Re: File upload with proxy authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 3 Nov 2012 14:25:22 -0000

I did some further analysis. And the reason for not authenticating lies in Curl_http_output_auth, where a check is made for proxy_user_passwd. Since with negotiate this does come from the cache it is set to 0 and no Authorisation header is returned. I tried to set conn->bits.proxy_user_passwd in Curl_input_negotiate to true to simulate that a username/password was given, but hit another issue that curl does a connection reuse and overwrites this flag.

As I do not understand all the dependencies, what would be the best approach to fix this?

Thank you
Markus

CURLcode
Curl_http_output_auth(struct connectdata *conn,
                      const char *request,
                      const char *path,
                      bool proxytunnel) /* TRUE if this is the request setting
                                           up the proxy tunnel */
{
  CURLcode result = CURLE_OK;
  struct SessionHandle *data = conn->data;
  struct auth *authhost;
  struct auth *authproxy;

  DEBUGASSERT(data);

  authhost = &data->state.authhost;
  authproxy = &data->state.authproxy;
 
  if((conn->bits.httpproxy && conn->bits.proxy_user_passwd) ||
     conn->bits.user_passwd)
    /* continue please */ ;
  else {
    authhost->done = TRUE;
    authproxy->done = TRUE;
    return CURLE_OK; /* no authentication with no user or password */
  }

  "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message news:k735pv$f24$1_at_ger.gmane.org...

  I added some debug and see that the first gss_init_sec_context is successful, but it looks like the Authorisation header is not added to the reply, which is why the second gss_init_sec_context call fails.

  Markus

   src/curl -v --proxy-negotiate http://www.csm-testcenter.org/test
  * About to connect() to proxy opensuse12.suse.home port 3128 (#0)
  * Trying 2a01:348:1f9::29... connected
  > GET http://www.csm-testcenter.org/test HTTP/1.1
  > User-Agent: curl/7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0e zlib/1.2.5 c-ares/1.7.5 libidn/1.22 libssh2/1.2.9
  > Host: www.csm-testcenter.org
  > Accept: */*
  > Proxy-Connection: Keep-Alive
  >
  * HTTP 1.0, assume close after body
  < HTTP/1.0 407 Proxy Authentication Required
  < Server: squid/3.1.16
  < Mime-Version: 1.0
  < Date: Sat, 03 Nov 2012 13:09:37 GMT
  < Content-Type: text/html
  < Content-Length: 3381
  < X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
  < Vary: Accept-Language
  < Content-Language: en
  * context == GSS_C_NO_CONTEXT
  * MAJOR_STATUS: 1
  < Proxy-Authenticate: Negotiate
  < Proxy-Authenticate: NTLM
  < X-Cache: MISS from opensuse12
  < X-Cache-Lookup: NONE from opensuse12:3128
  < Via: 1.0 opensuse12 (squid/3.1.16)
  * HTTP/1.0 connection set to keep alive!
  < Connection: keep-alive
  <
  * Ignoring the response-body
  * Connection #0 to host opensuse12.suse.home left intact
  * Issue another request to this URL: 'http://www.csm-testcenter.org/test'
  * Re-using existing connection! (#0) with host opensuse12.suse.home
  * Connected to opensuse12.suse.home (2a01:348:1f9::29) port 3128 (#0)
  > GET http://www.csm-testcenter.org/test HTTP/1.0
  > User-Agent: curl/7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0e zlib/1.2.5 c-ares/1.7.5 libidn/1.22 libssh2/1.2.9
  > Host: www.csm-testcenter.org
  > Accept: */*
  > Proxy-Connection: Keep-Alive
  >
  * HTTP 1.0, assume close after body
  < HTTP/1.0 407 Proxy Authentication Required
  < Server: squid/3.1.16
  < Mime-Version: 1.0
  < Date: Sat, 03 Nov 2012 13:09:37 GMT
  < Content-Type: text/html
  < Content-Length: 3381
  < X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
  < Vary: Accept-Language
  < Content-Language: en
  * context != GSS_C_NO_CONTEXT
  * MAJOR_STATUS: 589824
  * gss_init_sec_context() failed: : Unknown error (0)Proxy-Authenticate: Negotiate
  < Proxy-Authenticate: NTLM
  < X-Cache: MISS from opensuse12
  < X-Cache-Lookup: NONE from opensuse12:3128
  < Via: 1.0 opensuse12 (squid/3.1.16)
  * HTTP/1.0 connection set to keep alive!
  < Connection: keep-alive
  <

  "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message news:k716ve$pep$1_at_ger.gmane.org...
> Here is some more output and I see:
>
> * gss_init_sec_context() failed: : Unknown error
>
> but my Kerberos cache got the Kerberos ticket for the proxy
>
> markus_at_opensuse12:~> klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: markus_at_SUSE.HOME
>
> Valid starting Expires Service principal
> 11/02/12 19:26:10 11/03/12 05:26:10 krbtgt/SUSE.HOME_at_SUSE.HOME
> renew until 11/03/12 19:26:07, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac
> 11/02/12 19:26:15 11/03/12 05:26:10 HTTP/opensuse12.suse.home_at_SUSE.HOME
> renew until 11/03/12 19:26:07, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac
>
> Markus
>
>
> markus_at_opensuse12:~> curl -v --form file_upload=@test.txt --form
> do=test --form subdo=file_upload --form http_submit="Start HTTP upload"
> http://www.csm-testcenter.org/test
> * About to connect() to proxy opensuse12.suse.home port 3128 (#0)
> * Trying 2a01:348:1f9::29... connected
>> POST http://www.csm-testcenter.org/test HTTP/1.1
>> User-Agent: curl/7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0
>> OpenSSL/1.0.0e zlib/1.2.5 c-ares/1.7.5 libidn/1.22 libssh2/1.2.9
>> Host: www.csm-testcenter.org
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>> Content-Length: 515
>> Expect: 100-continue
>> Content-Type: multipart/form-data;
>> boundary=----------------------------254bed6ebc0d
>>
> < HTTP/1.1 407 Proxy Authentication Required
> < Server: squid/3.2.2-BZR
> < Mime-Version: 1.0
> < Date: Fri, 02 Nov 2012 19:26:15 GMT
> < Content-Type: text/html
> < Content-Length: 3532
> < X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> < Vary: Accept-Language
> < Content-Language: en
> < Proxy-Authenticate: Negotiate
> < Proxy-Authenticate: NTLM
> < X-Cache: MISS from opensuse12
> < X-Cache-Lookup: NONE from opensuse12:3128
> < Via: 1.1 opensuse12 (squid/3.2.2-BZR)
> < Connection: keep-alive
> * HTTP error before end of send, stop sending
> <
> * Closing connection #0
> * Issue another request to this URL: 'http://www.csm-testcenter.org/test'
> * About to connect() to proxy opensuse12.suse.home port 3128 (#0)
> * Trying 2a01:348:1f9::29... connected
>> POST http://www.csm-testcenter.org/test HTTP/1.1
>> User-Agent: curl/7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0
>> OpenSSL/1.0.0e zlib/1.2.5 c-ares/1.7.5 libidn/1.22 libssh2/1.2.9
>> Host: www.csm-testcenter.org
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>> Content-Length: 515
>> Expect: 100-continue
>> Content-Type: multipart/form-data;
>> boundary=----------------------------30cbf6c8845e
>>
> < HTTP/1.1 407 Proxy Authentication Required
> < Server: squid/3.2.2-BZR
> < Mime-Version: 1.0
> < Date: Fri, 02 Nov 2012 19:26:15 GMT
> < Content-Type: text/html
> < Content-Length: 3532
> < X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> < Vary: Accept-Language
> < Content-Language: en
> * gss_init_sec_context() failed: : Unknown errorProxy-Authenticate:
> Negotiate
> < Proxy-Authenticate: NTLM
> < X-Cache: MISS from opensuse12
> < X-Cache-Lookup: NONE from opensuse12:3128
> < Via: 1.1 opensuse12 (squid/3.2.2-BZR)
> < Connection: keep-alive
> * HTTP error before end of send, stop sending
> <
> * Closing connection #0
>
>
>
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
> news:k70g1c$573$1_at_ger.gmane.org...
>>
>> Should the following work with a proxy which supports negotiate
>> authentication?
>>
>> kinit user_at_DOMAIN
>>
>> curl -v --proxy-negotiate --form file_upload=@test.txt --form
>> do=test --form subdo=file_upload --form http_submit="Start HTTP upload"
>> http://www.csm-testcenter.org/test
>>
>> When I try it I see the proxy sends a 407 with the negotiate header but
>> curl does not reply (e.g send the same request with an additional proxy
>> authentication header)
>>
>> Thank you
>> Markus
>>
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-users
>> FAQ: http://curl.haxx.se/docs/faq.html
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>
Received on 2012-11-03
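
The gate described in the mail above, as an added C model that is not part of the original thread and is not libcurl code. The struct, the enum, `gate_scheme_aware` and `retry_sends_header` are hypothetical names; the reuse behaviour is modelled as resetting the flag from the configured options, which is an assumption taken from the mail's description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not libcurl code: only the fields the mail mentions. */
enum scheme { AUTH_NONE, AUTH_BASIC, AUTH_NEGOTIATE };
struct conn_model {
  bool httpproxy;            /* request goes through an HTTP proxy */
  bool proxy_user_passwd;    /* a proxy user/password option was given */
  bool user_passwd;          /* a host user/password option was given */
  enum scheme proxy_picked;  /* scheme selected from the 407 response */
};

/* The gate as quoted from Curl_http_output_auth in the mail. */
static bool gate_as_quoted(const struct conn_model *c)
{
  return (c->httpproxy && c->proxy_user_passwd) || c->user_passwd;
}

/* Hypothetical alternative: Negotiate takes its credential from the
   Kerberos ticket cache, so a missing password must not skip it. */
static bool gate_scheme_aware(const struct conn_model *c)
{
  return gate_as_quoted(c) ||
         (c->httpproxy && c->proxy_picked == AUTH_NEGOTIATE);
}

/* True if the retry after the 407 would carry Proxy-Authorization.
   Reuse is modelled as resetting the flag from the options (assumption). */
static bool retry_sends_header(bool opt_proxy_userpwd, enum scheme picked,
                               bool patch_flag_on_407,
                               bool (*gate)(const struct conn_model *))
{
  struct conn_model c = { true, opt_proxy_userpwd, false, picked };
  if(patch_flag_on_407)
    c.proxy_user_passwd = true;            /* the experiment from the mail */
  c.proxy_user_passwd = opt_proxy_userpwd; /* connection reuse overwrites it */
  return gate(&c);
}

int main(void)
{
  printf("quoted gate, ticket cache only: %d\n",
         retry_sends_header(false, AUTH_NEGOTIATE, false, gate_as_quoted));
  printf("flag patched, then reuse:       %d\n",
         retry_sends_header(false, AUTH_NEGOTIATE, true, gate_as_quoted));
  printf("scheme-aware gate:              %d\n",
         retry_sends_header(false, AUTH_NEGOTIATE, false, gate_scheme_aware));
  return 0;
}
```

With the quoted gate, the flag is only set when a proxy credential option is present, which is why an empty one (`--proxy-user :`) alongside `--proxy-negotiate` is the usual way to let the ticket cache be used.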