cURL / Mailing Lists / curl-library / Single Mail

curl-library

Server authentication failures when using proxies

From: Fabian Keil <freebsd-listen_at_fabiankeil.de>
Date: Fri, 29 Mar 2013 14:46:16 +0100

Recently (after the pipelining changes were pushed to git) a couple of
server authentication tests started failing for me when testing through
a HTTP proxy (Privoxy).

Connections on which the challenge arrived weren't reused to send the
credentials, causing the test to loop until reaching the max-client-connections
limit on the proxy.

An excerpt from test67 (the first failing test) after adding a couple of
additional debug messages:

13:07:56.161373 == Info: Connection #0 to host 10.0.0.1 left intact
13:07:56.161404 == Info: Issue another request to this URL: 'http://10.0.0.1:8990/67'
13:07:56.161431 == Info: STATE: PERFORM => CONNECT handle 0x801c7b088; line 1526 (connection #-5000)
13:07:56.161604 == Info: Found bundle for host 10.0.0.1: 0x801c7a468
13:07:56.161626 == Info: Checking proxy bits
13:07:56.161640 == Info: Connection match
13:07:56.161653 == Info: we wantNTLM
13:07:56.161667 == Info: Not forcing reuse
13:07:56.161796 == Info: About to connect() to proxy 10.0.0.1 port 8118 (#1)
13:07:56.161894 == Info: Trying 10.0.0.1...
13:07:56.162096 == Info: Adding handle: conn: 0x801cd5d08
13:07:56.162116 == Info: Adding handle: send: 0
13:07:56.162132 == Info: Adding handle: recv: 0
13:07:56.162161 == Info: Curl_addHandleToPipeline: length: 1
13:07:56.162178 == Info: 0x801c3f008 is at send pipe head
13:07:56.162200 == Info: - Conn 0 (0x801cd5608) send_pipe: 0, recv_pipe: 0
13:07:56.162220 == Info: - Conn 1 (0x801cd5d08) send_pipe: 1, recv_pipe: 0
13:07:56.162241 == Info: STATE: CONNECT => WAITCONNECT handle 0x801c7b088; line 1048 (connection #1)
13:07:56.162277 == Info: Connected to 10.0.0.1 (10.0.0.1) port 8118 (#1)
13:07:56.162317 == Info: STATE: WAITCONNECT => DO handle 0x801c7b088; line 1167 (connection #1)
13:07:56.162459 == Info: Server auth using NTLM with user 'testuser'
13:07:56.162795 => Send header, 205 bytes (0xcd)

While the correct proxy connection is considered, it isn't reused
as credentialsMatch is only set for direct connections.

The attached patch moves the check out of the "no proxy" block and gets
most of the tests I'm expecting to work through a proxy working again,
namely: 67 68 89 156 159 267 1100 2025 2026 2028 2029 2030 2031

In my opinion the fact that the credentials previously were send on
a new connection (instead of restarting the authentication dance
from scratch) could be considered another bug, but the attached patch
obviously doesn't address this.

Fabian

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

text/x-patch attachment: 0001-Let-ConnectionExists-mark-credential-matches-for-pro.patch

application/pgp-signature attachment: signature.asc

Received on 2013-03-29

This message: [ Message body ]
Next message: Sergei Nikulov: "Re: Compile libcurl using MS VS2008"
Previous message: Katie Scott: "compiling libcurl using MS VS2010"
Next in thread: Daniel Stenberg: "Re: Server authentication failures when using proxies"
Reply: Daniel Stenberg: "Re: Server authentication failures when using proxies"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]