
curl-users

failure with proxy-ntlm, SSL

From: David Byron <DByron_at_everdreamcorp.com>
Date: Tue, 25 May 2004 15:48:46 -0700

Again I'm having trouble writing a test case for this, but the following
command fails for me using current cvs. As background:

$ ./curl --version
curl 7.12.0-CVS (i686-pc-cygwin) libcurl/7.12.0-CVS OpenSSL/0.9.7d
zlib/1.2.1
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: Debug Largefile NTLM SSL libz

Here's the command that fails:

$ ./curl https://www.paypal.com -k --proxy http://some_real_ntlm_proxy:proxy_port --proxy-user domain\\user:password --proxy-ntlm --verbose
* About to connect() to some_real_ntlm_proxy port proxy_port
* Connected to some_real_ntlm_proxy (some_real_ntlm_proxy) port
proxy_port
* Establish HTTP proxy tunnel to www.paypal.com:443
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
authorization to fulfill the request. Access to the Web Proxy
 service is denied. )
< Via:1.1 QE-COBPROXY
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 3779
<
* Proxy CONNECT aborted
* Closing connection #0
curl: (56) Proxy CONNECT aborted

If I do the same command with a non-SSL URL (like http://www.google.com,
or even http://www.paypal.com), it works fine:

$ ./curl http://www.google.com -k --verbose --proxy http://some_real_ntlm_proxy:proxy_port --proxy-user domain\\user:password --proxy-ntlm --verbose
* About to connect() to some_real_ntlm_proxy port proxy_port
* Connected to some_real_ntlm_proxy (some_real_ntlm_proxy) port
proxy_port
* Proxy auth using NTLM with user 'domain\user'
> GET http://www.google.com HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.12.0-CVS (i686-pc-cygwin) libcurl/7.12.0-CVS
OpenSSL/0.9.7d zlib/1.2.1
Host: www.google.com
Pragma: no-cache
Accept: */*

< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Via:1.1 QE-COBPROXY
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADAAAAACAgAAgt7KJfalymgAAAAAAAAAAAAAAAAwAAAA
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
* Connection #0 to host www.google.com left intact
* Issue another request to this URL: 'http://www.google.com'
* Re-using existing connection! (#0) with host www.google.com
* Connected to some_real_ntlm_proxy (some_real_ntlm_proxy) port
proxy_port
* Proxy auth using NTLM with user 'domain\user'
> GET http://www.google.com HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAE8AAAAYABgAZwAAAAkACQBAAAAABgAGAEkAAAAAAAAATwAAAAAA
AAB/AAAAAYIAAGV2ZXJjbGVhcnFldGVzdB
YZeoBAP9TOtAfm2c9ulv8AwBQksNZ9DHC9q+ZUGo56HOVzTdfEfMN95oUEm8DOSQ==
User-Agent: curl/7.12.0-CVS (i686-pc-cygwin) libcurl/7.12.0-CVS
OpenSSL/0.9.7d zlib/1.2.1
Host: www.google.com
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Via: 1.0 QE-COBPROXY
< Content-length: 2130
< Date: Tue, 25 May 2004 22:41:54 GMT
< Content-Type: text/html

<the rest of the page is here>

curl version 7.11.2 works fine with the SSL URL:

* About to connect() to some_real_ntlm_proxy port proxy_port
* Connected to some_real_ntlm_proxy (some_real_ntlm_proxy) port
proxy_port
* Establish HTTP proxy tunnel to www.paypal.com:443
* Proxy auth using NTLM with user 'domain\user'
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Via:1.1 QE-COBPROXY
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADAAAAACAgAAuOIalRHvGesAAAAAAAAAAAAAAAAwAAAA
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
<
* Proxy auth using NTLM with user 'domain\user'
< HTTP/1.1 200 Connection established
< Via: 1.1 QE-COBPROXY
<
* Proxy replied OK to CONNECT request
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Palo Alto/O=Paypal,
Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)0
0/CN=www.paypal.com
* start date: 2004-03-03 00:00:00 GMT
* expire date: 2006-03-03 23:59:59 GMT
* common name: www.paypal.com (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign
International Server CA - Class 3/OU=www.verisign.com/CPS I
ncorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify result: 20, continuing anyway.
> GET / HTTP/1.1
User-Agent: curl/7.11.2.1 (i386-pc-win32) libcurl/7.11.2.1
OpenSSL/0.9.7a
Host: www.paypal.com
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Date: Tue, 25 May 2004 22:45:48 GMT
< Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7a

< the rest of the page >

Any ideas? I've attached my attempt at a testcase, but it hangs.

Thanks much.

-DB

  • application/octet-stream attachment: test173
Received on 2004-05-26
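
An added example, not part of the original mail and not curl code: a small Python decoder for the NTLM tokens in the traces above. It shows that the failing CONNECT trace contains no NTLM message at all, while the working GET trace carries a Type 1 and a Type 2. The function names and the trimmed trace excerpts are constructed for this example; the two tokens are copied from the mail.

```python
import base64
import re
import struct

# Negotiate-flag bits set in this trace's messages (names per the NTLM spec).
FLAGS = {0x00000002: "NEGOTIATE_OEM", 0x00000200: "NEGOTIATE_NTLM"}

# Every NTLMSSP token starts with base64("NTLMSSP\0"), i.e. "TlRMTVNTUAA".
# \s+ lets the token sit on the line after "NTLM", as mail wrapping left it.
HDR = re.compile(
    r"Proxy-(Authorization|Authenticate):\s*NTLM\s+(TlRMTVNTUAA[A-Za-z0-9+/]*={0,2})")


def decode_ntlm(token):
    """Decode the fixed header of an NTLMSSP Type 1 or Type 2 message."""
    raw = base64.b64decode(token[: len(token) // 4 * 4])  # tolerate a cut token
    (mtype,) = struct.unpack_from("<I", raw, 8)
    info = {"type": mtype}
    if mtype == 1:    # client negotiate: flags follow the type field
        (flags,) = struct.unpack_from("<I", raw, 12)
    elif mtype == 2:  # server challenge: target buffer, flags, 8-byte nonce
        (flags,) = struct.unpack_from("<I", raw, 20)
        info["challenge"] = raw[24:32].hex()
    else:             # Type 3 carries the user's responses; not decoded here
        return info
    info["flags"] = sorted(n for bit, n in FLAGS.items() if flags & bit)
    return info


def handshake(trace):
    """List (header, decoded message) for each NTLM token in a curl trace."""
    return [(m.group(1), decode_ntlm(m.group(2))) for m in HDR.finditer(trace)]


# Excerpts of the two 7.12.0-CVS traces in the mail (Type 3 request omitted).
FAILING = """< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
* Proxy CONNECT aborted"""
WORKING = """Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADAAAAACAgAAgt7KJfalymgAAAAAAAAAAAAAAAAwAAAA"""

if __name__ == "__main__":
    for name, trace in (("https via CONNECT", FAILING), ("http via GET", WORKING)):
        print(name, handshake(trace) or "no NTLM token exchanged")
```

An empty list for a trace means the client never sent a Type 1 negotiate message, so the proxy had nothing to answer with a challenge.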