reset "multipass" state when CONNECT request is done #3972

@tilicho tilicho commented May 31, 2019

Usually, working with a proxy using NTLM looks like this
(https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117931-technote-ntml.html):
1. Client sends

HEADER: > CONNECT my.site.com:443 HTTP/1.1
Host: my.site.com:443
Proxy-Authorization: NTLM <tldr1>
Proxy-Connection: Keep-Alive

2. Proxy responds:
HEADER: < HTTP/1.1 407 Proxy Authentication Required
HEADER: < Proxy-Authenticate: NTLM <tldr2>

3. Client sends:
HEADER: > CONNECT my.site.com:443 HTTP/1.1
Host: my.site.com:443
Proxy-Authorization: NTLM <tldr3>

4. If everything is fine, the proxy finally replies with HTTP status 200
HEADER: < HTTP/1.1 200 Connection established

After that, the client sends the original request through the proxy (POST/GET/PUT/...).

We found an interesting proxy from Cisco that performs some optimization in that conversation.
It looks like this:
1'. Client sends

HEADER: > CONNECT my.site.com:443 HTTP/1.1
Host: my.site.com:443
Proxy-Authorization: NTLM <tldr1>
Proxy-Connection: Keep-Alive

2'. Proxy immediately responds with HTTP status 200:
HEADER: < HTTP/1.1 200 Connection established

This happens because the proxy has remembered that the client with a specific IP address had already passed NTLM authentication.
So, the proxy decides to pass the client without performing the long conversation.

And, in the case of such a short NTLM conversation, we found a bug in curl.
If curl performed a POST request with a body through such a proxy, after the short NTLM conversation curl makes the POST request WITHOUT BODY.
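
The long and short exchanges described in the comment above, as a small C model added here for illustration; it is not part of the original comment and it is not curl source. The struct, field and function names are hypothetical, and the rule that a POST body is held back while a negotiation looks unfinished is an assumption made to reproduce the reported symptom.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the client-side state; all names are hypothetical. */
struct proxy_auth {
  bool multipass; /* an NTLM message was sent, more legs are expected */
  bool done;      /* the proxy has accepted the client */
};

enum proxy_kind { PROXY_FULL_NTLM, PROXY_REMEMBERS_IP };

/* Constructed proxy: status code for the n-th CONNECT (n starts at 1). */
static int proxy_status(enum proxy_kind kind, int n)
{
  if(kind == PROXY_REMEMBERS_IP)
    return 200;               /* step 2': no challenge at all */
  return n == 1 ? 407 : 200;  /* steps 2 and 4 */
}

/* Runs the CONNECT exchange and returns how many CONNECTs were sent. */
static int do_connect(struct proxy_auth *a, enum proxy_kind kind,
                      bool reset_on_200)
{
  int n = 0;
  int status;
  do {
    n++;
    /* n == 1 carries the type-1 message and opens the negotiation;
       n == 2 carries the type-3 message, which is the final leg. */
    a->multipass = (n == 1);
    status = proxy_status(kind, n);
  } while(status == 407);
  a->done = (n > 1);          /* only the long path finishes by itself */
  if(reset_on_200) {          /* what the PR title describes */
    a->multipass = false;
    a->done = true;
  }
  return n;
}

/* Body bytes the following POST puts on the wire. */
static size_t post_body_len(const struct proxy_auth *a, size_t len)
{
  /* Assumption: while a negotiation looks unfinished, the body is held back. */
  return (a->multipass && !a->done) ? 0 : len;
}
```

With the reset disabled, the proxy that answers 200 straight away leaves the model in the "negotiation in progress" state, so the POST that follows goes out with an empty body.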

@bagder bagder changed the title fix for work with ntlm proxy (post method with incorrect empty body can be sent to server) reset "multipass" state when CONNECT request is done Jun 1, 2019

bagder commented Jun 2, 2019

The same travis job has failed now three times (I restarted it twice) which might imply there's a problem.

When run event-driven, test 89 seems to be able to get stuck. I've tried to re-run that locally but have not seen it happen for me: ./runtests.pl -e 89.


bagder commented Jun 2, 2019

Probably a false positive since #3976 also saw the same problem occurring...


bagder commented Jun 2, 2019

Thanks!

@bagder bagder closed this in f9b60fb Jun 2, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Aug 31, 2019