curl-library

Re: Failure with --proxy-anyauth on NTLM

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Tue, 3 Apr 2012 14:13:19 +0200

On Tue, Apr 03, 2012 at 12:21:20PM +0200, Matteo Fiorito wrote:
> It is not a problem to store a configuration.
> The problem is the user can give me username and password (which I
> store encrypted in a config file), however the user does not know what
> NTLM is.
> I could test all the AUTH protocols, but it seems CURLAUTH_ANY
> should/would do it:
> "libcurl will automatically select the one it finds most secure."
>
> Does it work? Not for my customer.

Based on the logs, that's quite likely because the server is broken. The
server advertises the Negotiate protocol so libcurl happily attempts to use
it, but when it fails, it gives up. It's possible that the failure is
due to a problem in libcurl, but it's also rather likely that it's a server
problem.

Can you provide the output of -v or --trace-ascii during a transaction?

> >>- Or maybe to test all the authentication before failing? Testing all of:
> >>
> >> Proxy-Authenticate: Negotiate
> >> Proxy-Authenticate: Kerberos
> >> Proxy-Authenticate: NTLM
> >I don't believe this is currently possible but others on the list might be
> >able to confirm it for you. I guess libcurl would have to:
> >
> >* Try GSS in this example
> >* If that fails it would then move on and try the next supported mechanism
> >(Kerberos in this example)
> >* If that fails then it would move on and try NTLM
> >* That would then succeed in your scenario so then libcurl would continue
> >with the URL request
> >
> >If this is something you would like to try, I would suggest downloading the
> >libcurl source code and start hacking
> Hope I will have the chance.

IMHO, this isn't necessary. If the server advertises an authorization
protocol and curl selects it, then any failure must be assumed to be due to
an authorization failure. If the failure is due to bugs in the server and/or
curl, then those bugs should be fixed rather than adding code to try other
random authentication schemes.

>>> Dan
Received on 2012-04-03
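
The behaviour described in the reply above (one scheme is selected from those the proxy advertises, and a failure is not followed by a second attempt) can be modelled as below, together with the effect of narrowing the allowed set the way a stored `CURLOPT_PROXYAUTH` mask would. This is an added sketch, not libcurl code and not from the thread; the flag values, the preference order, and the names `advertised`, `pick` and `sample` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Flags for this sketch only; they are not libcurl's CURLAUTH_* values. */
enum { A_BASIC = 1, A_DIGEST = 2, A_NTLM = 4, A_NEGOTIATE = 8 };
/* Strongest first: an assumed preference order, not taken from the thread. */
static const struct { const char *name; int bit; } schemes[] = {
    { "Negotiate", A_NEGOTIATE }, { "Digest", A_DIGEST },
    { "NTLM", A_NTLM }, { "Basic", A_BASIC },
};
#define NSCHEMES (sizeof schemes / sizeof schemes[0])

/* Collect the schemes offered in the Proxy-Authenticate lines of a response. */
int advertised(const char *headers) {
    static const char field[] = "Proxy-Authenticate:";
    int mask = 0;
    for (const char *line = headers; line && *line; ) {
        if (strncasecmp(line, field, sizeof field - 1) == 0) {
            const char *v = line + sizeof field - 1;
            v += strspn(v, " \t");
            size_t n = strcspn(v, " \t\r\n");
            for (size_t i = 0; i < NSCHEMES; i++)
                if (n == strlen(schemes[i].name) &&
                    strncasecmp(v, schemes[i].name, n) == 0)
                    mask |= schemes[i].bit;   /* unknown names are ignored */
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return mask;
}

/* One pick, no fallback: strongest scheme both offered and allowed, or 0. */
int pick(int offered, int allowed) {
    for (size_t i = 0; i < NSCHEMES; i++)
        if (offered & allowed & schemes[i].bit)
            return schemes[i].bit;
    return 0;
}

/* Constructed 407 response carrying the three headers quoted in the thread. */
static const char sample[] = "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: Kerberos\r\n"
    "Proxy-Authenticate: NTLM\r\n\r\n";

int main(void) {
    printf("any: %d  Negotiate disabled: %d\n", pick(advertised(sample), ~0),
           pick(advertised(sample), ~A_NEGOTIATE));
    return 0;
}
```

With every scheme allowed the pick is Negotiate; once Negotiate is excluded from the allowed set, the same response yields NTLM.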