curl-library
Re: Problem with NTLM proxy authentication
From: Ulrich Telle <Ulrich.Telle_at_gmx.de>
Date: Thu, 11 Sep 2014 21:45:42 +0200
Steve,
> > One difference I see in the source code of the SSPI authentication
> > module of FireFox is that SSPI function InitializeSecurityContext is
> > called without any of the flags libcurl is using:
>
> I wonder whether we are being "too strict" in some respects. The libcurl
> NTLM SSPI code (as far as I can remember) has been like that for years.
>
> Have you tried and if not can you try removing some or even all of
> those flags and passing 0 in your version of libcurl?
I created a libcurl version in which I replaced the combination of flags
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONNECTION
by simply 0 (zero) (which is equivalent to ISC_REQ_CONNECTION
according to the documentation of InitializeSecurityContext).
I tested this new version within my own company: it (still) worked. So it
seems the flags are not required for normal operation.
Then, this morning I asked one user in Far East and one user in Germany to
perform a test. For both the test succeeded. That is, removing the flags
seems to have done the trick.
I have no explanation why the flags seem to have had such a negative effect
for some of the users.
However, after googling again for some time I found this url
https://code.google.com/p/serf/issues/detail?id=147
regarding ISC_REQ_CONFIDENTIALITY, stating that it has no effect for
HTTP;
and this url
https://bugreports.qt-project.org/browse/QTBUG-17322
where someone experienced the same problem with the error code
SEC_E_INVALID_TOKEN from InitializeSecurityContext. In this thread
Shane Kearns added a comment - 27/Jun/12 12:50 PM stating:
"ISC_REQ_CONFIDENTIALITY seems to be the one causing a problem.
However I don't think we need replay detection either - the proxy is
authenticating us rather than the other way around. ..."
My conclusion is that it seems to be better to remove the flags.
Regards,
Ulrich
--
E-Mail privat: Ulrich.Telle@gmx.de
World Wide Web: http://www.telle-online.de
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-11
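
One way to see what the flag change discussed above does on the wire, as an added example that is not part of the original post or of libcurl: decode the NegotiateFlags field of the NTLM type 1 token taken from a captured Proxy-Authorization value and list the session-security bits it requests. The bit values follow MS-NLMP; that ISC_REQ_CONFIDENTIALITY and ISC_REQ_REPLAY_DETECT surface as the seal and sign bits is an assumption of this example, and the helper names and both sample tokens are constructed.

```python
import base64
import struct

# Session-security bits of NegotiateFlags (values as defined in MS-NLMP).
SESSION_SECURITY_FLAGS = {
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

def negotiate_flags(header_value):
    """Return NegotiateFlags from the value of a Proxy-Authorization header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM authorization value")
    raw = base64.b64decode(token.strip(), validate=True)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature or truncated message")
    # Signature (8 bytes), then MessageType and NegotiateFlags, little-endian.
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE (type 1), got type %d" % msg_type)
    return flags

def session_security_requested(header_value):
    """Names of the signing/sealing bits the client asked for, sorted."""
    flags = negotiate_flags(header_value)
    return sorted(n for bit, n in SESSION_SECURITY_FLAGS.items() if flags & bit)

def build_type1(flags):
    """Constructed sample: minimal type 1 message, empty domain/workstation."""
    raw = b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16
    return "NTLM " + base64.b64encode(raw).decode("ascii")

# Constructed samples, not captured traffic.
PLAIN = build_type1(0x00000207)   # UNICODE | OEM | REQUEST_TARGET | NTLM
SEALED = build_type1(0x40000237)  # same, plus SIGN | SEAL | KEY_EXCH

if __name__ == "__main__":
    for label, value in (("plain", PLAIN), ("sealed", SEALED)):
        print(label, hex(negotiate_flags(value)), session_security_requested(value))
```

Running it against the first Proxy-Authorization value sent by each libcurl build shows whether the two tokens differ only in these bits.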