curl-library

SSPI proxy authentication fails for large post strings

From: Abram Pousada <APousada_at_softwarekey.com>
Date: Tue, 10 Mar 2015 17:28:59 +0000

Hello,

First, I apologize if this message shows up twice. I'm not sure what happened, but it didn't seem to get through to the list the first time around, and it appeared as though I needed to re-subscribe when I tried to log in. (I admit it has been a long time since I have sent anything.)

I have run into an issue where proxy authentication appears to fail under the following conditions:

* libcurl (7.41.0) was built (VC10-12) with USE_WINDOWS_SSPI defined.
* Using any (CURLAUTH_ANY) or negotiate (CURLAUTH_NEGOTIATE) for proxy authentication.
* The HTTP post includes a post string greater than TINY_INITIAL_POST_SIZE (defined in http.h as 1024) characters in length.
* Specified domain credentials are provided explicitly, from a computer which is not attached to the domain.
* Operating systems on which this issue has been verified so far include Windows 7 SP1, Windows 8, and Windows 8.1 (I can test in other versions if needed).

The proxy server is a Forefront TMG 2010 server (I recognize mainstream support for this ends soon), which requires integrated authentication for Active Directory users. Under the above conditions, it responds with an HTTP 407, even though it works just fine with a post less than or equal to 1024 characters in length. Here are the command arguments (this helped isolate the issue outside of our affected application) used to debug the library via the VS2013 solution:

-U "[domain]\[username]:[password]" --proxy-negotiate --proxy [host:port] --data "@$(UserProfile)\Desktop\request.txt" [postUrl]

After debugging a bit, I did find that I can prevent libcurl from going down the affected code path by explicitly setting an empty Expect header. (The command argument equivalent is --header "Expect:".) Other proxy authentication methods seem to function without this workaround. For example, explicitly using NTLM proxy authentication works just fine when this logic goes down the Expect: 100-continue path. Is setting the empty Expect header like this the best/safest way of implementing an immediate workaround?

Thanks in advance for the help! Let me know if there is any additional information I can provide on the matter.

-Abram

Received on 2015-03-10
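
A reproduction matrix for the conditions described in the message above, as an added example that is not part of the original post or of the curl project. It builds request bodies at and just over the 1024-byte TINY_INITIAL_POST_SIZE quoted in the post and pairs each with and without the empty Expect header; the proxy, credentials, URL and function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: four-cell repro matrix (body size x Expect handling).
# PROXY, PROXY_USER and URL are placeholder assumptions, not values from the post.
PROXY="${PROXY:-proxy.example.invalid:8080}"
PROXY_USER="${PROXY_USER:-EXAMPLE\\user:password}"
URL="${URL:-http://target.example.invalid/post}"
THRESHOLD=1024   # TINY_INITIAL_POST_SIZE as quoted in the post

# make_body N FILE: write exactly N bytes of 'a' to FILE (constructed sample input).
make_body() {
    dd if=/dev/zero bs=1 count="$1" 2>/dev/null | tr '\0' 'a' > "$2"
}

# cell FILE MODE: one cell of the matrix.
# MODE "default" lets curl decide about Expect; "noexpect" applies the workaround.
# Prints the command line unless RUN=1, in which case curl runs and prints the HTTP status.
cell() {
    c_file=$1
    c_mode=$2
    set -- -s -o /dev/null -w '%{http_code}' \
        -U "$PROXY_USER" --proxy-negotiate --proxy "$PROXY"
    if [ "$c_mode" = "noexpect" ]; then
        set -- "$@" --header "Expect:"
    fi
    set -- "$@" --data "@$c_file" "$URL"
    if [ "${RUN:-0}" = "1" ]; then
        curl "$@"
        printf '  (%s, %s)\n' "$c_file" "$c_mode"
    else
        printf 'curl'
        printf ' %s' "$@"
        printf '\n'
    fi
}

# run_matrix DIR: create a THRESHOLD-byte and a THRESHOLD+1-byte body in DIR,
# then emit both modes for each body.
run_matrix() {
    for size in "$THRESHOLD" "$((THRESHOLD + 1))"; do
        body="$1/body_$size.txt"
        make_body "$size" "$body"
        for mode in default noexpect; do
            cell "$body" "$mode"
        done
    done
}

# Stand-alone use: sh matrix.sh /some/empty/dir
if [ -n "${1:-}" ]; then run_matrix "$1"; fi
```

With RUN=1 set, a 407 that appears only in the 1025-byte "default" cell matches the behaviour reported in the message.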