connected to treasure.cave (1.2.3.4) port 80 (#0)
* Server auth using Digest with user 'AliBaba'
> GET /door HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: treasure.cave
> Accept: */*
>
< HTTP/1.1 401 Access Denied
< Server: Microsoft-IIS/7.5
< WWW-Authenticate: NTLM
* gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_273' not foundWWW-Authenticate: Negotiate
< WWW-Authenticate: Digest realm="treasure.cave", nonce="My8yLzIwMTIgNjo1ODo0OSBQTQ", opaque="0000000000000000", stale=false, algorithm=MD5, qop="auth"
* gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_273' not foundWWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-IS-Server: a_windows_host
< X-Powered-By: ASP.NET
< Date: Fri, 02 Mar 2012 23:57:48 GMT
< Content-Length: 17
<
* Connection #0 to host treasure.cave left intact
* Closing connection #0
401 Access Denied

Version-Release number of selected component (if applicable):

curl-7.19.7-26.el6_1.2.x86_64

How reproducible:

See above.
  
Actual results:

gss_init_sec_context() errors, 401 Access Denied.

Expected results:

No gss_init_sec_context() errors, no 401 Access Denied.

Additional info:
 
The same bug exists in curl 7.22.0 when configured with "--with-gssapi" , but is fixed in 7.23.0 and 7.24.0.  The bug is only present if curl is configured with "--with-gssapi".  
 
Line 738 of lib/http.c that was added in 7.23.0 is needed.  It is line 736 in an unpatched 7.19.7.  This line (along with a close brace):
 
if(authp->picked == CURLAUTH_GSSNEGOTIATE) {
 
Above and around:
 
if(data->state.negotiate.state == GSS_AUTHSENT) {

Fixes it.  Thanks.

Comment 1 Peter Edwards 2012-03-04 15:08:07 UTC
This was the commit that introduced the line above:
  https://github.com/bagder/curl/commit/4851dafcf164bf2de5bd33c3cf2b786422ed05b6
The mailing list bug report:
  http://curl.haxx.se/mail/lib-2011-10/0323.html
Thanks.

Comment 2 Kamil Dudka 2012-03-05 12:28:14 UTC
Thanks for the bug report and pointer to the upstream fix.  Please clarify what you mean by "regression in curl-7.19.7-26.el6_1.2.x86_64".  Do you mean that it worked in RHEL-6 before the update?  That sounds pretty unlikely to me...

Comment 3 Kamil Dudka 2012-03-05 12:32:11 UTC
Created attachment 567588 [details]
backport of upstream 4851daf

Comment 4 Peter Edwards 2012-03-05 12:44:40 UTC
Sorry.  It worked on RHEL-5.  I didn't test older RH RPM versions on RHEL-6.  I will do that now.

Comment 5 Peter Edwards 2012-03-05 14:22:13 UTC
I tested with:

curl-7.19.7-16.el6.x86_64
libcurl-7.19.7-16.el6.x86_64

libcurl-7.19.7-15.el6.x86_64
curl-7.19.7-15.el6.x86_64

libcurl-7.19.7-6.el6.x86_64
curl-7.19.7-6.el6.x86_64

it does not work with any of these, failing in the same manner.  It does work on RHEL-5 with:

curl-7.15.5-9.el5_7.4

Thanks for the quick response.

Comment 6 Kamil Dudka 2012-03-13 15:27:46 UTC
The bug was present also in Fedora 16.  I have submitted an update for it:

https://admin.fedoraproject.org/updates/curl-7.21.7-7.fc16

Comment 14 Kamil Dudka 2013-04-20 08:47:31 UTC
*** Bug 953864 has been marked as a duplicate of this bug. ***

Comment 15 Jason McCormick 2013-06-04 02:57:26 UTC
We've recently been working on a system upgrade from EL5 to EL6 and encountered this broken behavior with curl for NTLM authentication. I've repackaged the EL6 curl using the patch provided here and it solves are problem as well. Will this bug definitely be fixed in RHEL 6.5?

Comment 16 Kamil Dudka 2013-06-04 11:58:54 UTC
Thank you for confirming the fix, Jason!

If you want to increase the chance of having the fix for the issue included in RHEL 6.5, please contact the product support.  Bugzilla is only a bug tracking tool and RHEL updates are driven by customer requests.

Comment 17 Jason McCormick 2013-06-07 15:12:22 UTC
I've opened case #00886699 for this.

