cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: Problem with NTLM proxy authentication

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Thu, 11 Sep 2014 21:48:05 +0100

On Thu, 11 Sep 2014, Ulrich Telle wrote:

> > I wonder whether we are being "too strict" in some respects. The libcurl
> > NTLM SSPI code (as far as I can remember) has been like that for years.
> >
> > Have you tried and if not can you try removing some or even all of
> > those flags and passing 0 in your version of libcurl?
>
> I created a libcurl version in which I replaced the combination of flags
>
> ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONNECTION
>
> by simply 0 (zero) (which is equivalent to ISC_REQ_CONNECTION according
> to the documentation of InitializeSecurityContext).
>
> I tested this new version within my own comapany: it (still) worked. So it
seem
> the flags are not required for normal operation.
>
> Then, this morning I asked one user in Far East and one user in Germany to
> perform a test. For both the test succeeded. That is, removing the flags
seems to
> have done the trick.

Whilst I have some experience in this area I'm not a security expert - I'm
still learning in some respects ;-)

What I did find from my own testing of the Kerberos 5 support I recently
added for the email protocols was that these flags served no purpose, if
you're not encrptying the data, so if you look at the new code in
curl_sasl_sspi.c I simply pass zero - unless the mutual authentication flag
is set in which case I pass in ISC_REQ_MUTUAL_AUTH (which we don't use in
the NTLM code).

> I have no explanation why the flags seem to have had such a negative
effect for
> some of the users.
>
> However, after googling again for some time I found this url
>
> and this url

Interesting finds.

> My conclusion is that it seems to be better to remove the flags.

I'm all for removing them if it means we work out of the box with more proxy
servers.

Do you think it is worth passing a flag into those functions and setting the
ISC_REQ_ flags if that flag is set - for the email protocols for example or
not?

However, I have just tested this against and Exchange 2013 server with both
single sign on and a specific user account (both with and without the
domain) and all three tests succeeded with the ISQ_REQ_ flags as zero.

Are you up to providing a patch - I can do it but it is your find so I would
rather you are credited for the work ;-)

Kind Regards

Steve
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-11

This message: [ Message body ]
Next message: Daniel Stenberg: "Re: schannel modifications for WinCE 6"
Previous message: Marc Hoersken: "Re: schannel modifications for WinCE 6"
In reply to: Ulrich Telle: "Re: Problem with NTLM proxy authentication"
Next in thread: Ulrich Telle: "Re: Problem with NTLM proxy authentication"
Reply: Ulrich Telle: "Re: Problem with NTLM proxy authentication"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]