curl-users
Proxy Digest Authentication not working
From: Rob Newton <robn_at_mirrabooka.com>
Date: Fri, 06 Sep 2013 14:24:19 +1000
Hi List,
I'm having a problem authenticating with an ISA proxy server using Digest authentication. I believe that the server is accepting Digest (along with kerberos and ntlm). I know that curl supports NTLM, and this works for me, but I need to test with Digest so that I can be sure that the Redhat Yum updater will work (which doesn't support NTLM). I would be grateful if someone could look at this trace and comment about where the problem might be.
It seems that the proxy server declares that it supports Digest (among others) but curl does not respond with a digest authentication. Maybe curl initially sent it digest, but the server doesn't like it for some reason?
$ curl -V
curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
$ curl --trace-ascii zzd -x 10.100.10.1:8080 --proxy-digest -U 'me:mypass' http://www.google.com
== Info: About to connect() to proxy 10.100.10.1 port 8080 (#0)
== Info: Trying 10.100.10.1... == Info: connected
== Info: Connected to 10.100.10.1 (10.100.10.1) port 8080 (#0)
== Info: Proxy auth using Digest with user 'Mirrabooka'
=> Send header, 217 bytes (0xd9)
0000: GET http://www.google.com HTTP/1.1
0024: User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 N
0064: SS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
0096: Host: www.google.com
00ac: Accept: */*
00b9: Proxy-Connection: Keep-Alive
00d7:
<= Recv header, 153 bytes (0x99)
0000: HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requ
0040: ires authorization to fulfill the request. Access to the Web Pro
0080: xy filter is denied. )
<= Recv header, 19 bytes (0x13)
0000: Via: 1.1 SUGARNET
== Info: gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found<= Recv header, 31 bytes (0x1f)
0000: Proxy-Authenticate: Negotiate
<= Recv header, 30 bytes (0x1e)
0000: Proxy-Authenticate: Kerberos
<= Recv header, 26 bytes (0x1a)
0000: Proxy-Authenticate: NTLM
<= Recv header, 176 bytes (0xb0)
0000: Proxy-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="
0040: 6054dc8bb8aace016b10157ff4585883616aeff95d923a5159063b37f9092341
0080: 24d4fa79129708cc",charset=utf-8,realm="Digest"
<= Recv header, 24 bytes (0x18)
0000: Connection: Keep-Alive
<= Recv header, 30 bytes (0x1e)
0000: Proxy-Connection: Keep-Alive
<= Recv header, 18 bytes (0x12)
0000: Pragma: no-cache
<= Recv header, 25 bytes (0x19)
0000: Cache-Control: no-cache
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 24 bytes (0x18)
0000: Content-Length: 4110
<= Recv header, 2 bytes (0x2)
0000:
<= Recv data, 865 bytes (0x361)
0000: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
0040: <HTML><HEAD><TITLE>Error Message</TITLE>
... MORE HTML ...
0c99: </BODY>
0ca2: </HTML>
0cab:
== Info: Connection #0 to host 10.100.10.1 left intact
== Info: Closing connection #0
$
Date: Fri, 06 Sep 2013 14:24:19 +1000
Hi List,
I'm having a problem authenticating with an ISA proxy server using Digest authentication. I believe that the server is accepting Digest (along with kerberos and ntlm). I know that curl supports NTLM, and this works for me, but I need to test with Digest so that I can be sure that the Redhat Yum updater will work (which doesn't support NTLM). I would be grateful if someone could look at this trace and comment about where the problem might be.
It seems that the proxy server declares that it supports Digest (among others) but curl does not respond with a digest authentication. Maybe curl initially sent it digest, but the server doesn't like it for some reason?
$ curl -V
curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
$ curl --trace-ascii zzd -x 10.100.10.1:8080 --proxy-digest -U 'me:mypass' http://www.google.com
== Info: About to connect() to proxy 10.100.10.1 port 8080 (#0)
== Info: Trying 10.100.10.1... == Info: connected
== Info: Connected to 10.100.10.1 (10.100.10.1) port 8080 (#0)
== Info: Proxy auth using Digest with user 'Mirrabooka'
=> Send header, 217 bytes (0xd9)
0000: GET http://www.google.com HTTP/1.1
0024: User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 N
0064: SS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
0096: Host: www.google.com
00ac: Accept: */*
00b9: Proxy-Connection: Keep-Alive
00d7:
<= Recv header, 153 bytes (0x99)
0000: HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requ
0040: ires authorization to fulfill the request. Access to the Web Pro
0080: xy filter is denied. )
<= Recv header, 19 bytes (0x13)
0000: Via: 1.1 SUGARNET
== Info: gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found<= Recv header, 31 bytes (0x1f)
0000: Proxy-Authenticate: Negotiate
<= Recv header, 30 bytes (0x1e)
0000: Proxy-Authenticate: Kerberos
<= Recv header, 26 bytes (0x1a)
0000: Proxy-Authenticate: NTLM
<= Recv header, 176 bytes (0xb0)
0000: Proxy-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="
0040: 6054dc8bb8aace016b10157ff4585883616aeff95d923a5159063b37f9092341
0080: 24d4fa79129708cc",charset=utf-8,realm="Digest"
<= Recv header, 24 bytes (0x18)
0000: Connection: Keep-Alive
<= Recv header, 30 bytes (0x1e)
0000: Proxy-Connection: Keep-Alive
<= Recv header, 18 bytes (0x12)
0000: Pragma: no-cache
<= Recv header, 25 bytes (0x19)
0000: Cache-Control: no-cache
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 24 bytes (0x18)
0000: Content-Length: 4110
<= Recv header, 2 bytes (0x2)
0000:
<= Recv data, 865 bytes (0x361)
0000: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
0040: <HTML><HEAD><TITLE>Error Message</TITLE>
... MORE HTML ...
0c99: </BODY>
0ca2: </HTML>
0cab:
== Info: Connection #0 to host 10.100.10.1 left intact
== Info: Closing connection #0
$
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-09-06