Comment 18 Peter Edwards 2013-06-07 15:29:44 UTC
Thank you Jason McCormick for opening the case.

Comment 32 Maxim Burgerhout 2013-09-26 07:12:19 UTC
Opened another case (#00949737) to emphasize that this is important for multiple customers.

Comment 37 RHEL Program Management 2013-10-14 00:47:16 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 38 Jason McCormick 2013-10-14 13:32:00 UTC
I've requested management escalation for this BZ and my case. I also can't find the reference KB article on the support site.

Comment 39 Kamil Dudka 2013-10-14 14:10:00 UTC
(In reply to Jason McCormick from comment #38)
> I also can't find the reference KB article on the support site.

There is a reference to Knowledge Base above on this page, it points to:

    https://access.redhat.com/site/solutions/325133

Comment 40 Jason McCormick 2013-10-14 14:30:47 UTC
I see that as "Access Denied". The URL says "If this is knowledge content, it may be unpublished or retired."

Comment 41 Christian Horn 2013-10-14 14:42:12 UTC
(In reply to Kamil Dudka from comment #39)
>     https://access.redhat.com/site/solutions/325133
This kbase contains no additional information.  It has been published just now, it can atleast help to guide affected users to this bz here.

@engineering: could we get a new test build including the patch?  Are we ok with handing it out for verification?  The new build will then probably be 6.5 based.

Comment 50 Christian Horn 2013-10-14 15:59:02 UTC
A new build of test packages has been initiated.  Please open a case with the Red Hat Support (i.e. open a case via access.redhat.com ) and hint at this bugzilla, you can then get the packages - to verify the patch works.

Comment 52 Christian Horn 2013-11-05 13:13:40 UTC
The following 2 testpackages have been verified by my customer to fix the issue.
  curl-7.19.7-37.1.el6.x86_64.rpm / 
  libcurl-7.19.7-37.1.el6.x86_64.rpm

Comment 63 Johnny Hughes 2014-10-10 09:30:39 UTC
I don't know if this is related, but on the CentOS Devel mail list, this patch was pointed out as needed to solve an issue for NTLM as well:

https://github.com/bagder/curl/commit/63a0bd4270decef04e64fbe497b42f2c9e26c62b

From this post:

http://lists.centos.org/pipermail/centos-devel/2014-October/012111.html

Comment 64 Kamil Dudka 2014-10-10 09:51:29 UTC
(In reply to Johnny Hughes from comment #63)
> https://github.com/bagder/curl/commit/63a0bd4270decef04e64fbe497b42f2c9e26c62b

The above takes effect only if you explicitly set CURLOPT_FORBID_REUSE.  I would not classify the patch as related to this bug.  There were dozens of other NTLM fixes in curl between 4851dafc and 63a0bd42.

Comment 65 Paul Ling 2014-10-10 22:43:41 UTC
(In reply to Kamil Dudka from comment #64)
> (In reply to Johnny Hughes from comment #63)

I am the person that post that thread (http://lists.centos.org/pipermail/centos-devel/2014-October/012111.html) to centOS developer mail list. I know that is not the same issue, but that issue (ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth) bothers me more than this.

The connection of NTLM authenticated request shouldn't be reuse in libcurl multi interface because it includes authentication context, after reuse with other plain requests to the same server, the context will be messed up and then next request with the same user's NTLM authentication will get 401 always until this connection get closed by HTTP server, and new connection to be established for the NTLM request. 

But because of this defect, I couldn't set CURLOPT_FORBID_REUSE for NTLM authenticated request (it always failed after retry five times), due to NTLM requires the same connection for at least two continuous requests to finish authentication. This issue normally may not be able reproduce with curl command line because curl doesn't use the multi interface for asynchronous I/O that my appserver did.

That is a serious defect, I hope this issue can be patched to redhat 6 and CentOS 6 ASAP!

Paul Ling

Comment 66 Kamil Dudka 2014-10-13 07:07:13 UTC
(In reply to Paul Ling from comment #65)
> That is a serious defect, I hope this issue can be patched to redhat 6 and
> CentOS 6 ASAP!

While we appreciate your feedback, such a discussion makes no sense on a bug that is already fixed (and verified to be fixed).

Please file a separate bug, or better a customer case, for your issue.


Note You need to log in before you can comment on or make changes to this bug.